JP6427889B2 - Navigation message authentication system, receiving terminal, and authentication processing device - Google Patents

Description

  The present invention relates to a navigation message authentication system capable of authenticating a navigation message received by a receiving terminal, a receiving terminal provided in the navigation message authentication system, and an authentication processing device.

  Conventionally, a receiving terminal that receives a navigation message transmitted from an artificial satellite used in a satellite positioning system and calculates a current position based on the navigation message is widely known.

  However, in recent years, with the development of simulators and the like that can artificially generate signals similar to those transmitted by artificial satellites, the problem is that a malicious person uses the simulator to cause the receiving terminal to calculate an incorrect position. Has occurred.

  On the other hand, Patent Document 1 proposes a navigation message authentication system that performs an authentication process as to whether a navigation message received by a receiving terminal is a navigation message transmitted by an artificial satellite used in a satellite positioning system. ing. More specifically, the navigation message authentication system transmits data used for authentication of the navigation message from the quasi-zenith satellite used in the quasi-zenith satellite system.

  And the receiving terminal is a normal navigation message from the artificial satellite used in the satellite positioning system by performing numerical calculation using the data acquired from the quasi-zenith satellite and the navigation message received by the own terminal. Judgment is made.

  The position information calculated based on the navigation message authenticated in the authentication process described above is relatively unlikely to be falsified by a simulator or the like. That is, by introducing this navigation message authentication system, the reliability of the position information calculated by the receiving terminal can be improved.

JP 2013-130395 A

  It is considered that various services using the position information of the receiving terminal can be provided by improving the reliability of the position information calculated by the receiving terminal. The service using location information is, for example, a service that automatically charges a toll for toll roads according to the location of the receiving terminal.

  However, since the navigation message authentication process performed by the receiving terminal of Patent Document 1 requires numerical calculation, the CPU is subjected to a corresponding processing load when performing the authentication process for one navigation message. is assumed. In addition, the receiving terminal needs to perform navigation message authentication processing for any of the navigation messages received by the terminal itself, and in order to perform this authentication processing for all these navigation messages, more Processing load. Therefore, there is a possibility that a waiting time unacceptable for the service provider or the person who receives the service is generated before the authentication for each navigation message is completed.

  In response to such a problem, the waiting time can be reduced if a CPU having a relatively high arithmetic processing capability is installed in the receiving terminal. However, since the CPU with higher arithmetic processing capability is more expensive, the cost of the receiving terminal increases.

  The present invention has been made based on this situation, and the object of the present invention is to provide a navigation message authentication system capable of suppressing an increase in cost of a receiving terminal for authenticating a navigation message received by the receiving terminal, and receiving It is to provide a terminal and an authentication processing device.

The invention according to the navigation message authentication system for achieving the above object includes at least one first satellite (2) for transmitting the first navigation message (M), and test data used for authentication processing of the first navigation message. And a receiving terminal (200) for receiving the first navigation message and the second navigation message, and the inspection data included in the second navigation message is stored in the second navigation message. A navigation message authentication system (1) for performing an authentication process as to whether the first navigation message received by the receiving terminal is the first navigation message transmitted by the first satellite, wherein the navigation message authentication system includes: further, provided outside of the receiving terminal, an authentication processing unit that communicates to the receiving terminal (300), check data for a predetermined first navigation messages Is configured as matrix data composed by multiplying the H matrix is a predetermined matrix to the bit string arranged in the band, the receiving terminal, the first navigation messages and a second satellite first satellite sent sent A terminal-side satellite receiver (230) that receives the second navigation message, a test data extraction unit (S2) that extracts test data from the second navigation message received by the terminal-side satellite receiver, and a terminal-side satellite reception An authentication-related data extraction unit (S5) that extracts a bit string arranged in a predetermined area of the first navigation message received by the aircraft as authentication-related data that is a part necessary for the authentication process of the first navigation message; The first navigation message received by the terminal-side satellite receiver, including the inspection data extracted by the data extraction unit and the authentication-related data extracted by the authentication-related data extraction unit An authentication request signal generation unit (S7) that generates an authentication request signal for requesting to perform an authentication process on the authentication request, and an authentication request signal transmission processing unit (S8) that transmits an authentication request signal generated by the authentication request signal generation unit. the provided authentication processing unit, the authentication request signal authentication request signal reception processing section that the transmission processing unit receives the authentication request signal transmitted (S11), for the authentication-related data that is contained in the authentication request signal H matrix The comparison calculation data is calculated by multiplying the comparison inspection data, and the comparison calculation data is compared with the inspection data, thereby performing an authentication process on the first navigation message received by the receiving terminal (S20). And.

  In the above configuration, when the receiving terminal receives the first navigation message, the receiving terminal extracts authentication data necessary for the authentication process from the first navigation message. Further, from the second navigation message, the inspection data used for authentication of the first navigation message is extracted. Then, an authentication request signal including the authentication data and the inspection data is transmitted to the authentication processing device.

  When receiving the authentication request signal, the authentication processing device performs authentication processing based on the authentication data included in the authentication request signal and the inspection data.

  According to such a configuration, it is not necessary for the receiving terminal to perform the authentication process, and the authentication processing apparatus performs the authentication process on behalf of the receiving terminal. That is, since the receiving terminal does not require a CPU with high calculation processing capability for performing numerical calculation associated with the authentication process at high speed, an increase in cost of the receiving terminal can be suppressed.

In addition, the invention according to the receiving terminal for achieving the above object includes a bit string arranged in a predetermined area of the first navigation message transmitted by the first satellite and the first navigation message transmitted by the second satellite. On the other hand, the terminal-side satellite receiver (230) that receives the second navigation message including the test data configured as matrix data obtained by multiplying the predetermined matrix H matrix, and the terminal-side satellite receiver received A test data extraction unit (S2) that extracts test data from the second navigation message, and a bit string arranged in a predetermined area of the first navigation message received by the terminal-side satellite receiver, authentication-related data extraction unit and (S5), authentication-related de inspection data for test data extraction unit has extracted to extract the authentication-related data is a portion necessary for authentication processing An authentication request signal generation unit (S7) for generating an authentication request signal for requesting to perform an authentication process on the first navigation message received by the terminal-side satellite receiver, including the authentication-related data extracted by the data extraction unit; And an authentication request signal transmission processing unit (S8) for transmitting the authentication request signal generated by the authentication request signal generation unit.

Furthermore, the invention according to the authentication processing device for achieving the above object includes, among the first navigation messages transmitted by the first satellite, authentication-related data that is a part necessary for the authentication processing of the first navigation message, An authentication request signal reception processing unit (S11) that receives an authentication request signal from the outside, including inspection data used for authentication processing of the first navigation message among the second navigation messages transmitted by the two satellites, and an authentication request An authentication calculation unit (S20) that performs authentication processing on the first navigation message based on the inspection data and the authentication-related data included in the signal, and the inspection data is arranged in a predetermined region of the first navigation message. Is formed as matrix data obtained by multiplying a predetermined bit string by an H matrix that is a predetermined matrix, and the authentication-related data is the first navigation message. The data obtained by extracting the bit string arranged in the predetermined area, the authentication calculation unit calculates the data for comparison inspection by multiplying the authentication related data included in the authentication request signal by the H matrix, by comparing the test data with the comparative check data, it characterized that you have been configured to perform an authentication process for the first navigation messages.

  In addition, the code | symbol in the parenthesis described in the claim shows the correspondence with the specific means as described in embodiment mentioned later as one aspect, Comprising: The technical scope of this invention is limited is not.

