JP5678907B2 - Relay system, external device - Google Patents

Description

  The present invention relates to a relay system including a relay device for connecting an external device to a communication network formed by connecting a plurality of in-vehicle devices to the same communication path.

  2. Description of the Related Art Conventionally, when diagnosing an electronic control unit (Electronic Control Unit; hereinafter also referred to as an ECU) that is an in-vehicle device, an external device such as a failure diagnosis device prepared in a repair shop or the like is used. This type of failure diagnosis device is usually wired to a connector provided on a vehicle that has been stored in a repair shop or the like, so that the failure diagnosis device can communicate with the ECU via the in-vehicle network, and the repair person is in trouble. By directly operating the diagnostic device, various information is acquired from the ECU or data in the ECU is updated.

  Patent Document 1 discloses a technique for preventing an unqualified operator from inadvertently performing an item related to a specific work requiring security by providing an authentication function for a repair person in this type of failure diagnosis apparatus. Is disclosed.

JP-A-9-250970

  However, in the prior art as disclosed in Patent Document 1, it is only considered to ensure security by an authentication function provided on the failure diagnosis apparatus side, in order to prevent unauthorized access to the ECU. The vehicle's security measures are not considered. Therefore, an external device intended for unauthorized access to the ECU is connected to the connector on the vehicle side, and this external device can communicate with the ECU via the in-vehicle network, so that important work related to security is performed illegally. There is a fear.

  For example, an unauthorized access to an ECU that controls immobilizer to prevent vehicle theft by an external device, leading to unauthorized use or theft of the vehicle, such as when an authentication code is read or rewritten with another authentication code There was a problem that important information was illegally obtained or falsified.

  In order to solve the above problems, an object of the present invention is to provide a technique for preventing an unauthorized device from accessing an in-vehicle device by an external device connected to the in-vehicle network.

  In the relay system according to claim 1, an external device that performs a predetermined operation by performing data communication with an in-vehicle device for an in-vehicle network formed by connecting a plurality of in-vehicle devices to the same communication path. Are connected via a relay device constituting the in-vehicle network.

  Also, the relay system is used by connecting to an external device, and a key detection device that reads the identification code from a key device that stores an identification code associated with a vehicle equipped with an in-vehicle network, and authentication of the key detection device An authentication device is provided.

  Then, the external device authenticates the key detection device using the authentication device, and when the authentication of the device is successful, the external device requests the relay device to authenticate the worker using the identification code acquired through the key detection device. If the worker is successfully authenticated, the specific work requiring security is permitted.

On the other hand, when the relay device confirms that the identification code requested for authentication from the external device is a registered regular one, the relay device permits security communication related to the execution of the specific work.
In the relay system of the present invention configured as described above, only a regular worker who uses a regular key detection device and possesses a regular key device can perform a specific work using security communication. Therefore, it is possible to prevent the specific work from being performed illegally by an unauthorized worker who is not authorized to perform the specific work by an unauthorized device that is not a genuine product.

  The external device according to claim 2 connects a first interface means used for connection to the in-vehicle network and a key detection device that reads the identification code from a key device that stores the identification code associated with the vehicle. Second interface means is provided.

  Then, the device authentication means uses the key detection device connected to the second interface means as the target device, and authenticates the target device. If the device authentication means succeeds in authenticating the target device, the worker authentication requesting means uses the in-vehicle network connected to the first interface means as the target system and the identification code acquired via the target device as the target code. Requests the target system to authenticate the worker. When it is confirmed by the response from the target system to the request of the worker authentication request means that the worker has been successfully authenticated, the specific work permission means permits the execution of the specific work requiring security.

The thus configured external device of the present invention can be suitably used as an external device constituting the relay system according to claim 1.
In the external device according to the present invention, the device authentication means, for example, as described in claim 3, stores a database in which registration information including at least information for identifying the key detection device is registered for each key detection device. An authentication server that performs authentication is used as an authentication device, and the authentication result is obtained from the authentication server by providing the authentication device with target device information that is information related to the target device and collating it with registration information. May be.

