JP5973223B2 - Electronic key registration method - Google Patents

Description

  The present invention relates to an electronic key registration method for registering an electronic key in a communication target.

  As is conventionally known, many vehicles are equipped with an electronic key system that performs key verification using an electronic key ID that is wirelessly transmitted from the electronic key. In this type of electronic key system, even if an ID signal transmitted from the electronic key is illegally acquired, encryption communication is generally employed so that the electronic key ID is not easily determined ( (See Patent Document 1). In encrypted communication, since the communication content is encrypted, it is excellent in confidentiality. As this encryption communication, for example, common key encryption communication is used.

JP 2004-300803 A

  By the way, when registering an electronic key in a vehicle, it is necessary to register an electronic key ID that each electronic key has uniquely associated with an encryption key. At this time, if the encryption key is illegally received, the encryption key is stolen. Therefore, it is necessary to perform registration work by a method with a low possibility of theft. On the other hand, there was a need to perform the registration work smoothly.

  The present invention has been made in view of such circumstances, and an object thereof is to provide an electronic key registration method capable of ensuring security against theft and smoothly performing registration work.

In order to solve the above-mentioned problem, the invention according to claim 1 enables control of the communication target on condition that authentication between the electronic key for initial registration or the electronic key for additional registration and the communication target is established. In the electronic key registration method for registering the two electronic keys used for the electronic key system in the communication target control device, the electronic keys are stored in advance in an external center for storing the two electronic keys and various information of the control device. A unique initial registration electronic key identification information and an initial registration electronic key encryption key, which are different for each electronic key, are stored in the initial registration electronic key and stored in advance in the external center. The additional registration electronic key identification information and the additional registration electronic key encryption key that are different for each electronic key are stored in the additional registration electronic key. An electronic key manufacturing step for additional registration, a control device manufacturing step in which unique control device identification information and a control device encryption key different for each control device stored in advance in the external center are stored in the control device, The initial registration electronic key identification information, the initial registration electronic key encryption key, the control device identification information, and the control device encryption key register the initial registration electronic key with the control device from the external center. An information distribution step that is pre- distributed to an internal center provided in the factory to be generated, an initial authentication key used for the authentication of the electronic key for initial registration and the control device, and the initial authentication key An initial authentication key generation step to be stored in the factory, and from the internal center to at least one of the initial registration electronic key and the control device, Generates additional authentication key used for the authentication of the initial authentication key registration step of distributing the initial authentication key via the internal network is a dedicated local network, with the additional registration electronic key and the control device, the An additional authentication key generating step of storing an additional authentication key in the external center, and from the external center to at least one of the additional registration electronic key and the control device via an external network that is an information communication network inside and outside the factory And an additional authentication key registration step of distributing the additional authentication key.

According to this configuration, the initial authentication key is distributed from the internal center to at least one of the initial registration electronic key and the control device in the factory via the internal network which is an information communication network dedicated to the factory. That is, communication inside and outside the factory is unnecessary. Therefore, the possibility that the initial authentication key is stolen by a third party is low. In addition, since it is suppressed that the initial authentication key cannot be distributed to at least one of the initial registration electronic key and the control device due to instability of communication inside and outside the factory, the initial registration electronic key to the control device is suppressed. Can be registered smoothly.

  On the other hand, the additional authentication key is distributed from the external center to at least one of the additional registration electronic key and the control device via an external network which is an information communication network inside and outside the factory. That is, the place where the additional authentication key is distributed to at least one of the additional registration electronic key and the control device is not limited. For this reason, the registration operation of the additional registration electronic key to the control device can be performed smoothly.

In the electronic key registration method, an initial control device encryption code generating step for converting the initial authentication key into an initial control device encryption code by being encrypted with the control device encryption key, and the initial control device encryption An initial control device encryption code distribution step for distributing an encryption code to the control device, and an additional control device in which the additional authentication key is converted into an additional control device encryption code by being encrypted with the control device encryption key The gist of the invention is to include at least one of an encryption code generation step and an additional control device encryption code distribution step of distributing the additional control device encryption code to the control device.

  According to this configuration, since at least one of the initial control device encryption code and the additional control device encryption code is encrypted with the control device encryption key, it has the control device encryption key used for encryption. Only the control device can decrypt at least one of the initial control device encryption code and the additional control device encryption code. Accordingly, since at least one of the initial authentication key and the additional authentication key can be obtained only by a control device that requires it, security is improved.

In the electronic key registration method, the initial registration electronic key encryption code generating step for converting the initial authentication key into an initial registration electronic key encryption code by being encrypted with the initial registration electronic key encryption key And an initial registration electronic key encryption code distribution step for distributing the initial registration electronic key encryption code to the initial registration electronic key, and the additional authentication key is encrypted with the additional registration electronic key encryption key Step of generating an additional registration electronic key encryption code that is converted into an additional registration electronic key encryption code, and additional registration for distributing the additional registration electronic key encryption code to the additional registration electronic key The gist is to include at least one of an electronic key encryption code distribution step.

  According to this configuration, since the initial registration electronic key encryption code is encrypted with the initial registration electronic key encryption key, the initial registration electronic key encryption key used for the encryption is used. The electronic key encryption code for initial registration can be decrypted only with the electronic key. Therefore, since the initial authentication key can be obtained only by the initial registration electronic key that requires the initial authentication key, the security is improved. In addition, since the additional registration electronic key encryption code is encrypted with the additional registration electronic key encryption key, only the additional registration electronic key having the additional registration electronic key encryption key used for encryption is used. The electronic key encryption code for additional registration can be decrypted. Therefore, the additional authentication key can be obtained only by the additional registration electronic key that requires this additional authentication key, so that the security is improved.

The gist of the electronic key registration method is that the initial registration electronic key encryption key is the initial authentication key, and the additional registration electronic key encryption key is the additional authentication key.

  According to this configuration, it is not necessary to distribute the initial authentication key to the initial registration electronic key and the additional authentication key to the additional registration electronic key. For this reason, it is possible to suppress the initial authentication key and the additional authentication key from being stolen.

The gist of the electronic key registration method is that the control device encryption key is the initial authentication key and the additional authentication key.
According to this configuration, it is not necessary to distribute the initial authentication key and the additional authentication key to the control device. For this reason, it is possible to suppress the initial authentication key and the additional authentication key from being stolen.

In the electronic key registration method, the initial authentication key and the additional authentication key are encrypted and decrypted using a restriction key that can be used only once when the initial authentication key and the additional authentication key are registered. And

  According to this configuration, a restriction key that is valid only once at the time of registration is used as an encryption key when the initial authentication key and the additional authentication key are encrypted and sent to the vehicle and the electronic key. For this reason, since the key for encrypting the initial authentication key and the additional authentication key changes every time registration is performed, theft of the initial authentication key and the additional authentication key can be further suppressed.

In the electronic key registration method, before the control device, the two electronic keys, and the internal center enter the registration mode, communication partner authentication is performed to confirm whether each other's communication partner is correct, and this authentication is established. The gist is that all these three parties are in the registration mode in which the initial authentication key and the additional authentication key can be registered.

  According to this configuration, in order to register the initial authentication key in the control device and the initial registration electronic key, authentication is established between the control device, the initial registration electronic key, and the internal center, and the control device and the initial registration key are registered. The electronic key must be switched to registration mode. Therefore, when registering the initial authentication key, it is necessary to establish authentication for shifting to the registration mode, so that it is possible to prevent unauthorized registration of the initial authentication key. Similarly, in order to register the additional authentication key in the control device and the additional registration electronic key, authentication is established between the control device, the additional registration electronic key and the external center, and the control device and the additional registration electronic key are registered. The key must be switched to registration mode. Therefore, when registering the additional authentication key, it is necessary to establish authentication for shifting to the registration mode, and therefore it is possible to prevent unauthorized registration of the additional authentication key.

In the electronic key registration method, after the control device, the initial registration electronic key, and the internal center all enter the registration mode, before the actual registration operation, the control device, the initial registration electronic key, and the internal key Authenticating the center, and after the control device, the additional registration electronic key, and the external center all enter the registration mode, before the actual registration operation, the control device, the additional registration electronic key, and the The gist is to at least one of authenticating the external center.

According to this configuration, even after entering the registration mode, authentication for checking whether the communication partner is correct or not is performed, so that it is possible to further prevent unauthorized registration of the secret initial authentication key.
In the electronic key registration method, at least one of a registration tool that is an operation terminal for performing the registration and an operator who performs the registration work is authenticated, and the initial authentication key and The gist is to permit registration of at least one of the additional authentication keys.

  According to this configuration, since the registration tool and the operator authentication are also established as a condition for registration execution, it is possible to further prevent unauthorized registration of at least one of the initial authentication key and the additional authentication key.

  ADVANTAGE OF THE INVENTION According to this invention, the electronic key registration method which can ensure the security with respect to theft and can perform a registration operation | work smoothly can be provided.