1 is a block diagram illustrating an example of a schematic configuration of a navigation message authentication system 1 in Embodiment 1. FIG. 2 is a block diagram illustrating an example of a schematic configuration of a control segment 100. FIG. 3 is a block diagram illustrating an example of a schematic configuration of an in-vehicle device 200. FIG. It is a flowchart which shows an example of the flow of the authentication request related process which the control part 220 of the vehicle equipment 200 implements. 2 is a block diagram illustrating an example of a schematic configuration of an NMA information management center 300. FIG. 5 is a flowchart illustrating an example of a flow of authentication-related processing performed by a control unit 320 of the NMA information management center 300. 5 is a flowchart illustrating an example of a flow of authentication calculation processing performed by a control unit 320 of the NMA information management center 300. It is a block diagram which shows an example of a schematic structure of the navigation message authentication system 1a in Embodiment 2. It is a block diagram which shows an example of a schematic structure of the service center 400 in Embodiment 2. FIG. It is a flowchart which shows an example of the flow of the SC side authentication related process which the control part 420 of the service center 400 implements. It is a block diagram which shows an example of a schematic structure of the service center 400 in the modification 2. FIG. FIG. 10 is a schematic diagram for explaining functions provided in a control unit 220 of an in-vehicle device 200 in Modification 3.

<Embodiment 1>
Hereinafter, Embodiment 1 of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating an example of a schematic configuration of a navigation message authentication system 1 according to the present embodiment. As shown in FIG. 1, the navigation message authentication system 1 includes a GPS satellite 2, a quasi-zenith satellite (hereinafter, QZS satellite) 3, a control segment 100, an in-vehicle device 200, and an NMA information management center 300. The control segment 100 includes a monitor station (MS) 110, an authentication center (AC) 120, and a master control station (MCS) 130.

  The GPS satellite 2 corresponds to the first satellite described in the claims, and the QZS satellite 3 corresponds to the second satellite described in the claims. The NMA information management center 300 corresponds to the authentication processing device described in the claims, the in-vehicle device 200 corresponds to the receiving terminal described in the claims, and the control segment 100 corresponds to the authentication center device described in the claims.

<Schematic configuration of navigation message authentication system 1>
Here, an outline of each element provided in the navigation message authentication system 1 will be described. First, the monitor station 110 receives a radio wave (a so-called GPS radio wave) transmitted by a GPS satellite 2 included in a GPS (Global Positioning System) which is one of satellite positioning systems. Although only one GPS satellite 2 is shown in FIG. 1, the navigation message authentication system 1 is of course provided with a plurality of GPS satellites 2.

  As is well known, a signal carried by a GPS radio wave transmitted from the GPS satellite 2 is phase-modulated using a C / A code. The value of pseudo random noise (PRN: Pseudo Random Noise) used for the C / A code is different for each GPS satellite 2, and the C / A code is also different for each GPS satellite 2. ing. The GPS satellite 2 that is the source of the GPS radio wave can be specified by the PRN value (that is, PRNID) used for the C / A code. Hereinafter, this PRNID will be used as a satellite number for identifying the GPS satellite 2.

  The GPS radio wave also includes a navigation message M. The navigation message M transmitted by each GPS satellite 2 includes a TOW (Time Of Week) indicating the elapsed time within one week, a clock correction parameter of the satellite clock, detailed orbit information (that is, ephemeris data) of the GPS satellite 2, It includes ionospheric correction parameters, general orbit information (ie almanac data) of all GPS satellites 2 and the like. The navigation message M transmitted by the GPS satellite 2 corresponds to the first navigation message described in the claims.

  The monitor station 110 demodulates the received GPS radio wave and extracts the navigation message M. Then, the monitor station 110 sequentially sends the extracted navigation message M to the authentication center 120. The monitor station 110 corresponds to a first navigation message receiver described in the claims.

  The authentication center 120 generates a reference authentication navigation data (RAND: Reference Authentication Navigation Data) message based on the navigation message M acquired from the monitor station 110. Although details of the RAND message will be described later, the RAND message includes at least the PRNID and the TOW, and can specify which GPS satellite 2 corresponds to the navigation message M transmitted when. The authentication center 120 creates parity data corresponding to the navigation message M and the RAND message from the created RAND message and the H matrix that is the encryption key. This parity data corresponds to the inspection data described in the claims.

  The authentication center 120 is configured to be able to communicate with the monitor station 110, the master control station 130, the in-vehicle device 200, and the like. For example, the authentication center 120 sends a signal including the created parity data to the master control station 130.

  The master control station 130 transmits the parity data received from the authentication center 120 to the QZS satellite 3. The QZS satellite 3 broadcasts a navigation message N including parity data toward the ground. Parity data is provided with data indicating which RANND message corresponds to the data. The navigation message N transmitted by the QZS satellite 3 corresponds to the second navigation message recited in the claims, and the master control station 130 corresponds to the inspection data transmission unit recited in the claims.

  The in-vehicle device 200 is configured to receive radio waves transmitted from the GPS satellite 2 and the QZS satellite 3 and to communicate with the NMA information management center 300. The in-vehicle device 200 detects the position of its own terminal from the radio wave transmitted by the GPS satellite 2 or the QZS satellite 3 (that is, positioning).

  Further, the in-vehicle device 200 acquires the navigation message M from the GPS radio wave received by the terminal itself, and further uses the navigation message M for information (NMA GPS side information and NMA) for navigation message authentication (NMA) processing. Extract). Here, a RAND message is generated as GPS side information for NMA. In addition, although a RAND message is used here as GPS side information for NMA, it is not restricted to this. The NMA GPS side information may be a navigation message M. The GPS side information for NMA only needs to include the GPS satellite 2 that is the transmission source of the navigation message M and information for specifying the transmission time. The GPS side information for NMA corresponds to the authentication related data described in the claims.

  Furthermore, the in-vehicle device 200 acquires parity data as information used for NMA processing from the navigation message N transmitted by the QZS satellite 3.

  The in-vehicle device 200 acquires a plurality of types of parity data corresponding to the number of GPS satellites 2 from the QZS satellite 3. Among the plurality of parity data, the parity data corresponding to the RAND message created as the NMA GPS side information is specified from the PRNID and TOW of the RAND message. The in-vehicle device 200 generates NMA request data Rq including the RAND message created by the own terminal and the parity data received from the QZS satellite 3 and transmits the NMA request data Rq to the NMA information management center 300.

  The NMA information management center 300 can communicate with the in-vehicle device 200 and the authentication center 120 via a known communication network. When the NMA information management center 300 acquires the NMA request data Rq from the in-vehicle device 200, the NMA information management center 300 extracts the RAND message generated by the in-vehicle device 200 and the corresponding parity data from the NMA request data Rq.

  Then, the NMA information management center 300 accesses the data storage unit 124 of the authentication center 120, and acquires the H matrix corresponding to the RAND message from the PRNID and TOW included in the RAND message. For example, the NMA information management center 300 transmits to the authentication center 120 an H matrix request signal that includes a PRNID and a TOW included in the RAND message and requests to transmit an H matrix corresponding to these PRNID and TOW. . Then, an authentication related process described later is performed using the H matrix acquired from the authentication center 120. By performing this authentication-related process, it is possible to perform an authentication process as to whether the navigation message M received by the in-vehicle device 200 is a regular navigation message, that is, an NMA process.

  By the way, the vehicle-mounted device 200 may receive a radio wave transmitted by a simulator that artificially generates a signal transmitted by the GPS satellite 2 in addition to a signal transmitted by the regular GPS satellite 2. If the location information of the in-vehicle device 200 is falsified by such an unauthorized signal, for example, a service provider cannot provide appropriate charges when providing a service using the location information. Occurs.

  On the other hand, the NMA information management center 300 performs the above-described NMA processing, so that the service provider identifies whether the in-vehicle device 200 receives a signal transmitted from a legitimate transmission source (that is, the GPS satellite 2). Will be able to. Hereinafter, among the transmission sources of the navigation message M received by the in-vehicle device 200, the GPS satellite 2 that transmits the authenticated navigation message M is also referred to as an authenticated GPS satellite 2.

<Detailed Configuration of Authentication Center 120>
Here, a more detailed configuration of the authentication center 120 will be described. As shown in FIG. 2, the authentication center 120 includes a control unit 122, a data storage unit 124, and a communication unit 126.

  The control unit 122 is a computer including a CPU, a ROM, a RAM, and the like, and controls the data storage unit 124 and the communication unit 126. In addition, various functions are realized by the CPU executing programs stored in the ROM while using the temporary storage function of the RAM. More specifically, the control unit 122 includes a RAND message generation unit 1221, a SEED value generation unit 1222, an H matrix generation unit 1223, a parity generation unit 1224, and a signal processing unit 1225 as functional blocks. Note that the functions of these units 1221 to 1225 may be the same as the functions disclosed in Patent Document 1.

