JP2022119454A - Vehicle control device and vehicle control system - Google Patents

Abstract

To improve security in an inter-vehicle communication.SOLUTION: A vehicle control device 20 comprises: a first acquisition unit 21 that acquires, from a remote server 70 by a remote communication, an authentication key containing at least information indicating a current status of a communication-scheduled vehicle that is scheduled to communicate with a self vehicle; a second acquisition unit 22 that acquires a pairing request signal containing at least information indicating a current status of a candidate vehicle from the candidate vehicle through an inter-vehicle communication; a pairing operation unit 23 that performs a pairing operation with the candidate vehicle, assuming that the candidate vehicle is a communication-scheduled vehicle, in the case where the information indicating the current status of the candidate vehicle included in the pairing request signal is coincident with the information indicating the current status of the communication-scheduled vehicle included in the authentication key; and an encrypted information transmitting/receiving unit 24 that performs inter-vehicle communication with the candidate vehicle for encrypted information based on the authentication key after the pairing operation.SELECTED DRAWING: Figure 3

Description

The present invention relates to a vehicle control device and a vehicle control system.

2. Description of the Related Art Vehicle-to-vehicle communication is known in which vehicles directly communicate with each other in order to acquire information about other vehicles in an automatic driving vehicle (see Patent Literature 1, for example).

JP 2012-38258 A

In the vehicle-to-vehicle communication as described above, data communication and authentication are normally performed using a fixed encryption key between vehicles. Therefore, if the encryption key is leaked, there is a risk that vehicle-to-vehicle communication will be performed with an unexpected vehicle (for example, a malicious vehicle). For example, when connecting self-driving vehicles while driving, there is a risk that the encryption key will be leaked and the vehicle will be connected to an unexpected vehicle (e.g., a malicious vehicle) while driving. . Thus, conventionally, there has been a demand for improved security in inter-vehicle communication.

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and an object of the present invention is to improve security in inter-vehicle communication.

A vehicle control device according to an aspect of the present invention acquires an authentication key including at least information indicating the current status of a communication-scheduled vehicle, which is a vehicle scheduled to communicate with the own vehicle, from a remote server via remote communication. a second obtaining unit for obtaining a pairing request signal including at least information indicating the current status of the candidate vehicle from the candidate vehicle through inter-vehicle communication; and a current status of the candidate vehicle included in the pairing request signal. If the information indicating the status of matches the information indicating the current status of the vehicle to be communicated contained in the authentication key, pairing operation is performed with the candidate vehicle assuming that the candidate vehicle is the vehicle to be communicated with. and an encrypted information transmitting/receiving unit that performs inter-vehicle communication with the candidate vehicle for encrypted information based on the authentication key after the pairing operation.

In the vehicle control device according to one aspect of the present invention, an authentication key including at least information indicating the current status of the vehicle to be communicated with is obtained from the remote server, and at least including information indicating the current status of the candidate vehicle. When the pairing request signal is obtained from the candidate vehicle and the pieces of information indicating the current status match each other, the candidate vehicle is assumed to be the communication-scheduled vehicle, and the pairing operation with the candidate vehicle is performed. In this way, the authentication key for determining whether to perform pairing is acquired from a remote server separate from the vehicle control device, thereby preventing pairing with the vehicle control device that has been hacked or spoofed. can be properly prevented. The information included in the authentication key is "information indicating the current status of the vehicle to be communicated with", and is unique each time, so that it is possible to determine whether pairing is to be performed using a one-time password. Therefore, the security regarding the pairing operation can be improved. By performing encryption based on the authentication key, which is a one-time password, highly secure inter-vehicle communication can be realized by clearly distinguishing from hacked or spoofed communication with the vehicle control device.

The first acquisition unit acquires the current weight of the communication-scheduled vehicle as information indicating the current status of the communication-scheduled vehicle, and the second acquisition unit acquires the current weight of the candidate vehicle as information indicating the current status of the candidate vehicle. You can get the weight of To appropriately determine whether or not a candidate vehicle is a communication-scheduled vehicle by using the "current weight of the vehicle", which is a unique value depending on the number of passengers to be transported and the status of luggage, as the current status of the vehicle. It is possible to appropriately prevent pairing with a hacked or spoofed vehicle control device.

