JP6151125B2 - Vehicle network system - Google Patents

Description

  Embodiments described herein relate generally to a vehicle network system.

  In recent years, a service for connecting crew members to a vehicle network has been implemented on railway vehicles. This vehicle network is beneficial because it improves the work efficiency of the crew. For example, it becomes possible for a conductor to sell a ticket using a vehicle network, or to adjust the air conditioning in a vehicle on which the passenger has boarded.

  Thus, in addition to using a vehicle network for crew members, a vehicle network may be used for passenger services. For example, an internet connection service for passengers by a wireless LAN is performed in a train using a vehicle network.

  In this way, when using a vehicle network for passenger services, the network area used by crewmembers includes data important for operation and information for control, so a network for general passengers and a network used by railway operators are used. A physical separation method is used. However, it is preferable to use the same equipment as much as possible for effective use of network resources. For example, network resources can be used effectively if the network area used by the crew and the network area used by passengers can be distinguished while sharing the wireless LAN equipment in the train.

  In order to configure such a network, it is sufficient to perform access control by authentication for network areas that can only be used by crew members, and to perform control that allows only regular crew members to connect. Such a system is realized by a general network system.

JP 2007-241383 A

  However, the network in a railway vehicle has the following peculiar circumstances as compared with a general network.

(1) It is a moving body.
(2) Stops at night and turns off and becomes unattended.
(3) Since the control device is mounted on a railway vehicle, an on-board computer in which the small size and the environment resistance are emphasized is the mainstream, and the transaction processing amount is limited.

  The following problems occur due to these unique circumstances in a railway vehicle.

  When an authentication device and authentication data for performing authentication are mounted on a vehicle, there is a possibility that the vehicle is invaded at night and the authentication data is stolen. Even if a single-use password such as a one-time password is adopted, a program for generating this one-time password is implemented in the authentication device, so that the program for generating this one-time password leaks. There is a fear.

  Even if nighttime intrusion into the vehicle can be prevented, if authentication data for all crew members is installed in the vehicle, the processing capacity of the control device mounted on the railway vehicle is generally low, so authentication takes time. End up.

  Further, since it is necessary to perform maintenance of authentication data for each vehicle, and the work needs to be performed for all vehicles, the labor cannot be ignored. Therefore, a method of updating the authentication data of the authentication device of the corresponding train when a crew member who is only in the corresponding train is on board can be considered. In this case, there is a possibility that the authentication data may be lost when the crew member carries it. Furthermore, it is necessary to permit the temporary crew to update the authentication data, and there is a concern that security may be lowered due to an increase in the frequency of access to the authentication data for updating.

  On the other hand, when an authentication device and authentication data are installed on the ground side and a method of authenticating by wireless communication with the ground side is adopted, when an authentication device and authentication data for performing the above authentication are mounted on a vehicle However, while wireless connection is disabled, such as when passing through a tunnel, authentication cannot be performed and availability is reduced.

  The problem to be solved by the present invention is to provide a vehicle network system in which authentication data maintenance work is easy, availability is not lowered even during movement, and leakage or loss of authentication data can be prevented.

The vehicle network system of the embodiment includes an on-vehicle network system and a ground network system. The on-vehicle network system includes a first network and a second network provided on the vehicle, and is provided on the vehicle between the first network and the second network, and the second network via the second network. A gateway device that performs access control to the network of 1 and an on-vehicle authentication device that is provided on the vehicle and that determines permission / denial of access to the first network from a terminal device connected to the second network; And an on-vehicle wireless device that is provided on the vehicle and is connected to the on-vehicle authentication device and communicates with the ground side. The terrestrial network system is provided on the ground side, a third network provided on the ground side, provided on the ground side, connected to the third network, and communicated with the on-board wireless device, and provided on the ground side. A ground authentication device that determines permission / non-permission of access to the first network from a terminal device connected to the second network. Onboard authentication device, or a vehicle vehicle on the vehicle authentication device is mounted is traveling, depending on whether it is parked on one of the station, from a terminal connected to the second network It is determined whether the on-vehicle authentication device or the ground authentication device determines whether to permit / deny access to the first network. The gateway device controls the access from the second network to the first network when permission is determined by the on-board authentication device or the ground authentication device. 1 is controlled so as not to access the network.

