JP5664579B2 - COMMUNICATION SYSTEM, RELAY DEVICE, EXTERNAL DEVICE, AND COMMUNICATION METHOD - Google Patents

Description

  The present invention relates to a technique for performing communication between an external device and an in-vehicle device.

  In recent years, with the advancement of electronic control in vehicles, various vehicle components such as engines and brakes are controlled via electronic components, and the number of electronic control units (ECUs) connected to these electronic components is also increasing. It is in. For this reason, a network (in-vehicle LAN) is constructed by a plurality of ECUs, and cooperative operation and information sharing between the ECUs is realized.

  Further, the vehicle is provided with a connector for connecting an external tool (external device), and the vehicle condition can be diagnosed by connecting the external tool to the connector and communicating with the ECU. It has become. However, operations that can be performed using external tools include operations that should not be performed by persons other than authorized workers, such as setting and canceling security-related information and program rewriting (reprogramming). It is.

  Therefore, a technique has been proposed to prevent an unauthorized person from performing a specific operation by providing an external tool with an authentication function and requesting a password when performing a specific operation. (See Patent Document 1).

JP-A-9-250970

  However, since the authentication function described in Patent Document 1 is completed within the external tool, there is a problem that it cannot be handled when an unauthorized external tool is used. That is, since the connector itself provided in the vehicle is standardized, even if it is an unauthorized external tool, various operations can be performed if the connector standard is satisfied. For this reason, it is easy to connect an unauthorized external tool that does not have an authentication function to the connector and monitor the communication content on the network. Security-related information can be obtained from the communication content, and reprogramming is performed. There was a possibility of being.

  The present invention has been made in view of these problems, and an object of the present invention is to provide a technique for suppressing specific communication from being performed using an unauthorized outside device.

  The communication system of the present invention includes an on-vehicle device (60) for communicating with the on-vehicle device (30), and a relay device (10) mounted on the vehicle and relaying communication between the on-vehicle device and the on-vehicle device. And comprising.

  The vehicle exterior device includes input means (S205), generation means (S209), and transmission means (S210). The input means inputs mileage information displayed on the odometer (24) of the vehicle. The generation unit generates authentication information by performing a predetermined calculation based on the travel distance information input by the input unit. Then, the transmission means transmits the authentication information generated by the generation means to the relay device.

  On the other hand, the relay device includes an acquisition unit (S107), a reception unit (S112), and a restriction release unit (S115). The acquisition means acquires travel distance information from the device (20) that manages travel distance information. The receiving means receives the authentication information transmitted from the external device. When the restriction release unit determines that the authentication information received by the receiving unit is information generated by a predetermined calculation based on the travel distance information acquired by the acquiring unit, The restriction | limiting with respect to the specific communication performed between apparatuses is cancelled | released.

  According to such a communication system, the relay device cancels the restriction on the specific communication performed between the outside device and the in-vehicle device based on the authentication information transmitted from the outside device. It is possible to prevent specific communication from being performed using an unauthorized outside device. In particular, since the authentication information is generated by a predetermined calculation based on the travel distance information of the vehicle, the security can be enhanced as compared with the configuration in which the authentication information is generated based on the fixed information.

  In addition, the code | symbol in the parenthesis described in this column and a claim shows the correspondence with the specific means as described in embodiment mentioned later as one aspect, Comprising: The technical scope of this invention is shown. It is not limited.

It is a block diagram which shows the structure of a communication system. It is a flowchart of a relay process. It is a flowchart of a communication process.

Embodiments to which the present invention is applied will be described below with reference to the drawings.
[1. overall structure]
The communication system shown in FIG. 1 includes an in-vehicle system 1 mounted on a vehicle, and an external tool (external diagnostic device) 60 for communicating with an electronic control unit (ECU) constituting the in-vehicle system 1.