1 is a block diagram showing a schematic configuration of an electronic key system in a first embodiment. The block diagram which shows schematic structure of a secret key registration system. The block diagram which shows schematic structure of a writer. The block diagram which shows schematic structure of a center. The block diagram which shows schematic structure of a vehicle. The block diagram which shows schematic structure of an electronic key. The block diagram which shows schematic structure of a registration tool. The flowchart which shows the operation | movement outline | summary of a secret key registration system. FIG. 9 is a flowchart showing a continuation of FIG. 8. FIG. 10 is a flowchart showing a continuation of FIG. 9. 1 is a conceptual diagram of a secret key registration system. The block diagram which shows schematic structure of the private key registration system in 2nd Embodiment. The block diagram which shows schematic structure of a registration tool and a center. Tool center ID combination table. Electronic key OBE ID combination table. The flowchart which shows the operation | movement outline | summary of a secret key registration system.

(First embodiment)
Hereinafter, a first embodiment of the present invention will be described with reference to FIGS.
As shown in FIG. 1, the vehicle 1 performs key verification by wireless communication with an electronic key 2 used as a vehicle key, and locks and unlocks the door lock and starts the engine on the condition that the key verification is established. An electronic key system 3 that permits or executes the above is provided. The electronic key 2 is capable of narrow-area wireless communication with the vehicle 1, and transmits an ID code (hereinafter referred to as an electronic key ID) unique to the electronic key 2 to the vehicle 1 by wireless communication. A key that can cause the vehicle 1 to perform ID verification as key verification.

  The electronic key system 3 includes a wireless door lock system that locks or unlocks the door lock of the vehicle door by remote operation by operating a button of an electronic key (commonly known as a remote control key) 2. In this case, the vehicle 1 is provided with a verification ECU 4 that performs ID verification with the electronic key 2, and a main body ECU 5 that manages the power supply system of the vehicle 1, and these ECUs 4 and 5 are connected to a bus 6 that is one network in the vehicle. Connected through. A vehicle tuner 7 capable of receiving radio waves in a UHF (Ultra High Frequency) band (about 312 MHz) is connected to the verification ECU 4. Further, a door lock motor 8 is connected to the main body ECU 5 as a drive source when performing door locking / unlocking.

  In addition, the electronic key 2 is provided with a communication control unit 9 that performs overall control of various operations of the electronic key 2. The communication control unit 9 has various devices such as a CPU 10 and a memory 11, and an electronic key ID is registered in the memory 11 as a unique key code of the electronic key 2. The electronic key 2 is provided with a locking button 12 that is operated when the vehicle door is locked by remote operation, and an unlocking button 13 that is operated when the vehicle door is unlocked by remote operation. The communication control unit 9 manages the presence or absence of the operation. The communication control unit 9 is connected to a key transmitter 14 capable of transmitting a UHF band radio signal, and the signal control operation of the key transmitter 14 is managed by the communication control unit 9.

  For example, when the lock button 12 is operated, the communication control unit 9 includes a wireless key including an electronic key ID of the electronic key 2 and a function code (locking request code) for requesting the vehicle 1 to start a door lock locking operation. The signal Swl is transmitted from the key transmitter 14 as a UHF band signal, and narrow band wireless communication (wireless communication) is executed. When the vehicle ECU 7 receives the wireless signal Swl, the verification ECU 4 compares the electronic key ID included in the wireless signal Swl with the electronic key ID registered in its own memory 15 to perform ID verification (wireless verification). I do. When the verification ECU 4 confirms that the wireless verification has been established, the verification ECU 4 causes the main body ECU 5 to perform the locking operation of the door lock in accordance with the subsequent locking request code.

  For wireless communication, encrypted communication in which a wireless signal Swl transmitted from the electronic key 2 is encrypted and sent to the vehicle 1 is used. The encryption communication of this example employs a secret key cryptosystem that uses a secret key that is a common authentication key for the signal sender and receiver. Therefore, a common secret key 16 is registered in the memory 11 of the electronic key 2 and the memory 15 of the vehicle 1 (verification ECU 4). When the electronic key 2 transmits the wireless signal Swl, the wireless signal Swl encrypted by the secret key 16 of the electronic key 2 is transmitted, and when the vehicle 1 receives the wireless signal Swl, The wireless signal Swl is decrypted with the secret key 16.

  As shown in FIG. 2, the vehicle 1 and the electronic key 2 are provided with a secret key registration system 17 that issues a secret key 16 to the vehicle 1 and the electronic key 2. Here, the electronic key 2 can be used for the vehicle 1 shipped from the factory in advance when the electronic key for initial registration attached to the vehicle 1 at the time of factory shipment and the electronic key for initial registration are lost. There are two types of electronic keys for additional registration. That is, the secret key registration system 17 of this example includes an initial registration system 17a and an additional registration system 17b as shown in FIG. In the initial registration system 17a, a handy type registration tool 19 connectable to the vehicle 1 and an internal center 20 capable of wireless communication with the registration tool 19 via a dedicated communication network in the manufacturing factory are used. . The internal center 20 is capable of wireless communication with the external center 200 via a wide area wireless communication network (for example, the Internet), and wireless communication with the external center 200 is performed periodically ( For example, once a day). Here, the external center 200 stores various information of the vehicle 1 including the electronic key 2 (for initial registration and additional registration) and the verification ECU 4 (for initial registration and additional registration). The internal center 20 stores a part of information used in the external center 200 in the factory where the internal center 20 is provided, here mainly information for initial registration. In the additional registration system 17b, a handy type registration tool 19 connectable to the vehicle 1 and an external center 200 capable of wireless communication with the registration tool 19 via a high-frequency wireless communication network are used. That is, the secret key registration system 17 includes five members, a writer 18, a registration tool 19, an internal center 20, and an external center 200, which will be described later, managed in the manufacturing factory of the vehicle 1, the electronic key 2, the electronic key 2, and the verification ECU 4. In this system, the secret key 16 is registered in the vehicle 1 and the electronic key 2. The difference between the initial registration system 17a and the additional registration system 17b is whether the registration tool 19 communicates with the internal center 20 or the external center 200, and the basic registration process is common. . Therefore, in this example, the initial registration system 17 a will be mainly described as the secret key registration system 17.

  The details of the system 17 will be explained. As shown in FIG. 3, the memory 21 of the writer 18 stores the on-vehicle device center key 22 (initial registration) used when registering the secret key 16 in the verification ECU 4 of the vehicle 1. And an electronic key center key 23 (for initial registration and additional registration) used when registering the private key 16 in the electronic key 2 are stored. The in-vehicle device center key 22 is a secret key registration encryption key associated between the vehicle 1 and the internal center 20, and is a key assigned to the vehicle 1 individually. The OBE center key 22 is used for data exchange between the verification ECU 4 and the internal center 20 when the secret key 16 is registered in the vehicle 1 and the electronic key 2. The electronic key center key 23 is a secret key registration encryption key associated between the electronic key 2 and the internal center 20, and is a key that is individually assigned to the electronic key 2. The electronic key center key 23 is used for data exchange between the electronic key 2 and the internal center 20 when the secret key 16 is registered in the vehicle 1 and the electronic key 2. Since the writer 18 is placed in a manufacturing factory or the like, even if the writer 18 has the in-vehicle device center key 22 or the electronic key center key 23, it is unlikely to be stolen. The manufacturing factory generates the vehicle-mounted device center key 22 and the electronic key center key 23.

  As shown in FIG. 3, the writing device 18 includes an on-vehicle device center key writing unit 24 for writing the on-vehicle device center key 22 to the vehicle 1 (verification ECU 4) at the time of manufacture, and an electronic key center on the electronic key 2 at the time of manufacturing. An electronic key center key writing unit 25 for writing the key 23 is provided. The in-vehicle device center key writing unit 24 directly injects the in-vehicle device center key 22 by wire to the verification ECU 4 flowing on the production line via the electric wiring 24a. Further, the electronic key center key writing unit 25 directly injects the electronic key center key 23 into the IC of the communication control unit 9 via the electric wiring 25a to the electronic key 2 flowing on the production line via a wire. .

  As shown in FIG. 4, in the memory 200a of the external center 200, there are a key database 207 in which each set of the electronic key ID and the electronic key center key 23 is registered, and each set of the onboard unit ID and the onboard unit center key 22. A registered car database 208 is provided. That is, the external center 200 is separately provided with the vehicle-mounted device center key 22 (for initial registration and additional registration) similar to that registered in the verification ECU 4 from the manufacturing factory and the same electronic key center as that registered in the verification ECU 4. The key 23 (for initial registration and additional registration) is obtained and stored.

  As shown in FIG. 4, the memory 26 of the internal center 20 stores the vehicle-mounted device center key 22 (for initial registration) and the electronic key center key 23 (for initial registration). The onboard unit center key 22 (for initial registration) and the electronic key center key 23 (for initial registration) are transmitted from the external center 200 to the internal center 20 through wireless communication periodically performed between the external center 200 and the internal center 20. Are distributed in advance (information distribution step). The internal center 20 is distributed with the vehicle-mounted device center key 22 and the electronic key center key 23 of the vehicle 1 and the electronic key 2 for 1 to 6 days registered on the production line. This is because the wide area wireless communication network becomes unstable, and wireless communication between the internal center 20 and the external center 200 cannot be performed, and the in-vehicle device center key 22 and the electronic key center are connected to the internal center 20. Even when the distribution of the key 23 is not possible for 1 to 6 days, the vehicle-mounted device center key 22 and the electronic key center key 23 can be registered in the verification ECU 4 and the communication control unit 9 of the electronic key 2. That is, there is no need to stop the production line due to the wide area wireless communication network becoming unstable.