FIG. 1 is a diagram illustrating a configuration of a vehicle network system according to the first embodiment. FIG. 2 is a block diagram illustrating a configuration of the on-board authentication device according to the first embodiment. FIG. 3 is a block diagram illustrating a configuration of the ground authentication apparatus according to the first embodiment. FIG. 4 is a flowchart for explaining an operation outline of the first embodiment. FIG. 5 is a diagram illustrating an example of a determination signal generation device and a device that is a source of the input signal. FIG. 6 is a flowchart for explaining the operation of the on-board authentication device of the first embodiment. FIG. 7 is a flowchart for explaining the operation of the ground authentication apparatus according to the first embodiment. FIG. 8 is a block diagram illustrating a configuration of the on-vehicle authentication device according to the second embodiment. (Claim 3-4) FIG. 9 is a flowchart for explaining the operation of the authentication data storage unit in the second embodiment. FIG. 10 is a block diagram illustrating a configuration of the on-vehicle authentication device according to the third embodiment. (Claim 5-6) FIG. 11 is a block diagram illustrating a configuration of the ground authentication apparatus according to the third embodiment. FIG. 12 is a flowchart for explaining an outline of the operation of the third embodiment. FIG. 13 is a diagram illustrating an example of authentication data stored in the authentication data storage unit of the third embodiment. FIG. 14 is a diagram illustrating an example of a lease record in the authentication data lease management unit of the third embodiment. FIG. 15 is a diagram illustrating an example of a train number reading method according to the third embodiment. FIG. 16 is a diagram illustrating another example of a train number reading method according to the third embodiment. FIG. 17 is a block diagram illustrating a configuration of an authentication data lease management unit of the ground authentication apparatus according to the third embodiment. FIG. 18 is a flowchart for explaining the operation of the on-board authentication device in the third embodiment. FIG. 19 is a flowchart for explaining the operation of the ground authentication apparatus according to the third embodiment.

(First embodiment)
First, the vehicle network system of 1st Embodiment is demonstrated with reference to drawings. FIG. 1 is a diagram illustrating a configuration of a vehicle network system according to the first embodiment.

  The vehicle network system according to this embodiment includes a ground network system 1 and an on-vehicle network system 2. The terrestrial network system 1 and the on-vehicle network system 2 are connected by wireless communication using the terrestrial wireless device 8 and the on-vehicle wireless device 9.

  The ground network system 1 includes a ground network 5, a ground authentication device 6, a ground authentication data device 7, a ground wireless device 8, and a terminal device 12. The terrestrial radio device 8 is preferably installed at least at each station.

  The on-vehicle network system 2 includes an in-vehicle closed network 3 and an in-vehicle open network 4, an on-vehicle wireless device 9, an on-vehicle authentication device 10, a gateway device 11, a terminal device 12, and a determination signal generation device 13. .

  The terminal device 12 can be connected to each of the in-vehicle closed network 3, the in-vehicle open network 4, and the ground network 5. However, authentication is required to connect to the in-vehicle closed network 3.

  In the present embodiment, as a wireless communication method between the terrestrial wireless device 8 and the on-vehicle wireless device 9, for example, a spread spectrum method or the like can be adopted, and encryption is performed at the time of communication. Further, Ethernet (registered trademark) or the like can be adopted as a communication system between each network of the ground network 5, the in-vehicle closed network 3, and the in-vehicle open network 4, and each network and each device. The in-vehicle open network 4 can be connected to an external network (for example, the Internet) by wireless communication not shown in the figure.

  The ground authentication device 6 and the ground authentication data device 7 can be configured using an information processing device such as a server. The on-board authentication device 10 and the gateway device 11 use an information processing device such as an on-board computer. Can be configured. Other devices in the terrestrial network system 1 and the on-vehicle network system 2 can be configured using known network devices.

  FIG. 2 shows the configuration of the on-board authentication device 10.

  The on-board authentication apparatus 10 includes a message processing unit 101, an authentication determination unit 102, an authentication data storage unit 103, a determination processing unit 104, an authentication result recording unit 105, and an authentication data reading unit 106.

  The message processing unit 101 performs a transfer process of a message exchanged with the terminal device 12, permits / denies on-board authentication, and permits ground authentication according to the determination signal from the determination signal generation device 13. / Determine non-permission (described later).

  The authentication data reading unit 106 can be connected to the authentication data setting terminal 14 which is an external device by wireless or wired, reads the authentication data from the authentication data setting terminal 14, and stores the read authentication data in the authentication data storage unit 103. Set to. The authentication data used here is, for example, a user ID and a password.

  The authentication determination unit 102 sends the authentication request message by comparing the authentication data included in the authentication request message with the authentication data stored in the authentication data storage unit 103 and determining whether or not they match. The terminal device 12 is authenticated and the success / failure is determined.

  Based on the authentication result by the authentication determination unit 102, the determination processing unit 104 creates a message indicating successful authentication and transmits the message to the gateway device 11 via the message processing unit 101. On the other hand, in the case of authentication failure, the authentication request message of the corresponding terminal device 12 is substantially discarded because the determination processing unit 104 does not create an authentication success message and does not return the message to the gateway device 11. It will be.

  The authentication result recording unit 105 records the authentication result by the authentication determination unit 102 as a log. The authentication result recording unit 105 is configured to return the stored authentication result via the message processing unit 101 in response to a specific request from the authenticated terminal device 12 or the like. It can be referred from.

  FIG. 3 shows the configuration of the ground authentication apparatus 6.

  The ground authentication device 6 includes a message processing unit 61, an authentication determination unit 62, a determination processing unit 63, and an authentication result recording unit 64.

  The message processing unit 61 performs a transfer process for messages exchanged with the vehicle upper side device via the ground network 5 and the ground wireless device 8.

  The authentication determination unit 62 inquires of the external ground authentication data device 7 in which the authentication data is registered about the authentication data, and the authentication request message transmitted from the authentication data of the ground authentication data device 7 and the vehicle upper side. The authentication is performed by comparing the authentication data included in the data and determining whether the data matches or does not match, and the success / failure is determined.