  The RAND message generator 1221 creates a RAND message from the navigation message M acquired from the monitor station 110. The RAND message corresponds to the authentication data described in the claims, and the RAND message generator 1221 corresponds to the authentication data generator described in the claims.

  The RAND message includes a TOW (Time Of Week) that is extracted from the bit string of the navigation message M and that indicates an elapsed time within one week, and TOC, AF0, and AF1 that are clock correction parameters. The TOW is updated every 6 seconds, and is reset when the time for one week has elapsed. This TOW corresponds to the satellite time described in the claims, and TOC, AF0, and AF1 correspond to the satellite time correction parameters described in the claims. The clock correction parameter is information used for specifying the satellite time, and is also information specific to the satellite. That is, the PRNID and the clock correction parameter correspond to the transmission source specific information described in the claims, and the TOW corresponds to the transmission time information.

  Furthermore, AS Flag and PRNID, which are anti-spoof flags, are added to the RAND message after AF1. TOW, PRNID, TOC, AF0, AF1, AS Flag, and the like are arranged in a bit string constituting the RAND message according to an appropriately designed format.

  Since the RAND message includes the PRNID and the TOW as described above, it can be said that the RAND message is data indicating which GPS satellite 2 has transmitted when. Further, since the TOW is updated every 6 seconds, the RAND message generator 1221 generates a RAND message every 6 seconds for each of all the GPS satellites 2 from which the monitor station 110 receives the navigation message M. It will be.

  The SEED value generation unit 1222 generates a SEED value by generating a random number with the PC clock as an input.

  The H matrix generation unit 1223 uses the SEED value generated by the SEED value generation unit 1222 to generate an H matrix for generating a parity bit that is uniquely determined from input data. The H matrix is a matrix, and the number of rows and columns are values corresponding to the number of bits of input data and the number of parity bits. As the H matrix, a known hash function may be used, for example, a parity check matrix for performing LDPC (Low Density Parity Check) encoding may be used. The H matrix corresponds to the encryption key recited in the claims, and the H matrix generation unit 1223 corresponds to the encryption key generation unit recited in the claims.

  The parity generation unit 1224 calculates parity data based on the RAND message created by the RAND message generation unit 1221 and the H matrix calculated by the H matrix generation unit 1223. That is, the parity data is calculated by multiplying the RAND message by this H matrix. The parity generation unit 1224 corresponds to the inspection data generation unit described in the claims.

  The signal processing unit 1225 associates the parity data generated by the parity generation unit 1224 with the RAND message used for the calculation, and inserts it in the navigation message N transmitted from the QZS satellite 3. Then, the inserted navigation message N is sent to the master control station 130.

  In the present embodiment, as an example, the navigation message N transmitted by the QZS satellite 3 is configured to include parity data and RAND message corresponding to each GPS satellite 2 captured by the monitor station 110. That is, the signal processing unit 1225 inserts the parity data corresponding to the plurality of GPS satellites 2 and the RAND message into the navigation message N in association with each other.

  Further, the signal processing unit 1225 associates the parity data calculated by the parity generation unit 1224, the RAND message used for calculating the parity data, the H matrix, and the SEED value used for calculating the H matrix in accordance with the signal insertion. And stored in the data storage unit 124. The data storage unit 124 corresponds to the storage unit described in the claims.

  This signal processing unit 1225 inserts the RAND message and parity data into the navigation message N that causes the QZS satellite 3 to transmit each time the RAND message generation unit 1221 generates the RAND message. Therefore, the RAND message generation unit 1221, the SEED value generation unit 1222, the H matrix generation unit 1223, and the parity generation unit 1224 also execute processing each time the RAND message generation unit 1221 generates a RAND message.

  When receiving the H matrix request signal transmitted from the NMA information management center 300, the communication unit 126 selects the H matrix corresponding to the received H matrix request signal from the H matrix stored in the data storage unit 124. . Then, the selected H matrix is returned to the NMA information management center 300.

  Transmission / reception of the H matrix between the authentication center 120 and the NMA information management center 300 is performed by encrypted secure communication. For example, the authentication center 120 may encrypt the H matrix using the public key issued by the NMA information management center 300 and transmit it to the NMA information management center 300. Of course, the confidentiality of communication may be ensured by using a common key cryptosystem.

<Detailed configuration of in-vehicle device 200>
Here, the configuration of the in-vehicle device 200 will be described with reference to FIG. As shown in FIG. 3, the in-vehicle device 200 includes a communication unit 210, a control unit 220, and a satellite receiver 230.

  The communication unit 210 includes a reception unit 211 that demodulates a reception signal and the like, and a transmission unit 212 that modulates and transmits data input from the control unit 220. The transmission unit 212 corresponds to the terminal-side transmission unit described in the claims.

  The communication unit 210 has a narrow area communication function and a wide area communication function. The wide-area communication function has a communication distance of several kilometers, for example, and can communicate with other communication devices in the communication area of the public communication network by communicating with the base station of the public communication network. The wide area communication function is realized by a communication module used in, for example, a third generation mobile communication system. Communication with the NMA information management center 300 is performed by the wide area communication function. The narrow area communication function has a communication distance of several hundred meters, for example. When the vehicle-mounted device 200 is configured to communicate with the authentication center 120 and the service center 400 via a roadside device (not shown), the vehicle-mounted device 200 communicates with the roadside device using the narrow area communication function.

  The satellite receiver 230 receives radio waves transmitted by the GPS satellite 2 and the QZS satellite 3 at a constant period. The received radio wave is demodulated and output to the control unit 220. That is, the satellite receiver 230 sequentially receives the navigation message M transmitted from the GPS satellite 2 and the navigation message N transmitted from the QZS satellite 3 and outputs them to the control unit 220. The satellite receiver 230 corresponds to the terminal-side satellite receiver described in the claims.

  The control unit 220 is a computer including a CPU, a ROM, a RAM, and the like, and controls the communication unit 210 and the satellite receiver 230. Further, the CPU executes a program stored in the ROM while using the temporary storage function of the RAM, thereby executing an authentication request related process described later.

  The memory 221 is a rewritable storage medium and is realized by, for example, an EEPROM or a RAM included in the control unit 220. The memory 221 stores the navigation message M and navigation message N acquired sequentially from the satellite receiver 230 and the current position calculated sequentially. When the storage capacity becomes full, the oldest ones should be discarded sequentially. The current position is represented by, for example, a well-known geodetic coordinate system or ECEF coordinate system.

  Next, using the flowchart shown in FIG. 4, a series of processes required for the NMA information management center 300 to perform authentication of the navigation message M received by the satellite receiver 230 (the authentication request related process). ). The authentication of the navigation message M received by the satellite receiver 230 means that the received navigation message M is not a navigation message forged by the simulator but an authentic navigation message M transmitted by the GPS satellite 2. Refers to that.

  This authentication request related process is performed by the control unit 220 of the in-vehicle device 200 as described above. The control unit 220 sequentially executes the authentication request related process shown in the flowchart shown in FIG. 4 when, for example, power is supplied to the in-vehicle device 200 (for example, every 100 milliseconds). In addition, for example, it may be configured to be executed when the navigation message M is input from the satellite receiver 230.

  First, in step S1, the navigation message N received from the QZS satellite 3 by the satellite receiver 230 is acquired. In step S2, parity data and a RAND message corresponding to the parity data are extracted from the navigation message N acquired in step S1. Then, PRNID and TOW are extracted from the RAND message as information for specifying which RAND message the parity data corresponds to, and stored in the memory 221 in association with the parity data. This step S2 corresponds to the inspection data extraction unit described in the claims.

  Note that the navigation message N in this embodiment includes a RAND message for each GPS satellite 2 and parity data corresponding to the RAND message. Therefore, the control unit 220 acquires parity data corresponding to the navigation message M transmitted by each GPS satellite 2 and stores it in the memory 221 through this step S2. The parity data extracted from these navigation messages N is referred to as reception parity data in order to distinguish it from comparison parity data described later.