  The in-vehicle system 1 includes a gateway ECU (hereinafter referred to as “GW-ECU”) 10, a meter ECU 20, and a plurality of other ECUs having various functions as a plurality of ECUs installed (mounted) in each part inside the vehicle. ECU30. The GW-ECU 10, the meter ECU 20, and the other ECU 30 are connected to a bus 40, which is a shared communication line (multiplex communication line), to construct a network (in-vehicle LAN), and to the CAN (Controller Area Network) protocol via the bus 40. Follow the mutual communication.

  The GW-ECU 10 is installed on a communication path 41 that relays a data link connector (hereinafter simply referred to as “connector”) 50 for connecting an external tool 60 and a bus 40. That is, in the in-vehicle system 1, the GW-ECU 10 communicates directly with the external tool 60, and the ECU 30 communicates with the external tool 60 via the GW-ECU 10. In other words, the external tool 60 is not directly connected to the ECU 30, but is connected via the GW-ECU 10, and the GW-ECU 10 relays communication performed between the external tool 60 and the ECU 30. Function as.

  Specifically, the GW-ECU 10 includes a CPU 11, a flash memory 12, a LAN communication unit 13, and an external communication unit 14. The CPU 11 executes processing according to a program stored in the flash memory 12 or the like. Note that the in-vehicle system 1 according to the present embodiment is configured such that power is supplied to the GW-ECU 10 even when the ignition switch of the vehicle is off, and the CPU 11 can execute processing. Further, the CPU 11 is configured to be able to detect whether the ignition switch of the vehicle is on or off.

  The flash memory 12 is a nonvolatile storage device that can electrically rewrite stored contents. In the flash memory 12, an arithmetic expression used to generate a one-time password for authenticating the external tool 60 is stored as secret information.

  The LAN communication unit 13 is an interface for communicating with the meter ECU 20 and other ECUs 30 via the bus 40. The vehicle exterior communication unit 14 is an interface for communicating with the external tool 60 via the communication path 41 and the connector 50.

  The meter ECU 20 calculates and integrates the travel distance of the vehicle by counting and integrating pulse signals output from wheel speed sensors attached to the wheels of the vehicle. Then, the meter ECU 20 displays the accumulated travel distance, which is the accumulated travel distance, on an odometer display unit 24 arranged so that the user can visually recognize the interior of the vehicle. The odometer display unit 24 is an electronic display type display (for example, LCD), and the accumulated travel distance is not displayed when the ignition switch is off, and the accumulated travel distance is displayed when the ignition is on.

  Specifically, the meter ECU 20 includes a CPU 21, a flash memory 22, and a LAN communication unit 23. The CPU 21 executes processing according to a program stored in the flash memory 22 or the like. The flash memory 22 stores the latest (current) accumulated travel distance and is updated as the vehicle travels. The LAN communication unit 23 is an interface for communicating with the GW-ECU 10 and other ECUs 30 via the bus 40.

  Each ECU 30 includes a CPU 31, a flash memory 32, and a LAN communication unit 33. The CPU 31 executes processing according to a program stored in the flash memory 32 or the like. The flash memory 32 stores a program for causing the CPU 31 to execute processing for realizing various functions. The LAN communication unit 33 is an interface for communicating with the GW-ECU 10, the meter ECU 20, and other ECUs 30 via the bus 40.

  The external tool 60 is connected to the connector 50, diagnoses the vehicle state via the ECU 30 installed in the vehicle, reads out data, controls the control components by the functions of the ECU 30, and stores the program stored in the ECU 30. This is a device having a function of performing reprogramming or the like as the rewriting process.

  Specifically, the external tool 60 includes a control unit 61, a storage unit 62, a communication unit 63, and an operation unit 64. The control unit 61 includes a CPU, a ROM, a RAM, and the like, and executes various processes. In the storage unit 62, the same arithmetic expression as that stored in the GW-ECU 10 is stored as secret information. The communication unit 63 is an interface for communicating with the GW-ECU 10, the meter ECU 20, and other ECUs 30 via the connector 50. The operation unit 64 is a user interface that displays various types of information so that the user can visually recognize the information and inputs information by an external operation from the user. The external tool 60 may be configured using a general-purpose personal computer, a smartphone (multifunctional mobile phone), or the like.