  Based on the authentication result by the authentication determination unit 62, the determination processing unit 63 creates an authentication success message when the authentication is successful. The message processing unit 61, the ground network 5, the terrestrial wireless device 8, the on-vehicle wireless device 9, And it transmits to the gateway apparatus 11 on a vehicle via the on-vehicle authentication apparatus 10.

  The authentication result recording unit 64 records the authentication result by the authentication determination unit 62. Further, the authentication result recording unit 64 sends the stored authentication result to the message processing unit 61 in response to a specific request from an external device (for example, the terminal device 12 connected to the terrestrial network 5) via the terrestrial network 5. The authentication result can be referred to from an external device.

  The terminal device 12 is a portable information processing device. In the initial state, the terminal device 12 can be connected to the in-vehicle open network 4, but cannot be connected to the in-vehicle closed network 3 by the gateway device 11. However, authentication request message communication to the gateway device 11 is possible. In order to connect to the in-vehicle closed network 3, the terminal device 12 makes an authentication request by transmitting an authentication request message including authentication data to the gateway device 11.

  The gateway device 11 is a VPN (Virtual Private Network) device or the like serving as a gateway switch, and receives an authentication request message from the terminal device 12 after constructing an encrypted virtual transmission path with the terminal device 12. The authentication request message is transmitted to the on-board authentication device 10 connected to the gateway device 11. The in-vehicle closed network 3 and the in-vehicle open network 4 are logically separated by the barrier device 11, but physically share resources.

  In the on-board authentication device 10, in response to the authentication request message from the gateway device 11, the message processing unit 101 determines whether authentication can be performed by the on-board authentication device 10 and the ground authentication device 6 according to the vehicle situation. Depending on the result, the on-board authentication device 10 or the ground authentication device 6 performs authentication processing. Hereinafter, the outline of the operation will be described with reference to FIG.

  If the message processing unit 101 determines that the on-board authentication device 10 can perform authentication according to the vehicle status (Yes in step S101), the authentication determination unit 102 performs authentication. When it is determined that the authentication is OK (Yes in Step S102), the gateway device 11 allows the terminal device 12 that has requested the authentication to connect to the in-vehicle closed network 3 (Step S103).

  On the other hand, when it is determined that authentication cannot be performed by the on-board authentication device 10 (No in step S101), or it is determined that authentication can be performed by the on-board authentication device 10 (Yes in step S101), the on-board authentication device 10 When authentication is performed and it is determined No in this authentication (No in Step S102), the message processing unit 101 further determines whether authentication can be performed by the ground authentication device 6 (Step S104).

  Here, when it is determined that authentication can be performed by the ground authentication device 6 (Yes in Step S104), the message processing unit 101 transfers the authentication request message to the ground authentication device 6, and the authentication determination unit of the ground authentication device 6 62 performs authentication. If it is determined that the authentication is OK (Yes in step S105), the gateway device 11 allows the terminal device 12 that has requested the authentication to connect to the in-vehicle closed network 3 (step S103).

  On the other hand, if it is determined that the ground authentication device 6 cannot perform authentication (No in step S104), or it is determined that the ground authentication device 6 can perform authentication, the ground authentication device 6 performs authentication. When it is determined No (No in Step S105), the gateway device 11 disables connection to the in-vehicle closed network 3 with respect to the terminal device 12 that has requested authentication (Step S106).

  By the way, in this embodiment, the message processing unit 101 is configured to determine whether or not the on-board authentication device 10 and the ground authentication device 6 can perform authentication according to the vehicle situation. In order for the message processing unit 101 to make this determination, the determination signal generator 13 generates a determination signal. Specifically, the determination signal generation device 13 indicates a vehicle state, such as a vehicle travel state, a travel distance, a time, arrival at a terminal station, a communication state with the ground, an ATO (Automatic Train Operation) signal, a door open / close state, A determination signal is generated on the basis of information including any one of the ON / OFF state of the cab key, the operation plan, the command from the ground, the destination guidance, or a combination thereof.

  FIG. 5 shows a determination signal generation device 13 and a device that is a source of the input signal.

  The determination signal generation device 13 includes a determination unit 131 and a determination policy 132. Information indicating the vehicle status is input to the determination unit 131 constantly or periodically. Specifically, from the monitor system 30 that monitors each part in the vehicle, speed information by the speed generator 22, travel distance information by the distance calculation unit 23, opening / closing state of the door 20, and information on the state of the cab key 21 To get. Further, from the ATO system 31, station stop information is acquired by stop signal information from the ground unit 24, particularly the P4 ground unit. The current time information is acquired from the timer 25, and the operation plan 28 is acquired from the operation management system 29. In addition, information such as destination guidance is acquired from the in-house guidance system 26, and information such as current position information is acquired from the ground system 27. By using these pieces of information, the determination unit 131 can know the current vehicle situation.

