JP6683105B2 - Communications system - Google Patents

Description

  The present invention relates to a communication system in which a plurality of vehicle-mounted electronic control devices are network-connected.

  As is well known, a plurality of electronic control units (ECUs) mounted on a vehicle are connected to the same network, and information (vehicle information) that they have can be mutually transmitted and received. Often make up. An example of such a communication system is described in Patent Document 1.

  The communication system described in Patent Document 1 includes a transmitting terminal that transmits data and a receiving terminal that receives data from the transmitting terminal. The transmission terminal includes a data acquisition unit, a reception unit, a key acquisition unit, and a time-varying parameter management unit that receives challenge information from the reception unit and manages time-varying parameters. Further, the transmitting terminal receives the conversion data from the data conversion unit and the data conversion unit that converts the received communication data by using the received key information, the challenge information and the time-varying parameter, and generates the conversion data. And a transmitter for transmitting data to the receiving terminal. On the other hand, the receiving terminal includes a challenge generating unit that generates challenge information, a transmitting unit that transmits the challenge information to the transmitting terminal, a receiving unit that receives conversion data from the transmitting terminal, and key information that is the same as the key information in the transmitting terminal. And a key acquisition unit for acquiring. In addition, the receiving terminal uses the time-varying parameter determination unit that determines the novelty of the received converted data, and whether the received converted data is correctly converted using the received key information, challenge information, and time-varying parameter. And a data authentication unit that sends the authentication result to the time-varying parameter determination unit. Then, the time-varying parameter determination unit determines the novelty of the converted data based on the authentication result received from the data authentication unit.

JP 2011-66703 A

  According to the system described in Patent Document 1, the time-varying parameter included in the communication message suppresses the spoofing of the legitimate sender by an attacker who cannot appropriately change the time-varying parameter, and the reliability of the communication message is reduced. To improve the sex.

  As described above, the reliability of the communication message can be improved by using the time-varying parameter, but the receiving device and the transmitting device can be used after the power is turned on or after the reset until the time-varying parameter is synchronized. And the stored time-varying parameters may differ from each other. If the stored time-varying parameters are different, the receiving device will not only be able to authenticate the legitimate communication message sent by the sending device, but also determine that it is invalid. It will be.

  The present invention has been made in view of such circumstances, and an object of the present invention is to properly check whether a communication message is correct or incorrect, even when the reliability of the communication message is secured by using a time-varying parameter. It is to provide a communication system capable of making a judgment.

Hereinafter, the means for solving the above problems and the effects thereof will be described.
To achieve the above object, a communication system stores the first information of a management code formed by combining first information and second information, and stores the first information to be stored. A management device that manages the second information to be updated once based on multiple updates, and a reception device and a transmission device that are communicatively connected to the management device via a communication network, the management device transmits a synchronization message including the first information, the receiving apparatus and the transmitting apparatus, every time of receiving the synchronization message the management device transmits, included in synchronization the received message together is to hold the first information, the is intended to determine whether the receiving the synchronization message from the management apparatus, the transmitting apparatus, the management And managing the second information of the code, and generating an authenticator from communication data and the management code formed by combining the held first information and the managed second information. Then, while generating and transmitting a communication message including the communication data, the second information to be managed, and the generated authenticator, and not including the first information to be held, generation of the communication message The value of the second information to be managed is updated later, the receiving device receives the communication message transmitted by the transmitting device, the authenticator included in the received communication message, and the received communication message. For authenticating the received communication message based on a comparison with an authenticator regenerated based on the above, wherein the receiving device includes the first information held and the transmitting device. The management code is reconfigured by combining the second information acquired from the transmitted communication message, and the regenerated authentication is performed from the communication data acquired from the communication message transmitted by the transmission device and the reconfigured management code. Acquiring a child, the transmitting device does not transmit a communication message to the receiving device when the synchronization message including the first information transmitted by the management device has not been received , and The receiving device performs at least one of not authenticating a communication message received from the transmitting device when a synchronization message including the first information transmitted by the management device has not been received. .

  It is desirable to set the management code to the one-time value in order to further improve the reliability of communication, but if you try to set the management code to the one-time value over the period of use of the communication system, the amount of information required for the management code will decrease. It gets bigger. When this management code is included in the communication message, the management code occupies a large amount in the communication message, and there is a problem that the capacity that can be assigned to the message data that is the communication content to be transmitted becomes small.

In this respect, by including only the second information of the management code in the communication message transmitted by the transmitting device, it is possible to secure a large area for communication data.
Further, the first information of the management code is managed by the management device, and thus can be synchronized between the transmission device and the reception device. That is, the receiving device combines the first information transmitted from the management device with the second information included in the communication message transmitted from the transmitting device, and is used by the transmitting device to generate the authenticator. The management code can be reconfigured. That is, even if the size of the management code is set to a size required for ensuring reliability, it is possible to suppress the capacity required for storing the communication message to be small and suppress the decrease in the capacity for communication data.

  Further, when the first information of the management codes transmitted from the management device is received, the first information of the management codes received among the management codes stored in the reception device and the transmission device is The first information of is updated, i.e. synchronized. Thereby, even if the management code is divided into the first information and the second information, the communication message can be authenticated by the management code.

  Moreover, since the first information of the management codes stored in the receiving device and the transmitting device can be synchronized, the receiving device and the transmitting device can store the first information of the stored management codes in the first information. Even if the initialization is performed asynchronously by resetting or the like, the stored management code is synchronized and reset to a normal value, so that the authentication can be normally performed.

According to such a configuration, the transmission device does not transmit the communication message to the reception device when the synchronization message including the first information has not been received , and the reception device has the first configuration. At least one of not authenticating the communication message received from the transmission device when the synchronization message including the information cannot be received. That is, when the first information of the management code is not synchronized between those of the transmitting device and the receiving device, the communication message is not transmitted or authenticated. As a result, even when the reliability of the communication message is secured by using the time-varying parameter, it is determined that the communication message is invalid because the upper bits of the management code are not received. Is prevented, and the correctness / incorrectness of the communication message is properly determined.