[2. processing]
Next, processing (communication method) executed in the communication system of the present embodiment will be described. First, relay processing executed by the CPU 11 of the GW-ECU 10 will be described with reference to the flowchart of FIG. First, in S101, the CPU 11 determines whether or not the external tool 60 is connected to the connector 50. If the CPU 11 determines that the external tool 60 is connected (S101: YES), the process proceeds to S102. Whether or not the external tool 60 is connected to the connector 50 may be determined, for example, by providing a sensor or the like for detecting the connection to the connector 50, and the signal transmitted via the vehicle exterior communication unit 14 may be determined. You may determine based on transmission / reception.

  In S102, the CPU 11 determines whether or not the ignition switch of the vehicle is on. If it is determined that the vehicle is on (S102: YES), the process proceeds to S103. In S103, the CPU 11 determines whether or not a communication end notification (notification transmitted in S215 to be described later) has been received from the external tool 60, and determines that the notification has not been received. (S103: NO), the process proceeds to S104.

  In S104, the CPU 11 determines whether the communication requested by the external tool 60 is security communication. In this embodiment, the communication performed between the external tool 60 and the ECU 30 is classified in advance into normal communication and security communication according to the security level. For example, if an authentication code stored in the ECU 30 that performs immobilizer control is read or rewritten, the anti-theft function by the immobilizer may become invalid and the vehicle may be stolen. In this way, communication that requires high security (in other words, communication that is highly necessary to prevent unauthorized external tools from being used) is classified as security communication. On the other hand, communication that has no problem even with low security (in other words, communication that is less necessary to prevent unauthorized external tools from being used), such as normal diagnosis, is classified as normal communication.

  When determining that the communication requested by the external tool 60 is not security communication (normal communication) (S104: NO), the CPU 11 shifts the processing to S105. In step S <b> 105, the CPU 11 executes normal relay processing that relays normal communication performed between the external tool 60 and the ECU 30. The CPU 11 shifts the process to S101 after starting the normal relay process. That is, the processing of S101 to S105 is repeated while these determination results do not change, and normal relay processing (normal communication) is continued during that time.

  On the other hand, if the CPU 11 determines that the communication requested by the external tool 60 is security communication (S104: YES), the CPU 11 shifts the processing to S106. In step S <b> 106, the CPU 11 determines whether the restriction on security communication is released. At the start of the relay process in FIG. 2, security communication is restricted (prohibited), and the restriction is released in S115 described later.

  If the CPU 11 determines that the restriction of security communication has not been released (security communication is restricted) (S106: NO), the CPU 11 moves the process to S107 and displays the latest information displayed on the odometer display unit 24. (Current) accumulated travel distance is acquired from the meter ECU 20 via the bus 40.

  Subsequently, in S108, the CPU 11 determines whether or not the accumulated travel distance acquired this time is the same value as the accumulated travel distance acquired last time (the value stored in S116 described later). In addition, when the accumulated travel distance acquired last time is not stored, it is determined that it is not the same value as the previous time.

  If the CPU 11 determines that the accumulated travel distance acquired this time is not the same value as the previous time (S108: NO), the CPU 11 shifts the process to S109 and counts the number of times the same accumulated travel distance has been acquired (hereinafter referred to as “the accumulated travel distance”). The “count value C1” is reset to an initial value (for example, 1). On the other hand, when the CPU 11 determines that the accumulated travel distance acquired this time is the same value as the previous time (S108: YES), the CPU 11 shifts the processing to S110 and counts up the count value C1 (adds 1).

  Subsequently, in S111, the CPU 11 generates a one-time password by performing a calculation according to the calculation formula stored in the flash memory 12 using the latest accumulated travel distance and the count value C1 as parameters.