  In the determination policy 132, the determination unit 131 determines whether authentication on the on-board authentication device 10 can be performed and whether authentication on the ground authentication device 6 is possible based on the information indicating the vehicle status. Judgment criteria (conditions for permitting on-vehicle authentication and ground authentication) are set.

  In the determination signal generation device 13 configured as described above, the determination unit 131 compares the input information indicating the vehicle situation with the policy of the determination policy 132, and permits / disallows on-board authentication and ground authentication. The result is sent to the message processing unit 101 of the on-board authentication device 10 as a judgment signal. The message processing unit 101 determines permission / denial of on-board authentication and ground authentication based on the determination signal.

  Here, the determination policy 132 will be described in more detail.

  The determination policy 132 basically has a policy that permits both on-board authentication and ground authentication while the station is stopped, but gives priority to ground authentication, and otherwise permits only on-board authentication. . In order for the determination unit 131 to determine permission / non-permission of on-board authentication and ground authentication based on such a determination policy 132, it is necessary to distinguish between the state where the station is stopped and other states as vehicle conditions.

  In order to recognize that the vehicle is stopped at the station, it is only necessary to determine that the vehicle is stopped at the station platform. For example, the determination unit 131 acquires a signal from the speed generator 22 from the monitor system 30 and determines whether the vehicle is stopped. In addition, the determination unit 131 acquires the travel distance calculated by the distance calculation unit 23 and the stop signal information by the P4 ground unit via the ATO system 31, and whether or not the current stop position is a station based on the operation plan information. Determine. In addition, since the door 20 is open only when the station is stopped during business, the determination unit 131 obtains the open / closed state of the door 20 from the monitor system 30 and if the door 20 is open. It can be determined that the station stops. Alternatively, the determination unit 131 can acquire the station arrival scheduled time from the operation management system 29 to which the operation plan 28 is input, and determine the stop at the station from the time information. In order to determine that the vehicle is stopped at the station platform, any of these methods may be used, or a combination thereof may be used.

  Further, as a policy of the determination policy 132, on-board authentication and ground authentication may not be permitted when a crew member is not on board. For example, the determination unit 131 obtains the ON / OFF state of the cab key 21 from the monitor system 30 and determines that the crew member is not on the vehicle when OFF. Alternatively, the determination unit 131 acquires the operation plan 28 from the operation management system 29, and determines that the crew is not currently on board in comparison with the current time. In this case, it is determined that neither on-vehicle authentication nor ground authentication is possible according to the policy, and the authentication request message from the terminal device 12 is discarded without performing both on-vehicle authentication and ground authentication.

  Next, details of the operation of the on-board authentication device 10 will be described using the flowchart of FIG.

  When receiving a message from the outside (step S201), the message processing unit 101 determines whether it is an authentication request message (step S202).

  If it is an authentication request message (Yes in step S202), the message processing unit 101 determines whether authentication can be performed by the on-board authentication device based on the determination signal from the determination signal generation device 13 (step S203). ). If it is determined that authentication by the on-board authentication device is possible (Yes in step S203), the content (authentication data) of the authentication request message is transmitted to the authentication determination unit 102 for authentication. If the authentication is successful (Yes in step S204), the authentication result is recorded in the authentication result recording unit 105 (step S205). Further, the determination processing unit 104 generates an authentication success message, and sends this message to the gateway device 11 via the message processing unit 101 (step S206).

  When the gateway device 11 receives the authentication success reply message from the on-board authentication device 10, the gateway device 11 changes the access control so that the terminal device 12 can connect to the in-vehicle closed network 3, and sends the authentication success reply message to the terminal device 12. Send to.

  On the other hand, if the authentication by the on-board authentication device 10 fails (No in step S204), the authentication result recording unit 105 records the authentication result (step S207), and the process proceeds to step S208. Also in the above-described step S203, when the on-board authentication device cannot perform authentication (No in step S203), the process proceeds to step S208. In step S208, the message processing unit 101 determines whether authentication by the ground authentication device 6 is possible based on the determination signal from the determination signal generation device 13.

  If the ground authentication cannot be performed (No in step S208), the message processing unit 101 discards the authentication request message (step S209). In this case, the gateway device 11 remains in the original access control (initial state), and a state where the terminal device 12 cannot be connected to the in-vehicle closed network 3 is maintained. On the terminal device 12 side, a timeout occurs after a lapse of a certain time, and processing is performed assuming that authentication has failed.

  On the other hand, if the authentication by the ground authentication device 6 is possible (Yes in step S208), the corresponding authentication request message received by the message processing unit 101 is transmitted to the on-board wireless device 9, the ground wireless device 8, and the ground network 5. Then, the data is transferred to the ground authentication device 6 (step S210). The subsequent authentication by the ground authentication device 6 is an operation at the time of authentication by the ground authentication device 6 described later.

  If the message received by the message processing unit 101 is not an authentication request message (No in step S202), it is determined whether this message is a reply message addressed to the gateway device 11 from the ground authentication device 6 (step S211). If this message is a reply message addressed to the gateway device 11 (Yes in step S211), the message processing unit 101 transfers the message to the gateway device 11 (step S212), and otherwise (No in step S211). Then, other processing such as management is performed corresponding to the message (step S213). When the gateway device 11 receives a reply message addressed to itself (authentication success reply message from the ground authentication device 6), the gateway device 11 changes the access control so that the terminal device 12 in the vehicle can connect to the closed network 3 in the vehicle. The authentication success reply message is sent to the terminal device 12. Then, when the series of processing ends, the process returns to step S201.