The block diagram which shows the schematic structure about one Embodiment which materialized the communication system. The schematic diagram which shows the outline of the process performed by the gateway in the same embodiment. The schematic diagram which shows typically the schematic structure of the electronic control unit (ECU) in the same embodiment. The schematic diagram which shows typically the outline of the process which an electronic control unit (ECU) performs at the time of transmission in the same embodiment. The schematic diagram which shows typically the outline of the process which an electronic control unit (ECU) performs at the time of reception in the same embodiment. 6 is a flowchart showing a procedure on the gateway side when the message counters are synchronized in the same embodiment. The flowchart which shows the procedure by the side of ECU when a message counter is synchronized in the same embodiment. The flowchart which shows the transmission process of a communication message by an electronic control unit (ECU) in the same embodiment. The flowchart which shows the receiving process of a communication message by an electronic control unit (ECU) in the same embodiment.

  An embodiment in which the communication system is embodied will be described with reference to FIG. The communication system of the present embodiment is a communication system applied to an in-vehicle network mounted on a vehicle (not shown).

  As shown in FIG. 1, in the communication system, first to fourth electronic control units (ECUs) 21 to 24 as at least one of a transmission device and a reception device and first and second ECUs 21 and 22 are communicably connected. It has a communication bus L1 and a communication bus L2 to which the third and fourth ECUs 23 and 24 are communicatively connected. In this embodiment, the communication bus L1 and the communication bus L2 form a communication network. The communication system also includes a gateway 10 as a management device that is communicatively connected to the communication bus L1 and the communication bus L2. The gateway 10 can mutually transfer (relay) the communication message MB between the communication bus L1 and the communication bus L2. Therefore, the first and second ECUs 21 and 22 connected to the communication bus L1 and the third and fourth ECUs 23 and 24 connected to the communication bus L2 mutually transmit and receive the communication message MB via the gateway 10. Is possible.

  The communication system employs, for example, a CAN (Controller Area Network) protocol as a communication protocol. Further, the communication system may include wireless communication in a part of the communication path, or may include a path passing through another network via a gateway or the like.

  The CAN protocol defines a frame that is a structure of a communication message. In the frame, a storage area of a "message ID" as an identifier indicating the type of the communication message and a "message data" that is data specified by a user are specified. “Data field” which is a storage area of “” is provided. The “message ID” has a specific value defined for each type of communication message, and each ECU adds the “message ID” corresponding to the type to the communication message to be transmitted and transmits the received communication message. The type of message is determined based on the "message ID". In this communication system, it is limited to one defined ECU that a certain “message ID” can be added to a communication message and transmitted. The "data field", which is an area for storing "message data", is set to have a length of any of 0 to 64 bits (8 bits x 0 to 8 bytes).

  The gateway 10 is configured to include a microcomputer having an arithmetic unit (CPU) and a storage device. The gateway 10 includes an arithmetic unit that executes arithmetic operations of programs, a read-only memory (ROM) that stores the programs and data, and a volatile memory (RAM) that temporarily stores the arithmetic results of the arithmetic units. ) And are provided. As a result, the gateway 10 provides a predetermined function by reading the program stored in the storage device into the arithmetic device and executing the program. For example, the gateway 10 performs a process of transferring the communication message MB between the two communication buses L1 and L2 and a process of managing the message counter MC (see FIG. 2) as a management code. The gateway 10 also includes a backup memory that stores and holds set values and calculated values when power is constantly supplied from a battery.

  The gateway 10 includes a code management unit 11 that manages the message counter MC (see FIG. 2), a transmission unit 12 that transmits a part of the message counter MC, and communication buses L1 and L2 to which the gateway 10 is connected. And a communication I / F unit 13 for exchanging each communication message MB between them. Each function of the code management unit 11 and the transmission unit 12 is realized by the arithmetic processing of the program by the gateway 10.

  The communication I / F 13 transmits / receives a communication message MB based on the CAN protocol to / from the communication buses L1 and L2. Further, the communication I / F 13 exchanges the communication message MB with the transmission unit 12 and the like. As a result, the gateway 10 can transmit the synchronization message MA output by itself to the communication buses L1 and L2, and also obtains the communication message MB transmitted from another ECU via the communication buses L1 and L2. be able to. It should be noted that in the present embodiment, the synchronization message MA is given a message ID indicating that it is a synchronization message among normal communication messages based on the CAN protocol. Therefore, the synchronization message MA is broadcasted to the ECUs 21 to 24 connected to the communication buses L1 and L2, as in a normal communication message.

The code management unit 11 will be described with reference to FIG.
The code management unit 11 manages the message counter MC stored in the backup memory of the gateway 10. The code management unit 11 stores and manages the “upper bit MCH” of the message counter MC. Further, the code management unit 11 acquires the latest value of the “lower bit MCL” of the message counter MC from the communication message MB and stores it for monitoring the value. Hereinafter, the total length of the message counter MC will be simply referred to as the message counter MC.

  The message counter MC is a counter managed for each “message ID”, and its value is updated when a communication message having a corresponding “message ID” is newly generated. That is, the message counter MC corresponding to each "message ID" is updated. In this embodiment, the message counter MC is a counter that can be incremented by one. In the following, one "message ID" and a message counter MC corresponding to this will be described as an example, and for convenience of description, examples of other "message IDs" and corresponding message counters MC will be described. I will omit the explanation.

  In the present embodiment, the message counter MC is divided into two, that is, "upper bit MCH" as the first information and "lower bit MCL" as the second information. The "upper bit MCH" is stored, managed and transmitted by the gateway 10, and the "lower bit MCL" is stored, managed and transmitted by each ECU 21-24. Further, the message counter MC increases the value of the “upper bit MCH” by “1” in response to the change of the “lower bit MCL” from “0” to the maximum value, and The ECU repeatedly sets the "lower bit MCL" to the initial value "0" according to the increase of "MCH". As a result, the message counter MC never reaches the same value again. The gateway 10 stores and manages the “upper bit MCH” of the message counter MC in a storage area secured as an area for storing the message counter MC. At this time, the gateway 10 may manage the “lower bit MCL” of the message counter MC by putting it in a position corresponding to the lower bit of the secured storage area, or store the secured message counter MC. The message counter MC may be separately stored and managed in a storage area secured separately from the storage area. That is, the gateway 10 may put the “lower bit MCL” received in the communication message MB into the bit corresponding to the “lower bit MCL” of the message counter MC, or set a predetermined value. Alternatively, the management may be performed without including the bit corresponding to the “lower bit MCL”.