  In addition, any vehicle 1 (verification ECU 4) and any electronic key 2 can be registered in the memory 26 of the internal center 20 as a pair. The vehicle 1 has an in-vehicle device ID as a unique value (individual ID code) of the vehicle 1 (collation ECU 4). The electronic key 2 has an electronic key ID as a unique value (individual ID code) of the electronic key 2. That is, the vehicle-mounted device ID and the electronic key ID are registered in the memory 26. Furthermore, a tool center key 27 is registered in the memory 26 of the internal center 20 as a kind of encryption key defined between the registration tool 19 and the internal center 20. The tool center key 27 is an encryption key used for data exchange between the registration tool 19 and the internal center 20 when registering the secret key 16 in the vehicle 1 and the electronic key 2.

  The internal center 20 is provided with a tool connection unit 20a as a data input / output port for exchanging various data with the registration tool 19. The internal center 20 can communicate with the registration tool 19 by wireless communication via the tool connection unit 20a.

  The internal center 20 is provided with a center-side registration mode switching unit 28 that switches the operation mode of the internal center 20 to the registration mode. The center-side registration mode switching unit 28 switches the operation mode of the internal center 20 to the registration mode on condition that challenge response authentication is established with the registration tool 19. In challenge-response authentication, a random number code that changes every time a call is sent is sent as a challenge from the authenticating side to the receiving side, and is calculated through a calculation formula on the receiving side, and the calculation result is received as a response. Similarly, the authentication side calculates the response using its own calculation formula, calculates the response, and performs authentication to see whether or not this response matches the response on the receiving side.

  The internal center 20 is provided with a center-side communication partner authentication unit 29 that authenticates whether the registered communication partner is correct after the internal center 20 enters the registration mode. Further, when the vehicle 1 and the electronic key 2 register the secret key 16 in the internal center 20, an ID pair registration unit that registers the vehicle 1 and the electronic key 2 registered with the same secret key 16 in the memory 26 as a pair. 30 is provided.

  The internal center 20 is provided with a random number generator 31 that generates the secret key 16 in the internal center 20. The random number generator 31 generates a code having a different value every time data is output as the secret key 16 of the electronic key system 3 (authentication key generation step). In other words, the secret key 16 is generated by the internal center 20, and the internal center 20 collectively manages the secret key 16.

  The internal center 20 is provided with an encryption processing unit 32 that encrypts the secret key 16 generated by the random number generator 31 with the in-vehicle device center key 22 and the electronic key center key 23 in the memory 26. The encryption processing unit 32 generates the on-vehicle device registration code Ccr by encrypting the on-vehicle device ID, the electronic key ID, and the secret key 16 with the on-vehicle device center key 22 in the memory 26. The electronic key registration code Cdk is generated by encrypting the secret key 16 with the electronic key center key 23. That is, the in-vehicle device registration code Ccr and the electronic key registration code Cdk have the in-vehicle device ID, the electronic key ID, and the secret key 16 as information, and are necessary for registering the secret key 16 in the vehicle 1 or the electronic key 2. Used as a condition.

  The internal center 20 is provided with a registration code output unit 33 that outputs the vehicle-mounted device registration code Ccr and the electronic key registration code Cdk generated by the encryption processing unit 32 to the vehicle 1 and the electronic key 2, respectively. The registration code output unit 33 can wirelessly communicate with the vehicle 1, the electronic key 2, and the registration tool 19 via a dedicated communication network (for example, an intranet) in the factory. The registration code output unit 33 transmits the vehicle-mounted device registration code Ccr to the vehicle 1 and transmits the electronic key registration code Cdk to the electronic key 2.

  As shown in FIG. 5, the vehicle 1 is provided with a tool connection portion 1 a as a data input / output port when exchanging various data with the registration tool 19. The registration tool 19 can be connected to the vehicle 1 by connecting a cable to the tool connection portion 1a. The verification ECU 4 can communicate with the registration tool 19 by wired communication via the tool connection unit 1a.

  In addition, the vehicle 1 is provided with a communication device 34 that can wirelessly communicate with the internal center 20 via an intranet. The communication device 34 is connected to the verification ECU 4 via, for example, the bus 6. The communication device 34 can receive the OBE registration code Ccr transmitted from the internal center 20 and can supply the OBE registration code Ccr to the verification ECU 4.

  The verification ECU 4 is provided with a vehicle-side registration mode switching unit 35 that switches the operation mode of the verification ECU 4 to the registration mode. The vehicle-side registration mode switching unit 35 switches the operation mode of the verification ECU 4 to the registration mode on condition that challenge response authentication is established with the internal center 20 that has entered the registration mode. The verification ECU 4 is also provided with a vehicle-side communication partner authentication unit 36 that authenticates whether or not the registered communication partner is correct after the verification ECU 4 enters the registration mode.

  The verification ECU 4 is provided with an in-vehicle device center key acquisition unit 37 for acquiring the in-vehicle device center key 22 output from the writing device 18 at the time of manufacture. The verification ECU 4 is provided with an in-vehicle device registration code acquisition unit 38 that acquires the in-vehicle device registration code Ccr transmitted from the internal center 20 via the communication device 34. As described above, by providing the verification ECU 4 with the OBE center key acquisition unit 37 and the OBE registration code acquisition unit 38, the verification ECU 4 can capture the OBE center key 22 and the OBE registration code Ccr. It has become.

  The verification ECU 4 is provided with a vehicle-side decryption processing unit 39 that decrypts the OBE registration code Ccr registered by the OBE registration code acquisition unit 38 with the OBE center key 22 acquired by the OBE center key acquisition unit 37. ing. The decrypted data obtained by the vehicle side decryption processing unit 39 is correctly decrypted if the in-vehicle device center key 22 applied to the in-vehicle device registration code Ccr is the same as the in-vehicle device center key 22 acquired from the writer 18. .

  The verification ECU 4 is provided with a vehicle-side registration code determination unit 40 that determines whether or not the vehicle-mounted device registration code Ccr taken from the internal center 20 via the communication device 34 is correct. The vehicle-side registration code determination unit 40 can correctly decode the vehicle-mounted device registration code Ccr by the vehicle-side decoding processing unit 39, and whether the vehicle-mounted device ID included in the decoded data matches that of the vehicle 1 or not. By looking, it is determined whether the registration code Ccr is correct or not. The vehicle-side registration code determination unit 40 permits the registration of the secret key 16 if the establishment of the ID of the vehicle-mounted device ID is confirmed, and disables the registration of the secret key 16 if the ID establishment of the vehicle-mounted device ID cannot be confirmed. .

  The verification ECU 4 is provided with a vehicle-side secret key registration unit 41 that performs registration of the secret key 16 in the vehicle 1 on the condition that the vehicle-mounted device registration code Ccr is correct. When the registration code is correctly determined, the vehicle-side secret key registration unit 41 writes the secret key 16 included in the vehicle-mounted device registration code Ccr in the memory 15 as the encryption key of the vehicle 1.

  As shown in FIG. 6, the electronic key 2 is provided with a key receiver 42 that receives various radio waves transmitted outside the key 2. The key receiver 42 can receive, for example, a kind of RF (Radio Frequency) radio wave in the UHF (Ultra High Frequency) band, and supplies the received radio wave to the communication control unit 9 after amplification or demodulation. In the case of the key receiver 42, for example, when the electronic key system 3 is a key operation free system, that is, the electronic key 2 automatically returns an electronic key ID to the vehicle 1 in response to a request from the vehicle 1, the ID is verified. Various radio waves transmitted from the vehicle 1 can be received in the system 3.

  The communication control unit 9 is provided with a key side registration mode switching unit 43 that switches the operation mode of the electronic key 2 to the registration mode. When the key-side registration mode switching unit 43 receives a registration mode transition request from the vehicle 1 that has entered the registration mode, the key-side registration mode switching unit 43 switches the operation mode of the electronic key 2 to the registration mode. The communication control unit 9 is also provided with a key-side communication partner authentication unit 44 that authenticates whether or not the registered communication partner is correct after the communication control unit 9 enters the registration mode.

  The communication control unit 9 is provided with an electronic key center key acquisition unit 45 that acquires the electronic key center key 23 output from the writing device 18 at the time of manufacture. The communication control unit 9 is provided with an electronic key registration code acquisition unit 46 that acquires the electronic key registration code Cdk transmitted from the internal center 20 via the key receiver 42. Thus, by providing the communication control unit 9 with the electronic key center key acquisition unit 45 and the electronic key registration code Cdk, the communication control unit 9 can capture the electronic key center key 23 and the electronic key registration code Cdk. It is possible.

