JP6441615B2 - Electronic key system - Google Patents

Description

  The present invention relates to an electronic key system that performs wireless ID verification between an electronic key and a communication target.

  2. Description of the Related Art Conventionally, an electronic key system is known that operates a vehicle by wirelessly collating an electronic key with an ID (see, for example, Patent Document 1). In this type of electronic key system, a request signal is transmitted from, for example, an LF (Low Frequency) band radio wave from a transmission antenna mounted on a vehicle. When receiving the request signal, the electronic key transmits a key ID signal written in the electronic key to the vehicle using radio waves in, for example, a UHF (Ultra High Frequency) band. When the vehicle verification ECU receives the key ID signal transmitted from the electronic key at the reception antenna of the vehicle, the vehicle verification ECU performs ID verification based on the key ID signal, and if the ID verification can be confirmed, for example, the vehicle door Permit / execute locking / unlocking and engine starting. At the time of ID verification, challenge response authentication is performed to enhance security.

JP 2005-262915 A

  By the way, in the electronic key system as described above, there is a side channel attack that intrudes into the vehicle itself and analyzes the operation state inside the apparatus to acquire information necessary for challenge response authentication. For example, there is a risk of analyzing a method for generating a response of challenge response authentication. When a side channel attack is received, information obtained by a third party who does not carry the electronic key is communicated to establish challenge response authentication, so that the third party can unlock the vehicle door without permission. There is a risk that engine start may be permitted or executed. Thus, there is a need for an electronic key system that can prevent unauthorized challenge-response authentication even when subjected to a side channel attack.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide an electronic key system that can prevent unauthorized challenge-response authentication due to a side channel attack.

Hereinafter, means for solving the above-described problems and the effects thereof will be described.
An electronic key system that solves the above problem is an electronic key system that enables control of the communication target based on the establishment of challenge response authentication between the electronic key and the communication target. A plurality of pairs of responses encrypted with an encryption key are generated in advance, a plurality of pairs of these responses and responses are stored, the stored challenge is transmitted, and the challenge and the pair are paired. A response is read, the electronic key that has received the challenge transmitted from the communication target transmits a response encrypted with an encryption key, and is transmitted from the response stored in the communication target and the electronic key When challenge response authentication is established when the response matches That serial communication target is determined is set to its gist.

  In the side channel attack, after transmitting a challenge, the communication target analyzes the power consumption when the response is generated by encrypting the challenge with the encryption key, and the encryption key is analyzed. Therefore, according to the above configuration, a plurality of challenge / response pairs are generated and stored in advance, and the stored challenge / response is read out to perform challenge-response authentication. For this reason, since encryption for generating a response is not performed after the challenge is transmitted, it is possible to prevent acquisition of power consumption or the like when encrypting the challenge. Therefore, unauthorized challenge response authentication due to side channel attacks can be prevented.

In the electronic key system, it is preferable that the communication target is used by randomly reading from a plurality of pairs of stored challenges and responses.
When generating the challenge and response in advance, the power consumption, etc. is acquired, and when reading from the stored challenge-response pair in order, the acquired power consumption, etc. Since it is possible to identify whether it is a thing, there is a risk of decryption of the encryption key by side channel attack. So, according to the said structure, regularity will be lose | eliminated in the order read out by reading randomly from several pairs of a challenge and a response. For this reason, it is possible to prevent the response generation method from being analyzed from the order of the challenge and response generated and stored in advance.

In the electronic key system, the communication target preferably stores a plurality of challenges having the same hamming weight and responses paired with the challenge.
For example, when multiple challenges with different hamming weights are generated, the challenge is inferred from the difference in hamming weights depending on the analysis of the side channel attack, and the acquired power consumption etc. is for encrypting which challenge. May be identified. Therefore, according to the above configuration, the challenge having the same hamming weight and the paired response are stored, so that it is possible to prevent the response generation method from being analyzed from the difference in the hamming weight.

  For the electronic key system, the communication target is a challenge and a response until the stored challenge and response pair reaches the predetermined value on condition that the stored challenge and response pair does not reach the predetermined value. It is preferable to generate and store a pair with the response.