  The message counter MC is set to an information amount capable of ensuring the reliability of the communication message MB, that is, a bit length (number of bits). For example, when the reliability of the communication message MB is ensured by never increasing the value of the message counter MC and never using the same value again, the message counter is calculated from the vehicle life and the transmission frequency of the communication message MB. The length (the number of bits) of MC needs to be 8 bytes in terms of calculation. Since the length of 8 bytes is the same as the maximum length of 64 bits (= 8 bytes) of the "data field", if the message counter MC is stored in the communication message MB and is transmitted, the communication message The "message data" which is the data specified by the user cannot be stored in the MB. Therefore, as described above, the message counter MC is divided into "upper bit MCH" and "lower bit MCL" and managed.

  More specifically, the code management unit 11 manages the “upper bit MCH” of the message counter MC. For example, in the present embodiment, when the message counter MC has a length of 8 bytes, the “upper bit MCH” has a length of 7 bytes (= 56 bits) and the “lower bit MCL” has a length of 1 byte (= 8 bits). In this case, the maximum value of the "lower bit MCL" is "255".

  The code management unit 11 updates and manages the “high-order bit MCH” of the message counter MC so that the message counter MC never becomes the same value again. Specifically, the code management unit 11 updates the “upper bit MCH” of the message counter MC by monotonically increasing at the update timing. The update timing is a timing when the “lower bit MCL” of the message counter MC reaches the maximum value, that is, a timing when all the patterns of the “lower bit MCL” are used up. For example, the code management unit 11 monitors the “lower bit MCL” of the message counter MC by receiving the communication message MB transmitted by the first ECU 21, and when the “lower bit MCL” becomes equal to or larger than the maximum value. Is the update timing.

  The code management unit 11 transmits the “upper bit MCH” of the message counter MC to the transmission unit 12 in response to updating the “upper bit MCH” of the message counter MC.

  The transmission unit 12 generates the "authenticator AC1" from the "upper bit MCH" of the message counter MC, and performs synchronization including the generated "authenticator AC1" and the "upper bit MCH" of the message counter MC. Message MA for use is generated. The synchronization message MA is a communication message in which the "upper bit MCH" of the message counter MC and the "authenticator AC1" obtained by encrypting the "upper bit MCH" of the message counter MC are stored in the "data field". Is. Then, the transmission unit 12 transmits the synchronization message MA to the first to fourth ECUs 21 to 24 via the communication I / F 13 as a communication message having a message ID having a high priority in the CAN protocol. Note that the message ID having a high priority is set in advance for the synchronization message MA. Then, the synchronization message MA notifies the “first bit MCH” of the message counter MC managed by the gateway 10 to the first to fourth ECUs 21 to 24, respectively, and the message counter managed by each ECU 21 to 24. The "upper bit MCH" of MC is synchronized.

  As shown in FIG. 2, the transmission unit 12 includes an encryption engine 111. The encryption engine 111 is set with the encryption key EK, inputs the “upper bit MCH” of the message counter MC from the code management unit 11, and inputs the “upper bit MCH” of the input message counter MC. The "certifier AC1" is generated by encrypting with the encryption key EK. Then, the transmission unit 12 generates the synchronization message MA from the “upper bit MCH” of the message counter MC and the “authenticator AC1”. Note that the encryption key EK is better if it cannot be acquired from the outside using a tamper resistant memory or the like.

  Further, the transmission unit 12 transmits the synchronization message MA to all the ECUs in response to the update of the “upper bit MCH” of the message counter MC. That is, the gateway 10 transmits the “upper bit MCH” of the message counter MC.

  The first to fourth ECUs 21 to 24 will be described with reference to FIGS. 3 and 4. Since the first to fourth ECUs 21 to 24 all have the same configuration, the first ECU 21 will be described in detail here, and the description of the configuration of the other ECUs will be omitted.

  The first ECU 21 is configured to include a microcomputer having an arithmetic unit (CPU) and a storage device. The first ECU 21 includes an arithmetic unit that executes arithmetic processing of a program, a read-only memory (ROM) that stores the program and data, and a volatile memory (RAM) that temporarily stores the arithmetic result of the arithmetic unit. ) And are provided. As a result, the first ECU 21 provides a predetermined function by reading the program stored in the storage device into the arithmetic device and executing the program. For example, the first ECU 21 performs a process of transmitting and receiving the communication message MB to and from the communication bus L1, a process of receiving the synchronization message MA, and a process of managing the message counter MC as a management code. The first ECU 21 is also provided with a backup memory that stores and holds set values and calculated values by being constantly supplied with electric power from a battery.

  As shown in FIGS. 3 and 4, the first ECU 21 includes a communication I / F 30 for CAN protocol, a plurality of MBOXs (Message Box) 31a, 31b, 31c in which communication messages are temporarily stored, and communication messages to be transmitted. An authenticator generation unit 33 that generates an “authenticator AC2” included in the MB or the like is provided. In addition, the first ECU 21 processes the communication message MB including the authenticator, which processes the communication message MB, the information processing unit 32 which processes “message data DT”, and whether or not the communication message MB can be transmitted and received by “upper bit”. And a transmission / reception determination unit 36 that determines according to the update state of “MCH”. Each function of the authenticator generation unit 33, the message processing unit 34, and the transmission / reception determination unit 36 is realized by the arithmetic processing of the program by the first ECU 21.

The communication I / F unit 30 receives the synchronization message MA and transmits / receives the communication message MB via the communication bus L1.
The plurality of MBOXs 31a, 31b, 31c relay the communication message MB received by the communication I / F unit 30. The plurality of MBOXs 31a, 31b, 31c relay the communication message MB transmitted from the communication I / F unit 30. For example, the MBOX 31a relays a communication message including no authenticator between the communication I / F unit 30 and the information processing unit 32. Further, the MBOX 31b relays a communication message between the communication I / F unit 30 and the authenticator generating unit 33. The MBOX 31b particularly relays the synchronization message MA required for managing the message counter MC. The MBOX 31c relays a communication message between the communication I / F unit 30 and the message processing unit 34. The MBOX 31c relays the communication message MB, among others.

  The information processing unit 32 executes various applications using the “message data DT” included in the communication message received by the first ECU 21. Further, the information processing section 32 outputs the data output by various applications as “message data DT” to be transmitted to the outside.