  In step S3, the navigation message M received from the GPS satellite 2 by the satellite receiver 230 is acquired. In step S4, it is determined whether authentication of the navigation message M is necessary. Whether or not the received navigation message M needs to be authenticated may be determined according to a request from an application that uses position information of the in-vehicle device 200, for example.

  For example, as an application that uses position information, an application that automatically charges a user of the vehicle when it is determined that a vehicle equipped with the vehicle-mounted device 200 is parked in a pay parking area, or position information is used. Applications such as games and route guidance are assumed. An application that performs billing using location information requires authentication of the navigation message M in order to ensure that the location information has not been tampered with. Is provided, the authentication of the navigation message M is considered optional.

  That is, in step S4, it is determined whether or not an authentication process is necessary based on the type of application that provides position information and a request from the application. If authentication of the navigation message M is necessary, step S4 becomes YES and the process moves to step S5. On the other hand, if authentication of the navigation message M is not required, step S4 is NO and this flow ends.

  In step S5, a RAND message is created from the navigation message M received in step S3 by the same method as the RAND message generator 1221 of the authentication center 120, and the process proceeds to step S6. This step S5 corresponds to the authentication related data extracting unit described in the claims.

  The control unit 220 generates a RAND message from the navigation message M by the same method as the RAND message generation unit 1221. Therefore, if the navigation message M used to generate the RAND message is the same in each of the control unit 220 and the RAND message generation unit 1221, the RAND message generated from the navigation message M also has the same content.

  That is, if the navigation message M received by the satellite receiver 230 in step S3 is a regular navigation message M, the RAND message generated in step S5 matches the RAND message generated by the RAND message generator 1221.

  In step S6, PRNID and TOW are extracted from the navigation message M acquired in step S3, the received parity data corresponding to these combinations is read from the memory 221, and the process proceeds to step S7. In step S7, NMA request data Rq including the RAND message generated in step S5 and the received parity data read in step S6 is generated, and the process proceeds to step S8. The NMA request data Rq corresponds to an example of an authentication request signal described in the claims. Further, step S7 corresponds to the authentication request signal generation unit described in the claims.

  In step S8, the NMA request data Rq is transmitted to the NMA information management center 300. This step S8 corresponds to the authentication request signal transmission processing unit described in the claims.

  Communication between the in-vehicle device 200 and the NMA information management center 300 is performed by encrypted secure communication. For example, the NMA request data Rq may be encrypted using the public key issued by the NMA information management center 300 and transmitted to the NMA information management center 300. Of course, the confidentiality of communication may be ensured by using a common key cryptosystem.

<Detailed Configuration of NMA Information Management Center 300>
Next, the configuration of the NMA information management center 300 will be described with reference to FIG. As shown in FIG. 5, the NMA information management center 300 includes a communication unit 310, a control unit 320, and an NMA information database (hereinafter referred to as NMA information DB) 340.

  The communication unit 310 includes a reception unit 311 that demodulates a reception signal and the like, and a transmission unit 312 that modulates and transmits data input from the control unit 320. The NMA information management center 300 can communicate with the in-vehicle device 200 and the authentication center 120 via the communication unit 310.

  The control unit 320 is a computer that includes a CPU, a ROM, a RAM, and the like, and controls the operation of the communication unit 310 and adds, deletes, and reads data stored in the NMA information DB 340. Further, the CPU of the control unit 320 executes an authentication-related process described later by executing a program stored in the ROM while using the temporary storage function of the RAM.

  The NMA information DB 340 is a rewritable mass storage device, and is realized by, for example, an HDD. The NMA information DB 340 stores information (referred to as NMA information) used for authentication of the navigation message M received by the in-vehicle device 200 based on an instruction from the control unit 320. More specifically, the NMA information DB 340 stores, as NMA information, a combination of a RAND message and parity data that have been determined to be successful in the authentication calculation process described later. The NMA information corresponds to the authenticated data described in the claims, and the NMA information DB 340 corresponds to the authenticated data storage unit described in the claims.

  The NMA information DB 340 stores a combination of each RAND message and parity data so that it can be identified from the PRNID and TOW included in the RAND message. That is, if PRNID and TOW are designated, control unit 320 can access parity data corresponding to the combination of the PRNID and TOW and the RAND message. Hereinafter, the RAND message stored in the NMA information DB 340 and the parity data corresponding to the RAND message are referred to as an authenticated RAND message and authenticated parity data, respectively.

  Next, a series of processes (referred to as authentication-related processes) for authenticating the navigation message M received by the satellite receiver 230 performed by the control unit 320 will be described using the flowchart shown in FIG. The flowchart shown in FIG. 6 is executed when NMA request data Rq is received from the in-vehicle device 200, for example.

  First, in step S11, encrypted NMA request data Rq transmitted from the in-vehicle device 200 is acquired from the communication unit 310. Then, the encrypted NMA request data Rq is decrypted using the secret key corresponding to the public key used for the encryption, and the process proceeds to step S12. This S11 corresponds to the authentication request signal reception processing unit described in the claims.

  In step S12, the RAND message and parity data are extracted from the NMA request data Rq decoded in step S11. This parity data is data received by the in-vehicle device 200 from the QZS satellite 3, that is, received parity data. PRNID and TOW are further extracted from the RAND message extracted from the NMA request data Rq.

  In step S13, the NMA information DB 340 is accessed, and the authenticated RAND message and authenticated parity data corresponding to the PRNID and TOW acquired in step S12 are searched. If the authenticated RAND message and authenticated parity data corresponding to the PRNID and TOW acquired in step S12 are present in the NMA information DB 340, step S13 becomes YES and the process moves to step S14. On the other hand, if the authenticated parity data acquired in step S12 does not exist in the NMA information DB 340, step S13 is NO and the process proceeds to step S20. This step S13 corresponds to the authenticated determination unit described in the claims. Further, the NMA information corresponding to the PRNID and TOW acquired in step S12 corresponds to the authenticated data corresponding to the authentication related data described in the claims.

  In step S14, it is determined whether the authenticated RAND message found in step S13 matches the RAND message extracted from NMA request data Rq in step S12. If the respective RAND messages match, step S14 becomes YES and the process moves to step S15. In step S15, it is determined that the authentication is successful, and this flow ends. The success of authentication means that the navigation message M received by the in-vehicle device 200 in step S3 of FIG. 4 is not a signal generated by a simulator or the like but a regular navigation message M transmitted by the GPS satellite 2. .

  Here, the authentication is successful if the authenticated RAND message matches the RAND message extracted from the NMA request data Rq in step S12. However, the configuration is not limited to this. Furthermore, a configuration may be adopted in which authentication success is determined when the authenticated parity data matches the received parity data.

  On the other hand, if the authenticated RAND message found in step S13 and the RAND message extracted from the NMA request data Rq in step S12 do not match, step S14 becomes NO and the process moves to step S16 to determine authentication failure. To end this flow. These steps S14 to 16 correspond to the authenticated data verification authentication unit described in the claims.

  In step S20, an authentication calculation process is performed using the RAND message extracted from the NMA request data Rq and the received parity data. This authentication calculation process will be described separately using a flowchart shown in FIG. In addition, this step S20 corresponds to the authentication calculation unit described in the claims.

  The flowchart in FIG. 7 is executed when the process proceeds to step S20 in FIG. First, in step S21, received parity data extracted from the NMA request data Rq is acquired, and the process proceeds to step S22. In step S22, the RAND message extracted from the NMA request data Rq is acquired, and the process proceeds to step S23.

  In step S23, the PRNID and TOW included in the RAND message are transmitted from the transmission unit 312 to the authentication center 120 together with the public key used for the secret communication. As described above, the authentication center 120 encrypts the H matrix determined by the PRNID and TOW with the public key distributed from the NMA information management center 300 and transmits the encrypted H matrix to the NMA information management center 300.

  In step S <b> 24, the encrypted H matrix transmitted from the authentication center 120 is acquired from the reception unit 311. In step S25, the encrypted H matrix acquired in step S24 is decrypted with the secret key, and the process proceeds to step S26. Steps S24 to S25 correspond to the encryption key acquisition unit described in the claims.