  Next, details of the operation of the ground authentication apparatus 6 will be described using the flowchart of FIG.

  When the message processing unit 61 of the ground authentication device 6 receives the message transferred from the on-board authentication device 10 (step S301), it determines whether the message is an authentication request message (step S302). If the received message is an authentication request message (Yes in step S302), the content (authentication data) of the authentication request message is transmitted to the authentication determination unit 62 for authentication. If the authentication is successful (Yes in step S303), the determination processing unit 63 generates an authentication success reply message, and the message processing unit 61, the ground authentication device 6, the ground wireless device 8, and the onboard The information is sent to the gateway device 11 on the vehicle via the wireless device 9 and the on-vehicle authentication device 10 (step S304). Then, the authentication result recording unit 64 records the authentication result (step S306), and the process returns to step S301.

  When the gateway device 11 receives the authentication success reply message from the on-board authentication device 10, the gateway device 11 changes the access control so that the terminal device 12 can connect to the in-vehicle closed network 3, and sends the authentication success reply message to the terminal device 12. Send to.

  On the other hand, if the authentication determination unit 62 fails authentication (No in step S303), the message processing unit 61 discards the authentication request message (step S305), and the authentication result recording unit 64 records the authentication result. (Step S306), the process returns to Step S301. In this case, the gateway device 11 remains in the original access control (initial state), and a state where the terminal device 12 cannot be connected to the in-vehicle closed network 3 is maintained. On the terminal device 12 side, a timeout occurs after a lapse of a certain time, and processing is performed assuming that authentication has failed.

  If the received message is not an authentication request message in step S302 described above (No in step S302), other processing corresponding to the message is performed (step S307).

  Since the vehicle network system of the present embodiment has such a mechanism, only crew members who are authentication targets can be connected to the in-vehicle closed network 3 necessary for railway operation. In addition, since there is an authentication device on the vehicle, authentication can be performed even when communication with the ground side is not possible. Further, even if there is no authentication data required for the on-board authentication device, if communication with the ground is possible, authentication can be performed using the ground authentication device. For example, temporary in-vehicle inspection work, baggage confirmation, ticket sales, and the like by station staff who are stopped at the station can be performed via the in-vehicle closed network 3. Further, since there is no passenger getting on and off during traveling, only the corresponding crew member can be connected to the in-vehicle closed network 3, and unauthorized network connections other than the corresponding crew member can be eliminated. In addition, while the vehicle is running, there is a high possibility that the wireless communication between the vehicle and the ground will be interrupted by tunnels, buildings, etc., so it is possible to reduce useless communication resources by disabling the authentication by the ground authentication device. It becomes possible. Further, since it is possible to prevent the authentication itself from being accepted in a situation that is not clearly used by the crew, it is possible to further increase the safety of the certification data for the crew.

(Second Embodiment)
Next, a second embodiment will be described. The configuration diagram of the vehicle network system in the present embodiment is the same as FIG. However, the configuration of the on-board authentication device 10 takes the configuration shown in FIG. 8 instead of that shown in FIG.

  In FIG. 8, the output of the determination signal generation device 13 is input to the authentication data storage unit 103 of the on-board authentication device 10 in addition to the message processing unit 101. With this configuration, the authentication data in the authentication data storage unit 103 can be erased according to the determination signal from the determination signal generation device 13 based on the vehicle situation.

  In this embodiment, in order to delete the authentication data in the authentication data storage unit 103 according to the vehicle situation, the determination signal generation device 13 generates a determination signal as an authentication data deletion request to the authentication data storage unit 103, This signal is output to the on-board authentication device 10. As shown in FIG. 9, the authentication data storage unit 103 of the on-board authentication device 10 receives the authentication data deletion request (Yes in step S401) and deletes the stored authentication data (step S402).

  The determination signal generation device 13 outputs the authentication data erasure request according to the vehicle situation, such as the vehicle state, the vehicle travel state, the travel distance, the time, the arrival at the terminal station, the ground communication state, the ATO A signal for judgment (authentication data erasure request) based on any one of these signals, door open / closed state, cab key 21 ON / OFF state, operation plan 28, command from the ground, destination guidance, or a combination thereof Generate. The basic configuration of the determination signal generation device 13 in this embodiment is the same as that of the first embodiment, and includes a determination unit 131 and a determination policy 132.

  The determination unit 131 can determine the state of the train (vehicle situation) as in the first embodiment. In the present embodiment, the policy of the determination policy 132 is set so that, for example, the authentication data of the on-board authentication device 10 is deleted when one train operation from the start to the end of the train ends. When set in this way, according to this determination policy, the determination unit 131 determines the end of one business operation based on the end time of the last business on the operation day, and deletes the authentication data in the authentication data storage unit 103. For this purpose (authentication data erasure request) is output to the authentication data storage unit 103. In response to the authentication data deletion request, the authentication data of the on-board authentication device 10 is deleted as described above. By erasing the authentication data of the on-board authentication device at the end of the final business in this way, unauthorized access after the end of business can be prevented, and the authentication data can be retained in the train in the unattended state at night Therefore, it is possible to prevent leakage due to theft of authentication data at night.