  Subsequently, in S <b> 112, the CPU 11 requests the external tool 60 to transmit a one-time password, and receives the one-time password from the external tool 60. As described above, in the regular external tool 60, the same arithmetic expression as that stored in the GW-ECU 10 is stored as secret information. As will be described later, in the external tool 60, a one-time password (the same one-time password as that generated by the GW-ECU 10) is generated using the latest accumulated travel distance displayed on the odometer display unit 24, It is transmitted to the GW-ECU 10.

  Subsequently, in S113, the CPU 11 collates the one-time password received from the external tool 60 with the one-time password generated in S111. In step S <b> 114, the CPU 11 determines whether or not the one-time passwords are matched by the verification, and transmits the verification result to the external tool 60. Specifically, if the CPU 11 determines that the one-time passwords do not match (S114: NO), the CPU 11 shifts the processing to S101 without releasing the restriction of the security communication. That is, when the external tool 60 is an unauthorized (non-regular) external tool that does not store an arithmetic expression, security communication cannot be performed. Note that even when the one-time password cannot be received from the external tool 60, it is determined that the one-time password does not match.

  On the other hand, if the CPU 11 determines that the one-time passwords match as a result of the collation (S114: YES), the CPU 11 shifts the process to S115 and cancels the restriction of the security communication. Subsequently, the CPU 11 stores the accumulated travel distance acquired this time in the flash memory 12 in S116. Thereafter, the CPU 11 shifts the process to S101.

  In S106 after the restriction of the security communication is released, the CPU 11 determines that the restriction of the security communication is released (S106: YES), and shifts the process to S117. In S117, the CPU 11 determines whether or not the elapsed time after the restriction of security communication is released is within the time limit (for example, within 10 minutes), and if it is determined that it is within the time limit (S117). : YES), the process proceeds to S118. In step S <b> 118, the CPU 11 executes specific relay processing for relaying security communication performed between the external tool 60 and the ECU 30. The CPU 11 shifts the process to S101 after starting the specific relay process. That is, the processes of S101 to S104, S106, S117, and S118 are repeated while these determination results do not change, and the specific relay process (security communication) is continued during that period.

  When the CPU 11 determines in S102 that the ignition switch of the vehicle is not turned on (S102: NO), or when it is determined in S103 that a notification that the communication has been completed is received from the external tool 60 (S103). : YES), the process proceeds to S119. In addition, when the CPU 11 determines that the elapsed time after the restriction of the security communication is released in S117 is not within the time limit (exceeds the time limit) (S117: NO), the CPU 11 shifts the process to S119.

  In S119, the CPU 11 performs a process of restricting security communication. Specifically, when security communication is restricted, the restriction is maintained, and when the restriction of security communication is released, the release is reset and returned to the restricted state. Thereafter, the CPU 11 shifts the process to S101. If normal relay processing (normal communication) or specific relay processing (security communication) is continued, the process ends at this stage.

  Next, communication processing executed by the control unit 61 of the external tool 60 when the external tool 60 is connected to the connector 50 will be described with reference to the flowchart of FIG. First, in S201, the control unit 61 determines whether to perform security communication with the ECU 30 (whether to perform normal communication). Note that what operation is performed using the external tool 60 is determined by the user (operator) of the external tool 60. In S201, the user is to perform the operation based on the user's operation and setting contents. It is determined whether the operation to be classified into security communication or normal communication.

  When it is determined that security communication is not performed (normal communication is performed) (S201: NO), the control unit 61 shifts the process to S202, and performs normal communication with the ECU 30 via the GW-ECU 10. When the normal communication ends, the control unit 61 shifts the process to S215 and transmits a notification that the communication is ended to the GW-ECU 10. Then, the communication process in FIG. 3 ends.

  On the other hand, when it is determined that the security communication is performed with the ECU 30 (S201: YES), the control unit 61 shifts the process to S203 and determines whether or not the restriction of the security communication is released.