  Further, according to the external device of the present invention, as described in claim 4, the position acquisition means uses the current position of the own device (that is, the place where the work using the external device is performed, and thus the key detection device is used. It may be configured to acquire position information indicating (location) and include the position information in the target device information. However, it is assumed that the registration information of the database used by the authentication server includes location information about a place where the use of the key detection device is permitted.

  In this case, even if a key detection device that is stolen etc. is used illegally, if it is used outside a regular work place registered in the database, security communication is not permitted. It is possible to prevent specific work from being performed.

  In addition, the position acquisition means, when a function (hereinafter referred to as “GPS function”) for acquiring position information or the like using GPS (Global Positioning System) is mounted on the external device or the key detection device, this GPS function However, as described in claim 5, it may be configured to acquire position information from the target system.

That is, the configuration of the external device and the key detection device can be simplified by using the GPS function mounted on the vehicle via the in-vehicle network .

It is a block diagram which shows the whole structure of the relay system of 1st Embodiment. It is a flowchart which shows the content of the security cancellation | release process which a failure diagnosis tester performs. It is a flowchart which shows the detail of a key detection authentication process. It is a flowchart which shows the processing content of a gateway side process. It is a sequence diagram which shows the procedure of communication at the time of implementing the specific operation | work which utilizes security communication by a failure diagnosis tester. It is a block diagram which shows the whole structure of the relay system of 2nd Embodiment. It is a flowchart which shows the processing content of a gateway side process.

Embodiments of the present invention will be described below with reference to the drawings.
[First Embodiment]
A first embodiment will be described.

<Overall configuration>
As shown in FIG. 1, the relay system 1 to which the present invention is applied includes an in-vehicle network 10 mounted on a vehicle, an external device 20 that is used by being connected to the in-vehicle network 10, and performs a predetermined operation, The key detection device 30 used for connecting to the device 20 and reading the identification code (hereinafter referred to as “key ID code”) stored in the immobilizer key 40 and the external device 20 are connected via a public communication network such as the Internet. And a vehicle manufacturer server 50 as an authentication device for authenticating the key detection device 30.

<In-vehicle network>
The in-vehicle network 10 connects a plurality of electronic control units (ECUs) 11 that are in-vehicle devices installed in each part of the vehicle, a backbone bus 12 that is a communication path that connects the ECUs 11, and an external device 20. A vehicle-side connector 13 and a gateway ECU 14 that is a relay device provided on a communication path from the vehicle-side connector 13 to the trunk bus 12 are provided.

  In the ECU 11, as an immobilizer that collates a key ID code read from the immobilizer key 40 with an identification code registered in the vehicle (hereinafter referred to as “registered key ID code”) and starts the engine when they match. There are at least those having the function (hereinafter referred to as “immobilizer ECU 11a”) and those having the GPS function (hereinafter referred to as “navigator ECU 11b”).

  The gateway ECU 14 includes a tool-side communication unit 141 that performs communication with the external device 20 connected to the vehicle-side connector 13, a bus-side communication unit 142 that performs communication with the ECU 11 via the backbone bus 12, and a tool-side And a relay control unit 143 that executes a process of relaying communication frames transmitted and received via the communication unit 141 and the bus side communication unit 142 to each other.

The tool side communication unit 141 and the bus side communication unit 142 are both well-known ones configured by a CAN transceiver, a CAN controller, or the like.
The relay control unit 143 includes a known microcomputer including a CPU, a ROM, a RAM, and the like, and is configured to execute at least gateway side processing described later.

  Note that the communication frame used in the in-vehicle network 10 includes a designated frame used when performing a specific work permitted only by a predetermined regular worker via the external device 20, and an arbitrary worker. There is a normal frame that is used when carrying out the normal work (work other than the specific work) that is permitted to the user. However, the designated frame and the normal frame are distinguished by identification data given to the communication frame in order to identify the type of data mounted on the communication frame. Specific operations include, for example, release / registration of immobil key, rewriting (replogging) of an ECU program, initialization of a learning value acquired by various controls, registration of a smart key, and the like.