The pairing operation unit creates a common key for the candidate vehicle based on the information indicating the current status of the vehicle to be communicated with and the information indicating the current status of the own vehicle. may be used to perform inter-vehicle communication with the candidate vehicle. In this way, by creating a common key from the information indicating the current status of the vehicle to be communicated with and the information indicating the current status of the own vehicle, the two vehicle control devices performing the pairing operation can be properly connected. , can generate the same common key as each other. Part of the data for creating the common key is information indicating the current status of the own vehicle, so that, for example, data obtained from a remote server (information indicating the current status of the vehicle to be communicated with) can be intercepted. Even if this is the case, since the information of the own vehicle is not on the communication, it will not be intercepted, and the common key will not be guessed, so that the security in the inter-vehicle communication can be improved.

The vehicle control device further includes a connection control unit for controlling connection while running with the candidate vehicle under pairing, and the encrypted information transmission/reception unit performs inter-vehicle communication of information related to connection while running with the candidate vehicle. and the connection control unit may control the connection while running with the candidate vehicle based on the information related to the connection while running received by the encrypted information transmission/reception unit. According to such a configuration, it is possible to appropriately prevent connection with a vehicle that is not paired (a hacked vehicle or a spoofed vehicle) while driving.

A vehicle control system according to one aspect of the present invention includes a remote server, a first vehicle control device that controls a first vehicle, and a second vehicle control device that controls a second vehicle. A system, wherein a remote server determines to perform pairing for a first vehicle and a second vehicle; An authentication key including at least information indicating the current situation of the vehicle is transmitted, and the first vehicle control device sends a pairing request signal including at least information indicating the current situation of the first vehicle to the second vehicle. and the second vehicle control device transmits the information indicating the current status of the first vehicle contained in the pairing request signal to the current status of the pairing partner vehicle contained in the authentication key. If the information matches, a pairing operation is performed between the second vehicle and the first vehicle. According to the vehicle control system according to one aspect of the present invention, security in inter-vehicle communication can be improved, like the vehicle control device described above.

The first vehicle control device and the second vehicle control device encrypt information related to the running connection of the first vehicle and the second vehicle based on the authentication key, and transmit and receive the information to and from each other through inter-vehicle communication. The first vehicle and the second vehicle are coupled while driving based on the information related to the intermediate coupling, and the remote server receives information indicating that the first vehicle and the second vehicle are coupled while driving. can be managed. According to such a configuration, the remote server can reliably connect the two paired vehicles while they are running.

The first vehicle and the second vehicle are commercial vehicles that transport passengers, and the first vehicle controller and the second vehicle controller transmit the weight of the own vehicle to the remote server at predetermined time intervals. and the remote server, when the first vehicle and the second vehicle are connected while driving, based on a change in the weight of the first vehicle or the second vehicle, Specifying completion of passenger movement between vehicles, transmitting a disconnection instruction to the first vehicle control device and the second vehicle control device when the passenger movement is completed, and controlling the first vehicle The device and the second vehicle control device may release the running coupling of the first vehicle and the second vehicle based on the coupling release instruction. If the train is connected while driving, the passengers will move, but the completion of passenger movement is determined based on the change in the weight of both vehicles, and when it is determined that it is completed, the train is disconnected while driving. , the connection can be smoothly released at an appropriate timing while the vehicle is running.

According to the present invention, security in inter-vehicle communication can be improved.

It is a figure explaining the connection during driving|running|working of two vehicles. It is a figure explaining the apparatus structure of a vehicle. It is a figure explaining the function of the vehicle control system which concerns on this embodiment. It is a flow chart which shows vehicle pairing processing. 4 is a flowchart showing vehicle connection and connection release processing; 9 is a flow chart showing another example of the decoupling process; It is a figure which shows an example of the data transmitted to a remote server from a vehicle. FIG. 4 is a diagram showing an example of data transmitted from a remote server to a vehicle; It is a figure explaining the communication using the common key between vehicles. FIG. 4 is an image diagram of vehicle spoofing prevention using an authentication key.

Various embodiments are described in detail below with reference to the drawings. In each drawing, the same or corresponding parts are denoted by the same reference numerals, and redundant description of the same or corresponding parts is omitted.