  The communication control unit 9 includes a key-side decryption processing unit 47 that decrypts the electronic key registration code Cdk registered by the electronic key registration code acquisition unit 46 using the electronic key center key 23 acquired by the electronic key center key acquisition unit 45. Is provided. The decrypted data obtained by the key-side decryption processing unit 47 is correctly decrypted if the electronic key center key 23 applied to the electronic key registration code Cdk is the same as the electronic key center key 23 acquired from the writer 18. .

  The communication control unit 9 is provided with a key-side registration code determination unit 48 that determines whether or not the electronic key registration code Cdk received from the internal center 20 via the key receiver 42 is correct. The key-side registration code determination unit 48 can correctly decrypt the electronic key registration code Cdk by the key-side decryption processing unit 47, and whether or not the electronic key ID included in the decrypted data matches that of the electronic key 2. To determine whether the registration code Cdk is correct or not. The key-side registration code determination unit 48 permits registration of the secret key 16 if it confirms that the electronic key ID is established, and disables registration of the secret key 16 if it does not confirm that the electronic key ID is established. .

  The communication control unit 9 is provided with a key side secret key registration unit 49 for registering the secret key 16 in the electronic key 2 on condition that the electronic key registration code Cdk is correct. When the determination of the registration code is correct, the key-side secret key registration unit 49 writes the secret key 16 included in the electronic key registration code Cdk into the memory 11 as the encryption key of the electronic key 2.

  As shown in FIG. 7, the registration tool 19 is a handy type that is carried when the secret key 16 is registered in the vehicle 1 and the electronic key 2. Therefore, the registration of the private key 16 to the vehicle 1 and the electronic key 2 is performed by carrying out the portable operation of the registration tool 19. The registration tool 19 includes a tool control unit 50 that performs overall control of the registration tool 19, a communication device 51 that can transmit and receive various radio waves, an input unit 52 that includes, for example, a numeric keypad, and a display unit 53 that displays various screens. Is provided. The registration tool control unit 50 manages input information of the input unit 52 and controls the display unit 53 and the communication device 51 to execute various registration operations.

  The tool control unit 50 is provided with a tool-side registration mode switching unit 54 that manages the registration operation in the registration tool 19. The tool control unit 50 is provided with a tool-side communication partner authentication unit 55 for authenticating whether or not the registered communication partner is correct after the vehicle 1, the electronic key 2, and the internal center 20 all enter the registration mode. . The same tool center key 27 as that registered in the internal center 20 is registered in the memory 56 of the registered tool control unit 50.

Next, the procedure for registering the secret key 16 in the vehicle 1 and the electronic key 2 will be described with reference to FIGS.
As a premise, the on-board device center key 22 (for initial registration and additional registration) is written from the writer 18 to the verification ECU 4 in the manufacturing line of the verification ECU 4 in the manufacturing factory. Similarly, the electronic key center key 23 (for initial registration and additional registration) is written in the electronic key 2 from the writing device 18 in the production line of the electronic key 2 in the production factory. In addition, the in-vehicle center key 22 (for initial registration) and the electronic key center key 23 (for initial registration) are distributed in advance from the external center 200 to the internal center 20 (initial information distribution step).

  Subsequently, as shown in FIG. 8, the vehicle 1, the electronic key 2, and the registration tool 19 are prepared at hand, and the three parties and the internal center 20 are ready for communication (intranet communication). . At this time, a predetermined operation is applied to the vehicle 1 and the electronic key 2 so that they are in a registration start state, and the registration tool 19 is connected to the tool connection portion 1a by a cable (not shown) and the power is turned on. As a result, the registration tool 19 is also set to the registration start state, and the internal center 20 is also turned on to set the internal center 20 to the registration start state. The start state means a preparation stage before the actual registration mode, and various types of operation modes for entering the start state can be adopted.

  It is assumed that the registration operation of the secret key 16 is performed by operating the input unit 52 in the registration tool 19. At this time, as shown in step S101, a wired connection command is output from the registration tool 19 to the verification ECU 4 as a notification of registration operation start. Note that the registration operation in the registration tool 19 at this time is managed by the tool-side registration mode switching unit 54.

  When the verification ECU 4 receives a wired connection command from the registration tool 19, the vehicle-side registration mode switching unit 35 is activated. At this time, the verification ECU 4 takes the form of responding to the wired connection command, and returns the vehicle-mounted device ID registered in itself to the registration tool 19 as shown in step S102. When the registration tool 19 obtains the vehicle-mounted device ID from the verification ECU 4, the registration tool 19 sends a registration request to the internal center 20 via the intranet communication to notify the internal center 20 of the registration start of the secret key 16 as shown in step S103. To do.

  When the internal center 20 receives a registration request from the registration tool 19, the center-side registration mode switching unit 28 is activated. At this time, as shown in step S104, the internal center 20 starts challenge response authentication using the tool center key 27 and sends the first challenge to the registration tool 19. When the registration tool 19 receives the first challenge from the internal center 20, the registration tool 19 calculates the first response as the response of the first challenge by using the tool center key 27 registered in the registration tool 19, and as shown in step S105, the first response Is returned to the internal center 20.

  When the internal center 20 receives the first response from the registration tool 19, as shown in step S106, the internal center 20 performs response verification by comparing the received first response with the response calculated by itself. That is, the internal center 20 authenticates the registration tool 19. When the internal center 20 confirms that the response verification is established, the internal center 20 proceeds to the next step S107 and switches its operation mode to the registration mode. That is, when the center-side registration mode switching unit 28 confirms that challenge response authentication between the registration tool 19 and the internal center 20 is established, the center-side registration mode switching unit 28 switches the operation mode of the internal center 20 to the registration mode. On the other hand, when it is confirmed that the response verification is not established, the internal center 20 forcibly terminates the operation.

  The internal center 20 that has entered the registration mode creates a tool center template key 57 (hereinafter referred to as a tool center temp key 57) using a hash function, as shown in step S108. The tool center temp key 57 inputs the first challenge sent to the registration tool 19, the first response received from the registration tool 19, and the tool center key 27 registered in the memory 26 of the internal center 20 to the hash function. It is constructed by the hash value obtained by doing. The tool center temp key 57 is created with a different value each time during registration, and is a key (restriction key) that can be used only once during registration. The tool center temp key 57 is a key that functions to prevent erroneous registration of the secret key 16.

  Also, the registration tool 19 creates a tool center temp key 57 in the same format as the internal center 20, as shown in step S109. In other words, the registration tool 19 passes the first challenge received from the internal center 20, the first response calculated by itself, and the tool center key 27 registered in its own memory 56 through a hash function, thereby obtaining a hash value. And this hash value is calculated as the tool center temp key 57.

  When the registration tool 19 creates the tool center temp key 57, the registration tool 19 outputs a registration mode transition request to the verification ECU 4, as shown in step S110. When the verification ECU 4 receives the registration mode transition request from the registration tool 19, the verification ECU 4 outputs the vehicle-mounted device ID registered to the registration tool 19 as shown in step S <b> 111. At this time, the verification ECU 4 also starts challenge response authentication using the in-vehicle device center key 22 and outputs the second challenge to the registration tool 19 together with the in-vehicle device ID. Upon receiving the vehicle-mounted device ID and the second challenge from the verification ECU 4, the registration tool 19 transmits these to the internal center 20 through intranet communication.

  When receiving the OBE ID and the second challenge from the registration tool 19, the internal center 20 first refers to its own memory (database) 26 as shown in step S112, and the OBE center key corresponding to the OBE ID. 22 is read. By the way, the in-vehicle device center key 22 is a unique value of each vehicle 1 and is uniquely associated with the in-vehicle device ID which is also the unique value of the vehicle 1. The center key 22 can be read out. Therefore, the internal center 20 reads the onboard equipment center key 22 corresponding to the onboard equipment ID as a clue.

  In addition, when the internal center 20 receives the second challenge from the registration tool 19, the internal center 20 calculates the second response using the on-vehicle device center key 22 of the second challenge, and registers the second response as shown in step S113. Reply to tool 19. Upon receiving the second response, the registration tool 19 outputs this second response to the verification ECU 4.

  When the verification ECU 4 receives the second response from the registration tool 19, as shown in step S <b> 114, the verification ECU 4 performs response verification by comparing the received second response with the response calculated by itself. That is, the verification ECU 4 authenticates the internal center 20. When the verification ECU 4 confirms that the response verification is established, the verification ECU 4 proceeds to the next step S115 and switches its operation mode to the registration mode. That is, when the vehicle-side registration mode switching unit 35 confirms that challenge response authentication is established between the verification ECU 4 and the internal center 20, the vehicle-side registration mode switching unit 35 switches the operation mode of the verification ECU 4 to the registration mode. On the other hand, the verification ECU 4 forcibly terminates the operation when confirming that the response verification is not established.