Hereinafter, communication performed in the designated frame is also referred to as security communication, and communication performed in the normal frame is also referred to as normal communication.
<Vehicle manufacturer server>
The vehicle manufacturer server 50 has a database in which information related to the authorized key detection device 30 recognized by the manufacturer of the vehicle on which the vehicle-mounted network 10 is mounted, and is provided from the external device 20 via a public communication network or the like (hereinafter referred to as the information). The key detection device 30 specified by the target device information is authenticated by comparing the “target device information” with information registered in the database (hereinafter referred to as “registered information”).

  The registration information includes an identification code given to the key detection device 30 (hereinafter referred to as “device ID code”), location information of a place where the use of the key detection device 30 is permitted, and an expiration date of the key detection device 30. At least deadline information is included.

  That is, the vehicle manufacturer server 50 confirms that the registration information that matches the device ID code and the position information indicated in the target device information exists and is within the expiration date by the valid information associated with the registration information. If the authentication is successful, the authentication result indicating that the authentication has been successful is returned. Otherwise, the authentication result indicating that the authentication has failed is returned.

<Key detection device>
The key detection device 30 reads an identification code (hereinafter referred to as “key ID code”) from the immobilizer key 40 and provides it to the external device 20, and in response to a request from the external device 20, a device ID code given to itself is provided. Is configured to provide.

<External device>
The external device 20 includes a tool-side connector 21 connected to the vehicle-side connector 13 of the in-vehicle network 10 and a vehicle communication unit 22 that performs communication with the ECU 11 and the gateway ECU 14 that configure the in-vehicle network 10 via the tool-side connector 21. A network communication unit 23 that performs communication with the vehicle manufacturer server 50 via a public communication network, a key detection device IF unit 24 for connecting the key detection device 30, and an operator of the external device 20 In accordance with various commands input from the input / output unit 25 and the input / output unit 25 for presenting information acquired through the vehicle communication unit 22 or the network communication unit 23 to the operator. A process control unit 26 for executing processes for performing various operations (normal work, specific work) using the communication of It is provided.

  The vehicle communication unit 22 is configured in the same manner as the tool-side communication unit 141 and the bus-side communication unit 142 of the gateway ECU 14, and the network communication unit 23 is configured by a transceiver, a controller, or the like that implements TCP / IP. It is well known.

  The processing control unit 26 includes a well-known microcomputer including a CPU, a ROM, a RAM, and the like. When performing the work, a security release process is executed to release the security and enable communication using the specified frame (security communication).

<Security release processing>
Here, the contents of the security release process executed by the CPU of the process control unit 26 will be described with reference to the flowcharts shown in FIGS.

  In this process, when the tool-side connector 21 is connected to the vehicle-side connector 13 and the key detection device 30 is connected to the key detection device IF unit 24, the specific operation is requested through the input / output unit 25. Starts when a command is input.

When this processing is started, first, device authentication processing for authenticating the key detection device 30 connected to the key detection device IF unit 24 is executed (S110).
In this device authentication process, as shown in FIG. 3, first, a device ID code is acquired from the key detection device 30 (S210), and then position information of the current position is acquired (S220). Here, it acquires by requesting information to the navigation ECU 11b by normal communication via the vehicle communication unit 22.

  Next, the target device information including the device ID code acquired in S210 and the current position information acquired in S220 is transmitted to the vehicle manufacturer server 50 via the network communication unit 23, so that the device ID code is used. Authentication of the identified key detection device 30 is requested (S230). Then, it waits until the response of an authentication result is received from the vehicle maker server 50 (S240), and will complete | finish this process, if a response is received.

  Returning to FIG. 2, it is determined whether or not the authentication is successful based on the response from the vehicle manufacturer server 50 obtained by the processing in S110 (S120). If the authentication is successful, the key detecting device 30 immobilizes the key. It waits until 40 key ID codes are acquired (S130). When the key ID code is acquired, the authentication of the worker is requested by transmitting the acquired key ID code to the in-vehicle network 10 (gateway ECU 14) via the vehicle communication unit 22 (S140). Then, it waits until the response from the vehicle-mounted network 10 is received, and it is judged from the content of the received response whether the operator was successfully authenticated (S150).