  According to the above configuration, when the stored challenge-response pair does not reach the predetermined value, the challenge-response pair is generated and stored until the predetermined value is reached. For this reason, it is possible to maintain a state in which a predetermined value is stored for a pair of challenge and response, and to select from a plurality of pairs when reading a pair of challenge and response.

  In the electronic key system, it is preferable that the communication target confirms whether or not a stored challenge-response pair has the predetermined value immediately after transmitting the challenge.

  According to the above configuration, immediately after the challenge is transmitted, it is checked whether or not the stored challenge and response pair has a predetermined value. If there is no predetermined value, the challenge and response pair is transmitted immediately after the challenge is transmitted. Will be generated. For this reason, since the transmitted challenge and the generated challenge and response pair are mixed, the analysis by the side channel attack can be prevented.

  In the electronic key system, the communication target generates a challenge-response pair at a predetermined timing, and replaces the generated challenge-response pair with a stored challenge-response pair. Is preferred.

  According to the above configuration, the stored challenge-response pair is replaced with the generated challenge-response pair. Therefore, in addition to the stored number of challenge / response pairs, the number of replaced challenge / response pairs exists. Therefore, when a third party intercepts a challenge and selects and tries power consumption etc. with brute force, the number of brute force will increase, and what challenge the power consumption obtained will encrypt It can be made more difficult to specify whether it is.

  ADVANTAGE OF THE INVENTION According to this invention, the illegal challenge response authentication by a side channel attack can be prevented.

The block diagram which shows schematic structure of an electronic key system. The flowchart which shows the production | generation process of the challenge and response by the vehicle control apparatus. The flowchart which shows the authentication process by the control apparatus of a vehicle.

Hereinafter, an embodiment of an electronic key system will be described with reference to FIGS.
As shown in FIG. 1, a vehicle 20 that is a communication target is equipped with an electronic key system that performs ID verification wirelessly with the electronic key 10. The electronic key system is a system that performs ID collation by narrow-band radio, for example, triggered by communication from the vehicle 20. Hereinafter, the ID verification of the electronic key system is referred to as “smart verification”, and the communication is referred to as “smart communication”.

  The electronic key 10 includes a key control unit 11 that controls the operation of the electronic key 10, a receiving antenna 12 that enables radio reception by the electronic key 10, and a transmission antenna 13 that enables radio transmission by the electronic key 10. ing. An electronic key ID is written and stored in the memory 11 a of the key control unit 11 as a unique ID of the electronic key 10. The reception antenna 12 can receive radio waves in, for example, an LF (Low Frequency) band. The transmission antenna 13 can transmit radio waves in, for example, UHF (Ultra High Frequency) band.

  The vehicle 20 includes a collation ECU (Electric Control Unit) 21 that performs various collations with the electronic key 10, a body ECU 22 that manages the power source of the in-vehicle electrical components, and an engine ECU 23 that controls the engine 24. These are electrically connected through a communication line 25 in the vehicle. The communication line 25 is, for example, a CAN (Controller Area Network) or a LIN (Local Interconnect Network). The ID (electronic key ID) of the electronic key 10 registered in the vehicle 20 is written and stored in the memory 21a of the verification ECU 21.

  The vehicle 20 transmits from the outside transmitter 26 capable of transmitting radio waves outside the vehicle in ID verification communication, the in-vehicle transmitter 27 capable of transmitting radio waves inside the vehicle in ID verification communication, and the electronic key 10 in ID verification communication. And a vehicle receiver 28 capable of receiving received radio waves. These are electrically connected to the verification ECU 21. The vehicle transmitter 26 and the vehicle transmitter 27 can transmit, for example, LF band radio waves. The vehicle receiver 28 can receive, for example, UHF radio waves.

  The vehicle 20 includes a door lock mechanism 29 as a mechanical mechanism that switches between locking and unlocking the vehicle door. The body ECU 22 switches between locking and unlocking of the door lock mechanism 29 based on the verification result of the ID verification of the verification ECU 21. The door of the vehicle 20 is provided with a door button 40 that serves as a trigger for locking and unlocking the door.