  The verification ECU 4 that has entered the registration mode creates an in-vehicle device center template key 58 (hereinafter referred to as an in-vehicle device center temp key 58) using a hash function, as shown in step S116. The OBE center temp key 58 uses the second challenge sent to the internal center 20, the second response received from the internal center 20, and the OBE center key 22 registered in the memory 15 of the verification ECU 4 as a hash function. It is constructed with a hash value obtained by input. The OBE center temp key 58 is also created with a different value each time during registration, and is a key (restriction key) that can be used only once at the time of registration. The in-vehicle device center temp key 58 is a key that functions to prevent wrong registration of the secret key 16. The in-vehicle device center temp key 58 corresponds to a restriction key.

  Moreover, the internal center 20 produces the onboard equipment center temp key 58 by the format similar to collation ECU4 as shown to step S117. That is, the internal center 20 passes the second challenge received from the verification ECU 4, the second response calculated by itself, and the vehicle-mounted device center key 22 registered in its own memory 26 through the hash function to pass the hash value. And the hash value is calculated as the in-vehicle device center temp key 58.

  When the verification ECU 4 creates the vehicle-mounted device center key 22, it sends a registration mode transition request and an electronic key ID request to the electronic key 2 as shown in step S118. When the electronic key 2 receives a registration mode transition request from the verification ECU 4, the key-side registration mode switching unit 43 is activated. Note that the communication infrastructure of the electronic key system 3 is used for wireless communication at this time. The registration mode shift request is a command for shifting the electronic key 2 to the registration mode. The electronic key ID request is a command for returning the electronic key ID to the vehicle 1.

  When receiving the registration mode transition request from the verification ECU 4, the electronic key 2 checks whether or not the private key 16 has already been registered in its own memory 11, as shown in step S119. When the electronic key 2 confirms that the private key 16 is not registered in its own memory 11, the electronic key 2 proceeds to the next step S120 and switches its own operation mode to the registration mode. That is, when the key-side registration mode switching unit 43 confirms that the secret key 16 is not yet registered in the memory 11, the key-side registration mode switching unit 43 switches the operation mode of the electronic key 2 to the registration mode. On the other hand, when the electronic key 2 confirms that the secret key 16 is already registered in its own memory 11, the operation is forcibly terminated.

  When the electronic key 2 enters the registration mode, the key-side communication partner authentication unit 44 is activated in order to perform authentication in the registration mode. At this time, as shown in step S121, the key-side communication partner authentication unit 44 sends the electronic key ID registered in its own memory 11 to the verification ECU 4. When the verification ECU 4 receives the electronic key ID, the vehicle-side communication partner authentication unit 36 is activated and transfers the electronic key ID received from the electronic key 2 to the registration tool 19.

  When the registration tool 19 inputs the electronic key ID from the verification ECU 4, the tool-side communication partner authentication unit 55 is activated. That is, the tool-side communication partner authentication unit 55 calculates the ciphertext data 59 and the falsification detection code data 60 in order to perform MAC (Message Authentication Code) authentication with the internal center 20, as shown in step S122. MAC authentication is a type of authentication for preventing message tampering and spoofing. An authentication code, so-called MAC, is generated by passing a message and a key through an encryption algorithm, and this is transmitted to the other party as communication data. It is sent and authenticated. The MAC algorithm includes, for example, a block cipher (DES (Data Encryption Standard), AES (Advanced Encryption Standard), etc.), a hash function, and a dedicated design.

  The ciphertext data 59 is constructed by ciphertext obtained by inputting a tool center key 27 as a key and an in-vehicle device ID and an electronic key ID as plaintext to an encryption algorithm. Further, the falsification detection code data 60 is constructed by a code obtained by inputting the tool center temp key 57 as a key and the above-described ciphertext data 59 as a plain text into a falsification detection algorithm. The registration tool 19 transmits the calculated ciphertext data 59 and the falsification detection code data 60 to the internal center 20 by intranet communication.

  When the internal center 20 inputs the ciphertext data 59 and the falsification detection code data 60 from the registration tool 19, the center side communication partner authentication unit 29 is activated. That is, the center-side communication partner authentication unit 29 performs MAC authentication and abnormality ID verification using these data 59 and 60 as shown in step S123. Here, the memory 26 of the internal center 20 is provided with an abnormality ID database 61 as a database in which abnormality IDs are registered. The abnormality ID corresponds to the vehicle-mounted device ID of the stolen vehicle or the electronic key ID registered in another vehicle. Therefore, the abnormality ID detection is performed by checking whether the received ID corresponds to the abnormality ID by comparing the ID received from the registration tool 19 with the abnormality ID database 61. When the center-side communication partner authentication unit 29 confirms that the ciphertext and the falsification detection code can be correctly decrypted and confirms that the various IDs do not belong to the abnormal ID, the center-side communication partner authentication unit 29 proceeds to the next step S124. On the other hand, when the internal center 20 confirms that the MAC authentication and the abnormality ID verification are not established, the internal center 20 forcibly terminates the operation.

  When the internal center 20 confirms the establishment of the MAC authentication and the abnormal ID verification, the internal center 20 then proceeds to transfer the secret key 16. At this time, the internal center 20 executes the encryption output process of the secret key 16 as shown in step S124. As this process, the encryption processing unit 32 first reads the electronic key center key 23 and the vehicle-mounted device center key 22 from the memory 26. Subsequently, the random number generator 31 outputs the random number code generated by itself to the encryption processing unit 32 as the secret key 16. The encryption processing unit 32 encrypts 16 acquired from the random number generator 31 with the electronic key center key 23 to generate an electronic key registration code Cdk (initial registration electronic key encryption code generation step), and at the same time, the secret key 16 Is encrypted with the OBE center key 22 to generate the OBE registration code Ccr (initial control device encryption code generation step).

  When the in-vehicle device registration code Ccr is generated, the internal center 20 transmits the on-vehicle device registration code Ccr to the registration tool 19 as shown in step S125. When the registration tool 19 receives the on-vehicle device registration code Ccr, the registration tool 19 transfers the on-vehicle device registration code Ccr to the verification ECU 4 (initial registration electronic key encryption code distribution step, authentication key registration step). The onboard device registration code Ccr includes ciphertext data 62 and falsification detection code data 63. The ciphertext data 62 is constructed by a ciphertext obtained by inputting, as an encryption algorithm, the on-vehicle device center key 22 that is a key, and a plaintext composed of the secret key 16, the electronic key ID, and the on-vehicle device ID. Further, the falsification detection code data 63 is constructed by a code obtained by inputting the on-vehicle device center temp key 58 as a key and the above-described ciphertext data 62 as a plain text to a falsification detection algorithm.

  Further, when the internal center 20 generates the electronic key registration code Cdk, the electronic center registration code Cdk is transmitted to the registration tool 19 as shown in step S126. Upon receiving the electronic key registration code Cdk, the registration tool 19 transfers the electronic key registration code Cdk to the verification ECU 4. Upon receipt of the electronic key registration code Cdk, the verification ECU 4 transfers the electronic key registration code Cdk to the electronic key 2 (initial control device encryption code distribution step, authentication key registration step). This electronic key registration code Cdk is composed of ciphertext data using the electronic key center key 23. That is, the electronic key registration code Cdk is constructed by ciphertext obtained by inputting the electronic key center key 23 that is a key and the plaintext composed of the secret key 16, the vehicle-mounted device ID, and the electronic key ID to the encryption algorithm. Yes.

  When the verification ECU 4 receives the in-vehicle device registration code Ccr from the internal center 20, the verification ECU 4 decrypts the ciphertext data 62 in the in-vehicle device registration code Ccr as shown in step S127. That is, the vehicle-side decryption processing unit 39 passes the on-vehicle device registration code Ccr acquired from the internal center 20 through the on-vehicle device center key 22 written in the memory 15 of the verification ECU 4, thereby obtaining the on-vehicle device registration code Ccr. Decrypt.

  When the decryption in step S127 is completed, the verification ECU 4 authenticates the internal center 20 by executing falsification detection determination and in-vehicle device ID verification, as shown in step S128. That is, the vehicle-side registration code determination unit 40 authenticates the internal center 20 by confirming the decrypted data. The falsification detection determination is a type of authentication in which the verification ECU 4 itself obtains a falsification detection code and checks whether the received same code is correct or not, and checks whether there is an error in the falsification detection code included in the in-vehicle device registration code Ccr. Is. The on-vehicle device ID verification is verification for checking whether the on-vehicle device ID acquired by decrypting the on-vehicle device registration code Ccr with the on-vehicle device center key 22 is correct. The verification ECU 4 proceeds to the next step when confirming that both the falsification detection determination and the vehicle-mounted device ID verification are established, and returns to the start state and terminates the operation when confirming that these are not established.

  On the other hand, when receiving the electronic key registration code Cdk from the internal center 20, the electronic key 2 decrypts the electronic key registration code Cdk as shown in step S129. That is, the key-side decryption processing unit 47 passes the electronic key registration code Cdk acquired from the internal center 20 through the electronic key center key 23 written in the memory 11 of the electronic key 2, so that the electronic key registration code Cdk Is decrypted.