  If the worker authentication is successful, a notification that the execution of the specific work (that is, security communication) is permitted is made via the input / output unit 25 (S160), and the process waits until a preset end condition is satisfied. (S170). The end conditions include end of specific work, input of an end instruction from the input / output unit 25, reception of end notification from the in-vehicle network 10, elapse of a predetermined time, etc. Even if one of these is adopted You may employ | adopt two or more.

  When the termination condition is satisfied, a notification to the effect that the security communication is terminated is sent to the in-vehicle network 10 (however, it can be omitted when the end notification is received from the in-vehicle network 10) (S180), and this processing is terminated. .

  On the other hand, if the device authentication fails in the previous S120, or if the worker authentication fails in the previous S150, a notification that the execution of the specific work (security communication) is not permitted via the input / output unit 25 (S190) and the process is terminated.

  That is, when the authentication of the key detection device 30 connected to the external device 20 is successful, and the operator is successfully authenticated based on the key ID code read from the immobil key 40 detected by the key detection device 30, the external device 20 is in a state where the execution of the specific work using the security communication is permitted.

<Gateway processing>
Next, the contents of the gateway-side processing executed by the CPU constituting the relay control unit 143 of the gateway ECU 14 will be described with reference to the flowchart shown in FIG. This process starts when the ignition switch is turned on and continues to operate until it is turned off.

When this process starts, first, the security state is initialized to a state where security communication is prohibited (security setting state) (S310).
Then, it is determined whether or not the security state is a state where security communication is permitted but the state (security release state) (S320). If the security state is the security release state, a termination condition for terminating the security communication is satisfied. It is determined whether or not there is (S330).

  If the end condition is satisfied, the security state is set to the security setting state, and an end notification for notifying the end of the security communication is transmitted to the external device 20 (S340), and the process proceeds to the next step. On the other hand, if it is determined in S320 that the security state is not the security release state, or if it is determined in S330 that the termination condition is not satisfied, the process proceeds to the next step without executing S340.

  In the next step, it is determined whether the communication frame is received by either the tool side communication unit 141 or the bus side communication unit 142 (S350). If no communication frame has been received, the process returns to S320 to receive the communication frame. If so, it is determined whether the received communication frame is a designated frame used in security communication (S360).

  If the received communication frame is a designated frame, it is determined whether or not the security state is a security release state (S370). If the security frame is a security release state, the received designated frame is relayed (S380), If it is not in the security release state, the received designated frame is discarded (S390), and both return to S320.

  If it is determined that the communication frame received in the previous S360 is not a designated frame, that is, if the received communication frame is a normal frame, the normal frame is used for operator authentication (key ID code verification). It is determined whether or not it is a request (S400), and if the normal frame does not require worker authentication, the received normal frame is relayed (S410), and the process returns to S320.

  On the other hand, when it is determined that the normal frame received in S400 is a request for worker authentication, the immobilizer ECU 11a is requested to collate the key ID code indicated in the received normal frame (S420). Based on the response obtained from the immobilizer ECU 11a, it is determined whether or not the key ID code (verification target code) received from the external device 20 matches the key ID code (registration code) registered in the vehicle (S430). .

  If it is determined that the verification target code matches the registration code, the security state is set to the security release state (S440), and the process proceeds to the next step. On the other hand, the verification target code does not match the registration code. If it is determined that there is, the process proceeds to the next step without executing S440, that is, while maintaining the security state in the security setting state.

  In the next step, according to the determination result in S430, a notification of worker authentication result indicating to the external device 20 that the worker authentication has succeeded in the case of coincidence, and that the authentication of the worker has failed in the case of disagreement is performed. (S450), and returns to S320.