  When it is determined that the restriction of security communication has not been released (security communication is restricted) (S203: NO), the control unit 61 shifts the process to S204, and the one-time password from the GW-ECU 10 The request to send is received.

  Subsequently, the control unit 61 inputs the latest accumulated traveling distance displayed on the odometer display unit 24 in S205. Specifically, the user of the external tool 60 is prompted to input the accumulated travel distance by displaying a message or the like. The user confirms the latest accumulated travel distance displayed on the odometer display unit 24 with the ignition turned on, and inputs it to the external tool 60.

  Subsequently, in S206, the control unit 61 determines whether or not the cumulative travel distance input this time is the same value as the cumulative travel distance input last time (the value stored in S212 described later). In addition, when the integrated travel distance input last time is not stored, it is determined that the value is not the same as the previous value.

  If the controller 61 determines that the cumulative travel distance input this time is not the same value as the previous time (S206: NO), the process proceeds to S207, and the number of times the same cumulative travel distance is acquired is counted. A value (hereinafter referred to as “number value C2”) is reset to an initial value (for example, 1). On the other hand, if the controller 61 determines that the cumulative travel distance input this time is the same value as the previous time (S206: YES), the control unit 61 proceeds to S208 and counts up the count value C2 (add 1). )

  Subsequently, in step S209, the control unit 61 generates a one-time password by performing a calculation according to the calculation formula stored in the storage unit 62 using the latest accumulated travel distance and the count value C2 as parameters.

  Subsequently, in S210, the control unit 61 transmits the generated password to the GW-ECU 10, requests verification, and receives the verification result. If the received verification result is that the one-time passwords do not match (S211: NO), the control unit 61 shifts the process to S215, and notifies the GW-ECU 10 that the communication has ended. Send. Then, the communication process in FIG. 3 ends.

  On the other hand, if the received collation result is that the one-time passwords match (S211: YES), the control unit 61 shifts the process to S212, and stores the total travel distance input this time in the storage unit 62. Remember. Subsequently, the control unit 61 performs security communication with the ECU 30 via the GW-ECU 10 in S213. When the security communication ends, the control unit 61 shifts the process to S215 and transmits a notification that the communication is ended to the GW-ECU 10. Then, the communication process in FIG. 3 ends.

  If the control unit 61 determines in S203 described above that the restriction on security communication has been released (S203: YES), the control unit 61 shifts the process to S214, and performs security communication with the ECU 30 via the GW-ECU 10. I do. When the security communication ends, the control unit 61 shifts the process to S215 and transmits a notification that the communication is ended to the GW-ECU 10. Then, the communication process in FIG. 3 ends.

[3. effect]
As described above, in the communication system according to the present embodiment, the GW-ECU 10 cancels the restriction on the security communication performed between the external tool 60 and the ECU 30 based on the one-time password transmitted from the external tool 60. To do. Usually, in order to generate a one-time password, common key information is required. However, in this embodiment, an integrated travel distance (information that is unique to the vehicle and can be confirmed from the outside by the user) Odometer information) is used as key information. Specifically, a one-time password is generated by performing a calculation according to a predetermined calculation formula based on the accumulated travel distance. Since the value of the accumulated travel distance is updated (increases) as the vehicle travels, security can be improved compared to the case where a one-time password is generated based on fixed information. In particular, since the accumulated travel distance increases monotonously and does not take the same value as the past, authentication using passwords generated in the past can be prevented.

  Although it is possible to generate a one-time password using the time, since both the GW-ECU 10 and the external tool 60 basically hold the time using a battery, the correct time is generated when the one-time password is generated. It may not be retained. On the other hand, since the cumulative travel distance is not updated when the vehicle is stopped, it is possible to make it difficult for information to be shared between the GW-ECU 10 and the external tool 60 to be shifted.

  Therefore, according to the communication system of the present embodiment, it is possible to prevent security communication from being performed using an unauthorized external tool. As a result, for example, an illegal act of invalidating a theft prevention function by the immobilizer can be suppressed by an unauthorized access to the ECU that performs immobilizer control.