  When the decryption of step S129 is completed, the electronic key 2 performs the electronic key ID verification and authenticates the internal center 20 this time as shown in step S130. The electronic key ID verification is verification for checking whether the electronic key ID acquired by decrypting the electronic key registration code Cdk with the electronic key center key 23 is correct. When it is confirmed that the electronic key ID verification is established, the electronic key 2 proceeds to the next step, and when it is confirmed that the electronic key ID verification is not established, the electronic key 2 returns to the start state and ends the operation.

  When the verification ECU 4 confirms that the falsification detection determination and the vehicle-mounted device ID verification are established, the verification ECU 4 starts challenge response authentication using the secret key 16 in order to confirm whether the secret key 16 received from the internal center 20 is correct. At this time, the verification ECU 4 first transmits a third challenge to the electronic key 2 as shown in step S131. When the electronic key 2 receives the third challenge from the verification ECU 4, the electronic key 2 calculates the third challenge with its own secret key 16, and returns the calculation result to the verification ECU 4 as a third response as shown in step S132.

  When the verification ECU 4 receives the third response from the electronic key 2, the verification ECU 4 performs response verification by comparing the third response with the response calculated by itself using the secret key 16 as shown in step S133. That is, the vehicle-side registration code determination unit 40 authenticates the electronic key 2 by confirming whether the response verification is correct. The verification ECU 4 proceeds to the next step when confirming that the response verification is established, and forcibly terminates the operation when confirming that this verification is not established.

  When the verification ECU 4 confirms that the response verification is established in step S133, the verification tool 4 stores the ciphertext data 64 conforming to the vehicle-mounted device center temp key 58, as shown in step S134, to perform final confirmation of registration. To call. When receiving the ciphertext data 64, the registration tool 19 transfers the ciphertext data 64 to the verification ECU 4. The ciphertext data 64 is constructed by ciphertext obtained by inputting the on-vehicle device center temp key 58 and the plaintext composed of the on-vehicle device ID, the electronic key ID, and the electronic key authentication confirmation notification to the encryption algorithm. . The electronic key authentication confirmation notification is a notification issued by confirming the establishment of the response authentication in step S133. The registration tool 19 ends the registration mode when the ciphertext data 64 is transferred.

  When receiving the ciphertext data 64 from the verification ECU 4, the internal center 20 verifies the vehicle-mounted device ID included in the ciphertext data 64 and the electronic key authentication confirmed notification, as shown in step S135. That is, the ID pair registration unit 30 confirms whether or not the electronic key ID is registered in the verification ECU 4. When the ID pair registration unit 30 confirms that the verification in step S135 is established, the ID pair registration unit 30 stores the received vehicle-mounted device ID and the electronic key ID in the memory 26 as a pair. As a result, the in-vehicle device ID and the electronic key ID are paired and registered in the internal center 20. When the pair registration is completed, the internal center 20 ends the registration mode.

  When the verification ECU 4 confirms that the response verification is established in step S133, the verification ECU 4 stores the secret key 16 received from the internal center 20 in the memory 15 as shown in step S137, and also receives it from the electronic key 2 during registration. The electronic key ID is also registered in the memory 15. When the verification ECU 4 completes the registration of the secret key 16 and the electronic key ID in the memory 15, the verification ECU 4 ends the registration mode.

  Further, when the electronic key 2 confirms that the electronic key ID verification is established in step S130, as shown in step S138, the electronic key 2 stores the secret key 16 received from the internal center 20 in the memory 11 and at the time of registration, the verification ECU 4 The vehicle-mounted device ID received from is also registered in the memory 11. When the electronic key 2 completes the registration of the secret key 16 and the vehicle-mounted device ID in the memory 11, the registration mode ends.

  In this example, in order to register the secret key 16 in the vehicle 1, first, the writer 18 writes the vehicle-mounted device center key 22 in the vehicle 1 and also writes the electronic key center key 23 in the electronic key 2. . Then, the secret key 16 generated in the internal center 20 is encrypted by the on-vehicle device center key 22 previously taken in and converted into the on-vehicle device registration code Ccr, which is sent to the vehicle 1, and the same secret key 16 is further transferred. Is encrypted with the electronic key center key 23 previously taken in and converted into an electronic key registration code Cdk, which is sent to the electronic key 2. Then, the registration codes Ccr and Cdk are decrypted by each of the vehicle 1 and the electronic key 2, and the decrypted data is registered as the secret key 16.

  Therefore, in this example, when the secret key 16 is registered in the vehicle 1 and the electronic key 2, the writing device 18 and the internal center 20 cooperate with each other. Therefore, even if the secret key 16 is stolen, in this example, the keys 22 and 23 are obtained from the writer 18 and the registration codes Ccr and Cdk are not obtained from the internal center 20. No longer. Accordingly, since the theft of the secret key 16 is highly difficult to steal two pieces of information, the secret key 16 can be made difficult to be stolen.

  In this example, since the basic registration process is common, the initial registration system 17a is mainly described. However, the difference between the initial registration system 17a and the additional registration system 17b is as follows. Whether the registration tool 19 communicates with the internal center 20 or communicates with the external center 200. Therefore, the description of the additional registration system 17b is completed by replacing the internal center 20 with the external center 200, and thus the description is omitted. In the additional registration system 17b, wireless communication between the external center 200 and the internal center 20 is not necessary. Since the additional registration system 17b uses a wide area wireless communication network, it does not matter where the secret key 16 is distributed. For this reason, the registration work of the secret key 16 can be performed smoothly.

According to the configuration of the present embodiment, the following effects can be obtained.
(1) The internal center 20 performs wireless communication using the wide-area wireless communication network with the external center 200 periodically (here once a day), and performs registration work of the secret key 16 performed in the factory. Get the information you need. Therefore, it is not necessary to use the wide area wireless communication network for the registration work (initial registration work) of the secret key 16 performed in the factory. For this reason, the possibility that the secret key 16 is stolen by a third party is low. In addition, the internal center 20 has, for example, 1 of the vehicle 1 and the electronic key 2 manufactured in the manufacturing factory, and the number of the vehicle-mounted device center key 22 and the electronic key center key 23 stored in its own memory 26 through the wireless communication described above. The in-vehicle device center key 22 and the electronic key center key 23 are acquired so that the number corresponds to the number of weeks. For registration of the secret key 16 in the vehicle 1 and the electronic key 2, the vehicle-mounted device center key 22 and the electronic key center key 23 stored in the memory 26 of the internal center 20 are used. That is, when registering the secret key 16, communication with the outside of the manufacturing plant (external center 200) is not necessary. For this reason, even if the internal center 20 may not be able to acquire the vehicle-mounted device center key 22 and the electronic key center key 23 from the external center 200 due to the wide area wireless communication network becoming unstable, The private key 16 can be registered in the vehicle 1 and the electronic key 2 by using the acquired in-vehicle device center key 22 and the electronic key center key 23.

  (2) The onboard equipment registration code Ccr includes information encrypted by the onboard equipment center temp key 58 that is valid only once at the time of registration. For this reason, since the value of the on-vehicle device registration code Ccr changes every time it is registered, the on-vehicle device registration code Ccr can be made difficult to analyze, and consequently the anti-theft property of the secret key 16 can be increased. .

  (3) In order to register the private key 16 in the vehicle 1 and the electronic key 2, a challenge response is used between the vehicle 1 and the registration tool 19 and between the registration tool 19 and the internal center 20 using the registration tool 19. They must be established and switched to registration mode. Therefore, when registering the secret key 16, it is necessary to establish authentication to shift to the registration mode, so that it is possible to prevent unauthorized registration of the secret key 16.

  (4) After the secret key registration system 17 enters the registration mode, MAC authentication is performed by the internal center 20 and the registration tool 19 is authenticated, so that the illegal registration of the secret key 16 can be further prevented.

  (5) When the internal center 20 authenticates the vehicle 1 and the electronic key 2 that are registration destinations, abnormality ID verification is performed to check whether these IDs are included in the abnormality ID. Therefore, if the ID of the vehicle 1 or the electronic key 2 is an abnormal ID, that is, the ID of a stolen vehicle or an ID already registered in another vehicle, the secret key 16 cannot be registered. Can be made more difficult to occur.

(6) Since the onboard device registration code Ccr includes not only the ciphertext but also the falsification detection code, the onboard device registration code Ccr can be made resistant to unauthorized analysis.
(Second Embodiment)
Next, a second embodiment will be described with reference to FIGS. The second embodiment is different from the first embodiment in that the ID of the registration tool 19 is also managed, and the other basic parts are the same. Therefore, the same portions as those in the first embodiment are denoted by the same reference numerals, detailed description thereof is omitted, and only different portions are described.

  As shown in FIG. 12, when registering the private key 16 of the vehicle 1 and the electronic key 2, the private key registration system 17 of this example also confirms whether the information related to the registration work (registration work related information 65) is correct or not. The establishment of this authentication is also a condition for permitting registration. The registration work related information 65 includes, for example, a registration tool ID that each registration tool 19 has as a unique ID. The registration tool ID is an individual number assigned to each of the registration tools 19 when the registration tool 19 is manufactured.