  In step S26, parity data (this is referred to as comparative parity data) is created from the RAND message acquired in step S22 and the H matrix decoded in step S25 by the same process as the process performed by the parity generation unit 1224. To do. The comparison parity data corresponds to the comparison inspection data described in the claims, and step S26 corresponds to the comparison inspection data generation unit described in the claims.

  In step S27, it is determined whether or not the comparison parity data created in step S26 matches the received parity data acquired in step S21. If the two match, the navigation message M received by the in-vehicle device 200 is authenticated for the reason described below (step S28).

  That is, the H matrix decoded in step S25 is the same as the H matrix used when the authentication center 120 creates parity data from the RAND message. The parity data generated by the authentication center 120 is parity data transmitted by the QZS satellite 3, that is, received parity data itself.

  Therefore, when the comparison parity data created in step S26 matches the received parity data obtained in step S21, it can be considered that the RAND message created in step S26 is the same as the RAND message created by the authentication center 120. it can.

  If the RAND messages match, the navigation message M that is the source of the RAND message acquired in step S22, that is, the navigation message acquired in step S3 of FIG. It means that it matches the navigation message M used when creating.

  That is, when the comparison parity data created in step S26 matches the received parity data obtained in step S21, the navigation message M obtained in step S3 in FIG. 4 is the normal navigation message obtained by the authentication center 120. Means M.

  For the reasons described above, if the comparison parity data created in step S26 matches the received parity data acquired in step S21 (YES in step S27), the process proceeds to step S28 and authentication is established. On the other hand, if the two parity data do not match (NO in step S27), the process proceeds to step S29 and authentication is not established. If step S28 or step S29 is implemented, the authentication result will be hold | maintained and it will return to the call origin (FIG. 6, step S20) of the said authentication calculation process.

  Returning to FIG. 6, the description of the authentication-related processing will be continued. With the above description, the processing up to step S20 has been described. When step S20 is completed, the process proceeds to step S40. In step S40, it is determined whether the authentication is successful as a result of the authentication calculation process. When authentication is successful, step S40 becomes YES and moves to step S41. On the other hand, if the authentication has failed, step S40 is NO and the process moves to step S42.

  In step S41, the combination of the RAND data extracted from the NMA request data Rq and the received parity data is newly stored in the NMA information DB 340 as NMA information. Thereby, when NMA request data Rq including the same RAND message and received parity data is transmitted from another in-vehicle device, steps S13 and S14 are YES, and it can be determined that the authentication is successful. That is, the authentication calculation process in step S20 can be omitted from the next time. When the additional storage process in step S41 is completed, this flow ends.

  In step S42, the RAND data extracted from the NMA request data Rq and the received parity data are discarded. That is, the RAND data and the received parity data that have failed in authentication are not stored in the NMA information DB 340. When the processing in step S42 is completed, this flow ends.

(Summary of Embodiment 1)
In the above configuration, when the in-vehicle device 200 receives the navigation message M, the in-vehicle device 200 generates NMA request data Rq for requesting that the navigation message M is the navigation message M transmitted by the GPS satellite 2. To the NMA information management center 300. The NMA request data includes a RAND message and reception parity data corresponding to the RAND message.

  The NMA information management center 300 uses the RAND message and the received parity data included in the NMA request data Rq to perform an authentication process as to whether the navigation message M received by the in-vehicle device 200 is a regular navigation message.

  More specifically, the NMA information DB 340 is accessed to search for NMA information corresponding to the PRNID and TOW included in the NMA request data Rq (step S13). If there is NMA information corresponding to the PRNID and TOW included in the NMA request data Rq, authentication processing is performed using the corresponding NMA information and the RAND message included in the NMA request data Rq (steps S14 to S16). .

  If NMA information corresponding to the PRNID and TOW included in the NMA request data Rq does not exist in the NMA information DB 340, an authentication calculation process using the RAND message and the received parity data included in the NMA request data Rq (step S20). ).

  That is, in this embodiment, the NMA information management center 300 performs authentication calculation processing for determining whether the navigation message M received by the in-vehicle device 200 is a regular navigation message. There is no need to perform authentication calculation processing.

  Therefore, according to the above configuration, the navigation message M received by the in-vehicle device 200 can be authenticated while suppressing an increase in the cost of the in-vehicle device 200.

  In addition, the NMA information management center 300 collects and authenticates the navigation messages M received by the plurality of in-vehicle devices 200 used in the navigation message authentication system 1. Then, the combination of the RAND message and the parity data for which the authentication calculation process has been performed once is stored in the NMA information DB 340. As a result, the NMA request data Rq including the same PRNID and TOW as the NMA request data Rq that has already been successfully authenticated can be authenticated by comparing with the NMA information stored in the NMA information DB 340. The authentication calculation process can be omitted. Therefore, the navigation message M received by the in-vehicle device 200 is authenticated in a shorter time by performing the authentication processing in the NMA information management center 300 in this way.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to the above-mentioned embodiment, The aspect described hereafter is also included in the technical scope of this invention, and also the summary other than the following is also included. Various modifications can be made without departing from the scope.

<Modification 1>
In the first embodiment described above, the NMA information management center 300 sets the parity data to be compared with the parity data (that is, the comparison parity data) generated from the navigation message received by the in-vehicle device 200 in step S27. Although it was set as the structure acquired from the vehicle equipment 200, it is not restricted to this.

  The NMA information management center 300 may acquire the parity data to be compared with the comparison parity data from the data storage unit 124. That is, the NMA information management center 300 sends the parity data corresponding to the RAND message included in the NMA request data Rq from the authentication center 120 in the same manner as the procedure for acquiring the H matrix (steps S23 to 25 in FIG. 7). You may get it. Since the received parity data received by the in-vehicle device 200 from the QZS satellite 3 is the same as the parity data stored in the data storage unit 124, the parity data to be compared with the comparison parity data is received from the data storage unit 124. Even if the acquired data is used, the same determination result is obtained in step S27.

  Further, with such a modification, it is not necessary to include the received parity data in the NMA request data Rq transmitted from the in-vehicle device 200 to the NMA information management center 300, and the in-vehicle device 200 transmits to the NMA information management center 300. The amount of data can be reduced.

<Embodiment 2>
Next, a second embodiment (referred to as a second embodiment) of the present invention will be described with reference to the drawings. For convenience, members having the same functions as those shown in the drawings used in the description of the first embodiment are given the same reference numerals, and descriptions thereof are omitted. Further, when only a part of the configuration is described, the first embodiment described above can be applied to the other parts of the configuration.

  In addition to the configuration of the navigation message authentication system 1 of the first embodiment, the navigation message authentication system 1a in the second embodiment is a service center that communicates with each of the in-vehicle device 200 and the NMA information management center 300 as shown in FIG. 400. In addition, the in-vehicle device 200 according to the second embodiment transmits the NMA request data Rq to the service center 400 and transmits the positioning result (that is, position information) by the in-vehicle device 200 to the service center 400.

  The service center 400 is a center that is provided outside the vehicle and is managed by a service provider that provides a service that uses position information transmitted from the in-vehicle device 200. As a service using position information, for example, when it is determined that a vehicle equipped with the vehicle-mounted device 200 is parked in a toll parking area or when it is determined that the vehicle has traveled on a toll road, the user of the vehicle A service that automatically charges the user is assumed.

  Of course, other services using location information may include route guidance, a service that suggests tourist spots around the current location, and a game that uses location information. Here, as an example, a service that is provided by a parking lot management company and charges when it is determined that a vehicle equipped with the in-vehicle device 200 is parked in a pay parking area is assumed.

  In a service that uses location information with billing, it is an important precondition that the location information of the in-vehicle device 200 is not falsified. That is, depending on whether or not the position information acquired from the in-vehicle device 200 is the position information based on the authenticated navigation message M, the service provider determines whether or not to provide the service to the customer who uses the in-vehicle device 200. .

  Here, the configuration of the service center 400 will be described with reference to FIG. The service center 400 includes a communication unit 410, a control unit 420, an NMA information DB 440, and a customer database (hereinafter referred to as customer DB) 450.

