JP6168898B2 - Wireless level crossing warning system - Google Patents

Publication number: JP6168898B2
Authority: JP (Japan)
Application number: JP2013158517A
Other versions: JP2015030274A
Other languages: Japanese (ja)
Inventors: 宮地 正和, 安井 良次, 福丸 淳夫
Original assignee: 大同信号株式会社
Application filed by: 大同信号株式会社
Legal status: Active
Prior art keywords: ground device, key, wireless transmission, level crossing, ground
Classification: Train Traffic Observation, Control, And Security

Description

The present invention relates to a level crossing warning system that controls the warning output of a crossing alarm installed at a level crossing traversing a railway track. More specifically, it relates to a wireless level crossing warning system in which the on-board device and the ground device that make up the system exchange information by radio, and more specifically still, to encryption of the wireless transmission and a defense against replay attacks on level crossing warning control.

Wireless level crossing warning systems well suited to single-track railways, which are common on regional lines, have been developed (see, for example, Patent Documents 1 to 5). Such a system comprises an on-board device, mounted on a train running on the track, that wirelessly transmits on-board information for crossing control including the train position, and a ground device, provided along the track, that performs crossing control based on information obtained by wireless transmission with the on-board device. On-board information such as the train's running direction, position, speed and train length is transmitted by radio from the on-board device, and when the ground device receives on-board information by radio from a train that has approached to within communication range, the ground device performs warning control for the crossing at which it is installed, based on that on-board information.

A GPS radio-wave-blocking object detection system, which detects objects that block GPS radio waves such as moving railway vehicles, is also known (see, for example, Patent Document 6). This system detects the presence or absence of a blocking object using the GPS radio waves sent from GPS (Global Positioning Satellite) satellites for the satellite navigation system (Global Positioning System).
Because GPS radio waves carry time information and position information, before this system they were used for position measurement and not for object detection; this system adapts the way GPS is used so as to detect the arrival and departure of railway vehicles.

Furthermore, in railway crossing control, it is known to send and receive setting instructions for raising and lowering the barrier arm of a crossing gate by encrypted infrared communication (see, for example, Patent Document 7).
As for encryption, two schemes are known: the common-key cryptosystem, in which every key must be kept secret but, because the encryption key and the decryption key are the same, high-speed processing is possible; and the public-key cryptosystem, in which the encryption key and the decryption key differ, so the processing load is heavy but the other party's key can be made public.
AES (Advanced Encryption Standard), standardized in the United States, is known as a common-key encryption standard that is currently regarded as unbreakable.

If an unbreakable cipher is used, the content cannot leak or be tampered with, and there is no concern about damage from a masquerade attack. However, the so-called replay attack is known as a technique that can disrupt communication even without breaking the cipher. In a replay attack, an attacker intercepts a message on the communication channel and later re-injects it, so that the receiving terminal accepts it again as a newly generated message. Because the message is a copy of legitimate data, decryption and authentication cannot defend against it (see, for example, Patent Document 8). Three representative methods are known for preventing such replay attacks: a method using a counter value (management sequence number), a method using time information, and a method using challenge-response (see, for example, Patent Document 8).

Each of these methods prevents replay attacks by confirming the freshness of the data. In the counter-value method, the sending terminal and the receiving terminal both manage a counter value associated with the communication peer, and freshness is confirmed from it.
In the time-information method, freshness is confirmed by the sending and receiving terminals synchronizing their clocks and by the time difference between transmission and reception falling within a predetermined time.
In the challenge-response method, when the sending terminal transmits data to the receiving terminal, it reflects in the data the challenge information it has received from the receiving terminal, and freshness is confirmed from that.

Specifically, known techniques include a method in which a device, after waking from a sleep state, uses challenge-response to confirm the freshness of messages (see, for example, Patent Document 8), and a method of authenticating exchanged documents without the portable information terminal having to perform processing such as public-key encryption or signing (see, for example, Patent Document 9).
Switching the key used for encryption and decryption is also known as a way to strengthen encryption; specific examples include hourly keys, daily keys and weekly keys (see, for example, Patent Document 10).

Patent Document 1: JP 2011-105117 A
Patent Document 2: JP 2011-195117 A
Patent Document 3: JP 2011-195120 A
Patent Document 4: JP 2012-076563 A
Patent Document 5: JP 2012-180000 A
Patent Document 6: JP 2009-150797 A
Patent Document 7: JP 2012-166578 A
Patent Document 8: JP 2011-066703 A
Patent Document 9: JP 2010-045631 A
Patent Document 10: JP 2004-363724 A

Under these circumstances, because radio is an open transmission system, the wireless level crossing warning system that is the subject of the present invention could use the AES described above, or a comparably unbreakable cipher, as a countermeasure against masquerading, but a countermeasure against replay attacks is also needed. In railway crossing control, the warning output is started when a train enters the warning start point and stopped when the train passes the warning end point or leaves the crossing. If a replay attack sends a forged message copied from an on-board-information message that satisfies the warning output start condition, the ground device is deceived by the forged message and starts the warning although no train is actually coming. Because the only effective and practical trigger for stopping the warning is the departure of an actual train, the crossing then stays in a continuous warning state, and road traffic may be obstructed for a long time.

For that reason, the wireless level crossing warning system of the present invention could adopt, as its replay countermeasure, the time-information method, which of the three methods described above appears relatively easy for ground devices to use. The ground devices of a wireless level crossing warning system are attached to individual crossings and are scattered over a wide area. Setting the clocks built into each ground device automatically from a central monitoring device or the like would require expensive equipment, and having a technician travel around adjusting them one by one is inefficient and burdensome, so fitting each ground device with a GPS receiver appears to be the better choice. Using the accurate time obtained through GPS for the replay countermeasure as well is then simple, and it also helps keep the system inexpensive.

As already noted, a time-based replay countermeasure needs time synchronization between the sending and receiving terminals to confirm data freshness. Introducing it into a wireless level crossing warning system therefore requires synchronizing the clocks of the ground device at the crossing and the on-board devices within its communication range. For that synchronization, equipping every on-board device with a GPS receiver would be costly and is best avoided; it is practical instead to include time information in the messages and have the ground device notify the on-board device. The time information obtained from many GPS receivers includes year, month, day, hour, minute and second, so sending such long-span time information from the ground device to the on-board device achieves the necessary synchronization and blocks replay attacks.

However, data representing year, month, day, hour, minute and second needs 7, 4, 5, 5, 6 and 6 bits respectively, even if the year is limited to 63 years or fewer, for a total of 33 bits. Expressing the time as a total number of seconds instead of as separate fields needs a similar number of bits. Adding that many bits to each message is too heavy a burden for a wireless level crossing warning system. The system uses time division multiple access (TDMA), a comparatively simple way to avoid message collisions, but the communication slot (fixed time slot) assigned to each radio station under this access scheme is already close to full with the transmission data that is required. Allowing also for future expansion, there is little room left for time information.

In short, in a wireless level crossing warning system in which ground devices equipped with GPS receivers communicate by radio with on-board devices that have none, the time-information method is an effective and practical defense against replay attacks that try to start the warning output. It is desirable, however, to use as few bits as possible for the time information that the ground device sends to the on-board device for synchronization, keeping the data as short as possible.
The important technical problem is therefore to realize a wireless level crossing warning system that achieves accurate time synchronization, and so can defend against replay attacks that try to start the warning output, even when the time information included in the messages has fewer bits than that of the GPS receiver.

The wireless level crossing warning system of the present invention (Solution 1) was devised to solve this problem. In a wireless level crossing warning system comprising an on-board device, mounted on a train running on a track, that wirelessly transmits on-board information including the train position, and a ground device, provided along the track, that performs crossing control based on information obtained by wireless transmission with the on-board device, it is characterized as follows. The ground device acquires time information including year, month, day, hour, minute and second from a GPS receiver, includes the hour, minute and second of that time information in its wireless transmission with the on-board device, and encrypts its wireless transmission with the on-board device using a daily key. The on-board device includes in its wireless transmission with the ground device the hour, minute and second read after setting its clock from the hour/minute/second information obtained by wireless transmission with the ground device, and encrypts its wireless transmission with the ground device using a daily key.

The wireless level crossing warning system of the present invention (Solution 2) is the system of Solution 1 above, further characterized as follows. The on-board device encrypts its wireless transmission with the ground device using a fixed common key until it obtains the first reply from the ground device, and using the daily key thereafter. The ground device encrypts its wireless transmission with the on-board device using the fixed common key for the first reply and the daily key thereafter. In performing crossing control, the ground device refrains from starting the warning output in response to the warning output start condition being satisfied while the fixed common key is in use, and does so only after use of the daily key has begun.

In the wireless level crossing warning system of the present invention (Solution 1), even if the on-board device's clock drifts, setting the clock from the time information obtained by wireless transmission with the ground device synchronizes the hour, minute and second directly. For the year, month and day, the indirect method of making the daily keys match gives an effect equivalent to actual time synchronization. For example, by designating the daily key in a message so that both sides use the same daily key, the two are in effect synchronized down to the date. Alternatively, since an on-board clock, even if it drifts, does not normally go wrong by whole days, full synchronization of year, month, day, hour, minute and second can be obtained by, for instance, also updating the date when the time difference found at clock setting is nearly a full day.

The time-based replay countermeasure using hour, minute and second reliably deflects replay attacks within the same day, and encryption with the daily key deflects replay attacks on other days as well. The ability to defend against replay attacks that try to start the warning output therefore rises to a level comparable to that of a countermeasure using time information that includes all of year, month, day, hour, minute and second.
According to the invention, it is thus possible to realize a wireless level crossing warning system that achieves accurate time synchronization, and can defend against replay attacks that try to start the warning output, even though the time information included in the messages has fewer bits than that of the GPS receiver.

In the wireless level crossing warning system of the present invention (Solution 2), the wireless exchanges that take place before time synchronization is established are encrypted with the fixed common key, which does not require time synchronization. The time-based replay countermeasure, which presupposes synchronization, and the daily-key encryption that keeps the time data small are applied only after synchronization has been established by the first exchange under the fixed common key. Communication between the on-board device and the ground device using replay-protected encryption therefore starts reliably. Even in the rare case where, through bad luck such as radio conditions degraded by bad weather, communication could not be established before the train entered the warning start point, and the first message encrypted with the fixed common key is used in a replay attack, the ground device refrains from starting the warning output for such a message. A replay attack that tries to start the warning output is thus reliably deflected.

The drawing shows, for Embodiment 1 of the present invention, the structure and operating states of the wireless level crossing warning system; (a) to (f) are all system overview diagrams.

A specific form for implementing the wireless level crossing warning system of the present invention is described below as Embodiment 1.
Embodiment 1, shown in FIG. 1, embodies all of Solutions 1 and 2 described above (claims 1 and 2 as originally filed).

The configuration of Embodiment 1 of the wireless level crossing warning system of the present invention is described with reference to the drawings. FIG. 1(a) shows the outline configuration of the wireless level crossing warning system 20+30 using symbols and blocks.

This wireless level crossing warning system 20+30 (see, for example, Patent Documents 1 to 5) comprises an on-board device 20, which is mounted on a train 10 running on a railway track 11 and moves with it, and a ground device 30, which is installed in a fixed position near a level crossing 12 on the track 11. The ground device 30 performs crossing control for the alarm 13 of the crossing 12, and at least starts and stops the output of the crossing warning. Other crossing-control functions, such as raising and lowering the barrier arm, are not described here.

In crossing control, a warning start point ADC and a warning end point BDC are set on the track 11, one on each side of the crossing 12. So that crossing control can be performed without installing a crossing controller at each point, the on-board device 20 and the ground device 30 communicate by wireless transmission (the crossing controllers can be omitted and are therefore drawn with thin dash-dot lines).
The on-board device 20 is provided on the train 10 and the ground device 30 at the crossing 12. Because the on-board device 20 enters and leaves the communication range of the ground device 30 as the train 10 comes and goes, a cooperating system is established dynamically by whichever on-board device 20 and ground device 30 have become able to communicate.

For this purpose, the on-board device 20 has a radio unit 21 in addition to the arithmetic control means that detects the position of the train 10 carrying it and performs train stop control, and it wirelessly transmits on-board information including the train position. The ground device 30 is provided along the track 11; specifically, one is provided for each of the several crossings 12 on the track 11. It performs crossing control for the alarm 13 of the crossing 12 where it is installed, based on on-board information obtained by wireless transmission from a cooperating on-board device 20, that is, one with which it can communicate. To that end it has, in addition to the crossing control means, means for wirelessly transmitting the crossing control state. A basic configuration in which the ground device 30 has its own radio unit 31 is illustrated here, but the ground device may instead use the radio unit 31 of another nearby ground device for wireless transmission with the on-board device 20 (see, for example, Patent Document 2).

The components described so far follow the common, basic parts of known systems (see, for example, Patent Documents 1 to 5), so only the matters presupposed in carrying out the invention have been stated briefly. The characteristic components of the wireless level crossing warning system 20+30 of the present invention are described below.
In short, the features of the present invention are: the wireless transmission is encrypted and the time-information method is adopted as the replay countermeasure; for that purpose the ground device acquires the accurate time from a GPS receiver; of the year, month, day, hour, minute and second contained in that time information, the hour, minute and second are sent by radio from the ground device to the on-board device; and a fixed common key and a daily key are used selectively as encryption keys. The fixed common key is used for the first exchange, and the daily key for subsequent exchanges.

The fixed common key is a single encryption key selected in advance. It is registered in every on-board device 20 and every ground device 30, and the same value is used whenever it is used.
The daily key is one of a set of encryption keys consisting of several candidates selected in advance. The set is registered in every on-board device 20 and every ground device 30, and at the time of use a suitable one is selected according to the date, so the value changes from day to day. Alternatively, the daily key is an encryption key whose value is calculated differently depending on the date; every on-board device 20 and ground device 30 has the same calculation means, and at the time of use a suitable key is calculated according to the date, so here too the value changes from day to day. In this embodiment, the ground device 30, before its first reply, selects from the candidate keys the encryption key to be used as the daily key and notifies the on-board device 20 of its designation code, so that both sides use the same daily key.

To perform such wireless transmission, the ground device 30 acquires time information including year, month, day, hour, minute and second from the GPS receiver 32 as needed.
The GPS receiver 32 may be a commercially available general-purpose product of the kind already in use. As long as the necessary time information can be obtained, it need not be dedicated equipment as illustrated: it may be shared with another nearby ground device 30 or with other ground equipment, and the time information may be obtained indirectly through another device.

The ground device 30 includes in the messages addressed to the on-board device 20, together with information such as the crossing control state, the hour, minute and second from the time information acquired from the GPS receiver 32, and the designation code of the daily key selected according to the year, month and day of that time information. Because it sends a designation code identifying one candidate rather than the daily key itself, the designation code needs fewer bits than the year, month and day would.
The ground device 30 encrypts each message and then transmits it with the radio unit 31 for wireless transmission with the on-board device 20. In doing so, it encrypts only the first reply after communication with the on-board device 20 becomes possible using the fixed common key, and encrypts subsequent messages using the daily key.

When the ground device 30 performs level crossing control for the level crossing 12 where it is installed, the basic rule is that, if the position of the train 10 acquired by wireless transmission from the on-board device 20 is closer to the level crossing 12 than the level crossing alarm start point ADC, the alarm output start condition is regarded as satisfied and the alarm device 13 is made to start outputting the level crossing alarm. However, to defend against a replay attack that copies the first communication, made before time synchronization, the ground device 30 refrains from starting the alarm output on the first communication, which uses the fixed common key, and makes the alarm device 13 start outputting the alarm once train entry past the alarm start point ADC is established in the second or a later communication, after use of the daily key has begun. As for stopping the alarm, when the train position obtained from the on-board device 20 shows that the train has passed the level crossing alarm end point BDC, the ground device 30 makes the alarm device 13 stop outputting the level crossing alarm.

Until it receives the first reply from the ground device 30, the on-board device 20 encrypts the messages it transmits to the ground device 30 with the fixed common key, and it also decrypts the first reply received from the ground device 30 with the fixed common key, thereby acquiring the time information including hours, minutes and seconds as well as the designation code of the daily key. In addition, each time it acquires time information from the ground device 30, or at least when it acquires time information from the first reply of the ground device 30, the on-board device 20 sets its clock, either by direct time adjustment, in which the time is set on a built-in timer, or by indirect time adjustment, such as adding or subtracting difference data relative to an external timer. In this clock setting, in addition to matching the hours, minutes and seconds to the acquired time, the date is also updated when the time jumps, although this is not essential.

Furthermore, for the second and later communications after communication with the ground device 30 becomes possible, the on-board device 20 includes in the message for the ground device 30, in addition to on-board information such as the train position, the hour/minute/second information obtained from the timer or the like whose clock has been set. The on-board device 20 encrypts the message with the daily key corresponding to the designation code and then transmits it wirelessly to the ground device 30 with the wireless device 21.
Hardware such as a dedicated microprocessor may be added to the on-board device 20 and the ground device 30 to carry out the encryption and other processing described above, but if an existing fail-safe computer for logical operations or the like has spare capacity, it is enough to add a program.

The usage and operation of the wireless level crossing warning system 20+30 of Embodiment 1 will be described with reference to the drawings. FIGS. 1(a) to 1(f) show, in time series, the operating states of the wireless level crossing warning system 20+30 as the train 10 travels. A typical operating state is described here, namely the operation when the on-board device 20 and the ground device 30 become able to communicate before the train 10 enters the level crossing alarm start point ADC.

In this case (see FIG. 1(a)), while the train 10 travels on the track 11, the on-board device 20 transmits the communication message A from time to time, but no reply is sent from the ground device 30 to the on-board device 20 until the on-board device 20 enters the communicable range of the ground device 30.
The communication message A contains on-board information such as the train position and is encrypted with the fixed common key. Since the communication message A does not reach the ground device 30, the ground device 30 assumes that no train is approaching the level crossing 12 and keeps the level crossing alarm output of the alarm device 13 stopped.

Then (see FIG. 1(b)), when the train 10 travels on the track 11 and the on-board device 20 enters the communicable range of the ground device 30, the communication message A reaches the ground device 30 and is received by it. From the communication message A the ground device 30 learns that the train 10 has not reached the level crossing alarm start point ADC, so it makes the alarm device 13 keep the alarm output stopped. The ground device 30 also acquires time information including year, month, day, hour, minute and second from the GPS receiver 32 and transmits the communication message B to the on-board device 20.
The communication message B, which is the first reply, contains the hour/minute/second portion of that time information and the designation code of the daily key, and is encrypted with the fixed common key.
On receiving the communication message B, the on-board device 20 sets its clock.

After that (see FIG. 1(c)), while the train 10 travels on the track 11 short of the level crossing alarm start point ADC, the communication message C is wirelessly transmitted from the on-board device 20 to the ground device 30, and in response the communication message D is wirelessly transmitted from the ground device 30 to the on-board device 20.
The communication message C contains on-board information such as the train position and is encrypted with the daily key. From the communication message C the ground device 30 learns that the train 10 has not reached the level crossing alarm start point ADC, so it makes the alarm device 13 keep the alarm output stopped.
The communication message D contains the hour/minute/second portion, needed for time synchronization, of the time information obtained from the GPS receiver 32 and the designation code of the daily key, and is encrypted with the daily key.

Then (see FIG. 1(d)), when the train 10 travels on the track 11 and enters the level crossing alarm start point ADC, the communication message E is wirelessly transmitted from the on-board device 20 to the ground device 30, and in response the communication message F is wirelessly transmitted from the ground device 30 to the on-board device 20.
The communication message E contains on-board information such as the position of the train that has reached the level crossing alarm start point ADC, and is encrypted with the daily key. From the communication message E the ground device 30 learns that the train 10 has entered the level crossing alarm start point ADC, so it makes the alarm device 13 start outputting the level crossing alarm. The communication message F contains the hour/minute/second portion, needed for time synchronization, of the time information obtained from the GPS receiver 32 and the designation code of the daily key, and is encrypted with the daily key.

After the exchange of the communication messages E and F has been repeated, when the train 10 travels on the track 11 and finishes passing the level crossing 12 and the level crossing alarm end point BDC (see FIG. 1(e)), the communication message G is wirelessly transmitted from the on-board device 20 to the ground device 30, and in response the communication message H is wirelessly transmitted from the ground device 30 to the on-board device 20. The communication message G contains on-board information such as the position of the train that has left the level crossing alarm end point BDC, and is encrypted with the daily key. From the communication message G the ground device 30 learns that the train 10 has left the level crossing alarm end point BDC, so it makes the alarm device 13 stop outputting the level crossing alarm. The communication message H contains an instruction to end the communication between the ground device 30 and the on-board device 20, and is encrypted with the daily key.

In this way, typical and basic level crossing control is performed by wireless transmission between the on-board device 20 and the ground device 30. In doing so, every time the on-board device 20 and the ground device 30 communicate, encryption and decryption are performed and, in addition, a replay attack countermeasure using the time information is executed. That is, the ground device 30 checks whether each of the wireless transmissions C, E and G from the on-board device 20 to the ground device 30 was made within a predetermined time, set in advance to several seconds or several minutes, after the preceding wireless transmission B, D or F from the ground device 30 to the on-board device 20. If the transmission was made within the predetermined time, it is accepted as a legitimate message; otherwise, that is, if the hours, minutes and seconds of the message fall outside the predetermined time, the message is discarded as invalid. Naturally, a message encrypted with a different encryption key cannot be decrypted correctly either, so it is discarded because of a check code failure or the like.

Therefore (see FIG. 1(f)), when a replay attack is mounted on the ground device 30 by an interferer other than the on-board device 20, whichever of the communication messages C, E and G wirelessly transmitted from the on-board device 20 to the ground device 30 the communication message J used in the replay attack is a copy of, it is discarded because of the time difference if it is replayed on the same day, and because of the different daily key if it is replayed on another day. Either way it is not accepted by the ground device 30, so the ground device 30 does not erroneously make the alarm device 13 output a level crossing alarm. If the communication message J is a copy of the communication message A or C, then even if it were accepted, the train position is short of the level crossing alarm start point ADC, so the ground device 30 would not make the alarm device 13 output the level crossing alarm in the first place.
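The acceptance rules described above, as an added Python example that is not part of the patent: the ground device's handling of a fixed-key message, a daily-key message, and same-day and next-day replays of a captured message E. The patent names no cipher, so an HMAC-SHA256 tag stands in for "encryption plus check code"; the keys, field names, 5-second window, 800 m start point and date-to-code rule are assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

# Keys, field names, window and distance are constructed for this example.
FIXED_COMMON_KEY = b"example-fixed-common-key"
DAILY_KEY_CANDIDATES = [b"example-daily-0", b"example-daily-1", b"example-daily-2"]
WINDOW_S = 5          # assumed "predetermined time" after the preceding reply
ADC_DISTANCE_M = 800  # assumed distance of alarm start point ADC from crossing
DAY_S = 86400

def designation_code(day: date) -> int:
    """Pick one candidate according to the date; only this code is transmitted."""
    return day.toordinal() % len(DAILY_KEY_CANDIDATES)

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for encryption plus check code: HMAC-SHA256 tag, then JSON body."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, message: bytes):
    """Return the fields, or None if the tag does not verify under this key."""
    tag, body = message[:32], message[32:]
    good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return json.loads(body) if good else None

def in_window(t: int, start: int) -> bool:
    """True if t lies 0..WINDOW_S seconds after start (wraps at midnight)."""
    return (t - start) % DAY_S <= WINDOW_S

class GroundDevice:
    def __init__(self):
        self.alarm_on = False
        self.last_reply_hms = None  # seconds-of-day sent in our latest reply

    def reply(self, today: date, now_hms: int, first: bool) -> bytes:
        """Message B (fixed key) or D/F (daily key): GPS time plus key code."""
        code = designation_code(today)
        key = FIXED_COMMON_KEY if first else DAILY_KEY_CANDIDATES[code]
        self.last_reply_hms = now_hms
        return seal(key, {"hms": now_hms, "code": code})

    def receive(self, message: bytes, today: date, now_hms: int) -> str:
        fields = unseal(DAILY_KEY_CANDIDATES[designation_code(today)], message)
        if fields is None:
            if unseal(FIXED_COMMON_KEY, message) is not None:
                return "fixed-key"       # position only, never starts the alarm
            return "bad-check-code"      # another day's key or a corrupted message
        last = self.last_reply_hms
        if last is None or not (in_window(fields["hms"], last)
                                and in_window(now_hms, last)):
            return "expired"             # same-day replay: the time does not fit
        if fields["distance_m"] <= ADC_DISTANCE_M:
            self.alarm_on = True
        return "accepted"

def run_scenario() -> dict:
    day1, day2 = date(2013, 7, 31), date(2013, 8, 1)
    ground, out = GroundDevice(), {}
    # Message A: fixed key, train already inside ADC when radio contact begins.
    msg_a = seal(FIXED_COMMON_KEY, {"distance_m": 700})
    out["A"] = (ground.receive(msg_a, day1, 36000), ground.alarm_on)
    # Message B: the on-board side sets its clock and learns the key code.
    sync = unseal(FIXED_COMMON_KEY, ground.reply(day1, 36000, first=True))
    daily = DAILY_KEY_CANDIDATES[sync["code"]]
    # Message E: daily key, synchronized time two seconds after B.
    msg_e = seal(daily, {"hms": sync["hms"] + 2, "distance_m": 700})
    out["E"] = (ground.receive(msg_e, day1, 36002), ground.alarm_on)
    # Replays of the captured E; alarm cleared first so a wrong accept shows.
    ground.alarm_on = False
    ground.reply(day1, 50000, first=True)
    out["replay_same_day"] = (ground.receive(msg_e, day1, 50001), ground.alarm_on)
    ground.reply(day2, 36000, first=True)
    out["replay_next_day"] = (ground.receive(msg_e, day2, 36002), ground.alarm_on)
    return out
```

The next-day replay is deliberately timed so that its hours, minutes and seconds fit the window; only the changed daily key rejects it, which is why the scheme needs both checks.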

[Others]
The above embodiment was described in detail for the case where replay attacks are made sporadically. If replay attacks are made continuously without interruption, this becomes apparent within a short period, for example by calculating the frequency of expired messages, so if an alarm is issued in that case, countermeasures such as monitoring the radio waves at the level crossing concerned to identify the source of the attack can be taken quickly. If a replay attack using the same fake message is carried on over a long period, this becomes apparent, for example, by accumulating the expired messages by time, and it is preferable to issue an alarm in that case as well.
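One way to implement the two detections suggested above, as an added Python example that is not part of the patent: a sliding-window rate of expired messages for continuous attacks, and a per-timestamp tally for one fake message replayed over a long period. The thresholds, the alert names, the reading of "accumulating by time" as a count per embedded time value, and the sample events are assumptions constructed for the example.

```python
from collections import Counter, deque

BURST_WINDOW_S = 60    # assumed look-back for the frequency calculation
BURST_THRESHOLD = 10   # assumed: expired messages per window that raise an alarm
REPEAT_THRESHOLD = 5   # assumed: sightings of one embedded time that raise an alarm


class ExpiredMessageMonitor:
    """Fed one event per message the ground device discarded as expired."""

    def __init__(self):
        self.recent = deque()      # receive times inside the look-back window
        self.by_stamp = Counter()  # embedded hour/minute/second -> sightings

    def record(self, received_at: int, message_hms: int) -> list:
        alerts = []
        # Frequency of expired messages: detects uninterrupted replaying.
        self.recent.append(received_at)
        while received_at - self.recent[0] > BURST_WINDOW_S:
            self.recent.popleft()
        if len(self.recent) >= BURST_THRESHOLD:
            alerts.append("continuous-replay")
        # Tally per embedded time: detects the same fake message over days.
        self.by_stamp[message_hms] += 1
        if self.by_stamp[message_hms] == REPEAT_THRESHOLD:
            alerts.append("repeated-message")
        return alerts


def scan(events) -> dict:
    """events: (received_at_s, message_hms) pairs. Returns first alert times."""
    monitor, first = ExpiredMessageMonitor(), {}
    for received_at, message_hms in events:
        for alert in monitor.record(received_at, message_hms):
            first.setdefault(alert, received_at)
    return first


# Constructed sample events, not captured traffic.
BURST = [(1000 + 2 * i, 36002 + i) for i in range(12)]  # 12 messages, 2 s apart
SLOW = [(3600 * h, 36002) for h in range(1, 7)]         # same message, hourly
SPORADIC = [(0, 100), (4000, 200), (9000, 300)]         # isolated rejects
```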

The wireless level crossing warning system of the present invention was developed to defend against replay attacks that try to start the output of the level crossing alarm, but it is also effective against replay attacks that try to stop the output of the level crossing alarm, and it performs its defensive function properly against either kind of replay attack.
It is also well suited to local lines and single-track railways, but its application is not limited to them; it can also be applied to urban lines and double-track railways.

10 ... train, 11 ... track (railway line), 12 ... level crossing, 13 ... alarm device,
20 ... on-board device, 21 ... wireless device,
30 ... ground device, 31 ... wireless device, 32 ... GPS receiver,
ADC ... level crossing alarm start point, BDC ... level crossing alarm end point, A to J ... communication messages

Claims (1)

A wireless level crossing warning system comprising an on-board device that is mounted on a train traveling on a track and wirelessly transmits on-board information including the train position, and a ground device that is provided along the track and performs level crossing control based on information obtained by wireless transmission with the on-board device, characterized in that:
the ground device acquires time information including year, month, day, hour, minute and second from a GPS receiver, includes the hour/minute/second information of the time information in the wireless transmission with the on-board device, and encrypts the wireless transmission with the on-board device with a daily key;
the on-board device includes, in the wireless transmission with the ground device, hour/minute/second information after its clock has been set based on the hour/minute/second information obtained by wireless transmission with the ground device, and encrypts the wireless transmission with the ground device with a daily key;
the on-board device performs the encryption for wireless transmission with the ground device with a fixed common key until the first reply is obtained from the ground device, and thereafter with the daily key; and
the ground device performs the encryption for wireless transmission with the on-board device with the fixed common key for the first reply and thereafter with the daily key, and, when performing the level crossing control, refrains from starting the output of the level crossing alarm in response to satisfaction of the level crossing alarm output start condition while the fixed common key is in use, and starts it after use of the daily key has begun.
JP2013158517A 2013-07-31 2013-07-31 Wireless level crossing warning system Active JP6168898B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2013158517A JP6168898B2 (en) 2013-07-31 2013-07-31 Wireless level crossing warning system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2013158517A JP6168898B2 (en) 2013-07-31 2013-07-31 Wireless level crossing warning system

Publications (2)

Publication Number Publication Date
JP2015030274A JP2015030274A (en) 2015-02-16
JP6168898B2 true JP6168898B2 (en) 2017-07-26

Family

ID=52516006

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2013158517A Active JP6168898B2 (en) 2013-07-31 2013-07-31 Wireless level crossing warning system

Country Status (1)

Country Link
JP (1) JP6168898B2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
LT3656643T (en) * 2018-05-15 2020-12-10 Cylus Cyber Security Ltd. Railway cyber security systems
AU2020275139B2 (en) 2019-05-16 2021-09-09 Cylus Cyber Security Ltd. Self organizing cyber rail-cop

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009029298A (en) * 2007-07-27 2009-02-12 Railway Technical Res Inst Communication system for train control
JP5350990B2 (en) * 2009-11-17 2013-11-27 東日本旅客鉄道株式会社 Wireless level crossing alarm control device and system
JP5827509B2 (en) * 2011-07-22 2015-12-02 株式会社日立製作所 Wireless train control system

Also Published As

Publication number Publication date
JP2015030274A (en) 2015-02-16


Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20160708

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20170418

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20170419

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20170614

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20170627

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20170627

R150 Certificate of patent or registration of utility model

Ref document number: 6168898

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250