  Further, the registration work related information 65 includes a serviceman ID that a serviceman who performs various actual registration works has as a unique ID. The serviceman ID is, for example, a registration number of an employee belonging to the management company of the secret key registration system 17. This serviceman ID is not limited to a simple registration number, and for example, authentication information may be added. The authentication information includes, for example, a password consisting of a series of alphanumeric characters registered in advance, or biometric information for performing personal authentication using a fingerprint or voice. In this example, the tool center key 27 is an individual key assigned to each of the registration tools 19. The service person corresponds to the worker.

  As shown in FIG. 13, the tool control unit 50 is provided with an ID registration management unit 66 that registers a registration tool ID and a serviceman ID in the registration tool 19. The ID registration management unit 66 performs ID registration by writing a registration tool or serviceman ID input by the input unit 52 or taken in by wireless communication in the memory 56. Further, when biometric authentication is included in the serviceman ID, the ID registration management unit 66 is configured to be able to acquire biometric information. The tool control unit 50 is provided with a registration work related information output unit 67 capable of transmitting the registration tool ID and serviceman ID registered in the registration tool 19 to the internal center 20.

  The internal center 20 is provided with a registration work related information verification unit 68 that verifies whether the registration work related information 65 (registration tool ID, serviceman ID) received from the registration tool 19 is correct. In addition, in the memory 26 of the internal center 20, the issued serviceman ID and registration tool ID are registered in advance. When the registration work related information verification unit 68 receives the registration tool ID and the serviceman ID as the registration work related information 65 from the registration tool 19, the registration work related information verification unit 68 receives the ID by checking whether the received ID exists in the memory 26. The registered tool ID and serviceman ID are authenticated.

  The memory 26 of the internal center 20 is provided with an abnormal tool ID database 69 for registering registered tool IDs that have been notified as abnormal. In the abnormal tool ID database 69, the tool ID registered for theft is registered as an abnormal ID. When the registration work-related information verification unit 68 acquires the registration tool ID, the registration work-related information verification unit 68 checks whether the received registration ID exists in the abnormal tool ID, thereby confirming the presence or absence of the abnormality ID.

  Registered in the memory 26 of the internal center 20 is a tool serviceman ID table 70 in which combinations of registration tool IDs and serviceman IDs are set. As shown in FIG. 14, the tool serviceman ID table 70 is a type of table that determines which number group serviceman ID corresponds to which number group registration tool ID. When the registration work related information verification unit 68 acquires the registration tool ID and the serviceman ID, the registration work related information verification unit 68 checks whether there is a combination abnormality of both IDs by checking whether or not the relationship satisfying the tool serviceman ID table 70 is taken. To do.

  As shown in FIG. 13, the internal center 20 has an electronic key vehicle-mounted device ID combination abnormality confirmation unit 71 that confirms the presence or absence of a combination abnormality between the electronic key ID and the vehicle-mounted device ID in authentication performed after entering the registration mode. Is provided. In the memory 26, an electronic key onboard equipment ID combination table 72 in which a combination to be taken by the electronic key ID and the onboard equipment ID is registered. As shown in FIG. 15, the electronic key vehicle-mounted device ID combination table 72 is a type of table that determines which number group of electronic key IDs corresponds to which number of vehicle-mounted device IDs. When the electronic key onboard device ID combination abnormality confirmation unit 71 acquires the electronic key ID and the onboard device ID, both IDs are obtained by checking whether these IDs satisfy the relationship satisfying the electronic key onboard device ID combination table 72. Check for any abnormal combinations.

Next, a procedure for registering the secret key 16 in the vehicle 1 and the electronic key 2 will be described with reference to FIG. In the flowchart of FIG. 16, only the parts different from the first embodiment are shown.
First, as a premise, the service person registers the service person ID in the registration tool 19 by, for example, manually inputting the input unit 52 of the registration tool 19 or taking in biometric authentication with a sensor provided in the registration tool. . The service center ID and registration tool ID are also registered in the internal center 20 in advance. This ID registration is executed by the ID registration management unit 66 of the registration tool 19.

  When the registration tool 19 inputs the vehicle-mounted device ID returned by the verification ECU 4 in response to the wired connection command, as shown in step S103a, the registration tool 19 transmits a registration request, a registration tool ID, and a serviceman ID. That is, the registration work related information output unit 67 reads the registration tool ID and the serviceman ID from the memory 56, and transmits them to the internal center 20 by intranet communication together with the registration request.

  The internal center 20 uses the reception of the registration request as a trigger to verify the registration tool ID and the serviceman ID ID as shown in step S103b. At this time, the registration work related information verification unit 68 first checks whether the received registration tool ID and serviceman ID are registered in the memory 26. Also, the registration work related information verification unit 68 refers to the abnormal tool ID database 69 and confirms whether the acquired registered tool ID is not an abnormal ID. Furthermore, the registration work related information verification unit 68 refers to the tool serviceman ID table 70 to confirm whether or not the acquired registration tool ID and serviceman ID have a correct combination. When the registration work related information verification unit 68 confirms that all of these verifications are established, the process proceeds to step S104 and the process is continued. If even one verification is not established, the operation is forcibly terminated.

  Moreover, the internal center 20 also confirms the combination abnormality of electronic key ID and onboard equipment ID in the case of abnormality ID verification shown to step S123. That is, the electronic key vehicle-mounted device ID combination abnormality confirmation unit 71 refers to the electronic key vehicle-mounted device ID combination table 72 to confirm whether or not the acquired electronic key ID and vehicle-mounted device ID have a correct combination. In step S123, when it is confirmed that there is no abnormal combination of both IDs in the abnormal ID verification, the registration process is continued.

According to the configuration of the present embodiment, in addition to the effects described in (1) to (6) of the first embodiment, the following effects can be obtained.
(7) Since the registration condition of the registration tool ID and the serviceman ID is included in the execution condition for registering the secret key 16, unauthorized registration of the secret key 16 can be further prevented.

  (8) When registering the secret key 16, the combination of the registration tool ID and the serviceman ID is confirmed, and the registration of the secret key 16 is permitted on the condition that there is no abnormality in this combination. For this reason, when the combination of these IDs is inappropriate, the registration of the secret key 16 is not permitted, so that the illegal registration of the secret key 16 can be further prevented.

Note that the embodiment is not limited to the configuration described so far, and may be modified as follows.
In the first and second embodiments, communication between the internal center 20 and the external center 200 is not limited to a wide area wireless communication network (for example, the Internet), but various communication formats such as using a dedicated communication line. Can be adopted.

  In the first and second embodiments, the internal center 20 determines that the number of the vehicle-mounted device center key 22 and the electronic key center key 23 stored in the memory 26 is one week of the planned vehicle 1 and electronic key 2. The on-board device center key 22 and the electronic key center key 23 are acquired from the external center 200 so that the number of manufactured parts is equal to the number of minutes, but the number of acquisition is not limited to one week. That is, the internal center 20 is configured so that the number of the vehicle-mounted device center key 22 and the electronic key center key 23 stored in the memory 26 is larger than the planned number of vehicles 1 and electronic keys 2 manufactured. The in-vehicle device center key 22 and the electronic key center key 23 may be acquired from 200. In this way, even when communication between the internal center 20 and the external center 200 becomes unstable, the vehicle-mounted device center key 22 and the electronic key center key 23 stored in the memory 26 can be used to Since the private key 16 can be registered in the electronic key 1 and the electronic key 2, it is not necessary to stop the production line.

  In the first and second embodiments, network communication between the registration tool 19 and the internal center 20 is not limited to intranet communication or the like, and various communication formats can be employed. Also, the communication frequency can be changed as appropriate.

In the first and second embodiments, the communication between the registration tool 19 and the internal center 20 may be performed via the communication device 34 of the vehicle 1.
In the first and second embodiments, the calculation formula used when creating the tool center temp key 57 and the vehicle-mounted device center temp key 58 is not necessarily limited to the hash function, and other functions and ciphers can be used. .

  -In 1st and 2nd embodiment, the authentication performed when the private key registration system 17 enters registration mode is not necessarily limited to establishment of challenge response authentication, You may employ | adopt another authentication system.

In the first and second embodiments, the first to third challenge response authentications are not limited to different keys used, and the same key may be used between them.
In the first and second embodiments, the authentication executed in step S123 is not necessarily limited to MAC authentication, and other authentication may be employed.

-In 1st and 2nd embodiment, various encryption formats, such as AES and DES, are employable as an encryption system used when producing | generating a ciphertext.
In the first and second embodiments, the condition for the system to enter the registration state is not necessarily limited to that everyone can confirm the correctness of all members. For example, a predetermined one can confirm the correctness of another predetermined one. That is, you may employ | adopt the format confirmed with arbitrary combinations.

  In the first and second embodiments, the electronic key registration code Cdk is not limited to being composed only of ciphertext, and may have a falsification detection code such as the onboard device registration code Ccr.

  In the first and second embodiments, the registration codes Ccr and Cdk are not necessarily limited to data consisting of ciphertext and falsification detection code, or data consisting only of ciphertext. In short, the contents of the registration codes Ccr and Cdk are not particularly limited as long as they are encrypted (encoded).