  The vehicle 20 includes an engine switch 30 that is operated when the power state of the vehicle 20 is switched. The engine switch 30 includes an operation detection unit 31 that detects, for example, a push operation (on operation) to the engine switch 30. The operation detection unit 31 may be either a switch (for example, a micro switch) or a sensor (a magnetic sensor or an optical sensor). When the engine switch 30 is operated, the operation detection unit 31 outputs the operation signal Ssw to the verification ECU 21. The operation signal Ssw output when operating the engine switch 30 is, for example, an ON signal.

  The verification ECU 21 determines the power state of the vehicle 20 based on the operation signal Ssw input from the operation detection unit 31. The verification ECU 21 switches the power state of the vehicle 20 based on the determination result of the power state. The power supply state of the vehicle 20 is switched to any of IG off, ACC on, IG on, and engine start, for example.

  When the outside transmitter 26 forms a communication area for LF radio waves outside the vehicle, the smart communication outside the vehicle is executed when the electronic key 10 enters the communication area. Specifically, when the electronic key 10 receives the wake signal transmitted from the external transmitter 26, the electronic key 10 is activated to return an ACK, and in the subsequent communication process, vehicle code verification, challenge response authentication, electronic key Various verifications of ID verification are executed. The vehicle code collation is a collation in which a vehicle code that is a unique ID of the vehicle 20 is transmitted to the electronic key 10 and the electronic key 10 is checked for the vehicle code. In challenge response authentication, a challenge code (hereinafter referred to as “challenge”) whose code changes every time it is transmitted is transmitted from the vehicle 20 to the electronic key 10, and a response code (hereinafter referred to as “response”) is generated using the encryption key of the electronic key 10. A response is returned to the vehicle 20. Subsequently, the challenge response authentication is a verification for checking whether or not the response calculated in the vehicle 20 and the response of the electronic key 10 match. The electronic key ID verification is verification for transmitting the electronic key ID of the electronic key 10 to the vehicle 20 and confirming the electronic key ID in the vehicle 20. When the verification ECU 21 confirms that all of these verifications are established, the body ECU 22 permits or executes the locking / unlocking of the vehicle door, assuming that the smart verification outside the vehicle is established.

  When the electronic key 10 enters the vehicle, the in-vehicle smart collation similar to the out-of-vehicle smart collation is executed by the out-of-car transmitter 26 instead of forming the communication area in the vehicle. When the verification ECU 21 confirms that in-vehicle smart verification is established with the electronic key 10 located in the vehicle, the verification ECU 21 permits or executes switching of the vehicle power source (switching of engine start) by the engine switch 30.

  The electronic key system includes an immobilizer system that enables wireless ID verification with the vehicle 20 even if the electronic key 10 does not have a battery. The communication of the immobilizer system is, for example, short-range wireless (for example, RFID (Radio Frequency IDentification) having a communication distance of several to several tens of centimeters). Further, hereinafter, communication of the immobilizer system is referred to as “immobilizer communication”, and ID verification by the communication is referred to as “immobilizer verification”.

  The vehicle 20 includes a communication antenna 32 that can transmit and receive short-range radio waves in the vehicle 20. The electronic key 10 also includes a communication antenna 14 that can transmit and receive short-range radio waves in the electronic key 10. In each of the memories 11a and 21a, a transponder ID confirmed in the immobilizer system is written and stored. The communication antenna 32 is, for example, a bobbin provided on the outer periphery of the engine switch 30.

  When the electronic key 10 runs out of battery, the narrow area wireless communication cannot be used, so the immobilizer verification is performed. At this time, when the electronic key 10 is held over the communication antenna 32 of the vehicle 20, the transponder ID of the electronic key 10 is transmitted to the vehicle 20 by, for example, load modulation communication. The verification ECU 21 compares the transponder ID of the electronic key 10 with the transponder ID registered in itself, and if they match, for example, the engine switch 30 permits switching of the vehicle power supply (engine start switching).