  The communication unit 410 includes a reception unit 411 that demodulates received signals and the like, and a transmission unit 412 that modulates and transmits data input from the control unit 420. The service center 400 can communicate with the in-vehicle device 200 and the NMA information management center 300 via the communication unit 410. The receiving unit 411 corresponds to the SC-side receiving unit described in the claims.

  The NMA information DB 440 is a rewritable mass storage device, and stores NMA information in the same manner as the NMA information DB 340 provided in the NMA information management center 300. More specifically, the NMA information DB 340 stores the RAND message and parity data that are successfully authenticated as NMA information in association with each other so as to be identified from the PRNID and TOW included in the RAND message.

  The NMA information stored in the NMA information DB 440 is added at any time in a service center side authentication related process (hereinafter referred to as an SC side authentication related process) to be described later. The NMA information DB 440 corresponds to the SC-side authenticated data storage unit described in the claims.

  The customer DB 450 is a rewritable large-capacity storage device, and stores information (referred to as customer information) about a customer who uses a service provided by the service center 400. Customer information is managed separately for each customer, and stores information relating to the in-vehicle device 200 used by the customer (referred to as registered in-vehicle device information) and position information acquired from the in-vehicle device 200 in association with each other. doing.

  The vehicle-mounted device information includes an identification number for distinguishing the vehicle-mounted device 200 from other vehicle-mounted devices and authentication state information. The authentication status information is, for example, an authenticated GPS satellite 2 out of whether or not the in-vehicle device 200 has received an authenticated navigation message and the number of GPS satellites 2 used by the in-vehicle device 200 for positioning. The number and ratio of As the identification number of the in-vehicle device, for example, the manufacturing number or the MAC address of the in-vehicle device 200 may be used.

  Based on this in-vehicle device information, the service center 400 determines whether or not to provide a service using the location information to a customer who uses the in-vehicle device 200. For example, when positioning is performed using a signal transmitted by an authenticated GPS satellite 2, or the ratio of the authenticated GPS satellites 2 out of the number of GPS satellites 2 used for positioning is a certain threshold (for example, 75 %), It is determined that the service is provided.

  The control unit 420 is a computer that includes a CPU, a ROM, a RAM, and the like, and controls the operation of the communication unit 410 and adds, deletes, and reads data stored in the NMA information DB 440. In addition, the CPU of the control unit 420 executes a program stored in the ROM while using a temporary storage function of the RAM, thereby executing an SC-side authentication related process described later.

  The main difference between the service center 400 and the NMA information management center 300 is that the service center 400 is a facility managed by a service provider and does not have a function for executing an authentication calculation process. That is, although authentication using the NMA information stored in the NMA information DB 440 can be performed, combinations of PRNID and TOW that are not stored in the NMA information DB 440 cannot be authenticated within the own equipment. The processing in this case will be mentioned in the description of the SC-side authentication related processing.

  Next, a series of processes for authenticating the navigation message M received by the in-vehicle device 200 in the second embodiment will be described. First, when the in-vehicle device 200 receives the navigation message M, the in-vehicle device 200 performs an authentication request related process shown in FIG. Also in the second embodiment, the flow of this authentication request related process is the same as in the first embodiment, but the transmission destination of the NMA request data Rq in step S8 is not the NMA information management center 300 but the service center 400.

  Then, the service center 400 that has received the NMA request data Rq from the in-vehicle device 200 performs SC-side authentication related processing. Communication between the in-vehicle device 200 and the service center 400 is performed by encrypted secure communication.

  Here, the SC-side authentication related processing performed by the control unit 420 of the service center 400 will be described using the flowchart shown in FIG. The flowchart shown in FIG. 10 may be executed when the NMA request data Rq is received from the in-vehicle device 200 as described above.

  First, in step S51, the encrypted NMA request data Rq transmitted from the in-vehicle device 200 is acquired from the communication unit 410. Then, the encrypted NMA request data Rq is decrypted using the secret key corresponding to the public key used for the encryption, and the process proceeds to step S52. Step S51 corresponds to the SC-side authentication request signal reception processing unit described in the claims.

  In step S52, the RAND message and parity data are extracted from the NMA request data Rq decoded in step S51. This parity data is data received by the in-vehicle device 200 from the QZS satellite 3, that is, received parity data. PRNID and TOW are further extracted from the RAND message extracted from the NMA request data Rq.

  In step S53, the NMA information DB 440 is accessed to search for NMA information corresponding to the PRNID and TOW acquired in step S52. If the NMA information corresponding to the PRNID and TOW acquired in step S52 exists in the NMA information DB 440, step S53 becomes YES and the process moves to step S54. On the other hand, if the NMA information corresponding to the PRNID and TOW acquired in step S52 does not exist in the NMA information DB 440, step S53 is NO and the process proceeds to step S57. This step S53 corresponds to the SC-side authenticated determination unit described in the claims.

  In step S54, it is determined whether the authenticated RAND message of the NMA information found in step S53 matches the RAND message extracted from the NMA request data Rq in step S52. If the RAND messages match, step S54 is YES and the process moves to step S55. In step S55, it is determined that the authentication is successful, and the process proceeds to step S62.

  Here, as in the first embodiment, the authentication is successful if the authenticated RAND message matches the RAND message extracted from the NMA request data Rq in step S52, but the configuration is not limited to this. Furthermore, a configuration may be adopted in which authentication success is determined when the received parity data matches the authenticated parity data.

  On the other hand, in step S54, if the authenticated RAND message found in step S53 and the RAND message extracted from NMA request data Rq do not match, step S54 is NO and the process moves to step S56 to determine authentication failure. Then, the process proceeds to step S62. These steps S54 to S56 correspond to the SC-side authenticated data verification authentication unit described in the claims.

  In step S57, the NMA request data Rq obtained and decrypted in step S51 is encrypted again using the public key distributed by the NMA information management center 300 and transmitted to the NMA information management center 300. That is, the NMA request data Rq transmitted from the in-vehicle device 200 is transferred to the NMA information management center 300 (this is referred to as secondary NMA request processing). This step S57 corresponds to the SC-side authentication request signal transmission processing unit described in the claims.

  When the NMA information management center 300 receives the NMA request data Rq from the service center 400, the NMA information management center 300 performs NMA authentication-related processing shown in FIG. This NMA authentication related process is the same as that of the first embodiment. However, the authentication results in steps S15, S16, S28, and S29 are transmitted to the service center 400. That is, the NMA information management center 300 returns whether the authentication is successful or unsuccessful as a response to the NMA request data Rq from the service center 400. The data indicating the authentication result transmitted by the NMA information management apparatus corresponds to the authentication result data described in the claims.

  Returning to FIG. 10 again, when the control unit 420 of the service center 400 receives the result of the authentication process from the NMA information management center 300 in step S58, the process proceeds to step S59. This step S58 corresponds to the authentication result acquisition unit recited in the claims.

  In step S59, it is determined whether the authentication result received from the NMA information management center 300 is an authentication success. If the authentication result is authentication success, step S59 becomes YES and the process moves to step S60. On the other hand, if the authentication is unsuccessful, step S59 is NO and the process proceeds to step S61.

  In step S60, the combination of the RAND data extracted from the NMA request data Rq acquired in step S51 and the received parity data is additionally stored in the NMA information DB 440 as NMA information. As a result, when NMA request data Rq including the same RAND message and received parity data is transmitted from another in-vehicle device, step S53 and step S54 are YES, and it can be determined that the authentication is successful. . That is, the secondary NMA request process in step S57 can be omitted from the next time. This step S60 corresponds to the SC-side authenticated data addition processing unit described in the claims. If the preservation | save process in step S60 is completed, it will move to step S62.

  In step S61, the RAND data extracted from the NMA request data and the received parity data are discarded. That is, the RAND data and the received parity data that have failed in authentication are not stored in the NMA information DB 440. When the process in step S61 is completed, the process proceeds to step S62.

  In step S62, whether or not the authentication process for the NMA request data Rq, that is, the authentication of the navigation message M received by the in-vehicle device 200 is successful is transmitted to the in-vehicle device 200, and the process proceeds to step S63. This step S62 corresponds to the authentication result transmission processing unit described in the claims.