A vehicle control system according to the present embodiment is a system that controls communication (inter-vehicle communication) between automatically driven vehicles. As an example, the vehicle control system according to the present embodiment controls connection between automatically driven vehicles while they are running. FIG. 1 is a diagram illustrating how two vehicles are connected while they are running. In the example shown in FIG. 1, the vehicles 1, 2 are commercial vehicles for transporting passengers. Vehicle 1 is assumed to be a large moving vehicle traveling on a highway. It is also assumed that the vehicle 2 is a small bus that travels between general roads and highways. The vehicle 2 picks up passengers at the "boarding area" (bus stop) of the general road, and then connects with the vehicle 1 while driving at the "connection/moving area" of the expressway. Upon coupling, passengers of vehicle 1 walk to vehicle 2 . On the contrary, the passengers of the vehicle 2 who want to get off walk to the vehicle 1 . After the passengers have finished moving, the vehicle 1 moves on the expressway as it is, and the vehicle 2 moves again to the general road and makes the passengers get off at the "get off area" (bus stop).

In this manner, the vehicle 1 traveling on the expressway and the vehicle 2 traveling between the general road and the expressway are connected during traveling, thereby significantly shortening the transportation time of passengers. In other words, in the past, it was necessary to get off a highway bus or the like on a general road to get on and off in order to pick up passengers. If so, the passenger transportation time can be greatly shortened. Hereinafter, an example in which the vehicle control system according to the present embodiment controls communication (vehicle-to-vehicle communication) between automatically driven vehicles for the purpose of controlling connection while driving as described above will be described. 100 may control vehicle-to-vehicle communication for the purpose of control other than connection while driving.

First, the device configuration (hardware configuration) of vehicles 1 and 2, which are objects to be controlled by the vehicle control system, will be described with reference to FIG. It should be noted that the devices of the vehicle 1 described here are mainly devices related to coupling while driving using inter-vehicle communication, and devices (motors, batteries, engines, wheels, etc.) that implement general functions of the vehicle. ).

FIG. 2 is a diagram for explaining the device configuration of the vehicles 1 and 2. As shown in FIG. As described above, the vehicle 1 is, for example, a large moving vehicle traveling on a highway. Also, the vehicle 2 is a small bus that travels between general roads and expressways. Vehicles 1 and 2 have a hardware configuration such as a GPS (Global Positioning System) 11, a V2V (Vehicle-to-Vehicle) communication device 12, a remote communication device 13, an obstacle recognition device 14, A vehicle coupling device 15 and a vehicle control device 20 are provided.

The GPS 11 is a device that acquires vehicle position information. The V2V communication device 12 is a device that performs inter-vehicle communication with other vehicles. The remote communication device 13 is a device that performs remote communication with other devices (specifically, remote communication with a remote server, which will be described later). The obstacle recognition device 14 is a device that recognizes surrounding obstacles while the vehicle is running. The vehicle coupling device 15 is a coupling portion for coupling while driving. The vehicle control device 20 is a device that controls coupling while driving by controlling other hardware configurations.

FIG. 3 is a diagram illustrating the functions of the vehicle control system 100 according to this embodiment. The vehicle control system 100 includes a plurality of (at least two) vehicle control devices 20 , 20 and a remote server 70 . Assume that the plurality of vehicles are vehicles 1 and 2 (first vehicle and second vehicle) to be paired. Pairing is a process of linking two vehicles that perform vehicle-to-vehicle communication. The vehicle control devices 20, 20 of the vehicles 1, 2 have similar functions.

The remote server 70 has decided to perform pairing for the vehicles 1 and 2 and has included at least information indicating the current status of the paired vehicle to the vehicle control devices 20 and 20 of the vehicles 1 and 2. Send authentication key. The pairing partner is, for example, the vehicle 2 for the vehicle 1 and the vehicle 1 for the vehicle 2 . The current state of the vehicle is, for example, the current weight of the vehicle. On the premise that it is possible to determine the vehicle to be paired and to transmit the authentication key, the remote server 70 receives the Data such as the weight of the own vehicle are acquired periodically. FIG. 7 is a diagram showing an example of data transmitted from the vehicle 1 to the remote server 70. As shown in FIG. As shown in FIG. 7, each of vehicles 1 and 2 periodically transmits a unique number assigned to its own vehicle, destination information, and vehicle weight to remote server 70 . Based on the remote server 70 and the destination information, it is determined which vehicles are to be paired (to be connected while driving). After determining the vehicles 1 and 2 to be paired, the remote server 70 provides an authentication key containing the weight of the pairing partner (vehicle weight obtained periodically) to these vehicles 1. Send. FIG. 8 is a diagram showing an example of data transmitted from the remote server 70 to the vehicles 1 and 2. As shown in FIG. In the example shown in FIG. 8, the remote server 70 sends an authentication key containing vehicle information (unique number) of the pairing partner (ie, connection destination) and the weight of the pairing partner (ie, connection destination) to the vehicle. I am sending to 1 and 2.