  The authenticator generation unit 33 generates an “authenticator AC2” from the “message data DT” and the “message counter MC”. The authenticator generation unit 33 holds the “upper bit MCH” of the message counter MC and stores and manages the “lower bit MCL”. The authenticator generation unit 33 stores only one “upper bit MCH” and “lower bit MCL” of the message counter MC in the corresponding bit positions of the reserved storage area of the message counter MC. Alternatively, the “higher-order bit MCH” and the “lower-order bit MCL” may be stored in separately reserved storage areas.

  The transmission / reception determination unit 36 determines whether transmission / reception is possible based on the information exchanged between the authenticator generation unit 33 and the message processing unit 34. The transmission / reception determination unit 36 acquires the “high-order bit MCH” and its state stored in the authenticator generation unit 33, and outputs a transmission / reception availability result. In addition, the transmission / reception determination unit 36 acquires the “communication message MB” or the “message data DT” from the message processing unit 34, and outputs the transmission / reception availability result.

  More specifically, the transmission / reception determination unit 36 determines whether to transmit the communication message MB based on the “upper bit MCH” stored in the authenticator generation unit 33 in association with the “communication message MB” or the “message data DT”. Whether or not the reception is possible or not is determined, and the determination result is output to the message processing unit 34. Therefore, the transmission / reception determination unit 36 determines the state of the “upper bit MCH” stored in the authenticator generation unit 33 when determining whether the transmission is possible or not. If the state of the “high-order bit MCH” is appropriate in this determination, it is determined that the transmission or reception is “enabled”, and if the state is not appropriate, the transmission or reception is determined to be “no”. The appropriate state is determined based on the state in which the “high-order bit MCH” is regularly updated, the state within a predetermined period from the previous update, and the like. On the other hand, if the state is not appropriate, it means that the “high-order bit MCH” remains at the initial value, that the “high-order bit MCH” is not updated, or that a predetermined period has passed since the previous update. However, it is determined based on the fact that it is not updated. The transmission / reception determination unit 36 can determine whether transmission / reception is possible when the authenticator generation unit 33 needs to authenticate the authenticator, and output the determination result to the authenticator generation unit 33 or the message processing unit 34. .

The message processing unit 34 secures the reliability of the communication message MB transmitted / received as follows.
When receiving the communication message MB, the message processing unit 34 inputs the communication message MB from the MBOX 31c, and determines whether or not the input communication message MB can be received and performs an authentication process. Then, the message processing unit 34 outputs, to the information processing unit 32, the “message data DT” included in the communication message MB that has been authenticated based on the determination of reception “possible”. Specifically, the message processing unit 34 sends the received communication message MB to the transmission / reception determination unit 36 in order to determine the reception availability, and the transmission / reception determination unit 36 inputs the reception availability determination result. Then, the message processing unit 34 discards the input communication message MB when the reception “no” determination result is input regardless of the authentication result. On the other hand, when the determination result of the reception “possible” is input, the message processing unit 34 processes the input communication message MB according to the authentication result. Then, in order to perform the authentication process, the message processing unit 34 sends the received communication message MB to the authenticator generating unit 33, and the authenticator generating unit 33 obtains the authentication result for the communication message MB.

  Further, when transmitting the communication message MB, the message processing unit 34 inputs the “message data DT” from the information processing unit 32, determines whether or not the input “message data DT” can be transmitted, and the input “message”. The "certifier AC2" is generated based on the data DT. Then, when it is determined that the transmission is “permitted”, the message processing unit 34 generates a transmission communication message MB including “message data DT” and “authentication element AC2”, and outputs the generated transmission communication message MB. Output to MBOX 31c. Specifically, the message processing unit 34 sends the “message data DT” that is the transmission target to the transmission / reception determination unit 36 in order to determine whether or not the transmission is possible, and the transmission / reception determination result is input from the transmission / reception determination unit 36. It Then, the message processing unit 34 does not transmit the "message data DT" when the determination result of the transmission "reject" is input. On the other hand, when the determination result of the transmission “possible” is input, the message processing unit 34 generates the communication message MB including the input “message data DT”. That is, the message processing unit 34 sends the “message data DT” to the authenticator generating unit 33 to create the authenticator, and obtains the “authenticator AC2” for the “message data DT” from the authenticator generating unit 33. Then, the message processing unit 34 generates a communication message MB including the generated “authentication element AC2” and “message data DT”.

  The authenticator generation unit 33 manages “upper bit MCH” and “lower bit MCL” of the message counter MC. Note that the authenticator generation unit 33 stores only one “upper bit MCH” and “lower bit MCL” of the message counter MC in the corresponding positions of the reserved storage area of the message counter MC. Alternatively, the “higher-order bit MCH” and the “lower-order bit MCL” may be stored in separately reserved storage areas. Further, the authenticator generation unit 33 sets the value of the storage area for storing and holding the “lower bit MCL” and the storage area for storing and storing the “upper bit MCH” to the initial value by initialization by powering off or resetting. It is supposed to be done. This initialization often occurs asynchronously with other ECUs and the gateway 10.

The authenticator generation unit 33 performs a message counter synchronization process, a communication message transmission time process, and a communication message reception time process. Therefore, each process will be described in detail below.
[Message counter synchronization processing]
When the synchronization message MA is input from the MBOX 31b, the authenticator generation unit 33 authenticates the synchronization message MA, and includes the value of the “high-order bit MCH” in the synchronization message MA on condition that the synchronization message MA is authenticated. The value is updated by the value of the “high-order bit MCH” that is set. Further, the authenticator generation unit 33 initializes the value of the “lower bit MCL” to “0” on condition that the value of the “higher bit MCH” is updated. As a result, the "lower bit MCL" is set to be updatable in the range from "0" to the maximum value.

  Further, the authenticator generation unit 33 authenticates the synchronization message MA. The authenticator generation unit 33 acquires the “authenticator AC1” and the “high-order bit MCH” from the synchronization message MA input from the MBOX 31b. Then, the authenticator generation unit 33 encrypts the acquired “high-order bit MCH” with the encryption engine 35 and regenerates the authenticator. Then, the authenticator generation unit 33 compares the regenerated authenticator with the “authenticator AC1” acquired from the synchronization message MA, and determines that the synchronization message MA is authenticated if the comparison results match. If they do not match, it is determined that the synchronization message MA is not authenticated.