  In step S63, the authentication status information of the in-vehicle device 200 is updated and this flow ends. For example, if the authentication process is successful, the in-vehicle device 200 is in an authentication state that it has received the normal navigation message M transmitted from the GPS satellite 2 identified from the PRNID included in the NMA request data Rq. Save to information.

  When acquiring the authentication result for the NMA request data Rq via the receiving unit 211, the control unit 220 of the in-vehicle device 200 stores the authentication result in the memory 221 in association with the PRNID. According to such a configuration, the control unit 220 refers to the storage area storing the authentication result for each PRNID in the memory 221, so that the authentication state of the GPS satellite 2 (that is, whether or not it has been authenticated). ) Can be recognized.

  In the present embodiment, the in-vehicle device 200 acquires the authentication result from the service center 400, but, of course, the authentication result may be acquired from the NMA information management center 300.

(Summary of Embodiment 2)
In the above configuration, when the in-vehicle device 200 receives the navigation message M from the GPS satellite 2, it generates NMA request data Rq for inquiring whether the navigation message M is really the navigation message M transmitted by the GPS satellite 2. To the service center 400. The NMA request data Rq includes a RAND message and reception parity data corresponding to the RAND message.

  The service center 400 uses the RAND message and the received parity data included in the NMA request data Rq and the NMA information stored in the NMA information DB 440, so that the navigation message M received by the in-vehicle device 200 is a regular navigation message. Perform some authentication. If the NMA information corresponding to the RAND message and the received parity data included in the NMA request data Rq does not exist in the NMA information DB 440, the authentication result is obtained by transmitting the NMA request data Rq to the NMA information management center 300. To get.

  That is, according to the above configuration, the navigation message M received by the in-vehicle device 200 can be authenticated while suppressing an increase in the cost of the in-vehicle device 200.

  In addition, since the service provider can grasp the authentication status of the in-vehicle device 200 used by the customer, the service provider can determine whether to provide the service based on the authentication status.

  Furthermore, the service center 400 returns the authentication result for the NMA request data Rq to the in-vehicle device 200 (step S63 in FIG. 10). As a result, the in-vehicle device 200 can confirm the reliability of the transmission source of the signal used for the positioning calculation, that is, whether it is the GPS satellite 2 or the simulator. For example, the source of the navigation message M that has failed in authentication can be estimated as a simulator. And since it turns out that the signal from a simulator is used for a calculation, it can cope with not using the signal from the transmission source used as authentication failure for the next positioning calculation.

<Modification 2>
In the second embodiment, when the NMA information corresponding to the PRNID and TOW included in the NMA request data Rq acquired from the in-vehicle device 200 does not exist in the NMA information DB 440 (step S53 NO), the NMA request data Rq is managed by the NMA information. Although it is configured to transmit to the center 300, the present invention is not limited to this.

  As shown in FIG. 11, the service center 400 includes a satellite receiver 430 similar to the satellite receiver 230, and the control unit 420 transmits the navigation message M transmitted by the GPS satellite 2 or the navigation message transmitted by the QZS satellite 3. The message N may be acquired sequentially (this is referred to as modified example 2). The satellite receiver 430 corresponds to the SC side satellite receiver described in the claims.

  When receiving a navigation message M and parity data that are a combination of PRNID and TOW that do not exist in the NMA information DB 440, the control unit 420 in the second modification generates NMA request data Rq corresponding to the navigation message M, and generates NMA. The information is transmitted to the information management center 300.

  If the authentication result for the NMA request data Rq is successful, the authenticated RAND message and the authenticated parity data corresponding to the combination of the PRNID and TOW are additionally stored in the NMA information DB 440.

  According to such a configuration, even if the NMA request data Rq is not received from the in-vehicle device 200, the data included in the NMA information DB 440 is updated as needed. Therefore, the control unit 420 can reduce the possibility of performing the secondary NMA request processing (step S57) on the NMA request data Rq from the in-vehicle device 200, and more with respect to the NMA request data Rq from the in-vehicle device 200. The authentication result can be obtained promptly.

<Modification 3>
In the second embodiment, the control unit 220 of the in-vehicle device 200 selects a transmission destination of the NMA request data Rq from at least one of the service centers 400a and 400b (transmission destination) as shown in FIG. (Selection unit) 222 may be provided.

  The transmission destination selection unit 222 selects a service center 400 that is more preferable as the transmission destination of the NMA request data Rq from the current position information and the activated application. For example, if it is determined from the current position information and map data that the vehicle currently exists in the toll parking lot, the NMA request data Rq is transmitted to the service center 400 of the service provider that manages the toll parking lot. Further, if the game application using the position information is being activated, the NMA request data Rq may be transmitted to the service center 400 managed by the service provider providing the game.

  When a user can use a service using location information provided by a plurality of service providers, the vehicle-mounted device 200 used by the user needs to be authenticated by the service center 400 managed by each service provider. Can occur. Even in such a case, according to the configuration of the third modification, authentication can be performed by the service center 400 that is more suitable for the purpose of the user.

<Modification 4>
In the above description, the in-vehicle device 200 is configured to communicate with the service center 400 and the NMA information management center 300 using the wide area communication function, but of course, communication may be performed via a roadside device or the like. In addition, the control unit 220 has a function of appropriately selecting communication means so that the wide-area communication function is used when there is no roadside device in the communicable area formed by the narrow-area communication function of the communication unit 210. May be.

1.1a Navigation message authentication system, 100 control segment, 120 authentication center, 130 monitor control station, 2 GPS satellite (first satellite), 3 QZS satellite (second satellite), 200 onboard equipment (receiving terminal), 230 satellite reception Machine (terminal side satellite receiver), 300 NMA information management center (authentication processing device), 400 service center, S2 inspection data extraction unit, S5 authentication related data extraction unit, S7 authentication request signal generation unit, S8 authentication request signal transmission Processing unit, S11 authentication request signal reception processing unit, S20 authentication calculation unit

Claims (13)