  Here, in the electronic key system, there is a risk of being subjected to a side channel attack in which the operation state inside the apparatus is analyzed and a method for generating a response necessary for challenge response authentication is analyzed, for example, by entering the vehicle 20 itself. . Therefore, the verification ECU 21 of the vehicle 20 previously generates and stores a plurality of pairs of challenges and responses, reads the stored challenges and responses, and performs challenge response authentication. By doing in this way, since a response is not produced | generated after transmitting a challenge, it can prevent acquiring the power consumption etc. at the time of producing | generating the response corresponding to the transmitted challenge.

  Further, the verification ECU 21 reads and uses a plurality of pairs of challenges and responses that have been generated and stored in advance, in a random order. By doing this, even if power consumption is acquired when multiple responses are generated in advance, reading the reading order prevents the encryption key from being analyzed by side channel attacks from being analyzed. it can.

  Further, the verification ECU 21 generates and stores a challenge having the same hamming weight in advance. By doing in this way, it can prevent specifying which challenge is what when the power consumption etc. which were acquired from the difference of Hamming weight are what is encrypted.

  The verification ECU 21 generates and stores a challenge-response pair until a predetermined value is reached when a specific condition is satisfied. The specific condition is that when the power of the vehicle 20 is turned on, that is, the battery is connected or the challenge is transmitted, the stored challenge-response pair is less than a predetermined value. It is.

Next, the operation of the electronic key system configured as described above will be described with reference to FIGS.
First, the challenge C and response R generation processing will be described with reference to FIG.

  The verification ECU 21 generates a pair of a challenge C and a response R triggered by the vehicle 20 being powered on or the challenge C being transmitted. Here, when the power of the vehicle 20 is turned on, the pair of challenge C and response R is not stored in the memory 21a. When the challenge C is transmitted, since the challenge C is used, the number of pairs (stored number) of the challenge C and the response R is reduced by at least one from the predetermined value N. Therefore, in such a case, it is necessary to generate a pair of challenge C and response R up to a predetermined value N and store it in the memory 21a.

  The verification ECU 21 generates a challenge C when the vehicle 20 is turned on or a challenge C is transmitted as a trigger (step S11). That is, the verification ECU 21 sets a value randomly selected from values having the same Hamming weight as the challenge C. Here, the challenge C to be generated is limited to those having the same hamming weight. Thus, even when N pieces of power consumption are acquired, it is specified which of the N pieces of power consumption is to be encrypted due to the difference in Hamming weight of Challenge C. Can be prevented.

  Subsequently, the verification ECU 21 generates a response R (step S12). That is, the verification ECU 21 generates the response R by encrypting the challenge C generated previously with the encryption key.

  Subsequently, the verification ECU 21 stores a pair of challenge C and response R (step S13). When the pair of challenge C and response R can be generated, the verification ECU 21 stores the pair of challenge C and response R in the memory 21a in the order of generation.

  Subsequently, the verification ECU 21 determines whether or not the stored number of pairs of challenge C and response R (number stored) is smaller than a predetermined value N (step S14). That is, since the verification ECU 21 wants to make the memory 21a store the pair of challenge C and response R with a predetermined value N, the quantity (stored number) of the pair of challenge C and response R is less than the predetermined value N. Judge whether there is.

  As a result, when the verification ECU 21 determines that the stored number of pairs of challenge C and response R is smaller than the predetermined value N (step S14: YES), the verification ECU 21 proceeds to step S11. That is, since the number of pairs of challenge C and response R has not reached the predetermined value N, the verification ECU 21 returns to step S11 to further generate and store a pair of challenge C and response R.

  On the other hand, when the collation ECU 21 determines that the stored number of pairs of challenge C and response R is greater than or equal to the predetermined value N (step S14: NO), the process ends. That is, the verification ECU 21 stops generating the challenge C and the response R because the number of pairs of the challenge C and the response R has reached the predetermined value N.

Next, the challenge response authentication process will be described with reference to FIG.
The verification ECU 21 performs ID verification by using an operation on the door button 40 or the engine switch 30 provided on the door of the vehicle 20 as a trigger. Here, description of vehicle code verification and electronic key ID verification will be omitted as ID verification, and only challenge response authentication will be described.