When the vehicles 1 and 2 are paired based on the authentication key (details will be described later), the remote server 70 manages information indicating that the vehicles 1 and 2 are being paired. Further, when the vehicles 1 and 2 are connected while driving after pairing, the remote server 70 manages information indicating that they are connected while driving. Further, the remote server 70 transmits an instruction to release the coupling while driving to the vehicle control devices 20, 20 of the vehicles 1, 2 when, for example, the movement of the passenger is completed. When the remote server 70 receives a pairing end notification from the vehicle control devices 20, 20, the remote server 70 manages information indicating that the pairing of the vehicles 1, 2 has been cancelled.

The vehicle control device 20 includes a first acquisition unit 21, a second acquisition unit 22, a pairing operation unit 23, an encrypted information transmission/reception unit 24, and a connection control unit 25, as shown in FIG. I have.

The first acquisition unit 21 acquires, from the remote server 70 by remote communication, an authentication key including at least information indicating the current status of the communication-scheduled vehicle that is scheduled to communicate with the own vehicle. The first acquisition unit 21 acquires the authentication key from the remote server 70 by controlling the remote communication device 13 . The first acquisition unit 21 acquires the current weight of the communication-scheduled vehicle as information indicating the current status of the communication-scheduled vehicle.

The second acquisition unit 22 acquires a pairing request signal including at least information indicating the current status of the candidate vehicle from the candidate vehicle through vehicle-to-vehicle communication. The candidate vehicle here is the vehicle 2 for the vehicle 1 and the vehicle 1 for the vehicle 2 . The second acquisition unit 22 acquires the pairing request signal from the candidate vehicle by controlling the V2V communication device 12 . The second acquisition unit 22 acquires the current weight of the candidate vehicle as information indicating the current status of the candidate vehicle.

When the information indicating the current status of the candidate vehicle included in the pairing request signal matches the information indicating the current status of the communication-scheduled vehicle included in the authentication key, the pairing operation unit 23 allows the candidate vehicle to initiate communication. Assuming that the vehicle is the scheduled vehicle, the pairing operation with the candidate vehicle is performed. Such a state in which the information indicating the current situation matches is that it is confirmed that the communication-scheduled vehicle determined by the remote server 70 as a pairing target is the same as the candidate vehicle that has transmitted the pairing request signal. , it is confirmed that the candidate vehicle is not a spoofed vehicle or the like. The pairing operation unit 23 creates a common key for the candidate vehicle based on the information indicating the current status of the communication-scheduled vehicle (candidate vehicle) and the information indicating the current status of the own vehicle. FIG. 9 is a diagram for explaining communication using a common key between vehicles. Now, based on the authentication key, the vehicle 1 acquires the current weight (800 kg) of the vehicle 2 as information indicating the current status of the vehicle 2, which is a vehicle scheduled to communicate (candidate vehicle). Assume that the current weight (500 kg) of the vehicle 1 is obtained as information indicating the current status of the vehicle 1, which is a vehicle scheduled for communication (candidate vehicle), based on the authentication key. In this case, the pairing operation unit 23 of the vehicle 1 generates a common key by processing these information based on the current weight of the vehicle 2 of 800 kg and the current weight of the vehicle 1 of 500 kg, which is the weight of the own vehicle. do. Also, the pairing operation unit 23 of the vehicle 2 generates a common key by processing these information based on the current weight of the vehicle 1 of 500 kg and the current weight of the vehicle 2 of 800 kg, which is the weight of the own vehicle. . Since the information for creating the common key is shared in this way, the common keys created by the vehicle 1 and the vehicle 2 are identical to each other.