At least one first satellite (2) for transmitting a first navigation message; and a second satellite (3) for transmitting a second navigation message including test data used for authentication processing of the first navigation message; A receiving terminal (200) for receiving the first navigation message and the second navigation message, wherein the first navigation message received by the receiving terminal using the inspection data included in the second navigation message is A navigation message authentication system (1) for performing an authentication process as to whether the first navigation message is transmitted by the first satellite,
The navigation message authentication system further includes an authentication processing device (300) provided outside the receiving terminal and communicating with the receiving terminal,
The inspection data is configured as matrix data obtained by multiplying a bit string arranged in a predetermined area of the first navigation message by an H matrix that is a predetermined matrix,
The receiving terminal is
A terminal-side satellite receiver (230) for receiving the first navigation message transmitted by the first satellite and the second navigation message transmitted by the second satellite;
An inspection data extraction unit (S2) for extracting the inspection data from the second navigation message received by the terminal-side satellite receiver;
Authentication-related data for extracting a bit string arranged in the predetermined area of the first navigation message received by the terminal-side satellite receiver as authentication-related data that is a part necessary for the authentication processing of the first navigation message An extraction unit (S5);
The authentication processing for the first navigation message received by the terminal-side satellite receiver includes the inspection data extracted by the inspection data extraction unit and the authentication-related data extracted by the authentication-related data extraction unit. An authentication request signal generation unit (S7) for generating an authentication request signal for requesting implementation;
An authentication request signal transmission processing unit (S8) for transmitting the authentication request signal generated by the authentication request signal generation unit,
The authentication processing device includes:
An authentication request signal reception processing unit (S11) for receiving the authentication request signal transmitted by the authentication request signal transmission processing unit;
Wherein together for the authentication request signal before Symbol authentication-related data that is included in calculating the comparative test data by multiplying the H matrix by comparing the inspection data with the comparative check data, wherein A navigation message authentication system comprising: an authentication calculation unit (S20) that performs an authentication process on the first navigation message received by the receiving terminal. In claim 1,
The inspection data included in the second navigation message is generated by an authentication center device (100) that acquires the first navigation message,
The authentication center device includes:
A first navigation message receiver (110) for receiving the first navigation message;
An authentication data generating unit (1221) for generating authentication data from the authentication related data of the first navigation message received by the first navigation message receiving unit;
An encryption key generation unit (1223) for generating an encryption key corresponding to the authentication data generated by the authentication data generation unit;
An inspection data generation unit (1224) that generates the inspection data using the authentication data generated by the authentication data generation unit and the encryption key corresponding to the authentication data;
A storage unit (124) for storing the encryption key generated by the encryption key generation unit in association with the authentication data using the encryption key;
An inspection data transmitter (130) for transmitting the inspection data generated by the inspection data generator to the second satellite;
A communication unit (126) that communicates with the authentication processing device,
The storage unit stores the encryption key in association with the inspection data and the first navigation message,
The authentication processing device includes:
An encryption key acquisition unit (S24 to 25) that acquires the encryption key corresponding to the authentication-related data included in the authentication request signal from the storage unit;
A comparison inspection data generation unit (S26) that generates comparison inspection data from the authentication related data included in the authentication request signal and the encryption key acquired by the encryption key acquisition unit;
The authentication operation unit receives the first received by the receiving terminal when the comparison inspection data generated by the comparison inspection data generation unit matches the inspection data included in the authentication request signal. On the other hand, it is determined that the authentication is successful with respect to the navigation message. On the other hand, if the comparison inspection data generated by the comparison inspection data generation unit does not match the inspection data included in the authentication request signal, the authentication fails. The navigation message authentication system characterized by determining. In claim 1 or 2,
The authentication processing device includes:
As a result of the authentication processing performed by the authentication calculation unit, an authenticated data storage unit (340) that stores, as authenticated data, a combination of the authentication related data and the inspection data that has been successfully authenticated;
Authenticated to determine whether or not the authenticated data corresponding to the authentication-related data included in the authentication request signal exists in the authenticated data stored in the authenticated data storage unit A determination unit (S13);
The authenticated determination unit determines that the authenticated data corresponding to the authentication related data included in the authentication request signal exists in the authenticated data stored in the authenticated data storage unit In this case, an authenticated data verification authentication unit (S14) that performs authentication processing of the first navigation message received by the receiving terminal from the authentication related data and the authenticated data corresponding to the authentication related data. To 16), and
In the authentication calculation unit, the authentication determination unit corresponds to the authentication-related data included in the authentication request signal in the authenticated data stored in the authenticated data storage unit. The navigation message authentication system is characterized in that the authentication process is performed when it is determined that there is no completed data. In claim 3,
The navigation message authentication system further includes at least one service center (400, 400a, 400b) that communicates with the authentication processing device and the receiving terminal,
The service center
A service center side (hereinafter SC side) authentication request signal reception processing unit (S51) that receives the authentication request signal transmitted by the authentication request signal transmission processing unit;
An SC-side authenticated data storage unit (440) that stores, as authenticated data, a combination of the authentication-related data and the inspection data that are successfully authenticated in the authentication process performed by the authentication calculation unit;
SC side authentication for performing authentication processing of the first navigation message received by the receiving terminal from the authentication related data included in the authentication request signal and the authenticated data corresponding to the authentication related data A navigation message authentication system comprising: a data verification unit (S54 to 56). In claim 4,
The service center
It is determined whether or not the authenticated data corresponding to the authentication related data included in the authentication request signal exists in the authenticated data stored in the SC-side authenticated data storage unit. SC-side authenticated determination unit (S53);
The SC-side authenticated determination unit includes the authenticated data corresponding to the authentication-related data included in the authentication request signal in the authenticated data stored in the SC-side authenticated data storage unit. An SC-side authentication request signal transmission processing unit (S57) that transmits the authentication request signal to the authentication processing device when it is determined that there is not present,
In the authentication processing device,
The authentication request signal reception processing unit receives the authentication request signal transmitted by the SC side authentication request signal transmission processing unit,
Either one of the authentication calculation unit and the authenticated data verification authentication unit performs an authentication process based on the authentication related data and the inspection data included in the authentication request signal,
The authentication processing device transmits authentication result data indicating a result of the authentication processing to the service center;
The service center further includes:
An authentication result acquisition unit (S58) for acquiring the authentication result data transmitted by the authentication processing device;
When the result indicated by the authentication result data acquired by the authentication result acquisition unit is successful, the SC-side authenticated data storage unit uses the combination of the authentication related data and the inspection data as authenticated data. A navigation message authentication system comprising: an SC-side authenticated data addition processing unit (S60) to be added to In claim 5,
The service center
A navigation message authentication system comprising: an authentication result transmission processing unit (S62) for transmitting an authentication result for the authentication request signal to the receiving terminal. Oite to claim 5 or 6,
The receiving terminal is
A navigation message authentication system comprising: a receiving unit (211) for receiving a result of the authentication process for the authentication request signal. In any one of Claims 5-7,
The service center
An SC side satellite receiver (430) for receiving the first navigation message and the second navigation message transmitted by the first satellite;
The SC-side authentication request signal transmission processing unit extracts the inspection data from the second navigation message received by the SC-side satellite receiver, and from the first navigation message received by the SC-side satellite receiver. A navigation message authentication system that extracts the authentication-related data, generates an authentication request signal including the inspection data and authentication-related data, and transmits the authentication request signal to the authentication processing device. In any one of Claims 4-8,
The navigation message authentication system includes a plurality of the service centers,
The receiving terminal includes a transmission destination selection unit (222) that selects a transmission destination of the authentication request signal from a plurality of the service centers.
The navigation message authentication system, wherein the authentication request signal transmission processing unit transmits the authentication request signal to the service center selected by the transmission destination selection unit. In any one of Claims 4-8,
The receiving terminal is
A terminal side transmission unit (212) that measures the position of the terminal based on the signal from the first satellite and transmits position information as a result of the positioning to the service center,
The service center includes an SC-side receiving unit (411) that receives the location information transmitted by the receiving terminal, and performs a service using the location information received by the SC-side receiving unit. Navigation message authentication system. In any one of Claims 1 to 10,
The navigation message authentication system, wherein the authentication related data includes information specific to a transmission source for specifying a transmission source of the first navigation message and transmission time information for specifying a transmission time. Matrix data obtained by multiplying a first navigation message transmitted by the first satellite and a bit string arranged in a predetermined area of the first navigation message transmitted by the second satellite by an H matrix that is a predetermined matrix. A terminal-side satellite receiver (230) for receiving a second navigation message including inspection data configured as :
An inspection data extraction unit (S2) for extracting the inspection data from the second navigation message received by the terminal-side satellite receiver;
Authentication-related data for extracting a bit string arranged in the predetermined area of the first navigation message received by the terminal-side satellite receiver as authentication-related data that is a part necessary for the authentication processing of the first navigation message An extraction unit (S5);
The authentication processing for the first navigation message received by the terminal-side satellite receiver includes the inspection data extracted by the inspection data extraction unit and the authentication-related data extracted by the authentication-related data extraction unit. An authentication request signal generation unit (S7) for generating an authentication request signal for requesting implementation;
An authentication request signal transmission processing unit (S8) that transmits the authentication request signal generated by the authentication request signal generation unit. Of the first navigation message transmitted by the first satellite, the authentication-related data that is a part necessary for the authentication process of the first navigation message and the first navigation message among the second navigation message transmitted by the second satellite. An authentication request signal reception processing unit (S11) for receiving an authentication request signal including the test data used in the authentication process of
An authentication calculation unit (S20) that performs an authentication process on the first navigation message based on the inspection data and the authentication-related data included in the authentication request signal ,
The inspection data is configured as matrix data obtained by multiplying a bit string arranged in a predetermined area of the first navigation message by an H matrix that is a predetermined matrix,
The authentication related data is data obtained by extracting a bit string arranged in the predetermined area of the first navigation message,
The authentication calculation unit calculates comparison inspection data by multiplying the authentication-related data included in the authentication request signal by the H matrix, and compares the comparison inspection data with the inspection data. it allows the authentication processing apparatus according to claim that you have been configured to perform an authentication process for the first navigation messages.

Images