(Third embodiment)
Next, a third embodiment will be described. The configuration diagram of the vehicle network system in the present embodiment is the same as FIG. However, the configuration of the on-board authentication device 10 takes the configuration shown in FIG. 10 instead of the one shown in FIG. 2, and the configuration of the ground authentication device 6 takes the configuration shown in FIG. 11 instead of the one shown in FIG.

  The configuration of the on-board authentication apparatus 10 shown in FIG. 10 is different from that of the first embodiment shown in FIG. 2 in that the received on-board authentication data update message is sent from the message processing unit 101 to the authentication data reading unit 106. It is a point that can be input. Further, the ground authentication device 6 shown in FIG. 11 is different from that of the first embodiment shown in FIG. 3 in that an authentication data lease management unit 65 is added. The outline of the operation will be described with reference to FIG.

  As shown in FIG. 12, in this embodiment, steps S107 to S111 are added to the operation flow shown in FIG. 4 in the first embodiment. As shown in the figure, if the authentication data is leased (in the case of Yes in step S107), the same operation as in the first embodiment is performed in this embodiment. In the present embodiment, when a function called lease of authentication data is introduced and authentication is successful in the ground authentication device 6 (Yes in step S105), if the authentication data is not leased (No in step S107), At the same time that the authentication data of the authentication device 10 is updated, the determination processing unit 63 generates a reply message indicating successful authentication and transmits it to the gateway device 11 in order to permit connection to the in-vehicle closed network 3. (Step S108). The gateway device 11 allows connection to the in-vehicle closed network 3 with respect to the terminal device 12 that has requested authentication in response to the authentication success reply message (step S109). Further, when the lease time (usable time) has elapsed from the lease start time (use start time) (Yes in step S110), the on-board authentication device 10 deletes the authentication data (step S111). ).

  The generation of the authentication data update message for updating the authentication data of the on-board authentication device 10 is performed by the determination processing unit 63 of the ground authentication device 6, which is sent to the on-board authentication device 10. The authentication data update message generated here includes update data including lease information. In the on-board authentication device 10, when the message processing unit 101 receives the authentication data update message, the authentication data reading unit 106 reads the update data and updates the authentication data (including lease information) in the authentication data storage unit 103. (FIG. 13). It is assumed that authentication data for crew members using the terminal device 12 is registered on the ground authentication device 6 side.

  Because of such a mechanism, the authentication data of the on-board authentication device can be automatically updated without having to read the authentication data of the crew member who gets on the vehicle on-board authentication device every business operation. In addition, the authentication data can be automatically updated even if there is a mid-boarding of a crew member in business operation. Also, the authentication data can always be matched with the registration contents of the ground authentication data device, and the consistency and maintainability of the authentication data can be improved. In addition, the security of the authentication data recorded in the on-board authentication device 10 can be enhanced.

  Next, details of the vehicle network system of the present embodiment will be further described.

  FIG. 14 shows an example of the recorded contents (lease record) of the authentication data lease management unit 65. As shown in the figure, the user information (user ID), the target train number, the time when the on-board authentication data update message was sent (lease time), and the lease time (seconds) are recorded. As shown in FIGS. 15 and 16, the train number information is obtained from the cab 41 for inputting the train number 40 in FIG. 15 or from the operation management system 29 for managing the operation plan 28. To enter. The input from the cab 41 can be input manually by a crew member or input via a storage medium in which data for operation support is input. Moreover, the input from the operation management system 29 can be input by radio communication from the ground in addition to the method using the storage medium. The on-board authentication device 10 adds a train number to the ground authentication device 6 when sending the authentication request message.

  FIG. 17 shows the configuration of the authentication data lease management unit 65. The authentication data lease management unit 65 includes a determination policy 651, a determination unit 652, a lease recording unit 653, an update message generation unit 654, and a timer 655. Note that the timer 655 may be the timer 25 shown in FIG.

  When authentication by the authentication determination unit 62 is successful, the determination unit 652 performs determination according to the determination policy based on the corresponding user information (user ID) and the train number. When the authentication data is not leased, the determination unit 652 determines that the authentication data of the on-board authentication device 10 needs to be updated, and the update message generation unit 654 generates an on-board authentication data update message to determine this message. The information is sent to the on-board authentication device 10 via the processing unit 63 and the message processing unit 61, and a record (lease record) in which the authentication data is newly updated is written in the lease recording unit 653. In order to permit the connection, the determination processing unit 63 generates an authentication success reply message and transmits it to the gateway device 11. On the other hand, when the determination unit 652 determines that the authentication data need not be updated (ie, leased), the determination processing unit 63 takes over the generation of the authentication success reply message.