After the pairing operation, the encrypted information transmitting/receiving unit 24 performs vehicle-to-vehicle communication with the candidate vehicle regarding the encrypted information based on the authentication key. The encrypted information transmitting/receiving unit 24 performs vehicle-to-vehicle communication with the candidate vehicle by controlling the V2V communication device 12 . The encrypted information transmitting/receiving unit 24 performs encryption using the above-described common key, and performs inter-vehicle communication with the candidate vehicle. The encrypted information transmitting/receiving unit 24 transmits/receives information related to the running connection with the candidate vehicle through inter-vehicle communication. Specifically, the encrypted information transmitting/receiving unit 24 transmits/receives information such as the connection position and connection time to/from the candidate vehicle through inter-vehicle communication.

The connection control unit 25 controls connection during running with the candidate vehicle that is being paired. The connection control unit 25 controls the connection between the candidate vehicle and the host vehicle while the candidate vehicle is running, based on the information regarding the connection while the vehicle is running, which is received by the encrypted information transmission/reception unit 24 .

Vehicle pairing processing (see FIG. 4), vehicle connection and decoupling processing (see FIG. 5), and another example of decoupling processing (see FIG. 6) will be described in detail below. In the following description, even if the vehicle control devices 20 and 20 of the vehicles 1 and 2 are performing the processing in detail, it is simply referred to as "being performed by the vehicle 1" (or "being performed by the vehicle 2"). are doing”). 4 to 6, solid line arrows indicate remote communication, dashed line arrows simply indicate the flow of processing, and dotted line arrows indicate V2V communication (vehicle-to-vehicle communication).

FIG. 4 is a flowchart showing vehicle pairing processing. As shown in FIG. 4, it is assumed that a vehicle 1 carrying passengers is running on a highway (step S1). Suppose now that the vehicle 2 carrying passengers leaves the bus stop toward the expressway (step S2). The remote server 70 searches for vehicles to be paired, and pairs the vehicles 1 and 2 based on the destination information of the vehicles 1 and 2. 1 and 2 are paired) (step S3).

Subsequently, remote server 70 transmits an authentication key for pairing to pairing target vehicles 1 and 2 (step S4). The authentication key contains information indicating the current situation (weight) of the paired vehicle. Vehicles 1 and 2 receive the authentication key for pairing (steps S5 and S6).

The vehicle 2 transmits a pairing request signal including information indicating the current situation (weight) of the vehicle 2 to the vehicle 1 by inter-vehicle communication (step S7). The vehicle 1 determines whether the information (the weight of the vehicle 2) included in the authentication key received from the remote server 70 matches the information (the weight of the vehicle 2) included in the pairing request signal received from the vehicle 2. is determined (step S8).

If they do not match in step S8, the process ends and the subsequent processes are not executed (step S9). On the other hand, if they match in step S8, vehicle 1 transmits a pairing permission signal to vehicle 2 by inter-vehicle communication (step S10). Also, the vehicle 2 receives the pairing permission signal, completes the pairing, and transmits a notification to that effect to the remote server 70 (step S11). When the remote server 70 receives the information that the pairing is completed from the vehicle 2, the remote server 70 manages the information that the vehicles 1 and 2 are pairing (step S12). After that, encrypted information (control information) based on the authentication key is transmitted and received between the vehicles 1 and 2 by inter-vehicle communication (steps S13 and S14).

FIG. 5 is a flowchart showing vehicle connection and connection release processing. As a premise of the processing in FIG. 5, it is assumed that the vehicles 1 and 2 are paired. First, the vehicle 1 transmits information on the connection position to the vehicle 2 by inter-vehicle communication (step S101), and the vehicle 2 receives the information (step S102). When the vehicle 2 moves to the coupling position, the vehicles 1 and 2 are coupled while traveling (step S104), and when completed, the remote server 70 manages information indicating that the vehicles 1 and 2 are coupled while traveling. (Step S105).

Then, when the remote server 70 recognizes the movement of the passenger between the vehicles 1 and 2, the remote server 70 transmits a decoupling instruction to the vehicles 1 and 2 (step S106). Vehicles 1 and 2 receive the disconnection instruction (steps S107 and S108). Then, for example, the vehicle 2 transmits a decoupling request to the vehicle 1 (step S109), the vehicle 1 permits decoupling (step S110), the coupling is released, and the vehicle separation is completed (step S111). After that, the pairing end notification is transmitted from the vehicles 1 and 2 to the remote server 70 (steps S112 and S113), and the remote server 70 manages the information indicating that the pairing of the vehicles 1 and 2 has been canceled (step S114). ).