  That is, the “upper bit MCH” stored in the authenticator generation unit 33 is updated periodically or within a predetermined period by the input of the synchronization message MA. On the other hand, when the synchronization message MA is not input because it has not been received, the stored “high-order bit MCH” remains the initial value, the update is stopped, or a predetermined value from the previous update. The "high-order bit MCH" is in the state of the initial value for a predetermined period because it has not been updated even if it exceeds the period. The update stop is determined from the fact that the update is stopped for a long time, a flag externally input, or the like, and can be acquired from a clock or a clock in the ECU for a predetermined period.

  The authenticator generation unit 33 includes an encryption engine 35. The encryption engine 35 is set with the encryption key EK, inputs the message data DT and the message counter MC from the authenticator generation unit 33, and generates an authenticator by encrypting with the encryption key EK. Since the same encryption key EK as that of the gateway 10 is set, encrypted communication is possible between the first ECU 21 and the gateway 10 and between the first ECU 21 and the second to fourth ECUs 22 to 24. Is. Note that the encryption key EK is better if it cannot be acquired from the outside using a tamper resistant memory or the like.

[Processing when sending communication message]
The authenticator generation unit 33 performs an authenticator generation process of the communication message MB to be transmitted as a process at the time of transmitting the communication message MB. The “message data DT” is input to the authenticator generation unit 33 from the message processing unit 34. The authenticator generation unit 33 acquires the permission / prohibition of transmission from the transmission / reception determination unit 36 prior to the authenticator generation process. Continue processing.

  That is, as shown in FIG. 4, the authenticator generation unit 33 sets the message counter MC based on the “lower bit MCL” that it manages and the “upper bit MCH” that it acquires and holds from the synchronization message MA. Reconstruct. Then, the authenticator generating unit 33 uses the encryption engine 35 to encrypt the reconfigured message counter MC and the input message data DT with the encryption key EK to generate an “authenticator AC2”. Further, the authenticator generation unit 33 outputs the input “message data DT”, the “lower bit MCL” used to generate the “authenticator AC2”, and the generated “authenticator AC2” to the message processing unit 34. To do. Then, the message processing unit 34 generates a communication message MB to be transmitted from the “message data DT”, the “lower bit MCL”, and the “authentication element AC2” input from the authenticator generating unit 33, and the generated communication message MB. To the MBOX 31c. Further, the authenticator generation unit 33 updates the “lower bit MCL” to a value larger by 1 in response to the generation of the “authenticator AC2”. As a result, when the "certifier AC2" is generated, the message counter MC does not become the same value as the past value.

[Processing when receiving communication message]
The authenticator generation unit 33 performs the authentication process of the received communication message MB as the process at the time of receiving the communication message MB. Prior to the authentication process, the authenticator generation unit 33 acquires the acceptance / rejection of reception from the transmission / reception determination unit 36, terminates the authentication process if the reception is “No”, and continues the following process if the reception is “Yes”. . In the authentication process, the authentication based on the "authenticator AC2" is performed.

  That is, as shown in FIG. 5, the authenticator generation unit 33 includes the “message data DT” of the communication message MB received from the message processing unit 34, the “lower bit MCL” of the message counter MC, and the “authentication”. Child AC2 ”is input. The authenticator generation unit 33 reconfigures the message counter MC from the input “lower bit MCL” and the held “upper bit MCH”, and also reconfigures the message counter MC by the encryption engine 35. The "message data DT" input with is encrypted with the encryption key EK to regenerate the "certifier AC3". Further, the authenticator generation unit 33 compares the input “authenticator AC2” with the regenerated “authenticator AC3” and determines that the authentication is performed. If they do not match, the authentication is not performed. To judge. Then, the authenticator generation unit 33 outputs the authentication determination result to the message processing unit 34. In other words, the message processing unit 34 outputs “message data DT” of the communication message MB that has been received “Yes” and that has been authenticated, to the information processing unit 32, while receiving “No” or has not been authenticated. The "message data DT" of the communication message MB that has been deleted is discarded.

The operation of the communication system of this embodiment will be described.
Here, for convenience of explanation, it is assumed that the communication message MB is transmitted from the first ECU 21 and received by the third ECU 23.

[Upper bit update]
6 and 7 show a procedure for updating the “upper bit MCH” of the message counter MC held by the authenticator generating unit 33 of the ECU 21 to 24. This procedure is started in the gateway 10 or the ECUs 21 to 24 every predetermined cycle or every time a predetermined condition is satisfied.

  As shown in FIG. 6, the gateway 10 determines whether or not it is time to transmit the synchronization message MA (step S10 in FIG. 6). The transmission timing is, for example, when the “upper bit MCH” of the message counter MC is updated by the code management unit 11 of the gateway 10. When it is determined that it is not the transmission timing (NO in step S10 in FIG. 6), the process of updating the upper bits is temporarily terminated.

  On the other hand, when it is determined that it is the transmission timing (YES in step S10 in FIG. 6), the gateway 10 transmits the “synchronization message MA” to all the ECUs 21 to 24 (step S11 in FIG. 6). Then, the process of updating the high-order bits ends once.

  As shown in FIG. 7, each of the ECUs 21 to 24 determines whether or not the synchronization message MA is received (step S20 in FIG. 7). When it is determined that the synchronization message MA has not been received (NO in step S20 of FIG. 7), the process of updating the upper bit ends once. On the other hand, when it is determined that the synchronization message MA is received (YES in step S20 of FIG. 7), each of the ECUs 21 to 24 authenticates the “authenticator AC1” of the received synchronization message MA (step S21 of FIG. 7). ). The authentication of the "authentication element AC1" is performed by comparison with the authentication code regenerated by the authentication code generation unit 33. If the comparison result matches, the authentication is performed, whereas if the comparison result does not match, the authentication is not performed. If the “authenticator AC1” of the synchronization message MA cannot be authenticated (NO in step S21 of FIG. 7), the process of updating the high-order bit ends once.

  On the other hand, when the authenticator AC1 of the synchronization message MA is authenticated (YES in step S21 of FIG. 7), each of the ECUs 21 to 24 updates the “upper bit MCH” of the stored message counter MC (FIG. Step S22 of 7.). Then, the process of updating the high-order bits ends once.

[Communication message sending process]
The communication message transmission process shown in FIG. 8 is repeatedly executed at a predetermined cycle, or is executed in response to the generation of the message data DT.