<Operation>
A procedure of communication performed between each device constituting the relay system 1 when performing a specific work using the external device 20 will be described with reference to a sequence diagram shown in FIG. However, the tool-side connector 21 is connected to the vehicle-side connector 13, and the key detection device 30 is connected to the key detection device IF unit 24.

  When a command to execute specific work (use security communication) is input in the external device 20, the external device 20 requests a device ID code from the key detection device 30. In response to this, the external device 20 returns a device ID code.

  Next, the external device 20 transmits a communication frame (normal frame) for requesting position information to the navigation ECU 11b. In response to this, the navigation ECU 11b returns a communication frame (normal frame) indicating the current position of the vehicle to the external device 20.

  Further, the external device 20 uses the device ID code acquired from the key detection device 30 and the position information acquired from the navigation ECU 11b as target device information to authenticate the key detection device 30 specified by the device ID code. To request. In response to this, the vehicle manufacturer server 50 returns an authentication result to the external device 20.

  When the authentication result confirms that the device has been successfully authenticated, the external device 20 requests the key detection device 30 for a key ID code. Then, the key detection device 30 waits until the immobilizer key 40 is detected, and returns the key ID code read from the detected immobilizer key 40 to the external device 20.

  Then, the external device 20 transmits to the gateway ECU 14 a communication frame (normal frame) requesting authentication of the worker (owner of the immobil key) specified by the key ID code acquired from the key detection device 30. In response to this, the gateway ECU 14 requests the immobilizer ECU 11a to verify the key ID code, and returns the verification result (worker authentication result) to the external device 20. At this time, if the collation result is identical (successful authentication), the security state is set to the security release state so that security communication is possible.

The external device 20 that has received the collation result informs the result of the worker authentication, and if the worker authentication is successful, the external device 20 permits the specific work using the security communication.
<Effect>
As described above, in the relay system 1, the external device 20 authenticates the key detection device 30 using the vehicle manufacturer server 50, and when the device authentication is successful, the external device 20 obtains from the immobil key 40 via the key detection device 30. Only when the gateway ECU 14 is requested to authenticate the worker using the key ID code and the worker is also successfully authenticated, the specific work using the security communication can be performed.

  As described above, according to the relay system 1, only the authorized worker who uses the authorized key detection device 30 registered in the vehicle manufacturer server 50 and has the authorized immobil key 40 registered in the vehicle is used. Since the execution of the specific work is permitted, the unauthorized key detection device 30 that is not a genuine product is used, or the specific work is illegally performed by an unauthorized worker who is not authorized to perform the specific work. can do.

  In the relay system 1, the registration information registered in the database of the vehicle manufacturer server 50 includes position information about a place where the use of the key detection device 30 is permitted in addition to the device ID code. When the device is authenticated, it is also collated with position information indicating the current position provided from the key detection device 30.

  Therefore, according to the relay system 1, even if a legitimate key detection device 30 that has been stolen or the like is illegally used, security communication is not permitted except in a regular work place registered in the database. The work can be prevented from being performed.

  Furthermore, since the registration information includes information about the expiration date, even if a specific operation may be performed illegally, the expiration date will pass unless the registration information is updated. Thus, it is possible to reliably prevent unauthorized execution of specific work.

<Modification>
In the present embodiment, an example in which the gateway ECU 14 dedicated to the relay function is provided has been described, but an existing ECU having the relay function may be used as the gateway ECU 14.

  In the present embodiment, the device ID code and the current position information are used as the target device information used for authentication of the key detection device 30, but the user ID is input to the operator via the input / output unit 25, and this user The ID may be used together with the device ID code and the current position information, or instead of at least one of them.

  In the present embodiment, the vehicle manufacturer server 50 is used for authentication of the key detection device 30, but a dongle distributed by the vehicle manufacturer to an authorized user of the key detection device 30 is used, and the dongle is connected to the external device 20. Only in some cases, use of the key detection device 30 may be permitted.

  In the present embodiment, the external device 20 acquires the current position information from the navigation ECU 11b of the in-vehicle network 10, but by providing the GPS function in the external device 20 or the key detection device 30, the current position information is acquired from the external device 20. Or may be obtained from the key detection device 30.