  If the authentication determination unit 62 determines that the authentication has failed, the authentication data lease management unit 65 takes over the processing for the authentication request message to the determination processing unit 63, and the message processing unit 61 discards this message. In addition, the lease recording unit 653 confirms the current time with the timer 655, and deletes the corresponding lease record when the current time has passed a specified time (lease time + lease time).

  In this embodiment, the determination policy 651 is set so that authentication data is not sent except for the dispatch time of the crew in charge. Accordingly, the determination unit 652 confirms whether or not there is a boarding at the current time from the crew number and the boarding time of boarding with the crew in charge from the crew dispatching system 15, and if there is a boarding, judges as a correct authentication request. The authentication success message is sent to the on-board authentication device 10. On the other hand, if there is no boarding, it is determined not to send the authentication data, and the corresponding authentication request message is discarded. Further, the determination policy 651 is set so that authentication of the same user from different train numbers is not permitted within a predetermined time. For example, the user who requests authentication is confirmed in the lease record, and the authentication data is sent if the authentication request from the same user with a different train number has not passed the predetermined time (lease time) from the previous lease time. It is determined not to do so, and the corresponding authentication request message is discarded.

  FIG. 18 shows an operation flow of the on-board authentication device 10 in the present embodiment. As shown in the figure, the operation of the on-board authentication device 10 of this embodiment differs from the operation of the on-board authentication device 10 of the first embodiment shown in FIG. 6 in that on-board authentication data from the ground side. It is the point which added the process (steps S214-S215) with respect to an update message, and the point (steps S216-S217) according to lease time.

  Specifically, as shown in FIG. 18, when the message is received in step S201 and the received message is an on-board authentication data update message (Yes in step S214), the authentication data reading unit 106 is read in step S215. The update data is taken in and the authentication data (including lease information) in the authentication data storage unit 103 is updated. If the lease time has elapsed (Yes in step S216), the corresponding authentication data is deleted in step S217. The other operations are the same as those in the first embodiment shown in FIG.

  Next, FIG. 19 shows an operation flow of the ground authentication apparatus 6 in the present embodiment. As shown in the figure, the operation of the ground authentication device 6 of the present embodiment differs from the operation of the ground authentication device 6 of the first embodiment (FIG. 7) in that the lease is performed when the ground authentication is determined to be OK. And a process of updating the lease record when the lease time has elapsed (deletion of corresponding authentication data; steps S313 to S314).

  Specifically, as shown in FIG. 19, when the ground authentication is determined to be OK (Yes in step S303), the authentication data lease management unit 65 uses the user information (user ID) and the train included in the authentication request message. It is determined whether the authentication data has been leased from the number information and the lease record of the authentication data lease management unit 65 (step S308). Note that lease information (lease start time, lease time) is not set when the authentication data is first registered in the ground authentication device 6.

  If the authentication data has been leased (Yes in step S308), that is, if lease information has been set, it is further determined whether the authentication request is subject to rejection of the determination policy (step S309). This is a process for prohibiting a double lease when an authentication request having the same user information is made from a train having a different train number. Here, when the authentication data is the object of rejection of the determination policy (Yes in step S309), the authentication request message is discarded (step S305). On the other hand, if the authentication data is not subject to rejection of the determination policy (No in step S309), the determination processing unit 63 generates a reply message indicating that authentication has succeeded, and this message is sent to the message processing unit 61, the terrestrial network 5 and so on. Then, the data is transmitted to the gateway device 11 via the ground radio device 8 and the on-vehicle radio device 9 (step S304).

  If the authentication data is not leased (No in step S308), the authentication data lease management unit 65 generates an on-board authentication data update message including lease information, and the message processing unit 61 and the ground network 5 Then, the data is transmitted to the on-board authentication device 10 via the ground radio device 8 and the on-vehicle radio device 9 (step S310). On the other hand, the determination processing unit 63 generates an authentication success reply message to permit the connection of the corresponding terminal 12 to the in-vehicle closed network 3, and the message processing unit 61, the ground network 5, and the ground wireless device 8 Then, the information is transmitted to the gateway device 11 via the on-board wireless device 9 and the on-board authentication device 10 (step S311).

  Further, the authentication data lease management unit 65 updates (adds) the lease record in response to generation / transmission of the on-board authentication data update message (step S312).

  Further, when the lease time from the lease start time of any authentication data has elapsed (Yes in step S313), the authentication data lease management unit 65 updates the lease record by deleting the corresponding data (step S314). .

  As described above, in the present embodiment, when authentication by the ground authentication device 6 is performed, if the authentication data on the vehicle upper side is not leased, the authentication data lease management unit 65 requests to update the vehicle authentication data and The information is recorded, and the on-board authentication device 10 decides to update (delete here) the authentication data according to the lease condition of the authentication data. Since it is such a mechanism, the authentication data of the on-board authentication device can be automatically updated, and a significant update of the authentication data can be prevented. Further, by managing the train number, it is possible to prevent unauthorized authentication such as when authentication is requested by the same user with a different train number.

  In addition, since the authentication data lease management unit 65 manages the lease start time and lease time, the target crew member differs after the specified time has elapsed by deleting the lease record after the lease time has passed. Even when working on trains, it is possible to lease authentication data appropriately without being judged as a double lease.