FIG. 6 is a flow chart showing another example of the decoupling process. In this embodiment, on the premise that the vehicle control devices 20, 20 of the vehicles 1, 2 transmit the weight of the vehicle to the remote server 70 at predetermined time intervals, the remote server 70 controls the vehicle 1, 2 to travel. Identify completion of passenger movement between vehicle 1 and vehicle 2 based on change in weight of vehicle 1 or vehicle 2 (or both) when intermediately coupled, and complete passenger movement In this case, a disconnection instruction is transmitted to the vehicle control devices 20 and 20 of the vehicles 1 and 2 .

As shown in FIG. 6, in the vehicle-coupled state, vehicles 1 and 2 periodically transmit their own vehicle weights to remote server 70 (steps S201 and S202). The transmission frequency of the weight by the vehicles 1, 2 may be increased when the vehicles are coupled compared to when the vehicles are not coupled.

Subsequently, the remote server 70 compares the passenger reservation information with the weight information received from the vehicles 1 and 2 (step S203). The passenger reservation information includes the destination of each passenger, and the assumed weight of the vehicles 1 and 2 after the passengers move between the vehicles 1 and 2 can be predicted from the destination information. By comparing the assumed weights of the vehicles 1 and 2 derived from the passenger reservation information in this way with the weight information received from the vehicles 1 and 2, it is possible to determine with high accuracy whether or not the movement of the passengers has been completed. can judge.

The remote server 70 checks whether the estimated weight of the vehicles 1 and 2 derived from the passenger reservation information matches the weight information received from the vehicles 1 and 2, and whether the weight information received from the vehicles 1 and 2 is constant. It is determined whether there is a time change (step S204). If it is determined in step S204 that they match or have not changed for a certain period of time, the remote server 70 determines that the passenger's movement between the vehicles 1 and 2 is not recognized, and releases the connection to the vehicles 1 and 2. An instruction is transmitted (step S205). Vehicles 1 and 2 receive the disconnection instruction (steps S206 and S207). Then, for example, the vehicle 1 transmits a decoupling request to the vehicle 2 (step S208), and the vehicle 2 permits decoupling (step S209). After the confirmation by the in-vehicle camera, the vehicle 2 announces that the door will be closed, and then closes the door in the vehicle (step S210). In the vehicle 1, the vehicle inner door is similarly closed (step S211). Then, vehicle separation control is performed in vehicle 1 (step S212), vehicle separation control is performed in vehicle 2 by remote control in response to V2V communication from vehicle 1 (step S213), connection is released, and vehicle separation is performed. is completed (step S214). After that, a pairing end notification is transmitted from the vehicles 1 and 2 to the remote server 70 (steps S215 and S216), and the remote server 70 manages information indicating that the pairing of the vehicles 1 and 2 has been canceled (step S217). ).

Next, the effects of the vehicle control device 20 and the vehicle control system 100 according to this embodiment will be described.

The vehicle control device 20 according to the present embodiment obtains, from the remote server 70 via remote communication, an authentication key containing at least information indicating the current status of the communication-scheduled vehicle, which is a vehicle scheduled to communicate with the own vehicle. a first acquisition unit 21; a second acquisition unit 22 that acquires a pairing request signal containing at least information indicating the current status of the candidate vehicle from the candidate vehicle through inter-vehicle communication; and the candidate vehicle included in the pairing request signal. If the information indicating the current status of matches the information indicating the current status of the vehicle to be communicated contained in the authentication key, the candidate vehicle is determined to be the vehicle to be communicated with and performs pairing operation with the candidate vehicle. A ring operating unit 23 and an encrypted information transmitting/receiving unit 24 for performing vehicle-to-vehicle communication with the candidate vehicle regarding encrypted information based on the authentication key after the pairing operation.

In such a vehicle control device 20, an authentication key including at least information indicating the current status of the vehicle to be communicated with is acquired from the remote server, and a pairing request including at least information indicating the current status of the candidate vehicle is obtained. When the signal is acquired from the candidate vehicle and the information indicating the current situation matches each other, the candidate vehicle is assumed to be the communication-scheduled vehicle, and the pairing operation with the candidate vehicle is performed. In this way, the authentication key for determining whether to perform pairing is obtained from the remote server 70 separate from the vehicle control device, so that pairing is performed with the hacked or spoofed vehicle control device. can be properly prevented. For example, as shown in FIG. 10, assume that the authentication key from the remote server 70 has been sent to the vehicles 1 and 2. FIG. In this case, even if a malicious vehicle 3 approaches and tries to pair with the vehicles 1 and 2, the authentication key is issued only for the vehicles 1 and 2 managed as pairing targets in the remote server 70. has not been transmitted, the vehicle 3 cannot perform the pairing operation with the vehicles 1 and 2.