In the present embodiment, the immobilizer key 40 is used as the key device, but the present invention is not limited to this, and any key that is registered and used in the vehicle, such as a smart key or a wireless key, may be used.
[Second Embodiment]
Next, a second embodiment will be described.

<Overall configuration>
As shown in FIG. 6, the relay system 2 of the present embodiment includes an in-vehicle network 60 mounted on a vehicle, and an external device 70 that is used by being connected to the in-vehicle network 60 and that performs a predetermined operation. .

<In-vehicle network>
The in-vehicle network 60 is different from the in-vehicle network 10 in the first embodiment only in the configuration of the gateway ECU 15. Therefore, the same components are denoted by the same reference numerals and the description thereof is omitted, and the gateway ECU 15 is mainly described. Explained.

  The gateway ECU 15 includes an external device in addition to the tool side communication unit 151, the bus side communication unit 152, and the relay control unit 153 configured in the same manner as the tool side communication unit 141, the bus side communication unit 142, and the relay control unit 143 of the gateway ECU 14. A permitted work position database 154 for registering position information of a place where the execution of the specific work using 70 is permitted is provided.

<External device>
The external device 70 has a configuration in which the network communication unit 23 and the key detection IF unit 24 are omitted from the external device 20 in the first embodiment, that is, the tool-side connector 21, the vehicle communication unit 22, and the input / output unit. 25, a processing control unit 26 is provided.

  Then, the process control unit 26 executes a process for performing a normal work using a normal frame or a specific work using a designated frame in accordance with a command input via the input / output unit 25. However, unlike the case of the external device 20, when performing a specific work, transmission by the designated frame is suddenly started without executing the security release processing.

<Gateway processing>
Next, the contents of the gateway side processing executed by the CPU constituting the relay control unit 153 of the gateway ECU 15 will be described with reference to the flowchart shown in FIG. Note that this processing is the same as the processing on the gateway side shown in FIG. 4 in S310 to S360, and only the subsequent processing is different. Therefore, the different portions will be mainly described.

  That is, when the received communication frame is not a designated frame but a normal frame (S360: NO), the received normal frame is relayed (S410), and the process returns to S320. On the other hand, when the received communication frame is a designated frame (S360: YES), it is determined whether or not the security state is a security release state (S370). Is relayed (S380), and the process returns to S320.

  If it is determined in S370 that the security state is not the security unlocked state, current position information indicating the current position of the vehicle is acquired from the navigation ECU 11b (S500), and the acquired current position information is the permitted work position database. It is determined whether or not it matches the stored registration position information of 154 (S510).

  If the current position information matches the registered position information, the security state is set to the security release state (S520), the received designated frame is relayed (S380), and the process returns to S320. On the other hand, if the current position information and the registered position information do not match, the received designated frame is discarded with the security state held in the security setting state (S530), and the process returns to S320.

<Effect>
As described above, in the relay system 2, the external device 70 transmits a designated frame when performing a specific operation. On the other hand, the gateway ECU 15 that has received this designated frame acquires the current position information of the vehicle from the navigation ECU 11b, and if the current position information matches the registered position information stored in the permitted work position database 154, the received designation is received. While the frame is relayed, the security communication using the designated frame (that is, the execution of the specific work) is permitted until the end condition is satisfied.

  Therefore, according to the relay system 2, since the security communication is not permitted except for the regular work place registered in the permitted work position database 154, it is possible to prevent the specific work from being performed illegally.

<Modification>
In the present embodiment, the determination as to whether or not to permit security communication is made based on only the current position information. However, as in the case of the first embodiment, the key detection device 30 is received from the external device 70. The key ID code acquired via the user ID or the user ID input via the input / output unit 25 is transmitted, and in addition to the current position information, the key ID code and the user ID received from the external device 70 are verified. You may make it judge by. Further, when the key detection device 30 is used, the key detection device 30 may be authenticated using the vehicle manufacturer server 50 or the dongle, as in the case of the first embodiment.