  The odometer display unit 24 displays the accumulated travel distance in a state where the ignition switch of the vehicle is on. For this reason, in order to generate a one-time password by the external tool 60, it is necessary to check the integrated travel distance displayed on the odometer display unit 24 with the ignition switch turned on. Therefore, it is possible to suppress the use of the external tool 60 by an unauthorized user as compared with the configuration in which the accumulated travel distance is displayed even when the ignition switch is off.

  In addition, since the one-time password is generated based on the accumulated travel distance and the number of times, the value can be varied every time even when communication is performed a plurality of times while the accumulated travel distance is the same value. In particular, since the number value indicating the number of times the one-time password has been generated based on the same accumulated travel distance is used, the same number value can be shared without communication between the GW-ECU 10 and the external tool 60.

  Further, the GW-ECU 10 (CPU 11) restricts the security communication when it is determined that a predetermined termination condition is satisfied after releasing the restriction on the security communication. For this reason, after the legitimate external tool 60 is used, it is possible to prevent the security communication by an unauthorized external tool from being performed in a state where the restriction on the security communication is released.

  In particular, the condition for terminating security communication includes a condition for limiting the executable time of security communication. For this reason, it is possible to return to a state in which security communication is restricted even in a situation where an end notification to be transmitted from the external tool 60 (notification that communication has ended) cannot be received for some reason.

  In addition, the security communication end condition includes a condition for restricting the security communication when the ignition switch of the vehicle is off. That is, turning on the ignition switch is one condition for releasing the restriction of security communication. For this reason, compared with the structure which cancels | regulates the restriction | limiting of security communication irrespective of the state of an ignition switch, security can be made high.

  The security communication end condition includes a condition for restricting the security communication after the external tool 60 is notified of the end of the security communication. For this reason, when the communication to be performed by the external tool 60 is completed, it is possible to immediately return to the state where the security communication is restricted.

  In the communication system according to the present embodiment, communication performed between the external tool 60 and the ECU 30 is broadly classified into normal communication and security communication, and the normal communication can be performed without releasing the communication restriction. I can do it. For this reason, compared with the structure which must cancel | release the restriction | limiting of communication about all the communication, time until communication without a problem with low security can be shortened.

  In the present embodiment, the GW-ECU 10 corresponds to an example of a relay device, S107 corresponds to an example of a process (acquisition step) as an acquisition unit, S112 corresponds to an example of a process as a reception unit, and S115 Corresponds to an example of a process (regulation release step) as a restriction release means, and S119 corresponds to an example of a process as a restriction means. The external tool 60 corresponds to an example of an external device, S205 corresponds to an example of processing (input step) as an input unit, S209 corresponds to an example of processing (generation step) as a generation unit, and S210 This corresponds to an example of processing (transmission step) as transmission means. The meter ECU 20 corresponds to an example of a device that manages travel distance information, the odometer display unit 24 corresponds to an example of a travel distance meter, and the integrated travel distance corresponds to an example of travel distance information. Also, the one-time password corresponds to an example of authentication information, the calculation according to the calculation formula corresponds to an example of a predetermined calculation, the count value corresponds to an example of additional information, and the security communication is a specific communication. It corresponds to an example. The ECU 30 corresponds to an example of an in-vehicle device.

[4. Other Embodiments]
As mentioned above, although embodiment of this invention was described, it cannot be overemphasized that this invention can take a various form, without being limited to the said embodiment.

  In the above-described embodiment, the one-time password is generated by both the GW-ECU 10 and the external tool 60, and the GW-ECU 10 determines whether or not they match, but the present invention is not limited to this. . For example, the GW-ECU 10 calculates the total travel distance (and the number of times) by performing a calculation opposite to the calculation formula used in the external tool 60 for the one-time password generated by the external tool 60. It may be determined whether the calculated value is correct.