  As shown in FIG. 8, in the first ECU 21, “message data DT” generated by the information processing unit 32 is input to the message processing unit 34 as a message transmission request (step S30 in FIG. 8). The first ECU 21 acquires from the transmission / reception determination unit 36 the determination result of the transmission permission / inhibition for the “message data DT” executed by the message processing unit 34. That is, the transmission / reception determination unit 36 determines whether or not the synchronization message MA is received (step S31 in FIG. 8). Here, whether or not the synchronization message MA is received is determined by whether or not a communication message having a message ID corresponding to the synchronization message MA is received, and whether or not the synchronization message MA is received and the “high-order bit MCH is received. Is determined to be appropriately updated or not. Therefore, the fact that the synchronization message MA has not been received means that the communication message having the message ID corresponding to the synchronization message MA has not been received, and even if the synchronization message MA has been received, the “high-order bit MCH Is not updated appropriately and is determined based on at least one of the above. Further, whether or not it is received is determined based on that the first ECU 21 is powered on, reset, or after a predetermined condition. The predetermined condition is that the gateway 10 has been reset, communication has been interrupted, or the like. Further, the fact that the update is appropriately performed is determined based on that the “high-order bit MCH” has been changed from the initial value, that the update has not been stopped, and that it has been updated regularly. . When it is determined that the synchronization message has not been received (NO in step S31 in FIG. 8), the first ECU 21 queues or discards the “message data DT” in the message processing unit 34 (step S32 in FIG. 8). ). Then, the transmission processing of the communication message is once ended. The queued “message data DT” is processed again as a message transmission request after a predetermined time has passed, and so-called transmission is retried.

  On the other hand, when it is determined that the synchronization message has been received (YES in step S31 of FIG. 8), the first ECU 21 sends the transmission request held in the message processing unit 34 to the authenticator generation unit 33 (FIG. 8). Step S33). That is, the “message data DT” is sent from the message processing unit 34 to the authenticator generation unit 33. Then, referring also to FIG. 4, the first ECU 21 causes the authenticator generation unit 33 to generate an “identifier AC2” based on the “message data DT” and the message counter MC (step S34 in FIG. 8). Further, the first ECU 21 generates the communication message MB from the “message data DT” when the “identifier AC2” is generated, the “lower bit MCL” of the message counter MC, and the generated “identifier AC2” (FIG. 8, and the generated communication message MB is transmitted to the communication bus L1 (step S36 of FIG. 8). The communication message MB transmitted to the communication bus L1 is transferred from the communication bus L1 to the communication bus L2 by the gateway 10 and can be received by the third ECU 23 connected to the communication bus L2. Then, the first ECU 21 once ends the communication message transmission process.

[Communication message reception processing]
The communication message receiving process shown in FIG. 9 is repeatedly executed at a predetermined cycle, or is executed in response to the reception of the communication message.

  As shown in FIG. 9, the third ECU 23 determines whether or not the transmission / reception determination unit 36 has received the synchronization message MA, based on the fact that the message processing unit 34 has acquired the received communication message MB (FIG. 9 step S40). Here, whether or not the synchronization message MA is received is determined by whether or not the message ID corresponding to the synchronization message MA is received and whether or not the synchronization message MA is received, as in the process of step S31 of FIG. It is determined based on at least one of whether or not the “high-order bit MCH” is received and appropriately updated. Therefore, the synchronization message MA is not received, the communication message having the message ID corresponding to the synchronization message MA is not received, and even if the synchronization message MA is received, the “high-order bit MCH Is not updated appropriately and is determined based on at least one of the above. Further, whether or not it is received is determined based on that the third ECU 23 is powered on, reset, or after a predetermined condition. The predetermined condition is that the gateway 10 has been reset, communication has been interrupted, or the like. When it is determined that the synchronization message MA has not been received (NO in step S40 in FIG. 9), the third ECU 23 discards the “message data DT” received by the message processing unit 34, and at the same time determines that the authentication failure has occurred in the information processing unit. The 32 applications are notified (step S45 of FIG. 9). Then, the third ECU 23 once ends the communication message reception process.

  On the other hand, when it is determined that the synchronization message MA is received (YES in step S40 of FIG. 9), referring also to FIG. 5, the third ECU 23 causes the authenticator generation unit 33 to output “message data” from the communication message MB. DT "," lower bit MCL "of the message counter MC, and" identifier AC2 "are acquired (step S41 in FIG. 9). Further, the third ECU 23 determines the message counter MC from the “lower bit MCL” of the message counter MC in the authenticator generating unit 33 and the “upper bit MCH” of the message counter MC previously acquired from the synchronization message MA. Reconfigure. Then, the third ECU 23 regenerates the "certifier AC3" from the "message data DT" and the reconstructed message counter MC in the encryption engine 35 (step S42 in FIG. 9). Subsequently, the 3ECU23 compares the acquired "identifier AC2" with the regenerated "authentication AC3" in the authenticator generation unit 33 and determines whether or not they match (step S43 in Fig. 9).

  When it is determined that they match (YES in step S43 of FIG. 9), the third ECU 23 sends “message data DT” to the application of the information processing section 32 (step S44 of FIG. 9). On the other hand, when it is determined that they do not match (NO in step S43 of FIG. 9), the third ECU 23 discards the message data DT received by the process of step S45 described above, that is, the message processing unit 34, and fails the authentication. Is notified to the application of the information processing unit 32. Then, the third ECU 23 once ends the communication message reception process.

  As a result, when the communication message MB is an unauthorized one transmitted by spoofing or the like, the “message data DT” included in this unauthorized communication message MB may be sent to the information processing unit 32 and processed. You will be prevented.

As described above, according to the communication system of this embodiment, the following effects can be obtained.
(1) Since the communication message MB includes only the "lower bit MCL" of the message counter MC, a large area can be reserved for the message data. Further, since the “high-order bit MCH” is managed by the gateway 10, the “upper bit MCH” is also synchronized among the respective ECUs 21 to 24. That is, each of the ECUs 21 to 24 on the receiving side combines the “upper bit MCH” from the gateway 10 with the “lower bit MCL” included in the communication message MB, so that each of the ECUs 21 to 24 on the transmitting side “authenticates”. The message counter MC used to generate "AC2" can be reconfigured. As a result, even if the size of the message counter MC is set to the size required for ensuring reliability, the capacity required for storing the communication message MB is suppressed to be small, and the decrease in capacity for message data is suppressed. You can As a result, it becomes possible to secure the reliability of the communication message MB while suppressing an increase in communication volume.