The information included in the authentication key is "information indicating the current status of the vehicle to be communicated with", and is unique each time, so that it is possible to determine whether pairing is to be performed using a one-time password. Therefore, the security regarding the pairing operation can be improved. By performing encryption based on the authentication key, which is a one-time password, highly secure inter-vehicle communication can be realized by clearly distinguishing from hacked or spoofed communication with the vehicle control device.

The first acquisition unit 21 acquires the current weight of the communication-scheduled vehicle as information indicating the current status of the communication-scheduled vehicle, and the second acquisition unit 22 acquires the candidate vehicle You may get the current weight of the . To appropriately determine whether or not a candidate vehicle is a communication-scheduled vehicle by using the "current weight of the vehicle", which is a unique value depending on the number of passengers to be transported and the status of luggage, as the current status of the vehicle. It is possible to appropriately prevent pairing with a hacked or spoofed vehicle control device.

The pairing operation unit 23 creates a common key with the candidate vehicle based on the information indicating the current status of the vehicle to be communicated with and the information indicating the current status of the own vehicle, and the encrypted information transmission/reception unit 24 Vehicle-to-vehicle communication may be performed with candidate vehicles using a common key. In this way, by creating a common key from the information indicating the current status of the vehicle to be communicated with and the information indicating the current status of the own vehicle, the two vehicle control devices performing the pairing operation can be properly connected. , can generate the same common key as each other. By making part of the data for creating the common key the information indicating the current status of the own vehicle, for example, the data obtained from the remote server 70 (information indicating the current status of the vehicle to be communicated with) can be intercepted. Even if it is, the information of the own vehicle is not on the communication, so it will not be intercepted, and the common key will not be guessed, so that the security in the inter-vehicle communication can be improved.

The vehicle control device 20 further includes a connection control unit 25 that controls connection during running with the candidate vehicle that is being paired, and the encrypted information transmission/reception unit 24 transmits information related to connection during running with the candidate vehicle. Transmission and reception may be performed by vehicle-to-vehicle communication, and the connection control unit 25 may control connection while driving with the candidate vehicle based on information related to connection during driving received by the encrypted information transmission/reception unit 24 . According to such a configuration, it is possible to appropriately prevent connection with a vehicle that is not paired (a hacked vehicle or a spoofed vehicle) while driving.

A vehicle control system 100 according to one aspect of the present invention is a vehicle control system that includes a remote server 70 and vehicle control devices 20 and 20 that control vehicles 1 and 2. The remote server 70 controls the vehicles 1 and 2. 2, and transmits an authentication key containing at least information indicating the current status of the paired vehicle to the vehicle control devices 20, 20, and one of the vehicle control devices 20 transmits a pairing request signal containing at least information indicating the current situation of one vehicle to the other vehicle control device 20, and the other vehicle control device 20 transmits the pairing request signal of the one vehicle included in the pairing request signal. When the information indicating the current situation matches the information indicating the current situation of the pairing partner vehicle contained in the authentication key, the pairing operation of the vehicles 1 and 2 is performed. According to the vehicle control system 100 according to one aspect of the present invention, security in inter-vehicle communication can be improved in the same manner as the vehicle control device 20 described above.

The vehicle control devices 20, 20 encrypt the information related to the connection while the vehicles 1, 2 are running, based on the authentication key, transmit and receive each other through inter-vehicle communication, and encrypt the information related to the connection while the vehicles 1, 2 are running. 2, and the remote server 70 may manage information indicating that the vehicles 1 and 2 are connected while driving. According to such a configuration, the remote server 70 can reliably connect the two paired vehicles 1 and 2 while they are running.