  When there is an operation on the door button 40 or the engine switch 30 as a trigger, the verification ECU 21 randomly selects the challenge C stored in the memory 21a (step S21). That is, the verification ECU 21 selects and reads a pair of the challenge C and the response R at random so that the order is different from the order stored in the memory 21a.

  Subsequently, the verification ECU 21 transmits the selected challenge C (step S22). In other words, the verification ECU 21 transmits the challenge C of the pair of the selected challenge C and response R from the in-vehicle transmitter 26 if the door button 40 is operated, and in the vehicle if the engine switch 30 is operated. Transmit from transmitter 27.

  Subsequently, the verification ECU 21 compares the stored response R of the pair with the received response R (step S23). That is, the verification ECU 21 reads the response R paired with the transmitted challenge C stored in the memory 21a, receives the response R returned from the electronic key 10 that received the transmitted challenge C, and receives these responses R Compare

  Subsequently, the verification ECU 21 determines whether or not the stored response R matches the received response R (step S24). That is, the verification ECU 21 checks whether or not the response R read from the memory 21a matches the received response R.

  As a result, when the verification ECU 21 determines that the responses R do not match (step S24: NO), the process ends. That is, since the verification ECU 21 receives the response R from the electronic key 10 corresponding to the other vehicle 20, the challenge response authentication is not established, and the process ends without executing the request.

  On the other hand, when it is determined that the responses R match (step S24: YES), the verification ECU 21 executes the request (step S25). That is, since the challenge response authentication is established, the verification ECU 21 permits or executes the door locking / unlocking if the door button 40 is operated, and permits the vehicle power supply change if the engine switch 30 is operated. Or do it.

  In this way, since a plurality of pairs of challenge C and response R are generated and stored in advance, the response R is not generated after the challenge C is transmitted, so the method of generating the response R corresponding to the challenge C is analyzed. Can be prevented.

As described above, according to this embodiment, the following effects can be obtained.
(1) A plurality of pairs of challenge C and response R are generated and stored in advance, and the stored challenge C and response R are read and challenge response authentication is performed. For this reason, since the encryption for generating the response R is not performed after the challenge C is transmitted, it is possible to prevent the power consumption and the like when the challenge C is encrypted from being acquired. Therefore, unauthorized challenge response authentication due to side channel attacks can be prevented.

  (2) By randomly reading from a plurality of pairs of challenge C and response R, regularity is lost in the reading order. For this reason, it is possible to prevent the combination of the challenge C and the power consumption from being specified in the order of the challenge C and the response R generated and stored in advance.

  (3) Since the challenge C having the same Hamming weight and the response R as a pair are stored, it is possible to prevent the combination of the challenge C and the power consumption from being specified due to the difference in the Hamming weight.

  (4) When the stored pair of challenge C and response R does not reach the predetermined value N, the pair of challenge C and response R is generated and stored until the predetermined value N is reached. For this reason, the state in which the pair of the challenge C and the response R is stored for the predetermined value N can be maintained for a long period of time. When reading the pair of the challenge C and the response R, it is possible to select from a plurality of pairs. it can.

  (5) Immediately after transmitting the challenge C, it is checked whether or not the stored pair of challenge C and response R has a predetermined value N. A pair with the response R is generated. For this reason, since the transmitted challenge C and the pair of the generated challenge C and response R are mixed, the analysis by the side channel attack can be prevented.

In addition, the said embodiment can also be implemented with the following forms which changed this suitably.
In the above-described embodiment, a pair of challenge C and response R is generated and stored, triggered by the vehicle 20 being turned on or the challenge C being transmitted. However, before step S11, as a trigger, it is determined whether the number of stored pairs of challenge C and response R is smaller than a predetermined value N, and when the number of stored pairs is smaller than a predetermined value N A pair of challenge C and response R may be generated and stored.

  In the above embodiment, the challenge C and the response R are generated and stored when the challenge is transmitted, but the challenge C and the response R may be generated and stored when the response is received.