  -In 1st and 2nd embodiment, a restriction | limiting key is not necessarily limited to being an onboard equipment center temp key, The point will not be ask | required in particular if it is a key effective only at the time of one registration. .

In the first and second embodiments, the communication partner authentication executed before entering the registration mode is not necessarily limited to challenge response authentication, and other authentication formats can be adopted.
-In 2nd Embodiment, ID authentication does not necessarily look at the correctness of both tool ID and serviceman ID, For example, you may employ | adopt the form which looks at only one.

In the second embodiment, the ID related to the worker is not necessarily limited to the serviceman ID assigned to each serviceman, but may be any information that can be distinguished by the worker.
-In 1st and 2nd embodiment, the onboard equipment registration key should just be a key registered by the vehicle 1 and the internal center 20 as the name of the onboard equipment center key 22 shared. This also applies to the electric key registration key.

  In the first and second embodiments, the writing operation by the writing device 18 is not necessarily limited to wired, and may be performed wirelessly. In addition, this writing operation is not necessarily executed on the production line, and may be executed at any time. This also applies to the registration of the registration codes Ccr and Cdk by the internal center 20.

  -In 1st and 2nd embodiment, the onboard equipment center key 22 and the electronic key center key 23 are produced | generated in a manufacturing factory, and it is separately acquired by the external center 200, and the external center 200 is the onboard equipment center. The key 22 and the electronic key center key 23 are stored, but the reverse may be possible. That is, the external center 200 generates the vehicle-mounted device center key 22 and the electronic key center key 23, distributes the generated keys to the manufacturing factory in advance, and the manufacturing factory sends the distributed key to the electronic key 2 and the verification ECU 4. Write. Even when configured in this manner, the same effects as those of the above-described embodiment can be obtained.

Next, the thoughts recalled from each of the embodiments and the other examples will be added.
(A) In the electronic key registration method according to any one of claims 8 to 10, in the case of each authentication after the registration mode, if the communication partner ID is included in the abnormality ID, the authentication is performed. An electronic key registration method characterized by disabling establishment of

  According to this configuration, if the abnormal ID includes the initial registration and additional registration key registration destination initial registration and additional registration electronic keys, and the ID of the control device, the authentication is not established. Therefore, the initial authentication key and the additional authentication key cannot be registered. Therefore, it is possible to further prevent unauthorized registration of the initial authentication key and the additional authentication key. The abnormal ID refers to an ID that cannot be recognized as authentication establishment, such as an ID registered for theft or an already registered ID.

  (B) In the electronic key registration method according to any one of claims 8 to 10 or (a) above, various IDs acquired when registering the initial authentication key or the additional authentication key are An electronic key registration method, wherein the authentication is not permitted when a predetermined combination is not taken.

  According to this configuration, since there is no abnormality in the combination of IDs as a condition for registration execution, it is possible to further prevent unauthorized registration of the initial authentication key or the additional authentication key.

  DESCRIPTION OF SYMBOLS 1 ... Vehicle, 2 ... Electronic key, 3 ... Electronic key system, 4 ... Collation ECU, 5 ... Main body ECU, 9 ... Communication control part, 10 ... CPU, 11, 15 ... Memory, 16 ... Secret key, 17 ... Secret Key registration system, 17a ... initial registration system, 17b ... additional registration system, 18 ... writer, 19 ... registration tool, 20 ... internal center, 22 ... onboard unit center key, 23 ... electronic key center key, 24 ... onboard Center key writing unit, 25 ... Electronic key center key writing unit, 28 ... Center side registration mode switching unit, 29 ... Center side communication partner authentication unit, 31 ... Random number generator, 32 ... Encryption processing unit, 33 ... Registration code output unit, 35 ... Vehicle side registration mode switching unit, 36 ... Vehicle side communication partner authentication unit, 38 ... Onboard unit registration code acquisition unit, 39 ... Vehicle side decoding processing unit, 40 ... Vehicle side registration code determination 41: Vehicle side secret key registration unit, 43 ... Key side registration mode switching unit, 44 ... Key side communication partner authentication unit, 46 ... Electronic key registration code acquisition unit, 47 ... Key side decryption processing unit, 48 ... Key Side registration code determination unit, 49 ... key side secret key registration unit, 54 ... tool side registration mode switching unit, 55 ... tool side communication partner authentication unit, 58 ... vehicle equipment center temp key as a restriction key, 61 ... abnormal ID database , 68 ... Registration work related information verification unit, 69 ... Abnormal tool ID database, 70 ... Tool serviceman ID table, 71 ... Electronic key OBE ID combination abnormality confirmation unit, 73 ... Electronic key OBE ID combination table, 200 ... External Center, Ccr ... OBE registration code, Cdk ... Electronic key registration code.

Claims (9)

The two electronic keys used in the electronic key system that can control the communication target on condition that the initial registration electronic key or the additional registration electronic key is authenticated and the communication target is established. In the electronic key registration method for registering in the device,
The electronic key identification information for initial registration and the electronic key encryption key for initial registration, which are different for each electronic key stored in advance in an external center for storing the two electronic keys and various information of the control device, An initial registration electronic key manufacturing step stored in the registration electronic key;
Additional registration electronic key manufacturing step in which the unique electronic key identification information for additional registration and the additional registration electronic key encryption key that are different for each electronic key stored in advance in the external center are stored in the additional registration electronic key When,
A control device manufacturing step in which unique control device identification information and a control device encryption key that are different for each control device stored in advance in the external center are stored in the control device;
The initial registration electronic key identification information, the initial registration electronic key encryption key, the control device identification information, and the control device encryption key are sent from the external center to the initial registration electronic key. An information distribution step that is pre- distributed to an internal center provided in the factory to be registered;
Generating an initial authentication key used for the authentication of the initial registration electronic key and the control device, and storing the initial authentication key in the internal center; and
An initial authentication key registration step of distributing the initial authentication key from the internal center to at least one of the initial registration electronic key and the control device via an internal network that is a dedicated information communication network in the factory;
Generating an additional authentication key used for the authentication of the additional registration electronic key and the control device, and storing the additional authentication key in the external center; and
An additional authentication key registration step of distributing the additional authentication key from the external center to at least one of the additional registration electronic key and the control device via an external network that is an information communication network inside and outside the factory. The electronic key registration method characterized by the above-mentioned. The electronic key registration method according to claim 1 ,
An initial control device encryption code generation step in which the initial authentication key is encrypted with the control device encryption key to be converted into an initial control device encryption code, and the initial control device encryption code is sent to the control device. An initial control device encryption code distribution step for distribution;
An additional control device encryption code generation step in which the additional authentication key is encrypted with the control device encryption key to be converted into an additional control device encryption code, and the additional control device encryption code is sent to the control device. An electronic key registration method comprising: at least one of an additional control device encryption code distribution step for distribution. The electronic key registration method according to claim 1 or 2 ,
An initial registration electronic key encryption code generating step for converting the initial authentication key into an initial registration electronic key encryption code by being encrypted with the initial registration electronic key encryption key, and the initial registration electronic An electronic key encryption code distribution step for initial registration for distributing a key encryption code to the electronic key for initial registration;
An additional registration electronic key encryption code generating step for converting the additional authentication key into an additional registration electronic key encryption code by being encrypted with the additional registration electronic key encryption key, and the additional registration electronic An electronic key registration method comprising: at least one of an additional registration electronic key encryption code distribution step of distributing a key encryption code to the additional registration electronic key. The electronic key registration method according to claim 1 or 2 ,
An electronic key registration method, wherein the initial registration electronic key encryption key is the initial authentication key, and the additional registration electronic key encryption key is the additional authentication key. The electronic key registration method according to claim 1 or 3 ,
An electronic key registration method using the control device encryption key as the initial authentication key and the additional authentication key. In the electronic key registration method according to any one of claims 1 to 5 ,
An electronic key registration method using a restriction key that can be used only once at the time of registration of the initial authentication key and additional authentication key for encryption and decryption of the initial authentication key and additional authentication key. In the electronic key registration method according to any one of claims 1 to 6 ,
Before the control device, the two electronic keys, and the internal center enter the registration mode, communication partner authentication is performed to confirm the correctness of each other's communication partner. The electronic key registration method is characterized in that the registration mode is capable of registering the initial authentication key and the additional authentication key. In the electronic key registration method according to any one of claims 1 to 7 ,
After the control device, the initial registration electronic key, and the internal center all enter the registration mode, before the actual registration operation, the control device, the initial registration electronic key, and the internal center are authenticated. After the control device, the additional registration electronic key, and the external center all enter the registration mode, the control device, the additional registration electronic key, and the external center are authenticated before an actual registration operation. And an electronic key registration method characterized by performing at least one of the following. In the electronic key registration method according to any one of claims 1 to 8 ,
At least one of the initial authentication key and the additional authentication key is authenticated on the condition that at least one of a registration tool which is an operation terminal for performing the registration and an operator who performs the registration work is authenticated and the authentication is established. The electronic key registration method is characterized in that registration of the electronic key is permitted.