Vehicles 1 and 2 are commercial vehicles for transporting passengers. Vehicle controllers 20 and 20 transmit the weights of their own vehicles to remote server 70 at predetermined time intervals. are connected during running, based on the change in the weight of the vehicles 1 and 2, it is specified that the passenger movement between the vehicles 1 and 2 is completed, and when the passenger movement is completed, the vehicle control device 20, 20, and the vehicle control devices 20, 20 may release the coupling while the vehicles 1, 2 are running based on the coupling release instruction. If the train is connected while driving, the passengers will move, but the completion of passenger movement is determined based on the change in the weight of both vehicles, and when it is determined that it is completed, the train is disconnected while driving. , the connection can be smoothly released at an appropriate timing while the vehicle is running.

DESCRIPTION OF SYMBOLS 20... Vehicle control apparatus, 21... 1st acquisition part, 22... 2nd acquisition part, 23... Pairing operation|movement part, 24... Encrypted information transmission/reception part, 25... Connection control part, 70... Remote server, 100... Vehicle control system.

Claims (7)

a first obtaining unit that obtains, from a remote server via remote communication, an authentication key containing at least information indicating the current status of a communication-scheduled vehicle that is scheduled to communicate with the host vehicle;
a second acquiring unit that acquires a pairing request signal including at least information indicating the current status of the candidate vehicle from the candidate vehicle through inter-vehicle communication;
When the information indicating the current status of the candidate vehicle included in the pairing request signal matches the information indicating the current status of the communication-scheduled vehicle included in the authentication key, the candidate vehicle is the communication-scheduled vehicle. A pairing operation unit that performs a pairing operation with the candidate vehicle as a vehicle;
and an encrypted information transmitting/receiving unit that performs inter-vehicle communication with the candidate vehicle for encrypted information based on the authentication key after the pairing operation. The first acquisition unit acquires the current weight of the vehicle to be communicated as information indicating the current status of the vehicle to be communicated,
2. The vehicle control device according to claim 1, wherein said second acquisition unit acquires the current weight of said candidate vehicle as information indicating the current situation of said candidate vehicle. The pairing operation unit creates a common key for the candidate vehicle based on information indicating the current status of the communication-scheduled vehicle and information indicating the current status of the own vehicle,
3. The vehicle control device according to claim 1, wherein said encrypted information transmitting/receiving section performs inter-vehicle communication with said candidate vehicle using said common key. further comprising a connection control unit that controls connection while driving with the candidate vehicle that is being paired;
The encrypted information transmitting/receiving unit transmits/receives information related to connection during driving with the candidate vehicle by inter-vehicle communication,
The connection control unit according to any one of claims 1 to 3, wherein the connection control unit controls the connection while running with the candidate vehicle based on the information related to the connection while running received by the encrypted information transmission/reception unit. vehicle controller. A vehicle control system comprising a remote server, a first vehicle control device controlling a first vehicle, and a second vehicle control device controlling a second vehicle,
The remote server is
deciding to perform pairing with respect to the first vehicle and the second vehicle, and informing the first vehicle control device and the second vehicle control device of the current status of the pairing partner vehicle; Send an authentication key containing at least information indicating
The first vehicle control device includes:
transmitting a pairing request signal containing at least information indicating the current situation of the first vehicle to the second vehicle control device;
The second vehicle control device,
When the information indicating the current situation of the first vehicle included in the pairing request signal matches the information indicating the current situation of the pairing partner vehicle included in the authentication key, the second and the first vehicle. The first vehicle control device and the second vehicle control device are
The information related to the running connection between the first vehicle and the second vehicle is encrypted based on the authentication key and transmitted and received through inter-vehicle communication, and based on the information related to the running connection, the second vehicle is encrypted. connecting one vehicle and the second vehicle while driving;
The remote server is
6. The vehicle control system according to claim 5, which manages information indicating that said first vehicle and said second vehicle are connected while driving. the first vehicle and the second vehicle are commercial vehicles that transport passengers;
The first vehicle control device and the second vehicle control device transmit the weight of the own vehicle to the remote server at predetermined time intervals,
The remote server is
When the first vehicle and the second vehicle are connected while driving, the weight of the first vehicle and the second vehicle is determined based on a change in the weight of the first vehicle or the second vehicle. Identifying completion of passenger movement between vehicles, and transmitting a disconnection instruction to the first vehicle control device and the second vehicle control device when the passenger movement is completed;
7. The vehicle according to claim 6, wherein the first vehicle control device and the second vehicle control device release the coupling while the first vehicle and the second vehicle are running based on the coupling release instruction. control system.

Images