  DESCRIPTION OF SYMBOLS 1 ... In-vehicle system, 10 ... GW-ECU, 11 ... CPU, 20 ... Meter ECU, 24 ... Odometer display part, 30 ... ECU, 40 ... Bus, 50 ... Connector, 60 ... External tool, 61 ... Control part

Claims (11)

An external device (60) for communicating with the in-vehicle device (30);
A relay device (10) that is mounted on a vehicle and relays communication performed between the external device and the in-vehicle device;
With
The outside device is
Input means (S205) for inputting mileage information displayed on the odometer (24) of the vehicle;
Generation means (S209) for generating authentication information by performing a predetermined calculation based on the travel distance information input by the input means;
Transmission means (S210) for transmitting the authentication information generated by the generation means to the relay device,
The relay device is
Acquisition means (S107) for acquiring the travel distance information from the device (20) for managing the travel distance information;
Receiving means (S112) for receiving the authentication information transmitted from the vehicle exterior device;
When it is determined that the authentication information received by the receiving unit is information generated by the calculation based on the travel distance information acquired by the acquiring unit, between the outside device and the in-vehicle device. And a restriction releasing means (S115) for releasing restriction on specific communication performed in step (S115). The communication system according to claim 1,
The said odometer displays the said mileage information in the state in which the ignition switch of a vehicle is ON. The communication system characterized by the above-mentioned. The communication system according to claim 1 or 2,
The generation unit generates the authentication information by performing the calculation based on the travel distance information and additional information that may be different even if the travel distance information is the same. A communication system according to claim 3,
The communication system, wherein the additional information is information indicating the number of times the authentication information is generated based on the same travel distance information. The communication system according to any one of claims 1 to 4, wherein
The relay device further includes a restriction unit (S119) that restricts the specific communication when it is determined that a predetermined termination condition is satisfied after the restriction on the specific communication is released by the restriction release unit. A communication system characterized by the above. The communication system according to claim 5, wherein
The termination condition includes a condition for limiting an executable time of the specific communication. The communication system according to claim 5 or 6,
The communication system according to claim 1, wherein the termination condition includes a condition for restricting the specific communication when the ignition switch of the vehicle is in an off state. The communication system according to any one of claims 5 to 7,
The end condition includes a condition for restricting the specific communication after the end of the specific communication is notified from the external device. A relay device that is mounted on a vehicle and relays communication performed between an external device and an in-vehicle device,
An acquisition means for acquiring the travel distance information from a device that manages travel distance information displayed on the odometer of the vehicle;
Receiving means for receiving authentication information from the vehicle exterior device;
When it is determined that the authentication information received by the receiving unit is information generated by performing a predetermined calculation based on the travel distance information acquired by the acquiring unit, the external device And a restriction release means for releasing restriction on specific communication performed between the vehicle-mounted device and the vehicle-mounted device,
A relay device comprising: An external device for communicating with an in-vehicle device via a relay device mounted on a vehicle,
Input means for inputting mileage information displayed on the odometer of the vehicle;
Generating means for generating authentication information by performing a predetermined calculation based on the travel distance information input by the input means;
Transmitting means for transmitting the authentication information generated by the generating means to the relay device;
A vehicle exterior device comprising: An external device for communicating with the in-vehicle device;
A relay device that is mounted on a vehicle and relays communication performed between the external device and the in-vehicle device;
A communication method between
An input step (S205) in which the outside device inputs mileage information displayed on the odometer of the vehicle;
A generation step (S209) in which the vehicle exterior device generates authentication information by performing a predetermined calculation based on the travel distance information input in the input step;
A transmission step (S210) in which the outside device transmits the authentication information generated in the generation step to the relay device;
An acquisition step (S107) in which the relay device acquires the travel distance information from a device that manages the travel distance information;
When the relay device determines that the authentication information received from the outside device is information generated by the calculation based on the travel distance information obtained in the obtaining step, the outside device and the in-vehicle device A deregulation step (S115) for deregulating a specific communication performed between
A communication method comprising:

Images