  (2) By receiving the “upper bit MCH” of the message counter MC transmitted from the gateway 10, the “upper bit MCH” of the message counter MC stored in each of the ECUs 21 to 24 is received. The higher-order bit MCH of the message counter MC is updated, that is, synchronized. As a result, even if the message counter MC is divided into "upper bit MCH" and "lower bit MCL", the communication message MB can be authenticated by the message counter MC.

  In addition, the “upper bit MCH” of the message counter MC stored in each of the ECUs 21 to 24 can be synchronized. Therefore, even if the “upper bit MCH” of the message counters MC stored in each of the ECUs 21 to 24 is asynchronously initialized due to reset of the ECUs 21 to 24, the stored message counters MC are normal. By setting the value again, it becomes possible to perform authentication normally.

  (3) Since the message counter MC is managed for each "message ID", the size of the message counter MC can be suppressed. In addition, if the "message ID" is different, a time margin can be obtained for updating the "lower bit MCL" of the message counter MC, so that the degree of freedom of synchronization of the message counter MC is increased.

  (4) By using the “certifier AC1” obtained by encrypting the “high-order bit MCH” of the message counter MC transmitted in the synchronization message MA using the encryption key EK, the synchronization is transmitted from the gateway 10 The reliability of the communication content of the "upper bit MCH" of the message counter MC transmitted by the message MA is maintained.

  That is, the “certifier AC1” transmitted from the gateway 10 in the synchronization message MA is the “certifier AC1” generated from the “upper bit MCH” of the message counter MC. Therefore, also in each of the ECUs 21 to 24 that have received this synchronization message MA, the “certifier AC1” transmitted in the synchronization message MA and the “upper order” of the message counter MC transmitted in this synchronization message MA. The authenticator regenerated from the bit MCH ”can be acquired, and the authentication of the synchronization message MA becomes possible by comparing these authenticators. Therefore, each of the ECUs 21 to 24 receives the synchronization message MA from the gateway 10 to acquire the “upper bit MCH” of the message counter MC whose reliability is ensured, and the synchronization message MA based on this. Will be able to authenticate.

  (5) Since the value of the message counter MC is updated so as not to be duplicated, even if the communication message MB once transmitted is retransmitted, it can be determined to be invalid.

  (6) The reliability of the authenticators AC1 and AC2, that is, the reliability of the communication message MB is secured by the common encryption key EK. It is better if the encryption key EK cannot be acquired from the outside by using a tamper resistant memory or the like.

  (7) The first ECU 21 does not transmit the communication message MB based on the failure to receive the “upper bit MCH” of the message counter MC, and the third ECU 23 has received the “upper bit MCH” of the message counter MC. At least one of not authenticating the received communication message MB based on the absence. That is, when the “upper bit MCH” of the message counter MC is not synchronized between those of the first ECU 21 and the third ECU 23, the communication message MB is not transmitted or is not authenticated. As a result, even when the reliability of the communication message MB is ensured by using the message counter MC which is a time-varying parameter, the communication is caused by the fact that the “upper bit MCH” of the message counter MC is not received. It is prevented that the message MB is determined to be invalid. That is, the correctness / incorrectness of the communication message MB can be properly determined.

(Other embodiments)
In addition, the above-mentioned embodiment can also be implemented in the following modes.
[Synchronization message]
In the above embodiment, the case where the message counter is transmitted by the synchronization message is illustrated. At this time, one message ID used for the synchronization message may be provided for each message ID. In this case, the number of message IDs may be doubled or more in the entire communication system.

  Further, for all the message IDs, only one message ID used for the synchronization message may be provided. In this case, the number of message IDs in the entire communication system increases by one. Further, one message ID used for the synchronization message may be provided for a plurality of message IDs that are less than all. That is, if the synchronization message can be shared, the number of message IDs assigned to the synchronization message can be reduced from the limited number of message IDs. If the number of message IDs is suppressed to a small number, it is possible to suppress an increase in area for storing message IDs and message data, suppress an increase in processing load, suppress an increase in communication load, and the like.

[gateway]
In the above embodiment, the gateway 10 exemplifies the case where the communication message is relayed between the plurality of communication buses L1 and L2. However, the present invention is not limited to this, and the gateway may be connected to one communication bus or may relay a communication message between more than two communication buses.

  In the above embodiment, the case where the gateway 10 manages and transmits the synchronization message MA has been illustrated. However, the present invention is not limited to this, and the ECU may manage and transmit the synchronization message.

  In the above embodiment, the case where one gateway 10 manages and transmits the synchronization message MA has been illustrated. However, the present invention is not limited to this, and a plurality of gateways or ECUs may share and manage the synchronization message.

  In the above embodiment, the code management unit 11 exemplifies the case of storing and managing the “upper bit MCH” of the message counter MC. However, the present invention is not limited to this, and the code management unit may hold the entire length of the message counter MC. Then, the bit portion corresponding to the “upper bit MCH” of the message counter MC may be managed. The "lower bit MCL" of the message counter MC may acquire the latest value from the communication message MB.

  In the above embodiment, the case where the transmission unit 12 transmits a part of the message counter MC has been illustrated. However, the present invention is not limited to this, and if the gateway holds the entire message counter, the transmitting unit may transmit the entire message counter (the total number of bits) as a synchronization message. Note that the ECU that receives the synchronization message may use only the portion corresponding to the higher-order bits of the entire message counter (total number of bits).

[Communication protocol]
In the above embodiment, the case where the communication protocol is the CAN protocol has been illustrated. However, the communication protocol is not limited to this, and if a message counter is used to secure the reliability of the communication message, the communication protocol is a protocol other than the CAN protocol, for example, a communication protocol such as Ethernet (registered trademark) or FlexRay (registered trademark). May be

[Message Counter]
In the above embodiment, the case where the message counter MC is composed of the “lower bit MCL” and the “upper bit MCH” has been illustrated. However, the present invention is not limited to this, and the message counter may have the positions of the high-order bits and the low-order bits of the bit string reversed, and separately reserved storage areas for the high-order bits and the low-order bits, respectively. May be treated as

  In the above embodiment, the case where the length of the message counter MC is 8 bytes (64 bits) has been illustrated. However, not limited to this, if the same value is never repeated, or if a long time interval can be secured even if the same value is repeated, the length of the message counter is 124 bits, which is longer than 64 bits. On the contrary, 32 bits shorter than 64 bits may be used.