  In the above embodiment, when the number of stored pairs of challenge C and response R is smaller than a predetermined value N, a pair of challenge C and response R is generated and stored. However, regardless of the predetermined value N, a pair of challenge C and response R may be generated and stored each time the challenge C is transmitted. Further, regardless of the predetermined value N, a pair of challenge C and response R may be generated and stored each time the response R is read.

  In the above embodiment, the response R having the same Hamming weight is generated and stored. However, if there is no possibility of guessing the response R due to the difference in the Hamming weight, the response R having a different Hamming weight may be generated and stored.

  In the above embodiment, the pair of challenge C and response R is stored in order, and the pair of challenge C and response R is randomly read so that the order is different from the stored order. However, the pair of challenge C and response R may be stored randomly, and the pair of challenge C and response R may be read in the stored order.

  In the above embodiment, the stored challenge C and response R are randomly read from a plurality of pairs and used. However, if there is no possibility of being inferred from the order of a plurality of pairs of the stored challenge C and response R, the stored pairs of the challenge C and response R may be read out and used in order.

  In the above embodiment, the stored pair of challenge C and response R may be replaced with a pair of challenge C and response R generated at a predetermined timing. For example, when the number of stored pairs of challenge C and response R is N, it is assumed that there are n number of replaced pairs of challenge C and response R. In such a case, when a third party intercepts one of the challenges C and selects and tries power consumption etc. with brute force, the brute force number is required in addition to N (n pieces) N + n), it is possible to make it more difficult to specify which challenge C the acquired power consumption is for encrypting.

-In the said embodiment, although applied with respect to the smart collation in smart communication, you may apply to the immobilizer collation in immobilizer communication.
-In the said embodiment, although applied to the electronic key system with which a vehicle is equipped, you may apply to the electronic key system with which buildings, such as a house, are equipped.

  DESCRIPTION OF SYMBOLS 10 ... Electronic key, 11 ... Key control part, 11a ... Memory, 12 ... Reception antenna, 13 ... Transmission antenna, 14 ... Communication antenna, 20 ... Vehicle, 21 ... Collation ECU, 21a ... Memory, 22 ... Body ECU, 23 ... Engine ECU, 24 ... Engine, 25 ... Communication line, 26 ... Outside transmitter, 27 ... In-vehicle transmitter, 28 ... Vehicle receiver, 29 ... Door lock mechanism, 30 ... Engine switch, 31 ... Operation detector, 32 ... Communication Antenna, 40 ... door button.

Claims (4)

In the electronic key system that enables control of the communication target based on the establishment of challenge response authentication between the electronic key and the communication target,
The communication target generates a plurality of pairs of a challenge and a response obtained by encrypting the challenge with an encryption key, stores a plurality of pairs of the challenge and the response, and stores the stored challenge. Sending the response that is paired with the challenge, sending the response that the electronic key that received the challenge sent from the communication target is encrypted with an encryption key, and storing the response in the communication target The communication object determines that challenge response authentication is established when the response and the response transmitted from the electronic key match,
The communication target is an electronic key system that generates a challenge and response pair at a predetermined timing, and replaces the generated challenge and response pair with a stored challenge and response pair. In the electronic key system that enables control of the communication target based on the establishment of challenge response authentication between the electronic key and the communication target,
The communication target generates a plurality of pairs of a challenge and a response obtained by encrypting the challenge with an encryption key, stores a plurality of pairs of the challenge and the response, and stores the stored challenge. Sending the response that is paired with the challenge, sending the response that the electronic key that received the challenge sent from the communication target is encrypted with an encryption key, and storing the response in the communication target The communication object determines that challenge response authentication is established when the response and the response transmitted from the electronic key match,
The communication target generates a challenge-response pair until the stored challenge-response pair reaches the predetermined value, provided that the stored challenge-response pair does not reach the predetermined value. Electronic key system to memorize. The communication object, the electronic key system according to claim 1 or 2, more memory and challenge Hamming weight is the same, and a response to be the challenge and pair. The electronic key system according to claim 2 , wherein the communication target confirms whether or not a pair of stored challenge and response is the predetermined value immediately after transmitting the challenge.

Images