  In the present embodiment, the gateway ECU 15 acquires the current position information from the navigation ECU 11b of the in-vehicle network 10, but the GPS function is provided in the external device 70 or a device (such as the key detection device 30) connected to the external device 70. Thus, it may be transmitted from the external device 70.

[Other Embodiments]
As mentioned above, although embodiment of this invention was described, this invention is not limited to the said embodiment, In the range which does not deviate from the summary of this invention, it is possible to implement in various aspects.

  For example, in the above-described embodiment, the navigation system 11b (or the external device 20 or the key detection device 30) acquires the current position information using the GPS function of the navigation ECU 11b. However, for example, an in-vehicle data communication module (DCM: Data The current position information may be acquired using a Communication Module) or a mobile phone.

  DESCRIPTION OF SYMBOLS 1, 2 ... Relay system 10, 60 ... In-vehicle network 11 ... Electronic control unit (ECU) 12 ... Main bus 13 ... Vehicle side connector 14, 15 ... Gateway ECU 20, 60 ... External device 21 ... Tool side connector 22 ... Vehicle communication 23: Network communication unit 24 ... Key detection device IF unit 25 ... Input / output unit 26 ... Processing control unit 30 ... Key detection device 40 ... Immobilizer key 50 ... Vehicle manufacturer server 70 ... External device 141, 151 ... Tool side communication unit 142, 152: Bus side communication unit 143, 153 ... Relay control unit 154 ... Permitted work position database

Claims (5)

An external device (20) that performs a predetermined work by performing data communication between the vehicle-mounted network (10) in which a plurality of vehicle-mounted devices (11) are connected to the same communication path (12) and the vehicle-mounted device. ), And the in-vehicle network includes a relay device (14) for connecting the external device,
A key detection device (30) that reads the identification code from a key device (40) that is used in connection with the external device and stores an identification code associated with a vehicle equipped with the in-vehicle network;
An authentication device (50) for authenticating the key detection device;
With
The external device authenticates the key detection device using the authentication device (26, S110). When the authentication of the device is successful, the external device authenticates the operator using the identification code acquired via the key detection device. When a request is made to the relay device (26, S120 to S140), and the operator is successfully authenticated, a specific work requiring security is permitted (26, S150 to S160),
When the relay device confirms that the identification code requested to be authenticated by the external device is a registered regular one, the relay device permits security communication related to the execution of the specific operation (143, S400, S420). To S450). An external device that is used by connecting to a vehicle-mounted network formed by connecting a plurality of vehicle-mounted devices to the same communication path, and that performs predetermined work by performing data communication with the vehicle-mounted device,
First interface means (21) used for connection to the in-vehicle network;
Second interface means (24) used to connect a key detection device that reads the identification code from a key device that stores the identification code associated with the vehicle;
Device authentication means (26, S110) for authenticating the target device using a pre-designated authentication device with the key detection device connected to the second interface means as a target device;
When the device authentication unit succeeds in authenticating the target device, the vehicle code connected to the first interface unit is the target system, and the identification code acquired via the target device is the target code, and the target code Worker authentication request means (26, S120 to S140) for requesting the target system to authenticate the worker according to
When it is confirmed by the response from the target system to the request of the worker authentication request means that the worker has been successfully authenticated, the specific work permission means (143, S400) that permits the execution of the specific work requiring security. , S420 to S450),
An external device comprising:   The device authentication means uses, as the authentication device, an authentication server (50) that performs authentication using a database in which registration information including at least information for identifying the key detection device is registered for each key detection device. 3. The external device according to claim 2, wherein an authentication result is obtained from the authentication server by providing target device information, which is information relating to the target device, to the authentication server and collating with the registration information. . Provided with position acquisition means (26, S220) for acquiring position information indicating the current position of the own device;
The target device information includes the position information acquired by the position acquisition unit,
4. The external apparatus according to claim 3, wherein the registration information of the database includes position information of a place where use of the key detection apparatus is permitted.   The external device according to claim 4, wherein the position acquisition unit acquires from the target system.

Images