  In the above embodiment, the code management unit 11 updates the “higher-order bit MCH” in response to the “lower-order bit MCL” reaching the maximum value, which is similar to the case where a carry occurs in the bit string. Illustrated. However, the present invention is not limited to this, and the code management unit may further update the “upper bit MCH” when a predetermined condition for transmitting the synchronization message MA is satisfied. The predetermined condition is that a predetermined time (for example, Ymsec: Y is a settable value) has elapsed since the ignition was switched from "off" to "on" or when the previous synchronization message was updated (transmitted). In such a case, one or a plurality of conditions and a combination of these conditions can be used.

  In the above embodiment, the value of the “upper bit MCH” is increased by “1” in the gateway 10 in response to the change of the “lower bit MCL” of the message counter MC from “0” to the maximum value (monotonically increasing). )) Case. However, the present invention is not limited to this, and if it is possible to prevent the message counter MC from reaching the same value again, the “upper bit MCH” is updated with the timing before the “lower bit MCL” exceeds the maximum value as the update timing. Good. At this time, if the update timing is set to a value that is as close to the maximum value of the “lower bit MCL” as possible, the number of bits of the message counter MC can be effectively used. For example, the code management unit monitors the “lower bit MCL” of the message counter by receiving the communication message transmitted by the ECU, and the “lower bit MCL” is a threshold value set to be less than the maximum value. The update timing may be set when the value becomes equal to or more than the value.

  In the above embodiment, the case where the “lower bit MCL” of the message counter MC changes from the initial value “0” toward the maximum value is illustrated. However, the present invention is not limited to this, and the initial value may be set to a value larger than “0”, returned to “0” after the maximum value, and changed to a value before the initial value.

  In the above embodiment, the message counter MC is illustrated as a case where the value is incremented by "1" each time a communication message is transmitted. However, the present invention is not limited to this, and if the reliability of the communication message is ensured, the message counter may be decreased from the maximum value to “0” so that the same value is never used again, or irregular. You may change. Since the high-order bit and the low-order bit are managed separately, the change mode of the high-order bit and the change mode of the low-order bit may be the same or may be different.

  In the above embodiment, the case where one message counter MC corresponds to one message ID has been illustrated. However, the present invention is not limited to this, and a plurality of message IDs may correspond to one message counter. When the message counter corresponds to a plurality of message IDs, the number of managed message counters can be reduced.

  In the above embodiment, the case where the message counter MC is set to never have the same value again has been described, but the present invention is not limited to this, and the message counter MC may temporarily have the same value. For example, if the update of the “high-order bit” is not in time or the synchronization cannot be performed, the message counter may temporarily have the same value as the past and may be used twice. Further, if the required reliability can be ensured, the same value may be reused a predetermined number of times.

  In the above embodiment, the case where the “upper bit MCH” is 7 bytes and the “lower bit MCL” is 1 byte is illustrated. However, the present invention is not limited to this, and the upper bits and the lower bits may be separated by other bytes, for example, “6 bytes” and “2 bytes”. Further, the data may be divided in bit units such as “60 bits” and “4 bits” instead of being divided in byte units.

[message-box]
In the above embodiment, the case where a plurality of MBOXs 31a, 31b, 31c are provided has been exemplified, but the present invention is not limited to this, and the MBOX relays and temporarily stores so that a communication message to be transmitted and received can be exchanged with an appropriate part in the ECU. If possible, the number may be one, two, or four or more.

[Authenticator generator]
-In the above-mentioned embodiment, the case where authentication based on "authenticator AC2" was performed was illustrated. At this time, prior to the authentication based on the "authenticator AC2", the "lower bit MCL" of the message counter MC is acquired from the communication message MB, and the acquired "lower bit MCL" is the previously acquired "lower bit MCL." It is possible to confirm whether or not it is larger than (is updated). Then, if it is large (updated), authentication based on the “authenticator AC2” is performed. On the contrary, if it is not large (not updated), it is determined that the authentication is not performed, and based on the “authenticator AC2”. Authentication may be omitted.

  10 ... Gateway, 11 ... Code management section, 12 ... Transmission section, 13 ... Communication I / F section, 21-24 ... First electronic control unit (ECU), 30 ... Communication I / F section, 31a, 31b, 31c ... MBOX, 32 ... Information processing unit, 33 ... Authenticator generation unit, 34 ... Message processing unit, 35 ... Encryption engine, 36 ... Transmission / reception determination unit, 111 ... Encryption engine, DT ... Message data, EK ... Encryption key, L1 , L2 ... Communication bus, MA ... Synchronization message, MB ... Communication message, MC ... Message counter, AC1, AC2 ... Authenticator.

Claims (1)

Storing the first information of the management code formed by combining the first information and the second information, and updating the stored first information of the second information a plurality of times. A management device that manages to update once based on
A receiving device and a transmitting device communicatively connected to the management device via a communication network,
The management device transmits a synchronization message including the first information, and the reception device and the transmission device include the synchronization message each time the management device transmits the synchronization message. Is for holding the first information, and for determining whether or not the synchronization message from the management device is received .
The transmission device manages the second information of the management code, and the management code is a combination of communication data, the first information held and the second information managed. To generate and transmit a communication message that includes the communication data, the second information to be managed, and the generated authenticator, and does not include the held first information. Together with updating the value of the second information managed after the generation of the communication message,
The receiving device receives the communication message transmitted by the transmitting device, and based on a comparison between an authenticator included in the received communication message and an authenticator regenerated based on the received communication message. Certifying the received communication message,
The receiving device reconfigures a management code by combining the held first information and the second information acquired from the communication message transmitted by the transmitting device, and acquires the management code from the communication message transmitted by the transmitting device. To obtain the regenerated authenticator from communication data and the reconfigured management code,
The transmitting device does not transmit a communication message to the receiving device when the synchronization message including the first information transmitted by the managing device has not been received ; and the receiving device includes the managing device. The communication system is characterized by performing at least one of not authenticating the communication message received from the transmitting device when the synchronization message including the first information transmitted by the above is not received.