  In addition, the update data of the on-board authentication data update message sent to the on-board authentication device 10 includes lease information (lease time and lease time) together with the authentication data, and this data is used as the authentication data of the on-board authentication device 10. The data is stored in the storage unit 103 (FIG. 13). Since the authentication data of the on-board authentication device 10 according to the present embodiment has such a data structure, the on-board authentication device 10 can be set outside the business operation time by setting the lease time to about the business operation time. Necessary authentication data can be automatically deleted.

  As described above, the vehicle network system described in the first to third embodiments has good maintainability with respect to maintenance and management of authentication data, and has a low risk of leakage of authentication data for crew members and is safe for railway operation. The availability of the vehicle network can be maintained even while moving.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. For example, in the above-described embodiments, the function for each device has been described. However, the configuration of the function of each device by one device is not limited. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the spirit of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

DESCRIPTION OF SYMBOLS 1 Ground network system 2 On-vehicle network system 3 In-vehicle closed network 4 In-vehicle open network 5 Ground network 6 Ground authentication apparatus 7 Ground authentication data apparatus 8 Ground radio apparatus 9 On-vehicle radio apparatus 10 On-vehicle authentication apparatus 11 Gateway apparatus 12 Terminal device 13 Signal generator for determination 14 Authentication data setting terminal 15 Crew dispatch system 20 Door 21 Driver key 22 Speed generator 23 Distance calculator 24 Ground unit 25 Timer 26 In-car guide system 27 Ground system 28 Operation plan 29 Operation management system 30 monitor system 31 ATO system 40 train number 41 cab 61 message processing unit (for ground authentication device) 62 authentication determination unit (for ground authentication device) 63 determination processing unit (for ground authentication device) authentication (for ground authentication device) Result recording unit 65 Authentication data lease management unit 101 (for on-board authentication device) Message processing unit 102 (for on-board authentication device) Authentication determination unit 103 (for on-board authentication device) Authentication data storage unit 104 Determination processing unit (of on-board authentication device) 105 Authentication result recording unit (of on-board authentication device) Authentication data reading unit (of on-board authentication device) 131 Determination unit 132 Determination policy 651 (of authentication data lease management unit) Policy 652 Judgment unit (of authentication data lease management unit) 653 Lease recording unit 654 Update message generation unit 655 Timer

Claims (7)

A first network and a second network provided on the vehicle;
A gateway device provided on the vehicle and provided between the first network and the second network, for controlling access to the first network via the second network;
An on-vehicle authentication device for determining permission / non-permission of access to the first network from a terminal device provided on the vehicle and connected to the second network;
An on-vehicle wireless device that is provided on the vehicle and connected to the on-vehicle authentication device to communicate with the ground side;
An on-vehicle network system comprising:
A third network provided on the ground side;
A ground radio device provided on the ground side, connected to the third network and communicating with the on-board radio device;
A ground authentication device that is provided on the ground side and determines permission / non-permission of access to the first network from a terminal device connected to the second network;
A ground network system comprising:
A vehicle network system comprising:
The vehicle on the authentication device, or the vehicle the vehicle on the vehicle authentication device is mounted is traveling, depending on whether it is parked on one of the station, before SL connected to the second network Determining whether to permit / deny access to the first network from the terminal device to be performed in the on-board authentication device or the ground authentication device ;
The gateway device controls the access from the second network to the first network when the authorization determination is made by the on-board authentication device or the ground authentication device, and otherwise the first device Control to prevent access to the first network from the second network;
Vehicle network system. The on-board authentication device permits / denies access to the first network from a terminal device connected to the second network when the vehicle on which the on-board authentication device is mounted is running. the decision, decides to implement on the vehicle authentication device, the vehicle network system according to claim 1. The on-board authentication device is configured to access the first network from a terminal device connected to the second network when the vehicle on which the on-board authentication device is mounted is stopped at any station. 3. The vehicle network system according to claim 2 , wherein it is determined that either the on-board authentication device or the ground authentication device can perform the determination of permission / non-permission of the vehicle, and priority is given to the execution on the ground authentication device. . The on-board authentication device and the terrestrial authentication device include authentication data that the own device has to determine permission / non-permission of access to the first network from a terminal device connected to the second network, 4. The vehicle network system according to claim 3 , wherein the authentication data sent from the terminal device is compared, and if the data matches, the vehicle network system is determined to be permitted. 5. The vehicle network system according to claim 4 , wherein the on-board authentication device deletes the authentication data included in the on-board authentication device according to a situation of the vehicle. The ground authentication device includes a management unit that manages a use start time of the authentication data and an available time of the authentication data, and the authentication data sent from the terminal device and the authentication for the ground authentication device have. If the data matches and the use start time of the authentication data and the useable time of the authentication data are not set, the authentication data and the use as the authentication data are sent to the on-board authentication device. The vehicle network system according to claim 4 , wherein the possible time and the use start time are recorded. The vehicle network system according to claim 6 , wherein the on-board authentication device deletes authentication data that has passed the available time from the use start time.

Images