WO2017122165A1 - On-board device for a vehicle - Google Patents

Info

Publication number
WO2017122165A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
memory
encrypted
short
processing unit
Application number
PCT/IB2017/050184
Other languages
English (en)
French (fr)
Inventor
Leonardo GARGIANI
Original Assignee
Autostrade Tech S.P.A.
Application filed by Autostrade Tech S.P.A.
Related publications: EP3238182B1 (de), ES2735805T3 (es), PL3238182T3 (pl)
Publication of WO2017122165A1 (en)

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07B TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B15/00 Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
    • G07B15/02 Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points taking into account a variable factor such as distance or time, e.g. for passenger transport, parking systems or car rental systems
    • G07B15/04 Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points taking into account a variable factor such as distance or time, e.g. for passenger transport, parking systems or car rental systems comprising devices to free a barrier, turnstile, or the like
    • G07B15/06 Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems
    • G07B15/063 Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems using wireless information transmission between the vehicle and a fixed station

Definitions

  • the present invention relates in general to the field of telematic traffic services.
  • the present invention relates to an on-board device for a vehicle, suitable for use in a system which supports a telematic traffic service.
  • Systems which support traffic telematic services comprise both services for the user (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) and administrator services (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
  • These systems generally comprise an on-board device (also known as “OBU”, i.e. “On Board Unit”) suitable for installation onboard a vehicle, and a plurality of road-side devices (also known as “RSU”, i.e. “Road Side Units”) suitable for installation on the road side, on gateways or at access points, or at toll stations.
  • both the on-board device and the road-side devices are provided with respective radiofrequency communication stages (typically, DSRC, i.e. "Dedicated Short Range Communication” stages) which allow the on-board device to exchange information with the road-side devices.
  • radiofrequency communication stages typically use radiofrequency carriers, for example within the frequency range 5-6 GHz.
  • Each on-board device typically has an associated unique identification code OBU-ID, with which it is configured via software during manufacture. Moreover, when an on-board device is assigned to a user, it may be configured with information about the user (for example, personal details) and information about the vehicle (number plate, etc.). The configuration of an on-board device generally involves also the loading of the software applications which provide the telematic traffic services supported by the device.
  • After an on-board device has been configured and installed on board, it may be necessary to modify its configuration, for example in order to update or activate the software applications already present, to load new applications, or to remove or disable those applications which are no longer of interest to the user. This is for example the case where a user wishes to activate temporarily a toll payment service in a foreign country. In this case, the configuration of the user's on-board device must be modified by loading and temporarily activating a software application able to support this service.
  • Likewise, after an on-board device has been configured and installed on board, it may be necessary to carry out checks on its operation and diagnostic tests, such as a check of the charge level of its battery. It might also be necessary to check the configuration information (relating to the user and/or to the vehicle) stored by the on-board device.
  • All the aforementioned operations require access to the on-board device in order to perform writing or reading of its memory and are generally carried out by means of equipment provided with radiofrequency communication stages able to communicate with the communication stage present in the on-board device.
  • This equipment is generally present at the operating centres managed by the company which provides the telematic traffic service or by the company which manages the road or the motorway along which the telematic traffic service is provided. If a user therefore wishes to modify the configuration of his/her on-board device or check operation thereof, generally he/she must go to one of these operating centres.
  • US 2014/0316685 describes an onboard device for a system supporting traffic telematic services, which comprises a near-range communication module for communication with a first external communication device (for example, the mobile phone of the user), a far-range communication module (for example, DSRC) for communication with second external devices (for example, the roadside devices of the system) and a non-volatile memory which is accessible by both the communication modules.
  • The near-range communication module may be, for example, a passive NFC tag. This is powered by the user's mobile phone during communication, and in this way may access the non-volatile memory and supply power to it, even when the rest of the on-board device is not in an operative condition.
  • the contents of the non-volatile memory may therefore be read and/or written by means of the connection between the user's mobile phone and the near-range communication module, irrespective as to whether the rest of the on-board device is in operating mode or not. It is thus possible to modify the configuration of the on-board device, for example writing configuration data in the non-volatile memory, via the user's mobile phone. Similarly it is possible to read the contents of the non-volatile memory via the user's mobile phone.
  • the Applicant has noticed that the near-range communication module included in this device, since it has direct access to the non-volatile memory of the device both during reading and during writing, disadvantageously reduces the security of the onboard device.
  • the short-range and near-field technologies (such as NFC technology) generally have mechanisms for authentication and protection of the connection which are not particularly secure, the security of the connection being mainly based on the fact of having a coverage range of only a few centimetres.
  • If a third party were to come into possession of a user's on-board device, he/she could access it using his/her own mobile phone (or another device equipped with an NFC reader), and thus modify its configuration, or read the information stored there and use it to clone the on-board device (i.e. copy it onto another on-board device).
  • the direct access to the non-volatile memory by the near-range communication module disadvantageously could result in inefficient use of the computational and storage resources of the onboard device.
  • the user could in fact decide, for example, to write configuration data in the memory (or, similarly, read configuration data from the memory) not knowing that, precisely in that moment, the on-board device is engaged in another priority activity, for example an exchange of data with one of the road-side devices.
  • the configuration data writing operation started by the user, while being lower priority could disadvantageously deprive the higher priority activity of computational resources, with the risk of slowing down or even stopping execution thereof.
  • the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service and which solves the aforementioned problems.
  • the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service, which is more secure and which uses more efficiently its associated computational and storage resources.
  • an on-board device for a vehicle which comprises a radiofrequency communication stage for communication with the road-side devices, a short-range communication stage for communication with an electronic device (for example a mobile phone) situated in the vicinity thereof, two memories and a data processing unit cooperating with both the communication stages.
  • a first memory acts as a central operating memory accessible by the data processing unit alone and stores at least one first encryption key.
  • a second memory is directly accessible instead by the short- range communication stage, is electrically connected thereto or integrated therein and stores first data relating to the on-board device.
  • the short-range communication stage is configured to transmit to the electronic device this first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage.
  • the short-range communication stage is moreover configured to receive encrypted second data from the electronic device and store it temporarily in the second memory.
  • the data processing unit is configured to decrypt, upon reception of a wake-up signal, this encrypted second data using the encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
  • the on-board device is advantageously secure since, at the moment of reception of data from the electronic device via the short- range communication stage, the data to be decrypted and the encryption key which is needed to decrypt it are stored in two physically separate memories, one of which (namely that which stores the key) is accessible only by the data processing unit, i.e. cannot be directly accessed by the short-range communication stage.
  • Even though the short-range communication stage allows an unprotected connection to be established between the electronic device and the on-board device, the on-board device is therefore advantageously more secure: whatever is written over that connection reaches only the second memory, in encrypted form, and the key needed to decrypt it is never reachable from the short-range communication stage.
  • the on-board device allows moreover more efficient use of its computational and storage resources, since the transfer of the data into the first central operating memory and the subsequent processing thereof are triggered upon reception of the wake-up signal in the data processing unit.
  • the present invention provides an on-board device for a vehicle, the on-board device being suitable for use in a system which provides a telematic traffic service, the on-board device comprising:
  • a radiofrequency communication stage configured to communicate with a road-side device of said system;
  • a short-range communication stage configured to communicate with an electronic device located in the vicinity thereof;
  • a data processing unit cooperating with both the radiofrequency communication stage and the short-range communication stage;
  • a first central operating memory accessible by the data processing unit alone, wherein the first central operating memory stores at least one encryption key;
  • a second memory electrically connected to or integrated in the short-range communication stage and directly accessible by the short-range communication stage, wherein the second memory stores first data relating to the on-board device, wherein the short-range communication stage is configured to transmit to the electronic device the first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage and is moreover configured to receive from the electronic device encrypted second data and store it temporarily in the second memory, and
  • the data processing unit is configured, upon reception of a wake-up signal, to decrypt the encrypted second data using the at least one encryption key stored in the first central operating memory and to store the second data in the first central operating memory.
  • the first central operating memory is implemented inside the data processing unit.
  • alternatively, the first central operating memory is implemented outside the data processing unit, and the first central operating memory stores a hardware identifier UID120 of the data processing unit in a non-modifiable and non-erasable manner.
  • the device also comprises a hardware encryption interface between the first central operating memory and the data processing unit.
  • the short-range communication stage is configured to send said wake-up signal to the data processing unit.
  • the device also comprises a button manually accessible from the outside of the device, the button being configured so that, when pressed, said wake-up signal is sent to the data processing unit.
  • the first data is stored in the second memory, encrypted with a private key of an asymmetric encryption mechanism, and the short-range communication stage is configured to transmit the first data to the electronic device, encrypted with said private key.
  • the first data made available for reading and encrypted with private key in the second memory preferably comprises tag data of the on-board device, including in particular its unique identification code OBU-ID.
  • the short-range communication stage is configured to receive said first data from a central server via the electronic device and the short-range communication stage in a form encrypted with said private key, and to store directly in a permanent manner the encrypted first data in the second memory, without requesting any action of the data processing unit.
  • the short-range communication stage is configured to receive the first data from a central server via the electronic device and the short-range communication stage in a form not yet encrypted with said private key
  • the first central operating memory also stores said private key
  • the data processing unit is configured to encrypt said first data with said private key and to store permanently the encrypted first data in the second memory.
  • the second memory also stores its own hardware identifier UID160, the hardware identifier UID160 being stored both unencrypted and encrypted with the private key together with the first data, and the short-range communication stage is configured to transmit to the electronic device the hardware identifier UID160 unencrypted and the hardware identifier UID160 also encrypted with the private key together with the first data, for further authentication of the first data by the electronic device.
  • the second data is received by the short-range communication stage in a form encrypted with a symmetric key identical to the encryption key stored in the first central operating memory.
  • the data processing unit is configured, upon reception of said wake-up signal, to transfer firstly the encrypted second data from the second memory to the first central operating memory and then decrypt it using the encryption key stored in the first central operating memory.
  • the data processing unit is configured, upon reception of said wake-up signal, to decrypt firstly the encrypted second data using the encryption key stored in the first central operating memory and then transfer the decrypted second data into the first central operating memory.
  • the encrypted second data is received in separate encrypted blocks and the data processing unit is configured to start decryption of the encrypted second data only after receiving, in the second memory, all the separate encrypted blocks.
  • the data processing unit is configured to read third data stored in the first central operating memory, to encrypt the third data using said encryption key stored in the first central operating memory and to forward the encrypted third data to the short-range communication stage, the short-range communication stage being configured to transmit the encrypted third data to a central server via the electronic device.
  • the second memory stores, together with said first data, also a unique identification code OBU-ID of the on-board device, the unique identification code OBU-ID of the device being stored both unencrypted and encrypted with the symmetric key, the short-range communication stage being configured to transmit to the central server via the electronic device also said unique identification code OBU-ID both unencrypted and encrypted with the symmetric key, so as to allow the central server to perform authentication of the device and decrypting of said third data.
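The write path and the read path described above, modelled end to end as an added example: the central server encrypts the second data in numbered blocks, the short-range stage drops them into the second memory without waking anything, the data processing unit decrypts them only after the wake-up signal and only once every block is present, using the key that lives in the first memory; in the other direction the unit encrypts third data and sends the OBU-ID both plain and encrypted so the server can authenticate the device. This is not code from the patent or from Autostrade Tech. The patent does not name the symmetric algorithm, so the example stands in an encrypt-then-MAC construction built from HMAC-SHA256 (an assumption chosen so it runs on the Python standard library alone); the block header layout (index, count), the class and function names and the sample configuration string are likewise assumptions.

```python
import hashlib
import hmac
import secrets

# Authenticated cipher standing in for the patent's unspecified symmetric
# algorithm (assumption): HMAC-SHA256 keystream, encrypt-then-MAC, nonce||ct||tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, aad: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified block")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class OnBoardDevice:
    """Memory 130 is reachable only by unit 120; memory 160 only by NFC stage 150."""

    def __init__(self, obu_id: str, key: bytes):
        self.obu_id = obu_id
        self.mem130 = {"key": key, "config": {}}           # the key never leaves here
        self.mem160 = {"basic": {"obu_id": obu_id,          # permanent tag data
                                 "obu_id_enc": seal(key, b"id", obu_id.encode())},
                       "transient": {}, "total": None}      # encrypted second data

    # stage 150: passive tag, works with a flat battery, never touches mem130
    def nfc_read_basic(self) -> dict:
        return dict(self.mem160["basic"])

    def nfc_store_block(self, block: bytes) -> None:
        self.mem160["transient"][block[0]] = block          # header = (index, count)
        self.mem160["total"] = block[1]

    # unit 120: runs only after the wake-up signal
    def mcu_wakeup(self):
        total = self.mem160["total"]
        if total is None or any(i not in self.mem160["transient"] for i in range(total)):
            return None                                     # wait for every block
        staged = [self.mem160["transient"].pop(i) for i in range(total)]  # move into mem130
        self.mem160["total"] = None
        aad = self.obu_id.encode()
        plain = b"".join(unseal(self.mem130["key"], aad + b[:2], b[2:]) for b in staged)
        self.mem130["config"]["second_data"] = plain
        return plain

    def mcu_export_third_data(self, third: bytes) -> dict:
        msg = self.nfc_read_basic()                         # OBU-ID plain and encrypted
        msg["third_enc"] = seal(self.mem130["key"], b"third", third)
        return msg


class CentralServer:
    def __init__(self):
        self.keys = {}                                      # obu_id -> symmetric key

    def enroll(self, obu_id: str) -> bytes:
        self.keys[obu_id] = secrets.token_bytes(32)
        return self.keys[obu_id]

    def encrypt_second_data(self, obu_id: str, payload: bytes, block_size: int = 32) -> list:
        key = self.keys[obu_id]
        chunks = [payload[i:i + block_size] for i in range(0, len(payload), block_size)] or [b""]
        out = []
        for idx, chunk in enumerate(chunks):
            header = bytes([idx, len(chunks)])              # sequence number, block count
            out.append(header + seal(key, obu_id.encode() + header, chunk))
        return out

    def receive_third_data(self, msg: dict) -> bytes:
        key = self.keys[msg["obu_id"]]                      # lookup by the plain OBU-ID ...
        if unseal(key, b"id", msg["obu_id_enc"]) != msg["obu_id"].encode():
            raise ValueError("device authentication failed")  # ... proven by the encrypted copy
        return unseal(key, b"third", msg["third_enc"])


def demo() -> dict:
    server = CentralServer()
    obu = OnBoardDevice("OBU-0001", server.enroll("OBU-0001"))
    config = b"app=toll-FR;valid_until=2017-12-31;class=B"  # constructed sample second data
    blocks = server.encrypt_second_data("OBU-0001", config, block_size=16)
    exposed = any(obu.mem130["key"] in b or config in b for b in blocks)  # what a reader sees
    obu.nfc_store_block(blocks[0])
    partial = obu.mcu_wakeup()                              # None: blocks 1 and 2 still missing
    for b in blocks[1:]:
        obu.nfc_store_block(b)
    full = obu.mcu_wakeup()
    bad = bytearray(blocks[0]); bad[-1] ^= 1                # flip one bit of a stored block
    for b in [bytes(bad)] + blocks[1:]:
        obu.nfc_store_block(b)
    try:
        obu.mcu_wakeup(); rejected = False
    except ValueError:
        rejected = True
    third = server.receive_third_data(obu.mcu_export_third_data(b"battery=87%"))
    return {"partial": partial, "full": full, "rejected": rejected,
            "third": third, "exposed": exposed}
```

Running `demo()` shows the three properties the patent argues for: the tag memory holds only opaque blocks (neither the key nor the plaintext appears in them), the unit refuses to decrypt until every block has arrived, and a modified block fails authentication before anything reaches the first memory.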
  • the present invention provides a system for providing a telematic traffic service, the system comprising a plurality of road-side devices, an electronic device and an on-board device for a vehicle, the on-board device being configured to communicate both with the plurality of road-side devices and with the electronic device, the on-board device being as described above.
  • FIG. 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to an embodiment of the present invention
  • FIG. 2 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to another embodiment of the present invention.
  • FIG. 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to embodiments of the present invention.
  • This telematic traffic service may be a service for the users (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) or a service for the administrator (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).
  • the system comprises an on-board device 100, an electronic device 210, a plurality of road-side devices (for the sake of simplicity not shown in Figure 1), a communications network 600 and a central server 700 which communicates with the electronic device 210 via the communications network 600.
  • the on-board device 100 is preferably suitable for installation onboard a vehicle (for the sake of simplicity not shown in Figure 1 ), for example a motor vehicle.
  • the road-side devices are instead configured to be installed in a fixed position, for example along a road side, on an overpass or on an access gateway (for example to a car park, an urban zone, a road or motorway section, etc.).
  • the on-board device 100 is configured to communicate via radio both with the road-side devices and with the electronic device 210.
  • the on-board device 100 preferably comprises a battery 110, a data processing unit 120, a first memory 130, a radiofrequency communication stage 140, a short-range communication stage 150 and a second memory 160.
  • the onboard device 100 may comprise other components (for example GNSS components for satellite positioning) which will not be described in greater detail hereinbelow since they are not useful for the purposes of the present description.
  • the battery 110 is preferably electrically connected directly or indirectly to each of the other components of the on-board device 100 (in particular to the data processing unit 120, to the first memory 130, to the radiofrequency stage 140 and to the short-range communication stage 150), so as to power them if and when necessary.
  • the first memory 130 is preferably electrically connected to the data processing unit 120.
  • the first memory 130 may be implemented on the outside or on the inside of the data processing unit 120. In any case, the first memory 130 is accessible by the data processing unit 120 alone (in particular it is not directly accessible by the short-range communication stage 150).
  • the first memory 130 preferably stores a hardware identifier UID120 of the data processing unit 120 (preferably, its silicon number) in a non-modifiable and non-erasable manner.
  • This hardware identifier UID120 is used by the processing unit 120 to check the authenticity of the data read from the first memory 130. This advantageously makes it possible to prevent the contents of the central operating memory of one on-board device from being cloned and transferred onto another on-board device: data copied bit for bit onto a unit with a different identifier fails the check.
  • If the first memory 130 is implemented outside the data processing unit 120, an interface (not shown in the drawings) is provided between the unit 120 and the memory 130, said interface being configured to perform hardware encryption of the data which the unit 120 writes into the memory 130 and hardware decryption of the data which the unit 120 reads from the memory 130.
  • the data stored in the memory 130 is thus advantageously protected at the hardware level.
  • the first memory 130 is therefore a non-volatile memory which acts as a secure central operating memory of the on-board device 100.
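The hardware-identifier check just described, as an added example that is not the patent's or Autostrade Tech's code. The patent says only that unit 120 uses UID120 to verify data read from memory 130; the concrete mechanism here, a per-unit HMAC key derived from UID120 with which every record in memory 130 is tagged on write and verified on read, is an assumption, as are the function names and the two constructed silicon numbers. The hardware encryption interface of the preceding paragraphs is not modelled; the example shows only why a bit-for-bit copy of memory 130 is useless on another unit.

```python
import hashlib
import hmac

def _record_key(uid120: bytes) -> bytes:
    """Per-unit authentication key derived from the silicon number (assumed derivation)."""
    return hashlib.sha256(b"mem130-auth|" + uid120).digest()

def _tag(uid120: bytes, name: str, value: bytes) -> bytes:
    return hmac.new(_record_key(uid120), name.encode() + b"\0" + value, hashlib.sha256).digest()

def mem130_write(store: dict, uid120: bytes, name: str, value: bytes) -> None:
    """Unit 120 stores a record in memory 130 together with a tag bound to its own UID."""
    store[name] = (value, _tag(uid120, name, value))

def mem130_read(store: dict, uid120: bytes, name: str) -> bytes:
    """Unit 120 accepts the record only if the tag was produced under this unit's UID."""
    value, tag = store[name]
    if not hmac.compare_digest(tag, _tag(uid120, name, value)):
        raise ValueError("memory 130 record is not authentic for this unit")
    return value

def clone_attempt() -> dict:
    # constructed silicon numbers of two different processing units
    uid_a, uid_b = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    mem_a = {}
    mem130_write(mem_a, uid_a, "obu_id", b"OBU-0001")
    mem130_write(mem_a, uid_a, "plate", b"AB123CD")
    genuine = mem130_read(mem_a, uid_a, "obu_id")        # the legitimate unit reads fine
    mem_b = dict(mem_a)                                   # bit-for-bit copy onto a second unit
    try:
        mem130_read(mem_b, uid_b, "obu_id")
        clone_accepted = True
    except ValueError:
        clone_accepted = False
    mem_a["plate"] = (b"ZZ999ZZ", mem_a["plate"][1])     # edit a value in place, old tag kept
    try:
        mem130_read(mem_a, uid_a, "plate")
        tamper_accepted = True
    except ValueError:
        tamper_accepted = False
    return {"genuine": genuine, "clone_accepted": clone_accepted, "tamper_accepted": tamper_accepted}
```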
  • the first memory 130 stores the unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user who is owner of the vehicle and about the vehicle itself (for example number plate and/or toll class of vehicle).
  • the first memory 130 also preferably stores the software applications which provide the telematic traffic services for the user and/or for the administrator supported by the on-board device 100 and the data generated by communication of the on-board device 100 with the road-side devices of the system via the radiofrequency communication stage 140 (for example, data relating to the position of the vehicle or transit thereof through an access way).
  • the radiofrequency communication stage 140 is preferably configured to establish radio links with the road-side devices.
  • the radiofrequency stage 140 may be implemented using DSRC (Dedicated Short Range Communications) technology which, as is known, comprises radio channels and authentication, encoding and decoding procedures which have been specifically developed for telematic traffic services and uses frequency bands in the range of 5.7 - 5.9 GHz.
  • the short-range communication stage 150 is preferably configured to support short-range radio links (maximum 10 cm) with the electronic device 210.
  • the electronic device 210 may belong to the same user who has been assigned the on-board device 100 or may belong to third parties (for example, the administrator of the road or motorway infrastructure along which the telematic traffic service supported by the on-board device 100 is provided, the telematic traffic service administrator, or the body or authority responsible for monitoring traffic offences).
  • the electronic device 210 is also preferably provided with cabled or wireless connectivity (for example WiFi or cellular network) to the communications network 600.
  • the electronic device 210 may be a smartphone, a tablet or a generic commercial or specially designed reader.
  • the electronic device 210 is also provided with a user interface 200 comprising input and/or output elements comprising for example pushbuttons, cursors, touchscreen, etc.
  • the electronic device 210 also comprises a short-range communication stage compatible with the short-range communication stage 150 of the on-board device 100.
  • the short-range communication stage 150 (and therefore also the corresponding short-range communication stage of the electronic device 210) is implemented using near-field technology, such as RFID (Radio-Frequency IDentification) technology with short range (i.e. radius less than 10 cm), or NFC (Near Field Communication) technology.
  • the short-range communication stage included in the electronic device 210 is configured as initiator, while the short-range communication stage 150 is configured as target.
  • the short-range communication stage 150 is configured to receive from the short-range communication stage included in the electronic device 210 a radio carrier, from which it extracts its own power supply.
  • the configuration of the short-range communication stage 150 as target (i.e. as a passive tag powered by the reader's field, as described above) is advantageous, since it allows the electronic complexity and software of the on-board unit to be reduced. It also allows the short-range communication stage 150 to operate (and therefore communicate with the corresponding short-range communication stage included in the electronic device 210) also when the battery 110 of the on-board device 100 is completely discharged, or when the remainder of the on-board device (in particular the data processing unit 120, the first memory 130 and the radiofrequency stage 140) is damaged or in any case not functioning.
  • the second memory 160 may be electrically connected to the short-range communication stage 150.
  • the second memory 160 may be integrated in the short-range communication stage 150.
  • the second memory 160 is directly accessible by the short-range communication stage 150 which may carry out on it both write operations and read operations also without involving the processing unit 120, as will be described in greater detail hereinbelow.
  • the second memory 160 is preferably a nonvolatile memory able to retain the data even when not electrically powered.
  • the second memory 160 may be a memory of the EEPROM type.
  • the second memory 160 preferably permanently stores a set of basic data relating to the on-board device 100, comprising a unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user and/or the vehicle.
  • the second memory 160 moreover is suitable for storing in a temporary or transient manner data sent by the central server 700 and destined for the data processing unit 120 and/or for the first memory 130, as will be described in greater detail hereinbelow.
  • When the electronic device 210 is brought within range, the communications protocol via which the short-range communication stage 150 and the corresponding short-range stage included in the electronic device 210 operate thus establishes a radio link automatically.
  • the radio link thus established is preferably a two-way point-to-point link which allows a two-way exchange of data between on-board device 100 and electronic device 210.
  • the short-range communication stage 150 may transmit to the electronic device 210 data read from the second memory 160 or other components of the on-board device 100, thus allowing the reading of this data from the on-board device 100 via the electronic device 210.
  • the data read may be displayed in the form of texts or graphics on the user interface 200 of the electronic device 210.
  • the data read may be transmitted from the electronic device 210 to the central server 700 via the communications network 600.
  • read operations may allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to carry out for example diagnostic checks or operational tests of the on-board device 100 (for example, checking of the charge level of its battery 110) or checking of the configuration information about the user and/or the motor vehicle stored by the on-board device 100.
  • If the data to be read is the basic data stored in the second memory 160, the short-range communication stage 150 advantageously may read it even if the battery 110 is completely discharged, or when the data processing unit 120 and/or the first memory 130 are not functioning.
  • the basic data stored in the second memory 160 can therefore be advantageously read by means of the electronic device 210, irrespective as to whether the on-board device 100 is functioning or not.
  • the second memory 160 therefore advantageously performs substantially an electronic tag function.
  • If instead the data to be read is stored in the first memory 130, the short-range communication stage 150 may read it only if the battery 110 is charged and the on-board device 100 (at least the data processing unit 120 and the first memory 130) is functioning correctly.
  • the electronic device 210 preferably sends a command signal to the short-range communication stage 150.
  • if the required data is stored in the second memory 160, the short-range communication stage 150 retrieves it from the second memory 160 and sends it to the electronic device 210, without requesting any action by the data processing unit 120.
  • if instead the required data is stored in the first memory 130, the short-range communication stage 150 forwards the command signal to the data processing unit 120, which retrieves the data required from the first memory 130 and sends it to the short-range communication stage 150, which in turn forwards it to the electronic device 210.
  • in this latter case, the command signal is preceded by a wake-up signal which activates the data processing unit 120.
  • the short-range communication stage 150 may receive from the electronic device 210 data to be supplied to the other components of the on-board device 100 (in particular to the data processing unit 120 and/or to the first memory 130 and/or to the second memory 160), thus allowing writing of this data onto the on-board device 100 via the electronic device 210.
  • These write operations may for example allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to modify the configuration of the on-board device 100, for example updating or activating the software applications which are already present or loading new applications or removing or deactivating those applications which are no longer of interest for the user.
  • These write operations may therefore be advantageously performed without having to visit a customer service operating centre.
  • a write operation preferably envisages that the central server 700 transmits the data to be written to the on-board device 100 via the communications network 600 and the electronic device 210.
  • the electronic device 210 preferably does not perform any processing of the data, merely performing a transducer function between the connection to the communications network 600 (for example Wi-Fi or cellular network) and the short-range radio link with the on-board device 100 (for example NFC).
  • the data transmitted on the short-range radio link between electronic device 210 and onboard device 100 is therefore the same as the data transmitted on the communication network 600 between the central server 700 and the electronic device 210.
  • the establishment of the short-range radio link does not require any manual setting or any pairing procedure and is therefore very quick (about 1/10th of a second).
  • the short-range link has a maximum radius of 10 cm, it is intrinsically not exposed to the risk of sniffing of the transmitted data which, in any case, as will be explained below, is preferably encrypted by the central server 700.
  • the short-range communication stage 150 preferably saves it temporarily in the second memory 160.
  • a passcode write protection mechanism is provided in order to prevent any overwriting or unauthorised access to the second memory 160.
  • the short-range communication stage 150 may identify and store said data directly in a permanent manner in the second memory 160 (without requiring any action by the data processing unit 120), for example in an address location of the second memory 160 dedicated for the permanent storage of the basic data.
  • the short-range communication stage 150 may forward the data to be written in a transparent manner to the data processing unit 120, which identifies said data and transfers it back into the second memory 160, for example in the address location of the second memory 160 dedicated for the permanent storage of basic data.
  • the short-range communication stage 150 forwards said data preferably in a transparent manner to the data processing unit 120, which processes it and if necessary writes it in the first memory 130.
  • If the write operation involves the data processing unit 120, the battery 110 must be charged. If, on the other hand, the data processing unit 120 is not involved, the write operation may be performed even if the battery 110 is discharged.
  • the data processing unit 120, if it is involved in the write operation, preferably starts processing of the data to be written upon reception of a wake-up signal.
  • This wake-up signal may be sent to the data processing unit 120 by the short-range communication stage 150 or by the user of the on-board device 100, for example by means of a special button which can be accessed manually on the outside of the on-board device 100.
  • the on-board device 100 may be provided with one or more indicators (for example LED light indicators) designed to provide the user with visual feedback as regards the outcome of the data write operation on the on-board device 100.
  • the on-board device 100 may be provided with a light indicator configured to signal to the user whether the operation of writing the data in the first memory 130 has been successfully completed.
  • the on-board device 100 therefore is substantially able to operate in three different operating configurations:
  • This operating configuration is generally useful for the purpose of verification of operation of the on-board device 100, for diagnostic purposes and, generally, for the purpose of reading the data contained in the first memory 130;
  • This operating configuration is generally useful for the purpose of configuration of the on-board device 100 (for example in order to modify the tag data, update or activate the software applications already present, or load new applications, or in order to remove or disable those applications which are no longer of interest for the user, see the aforementioned example where the user wishes to activate temporarily a toll payment service in a foreign country).
  • the system shown in Figure 1 is preferably configured to provide a secure connection between the on-board device 100 and electronic device 210 and optionally between central server 700 and on-board device 100.
  • a mechanism for ensuring the authenticity of the data read from the second memory 160, namely so that the electronic device 210 and/or the central server 700 can be sure that the read data really relates to the on-board device 100 and has not instead been cloned by another on-board device;
  • a mechanism for protecting the data exchanged between the central server 700 and the on-board device 100.
  • the mechanism for ensuring the authenticity of the data read from the second memory 160 is based on asymmetric encryption of the data made available during reading by means of permanent storage in the second memory 160.
  • the data which can be read from the second memory 160 is stored in the second memory 160 encrypted with a private key.
  • the central server 700 preferably sends to the onboard device 100 the data to be rendered readable from the second memory 160 in a form already encrypted with private key.
  • the short-range communication stage 150 may store it directly in the second memory 160, without requesting any action by the data processing unit 120.
  • the central server 700 may send to the on-board device 100 the data to be rendered readable from the second memory in a form not yet encrypted with private key.
  • the short-range communication stage 150 preferably forwards it to the data processing unit 120 which encrypts it with private key and stores it permanently in the second memory 160. In this second case, therefore, action by the data processing unit 120 and storage of the private key in the first memory 130 are required.
  • the electronic device 210 or the central server 700 requests reading of this data
  • said data is transmitted, encrypted with private key, to the electronic device 210 via the short-range communication stage 150.
  • no command is sent to the data processing unit 120 of the on-board device 100, which is not required to perform reading operations from the second memory 160.
  • the electronic device 210 preferably uses the public key in order to decrypt the read data which is encrypted with private key.
  • the public key, since it may be freely distributed, is preferably saved locally in the electronic device 210 (for example within an application executed by the device 210 for managing reading of data from the device 100), thus freeing the electronic device 210 from the need to be connected to the central server 700 during the whole of the operation of reading of the data stored by the second memory 160.
  • the hardware identifier UID160 is preferably written by the manufacturer of the memory 160 in a specific area thereof so that it is stored permanently and is available in read-only mode and therefore cannot be modified.
  • the hardware identifier UID160 is stored both unencrypted and encrypted with the private key together with the data to be rendered readable (for example the basic data) permanently saved in the second memory 160 (containing, as described above, the identifier OBU-ID and optionally data about the user and/or the vehicle).
  • the hardware identifier UID160 is preferably transmitted to the electronic device 210 unencrypted, together with the data to be read encrypted with the private key.
  • after carrying out decryption of the data to be read with the public key, the electronic device 210 preferably compares the hardware identifier UID160 received unencrypted with the hardware identifier UID160 obtained from the decryption with the public key. If the two hardware identifiers coincide, the data to be read is further authenticated.
  • the private key (which is the same for encryption and decryption) is preferably known only to the central server 700 and to the on-board device 100. Therefore, reading of this data in electronic tag mode by the electronic device 210 requires in any case forwarding of the data to the central server 700 which decrypts it with the private key known to it and, if authenticated, retransmits it unencrypted to the electronic device 210.
  • the mechanism for protecting the data transmitted from the central server 700 to the on-board device 100 is preferably based on symmetric encryption of the transmitted data.
  • This symmetric encryption uses the same private key to encrypt and decrypt the data, which key must therefore be known both to the central server 700 and to the on-board device 100.
  • the private key is stored in the first memory 130 of the on-board device 100, preferably in a non-erasable and non-modifiable area of the first memory 130.
  • the central server 700 preferably encrypts the data to be written with the private key and transmits it to the electronic device 210 where, as described above, it is temporarily saved in the second memory 160.
  • the data processing unit 120 preferably (upon reception of a wake-up signal, as described above) decrypts the data to be written using the private key stored in the first memory 130 and stores it in the first memory 130. This operation may be performed in different ways.
  • the data processing unit 120 firstly transfers the encrypted data from the second memory 160 to the first memory 130 and then decrypts it, using the symmetric key stored in the first memory 130.
  • the data processing unit 120 firstly recovers the symmetric key from the first memory 130, then uses it to decrypt the data (for example saved temporarily in an associated internal RAM memory), and finally transfers it into the first memory 130.
  • the data to be decrypted and the private key which is used to decrypt said data reside in two physically separate memories, one of which (namely the first memory 130 which stores the private key) is accessible only for the data processing unit 120 and therefore is not directly accessible by the short-range communication stage 150.
  • Although the short-range communication stage 150 allows an unprotected connection to be established between the electronic device 210 and the on-board device 100, the on-board device 100 is advantageously very secure.
  • the central server 700 divides the data to be written into blocks (before or after performing symmetric-key encryption of said data), which it then transmits to the on-board device 100 via the electronic device 210.
  • the data processing unit 120 waits for reception of all the encrypted blocks in the second memory 160. This advantageously further increases the security and reliability of the communication between central server 700 and on-board device 100 since the blocks, before being written in the memory 130, must be decrypted by a process which is totally external to the memory 160 in which it is temporarily stored.
  • the security of the private key used for symmetric encryption is preferably ensured in the manner described below.
  • personalisation at the factory of the on-board device 100 is performed, this operation comprising the following steps:
  • the secure server stores (in a manner not accessible from outside) at least one master key, on the basis of which it then calculates at least one derived key using the OBU-ID code received as diversifier.
  • the secure server then provides at its output the at least one derived key calculated.
  • the secure server stores a master administration key MAdBTKey and a master application key MApBTKey on the basis of which it calculates, respectively, a derived administration key DAdBTKey and a derived application key DApBTKey, using the OBU-ID code received as diversifier.
  • the two derived keys, output by the secure server, may be used for different applications.
  • this operation is preferably performed at the factory, the at least one derived key being sent to the onboard device 100 via the radiofrequency communication stage 140.
  • the derived key(s) is/are then stored in the first memory 130 so that it/they is/are protected (non-readable), non-modifiable and non-erasable without the action of the processing unit 120.
  • the central server 700 preferably uses a second secure HSM server (also containing the master key(s)), supplying it with the unique identification code OBU-ID of the on-board device 100 and obtaining from it the specific derived key to be used for communication with the on-board device 100.
  • the transmitted data, encrypted by the central server 700 with the derived key, is received as described above by the data processing unit 120 which, using the appropriate derived key stored in its first memory 130, decrypts the data received which is finally stored in the first memory 130.
  • a first step preferably envisages that the electronic device 210, after being registered (logged in) with the central server 700, obtains from the on-board device 100 via the short-range link with the short-range communication stage 150 the following data read from the second memory 160:
  • the central server 700 preferably uses the aforementioned second secure HSM server (indicated by the reference number 710 in Figure 2), supplying it with the unique identification code OBU-ID of the on-board device 100 received unencrypted and obtaining from it the specific derived key to be used for communication with the on-board device 100. Once the derived key has been obtained, the central server 700 decrypts the data received and validates its correctness.
  • the configuration data sent from the central server 700 to the onboard device 100 and encrypted with derived key may also comprise data to be stored in the second memory 160, so that it remains readable by the electronic device 210 via short-range radio communication. This data may or may not be already encrypted by the central server 700 for the purposes of authentication, as described above.
  • the data processing unit 120, once the message encrypted with the derived key has been decrypted, identifies the data to be made available for reading and establishes whether it is already encrypted for the purposes of authentication. If this is so, it permanently stores it in the second memory 160. If this is not the case, it retrieves from the first memory 130 the private key of the asymmetric encryption intended to allow authentication of the data read, uses it to encrypt the data and stores it permanently in the second memory 160.
  • a session key may also be used for communication between the central server 700 and the on-board device 100.
  • the sender (namely the central server 700 if data is written in the on-board device 100, or the on-board device 100 if data is read from the on-board device 100) calculates a session key, for example based on the derived key and a random number. The session key is recalculated (and is therefore different) for each communication session.
  • the sender preferably uses the calculated session key to further encrypt the data to be transmitted, already encrypted with the derived key of the symmetric encryption mechanism.
  • the sender also preferably encrypts the calculated session key, using for example the public key of the recipient (namely the on-board device 100 if data is written, or the central server 700 if data is read) and also sends this to the recipient.
  • the recipient upon reception of the data and the encrypted session key, decrypts the session key using the associated private key and then uses the session key to decrypt the data received (to be further decrypted using the derived key).
  • This mechanism is advantageous since it represents a solution which is less complex from a computational point of view compared to asymmetric encryption of all the data exchanged between central server 700 and on-board device 100 and which allows the calculation time necessary for encryption and decryption of the exchanged data to be reduced significantly.
  • protection with the session key is used only on the link between electronic device 210 and central server 700.
  • the management of the session keys in this case is entrusted to the electronic device 210 and not to the on-board device 100.
  • writing of the data in the second memory 160 may be managed by the data processing unit 120, interfaced in this case with the data connection interface (for example the radio communication technology internal modem or Bluetooth interface).
  • the short-range communication stage 150 may be used solely for the function of reading data from the memory 160.
  • the on-board device described, in addition to allowing the reading of data (for example for verification or diagnostic purposes) and the writing of data (for example for configuration purposes) by the electronic device 210, in fact allows the exchange of data with the electronic device 210 and the central server 700 to be managed in a particularly secure manner.
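The authentication mechanism described above for the data read from the second memory 160 (basic data stored encrypted with the private key, the hardware identifier UID160 kept both unencrypted and inside the protected data, and the comparison carried out by the electronic device 210 after decryption with the public key) is shown end to end in the following Go program. It is an added example and not code from the patent or from Autostrade Tech: the patent's "encrypt with the private key, decrypt with the public key" is realised as an RSA-PSS signature over the serialised basic data, which is the standard form of that construction, and the type and function names (BasicData, TagRecord, Personalise, ReadAndAuthenticate, CloneInto) as well as the sample OBU-ID and UID160 values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// BasicData is the content made readable from the second memory: the identifier
// OBU-ID, the memory's own hardware identifier UID160 and optional user data.
// All values used below are constructed for this example.
type BasicData struct {
	OBUID  string `json:"obu_id"`
	UID160 string `json:"uid160"`
	User   string `json:"user,omitempty"`
}

// TagRecord is what the electronic device obtains over the short-range link.
type TagRecord struct {
	UID160    string // read-only, written by the memory manufacturer, sent in clear
	Payload   []byte // serialised BasicData, which repeats UID160
	Signature []byte // produced by the central server with the private key
}

// Personalise runs on the central server, the only holder of priv. The patent's
// "encrypt with private key, decrypt with public key" is realised as an RSA-PSS
// signature over the payload (an assumed, standard choice).
func Personalise(priv *rsa.PrivateKey, data BasicData) (TagRecord, error) {
	payload, err := json.Marshal(data)
	if err != nil {
		return TagRecord{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return TagRecord{}, err
	}
	return TagRecord{UID160: data.UID160, Payload: payload, Signature: sig}, nil
}

// ReadAndAuthenticate runs on the electronic device with only the public key:
// check the signature, then compare the hardware identifier received in clear
// with the one inside the authenticated payload. A record copied into another
// memory carries that memory's different read-only UID160 and fails the check.
func ReadAndAuthenticate(pub *rsa.PublicKey, rec TagRecord) (BasicData, error) {
	digest := sha256.Sum256(rec.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], rec.Signature, nil); err != nil {
		return BasicData{}, errors.New("payload not authentic")
	}
	var data BasicData
	if err := json.Unmarshal(rec.Payload, &data); err != nil {
		return BasicData{}, err
	}
	if data.UID160 != rec.UID160 {
		return BasicData{}, errors.New("hardware identifier mismatch: record not bound to this memory")
	}
	return data, nil
}

// CloneInto models copying a record verbatim into a different second memory,
// whose manufacturer-written UID160 cannot be changed to match.
func CloneInto(rec TagRecord, otherUID160 string) TagRecord {
	rec.UID160 = otherUID160
	return rec
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec, _ := Personalise(priv, BasicData{OBUID: "OBU-0001", UID160: "04A1B2C3D4E5F6"})
	if d, err := ReadAndAuthenticate(&priv.PublicKey, rec); err == nil {
		fmt.Println("genuine record accepted for", d.OBUID)
	}
	_, err = ReadAndAuthenticate(&priv.PublicKey, CloneInto(rec, "04FFFFFFFFFFFF"))
	fmt.Println("cloned record rejected:", err != nil)
}
```

The clone check works because the UID160 presented to the reader comes from the read-only area the memory manufacturer wrote, so a record copied verbatim into another memory arrives with a clear-text UID160 that differs from the one sealed inside the authenticated payload. A record whose payload has been edited, or one verified against a different public key, fails the signature check before the comparison is even reached.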
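The symmetric write path (data encrypted by the central server 700 and decrypted by the data processing unit 120 only once all blocks are present in the second memory 160), the factory personalisation (a master key held in the secure server and diversified with the OBU-ID into a derived key) and the optional session-key layer described above are combined in the following Go program. It is an added example, not code from the patent or from Autostrade Tech, and it makes choices the patent leaves open: HMAC-SHA256 stands in for the HSM's key derivation, AES-256-GCM for the symmetric cipher, and RSA-OAEP for transporting the session key under the recipient's public key. The function names deriveKey, PrepareWrite, ApplyWrite, SessionWrap and SessionUnwrap, the master key and the configuration payload are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// deriveKey stands in for the secure HSM server: the master key never leaves it and is
// diversified with the OBU-ID. HMAC-SHA256 is an assumed choice; the patent names none.
func deriveKey(master []byte, diversifier string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(diversifier))
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

// gcm builds an AES-256-GCM AEAD over a 32-byte key (assumed cipher; the patent names none).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here comes from deriveKey, so a bad length is a programming error
	}
	aead, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	return aead
}

// seal encrypts and prefixes a fresh random nonce; open reverses it and, because GCM
// authenticates, rejects any block altered in transit or while parked in the second memory.
func seal(key, plaintext []byte) ([]byte, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("truncated ciphertext")
}

// PrepareWrite (central server): encrypt under the OBU's derived key, then split into blocks.
func PrepareWrite(master []byte, obuID string, config []byte, blockSize int) ([][]byte, error) {
	sealed, err := seal(deriveKey(master, obuID), config)
	if err != nil {
		return nil, err
	}
	var blocks [][]byte
	for len(sealed) > blockSize {
		blocks, sealed = append(blocks, sealed[:blockSize]), sealed[blockSize:]
	}
	return append(blocks, sealed), nil // the electronic device 210 only relays these
}

// ApplyWrite (data processing unit 120): wait for every block, then decrypt with the derived key.
func ApplyWrite(derivedKey []byte, received [][]byte, expected int) ([]byte, error) {
	if len(received) != expected {
		return nil, fmt.Errorf("only %d of %d blocks received", len(received), expected)
	}
	return open(derivedKey, bytes.Join(received, nil))
}

// SessionWrap (sender): a one-off session key, derived from the derived key and a random
// number, seals the already-encrypted data; the session key travels under RSA-OAEP.
func SessionWrap(derivedKey, inner []byte, recipient *rsa.PublicKey) (wrappedKey, body []byte, err error) {
	random := make([]byte, 16)
	if _, err = rand.Read(random); err != nil {
		return nil, nil, err
	}
	sessionKey := deriveKey(derivedKey, string(random)) // recalculated for every session
	if body, err = seal(sessionKey, inner); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	return wrappedKey, body, err
}

// SessionUnwrap (recipient): recover the session key with the private key, then peel both layers.
func SessionUnwrap(derivedKey, wrappedKey, body []byte, priv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	inner, err := open(sessionKey, body)
	if err != nil {
		return nil, err
	}
	return open(derivedKey, inner)
}
```

A typical sequence is PrepareWrite on the server, relay of the blocks by the electronic device 210, then ApplyWrite on the device with the derived key held in the first memory 130; for the session-key variant the sender passes the derived-key ciphertext through SessionWrap and the recipient calls SessionUnwrap with its private key. Because GCM binds an authentication tag to the whole ciphertext, a missing, reordered or modified block is detected before anything reaches the first memory, which is the property the text attributes to decrypting outside the second memory.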

Landscapes

  • Business, Economics & Management (AREA)
  • Finance (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mobile Radio Communication Systems (AREA)
PCT/IB2017/050184 2016-01-14 2017-01-13 On-board device for a vehicle WO2017122165A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP17709787.0A EP3238182B1 (de) 2016-01-14 2017-01-13 On-board device for a vehicle
ES17709787T ES2735805T3 (es) 2016-01-14 2017-01-13 On-board device for a vehicle
PL17709787T PL3238182T3 (pl) 2016-01-14 2017-01-13 On-board device for a vehicle

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ITUB2016A009991A ITUB20169991A1 (it) 2016-01-14 2016-01-14 Communication system for motorway toll collection or access control devices, and associated device and method.
IT102016000002887 2016-01-14

Publications (1)

Publication Number Publication Date
WO2017122165A1 true WO2017122165A1 (en) 2017-07-20

Family

ID=55861096

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2017/050184 WO2017122165A1 (en) 2016-01-14 2017-01-13 On-board device for a vehicle

Country Status (6)

Country Link
EP (1) EP3238182B1 (de)
CL (1) CL2018001747A1 (de)
ES (1) ES2735805T3 (de)
IT (1) ITUB20169991A1 (de)
PL (1) PL3238182T3 (de)
WO (1) WO2017122165A1 (de)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112365614A (zh) * 2020-10-10 2021-02-12 浙江省交通运输科学研究院 On-board interaction device for expressways, and information interaction and toll collection system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT201900010758A1 (it) * 2019-07-03 2021-01-03 Telepass S P A On-board device for telematic traffic services
IT202100016715A1 (it) * 2021-06-25 2022-12-25 Telepass S P A Vehicle on-board unit for road traffic services with a radio-frequency communication transponder

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0769763A2 (de) * 1995-10-19 1997-04-23 Denso Corporation In-vehicle communication device and vehicle monitoring system with pre-encrypted data for highly reliable communication operation
US20140316992A1 (en) * 2013-04-19 2014-10-23 Kapsch Trafficcom Ag Method for charging an onboard-unit with an electronic ticket
US20140316685A1 (en) * 2013-04-19 2014-10-23 Kapsch Trafficcom Ag Onboard-installation for a vehicle
US20150006912A1 (en) * 2013-06-28 2015-01-01 International Business Machines Corporation Firmware for protecting data from software threats field of the invention
US20150100394A1 (en) * 2013-10-08 2015-04-09 Kapsch Trafficcom Ag Method for checking toll transactions and components therefor

Also Published As

Publication number Publication date
EP3238182B1 (de) 2019-04-24
ITUB20169991A1 (it) 2017-07-14
CL2018001747A1 (es) 2018-10-26
EP3238182A1 (de) 2017-11-01
PL3238182T3 (pl) 2019-11-29
ES2735805T3 (es) 2019-12-20

Similar Documents

Publication Publication Date Title
US11212100B2 (en) Systems and methods of providing and electronically validating tickets and tokens
US10078831B2 (en) Connected toll pass
EP2498225B1 (de) Road toll system and method
US9098950B2 (en) Method and system for the user-specific initialization of identification devices in the field
CN104468784B (zh) System and method for upgrading on-board unit software via a DSRC interface
JP4167490B2 (ja) Road toll collection system
KR20120116924A (ko) Vehicle access control service and platform
JP2014509414A (ja) Method, device and system for secure access to a gated area
US11716194B2 (en) Vehicle communication for authorized entry
EP3238182B1 (de) On-board device for a vehicle
CN112888607B (zh) Method and device for identifying transported passengers and goods
JP3445490B2 (ja) Mobile communication method and mobile communication system
EP3416352B1 (de) On-board device for a vehicle
JP2013258491A (ja) Car sharing system and car sharing provision method
JP2014215705A (ja) On-board unit control system
JP5310090B2 (ja) Settlement system
JP2002109593A (ja) Wireless communication device and information changing method
EP4109416A1 (de) Vehicle unit for road traffic with a transponder for radio communication
CN109840959A (zh) On-board communication device and toll collection method
JP5556920B2 (ja) Settlement system and warning method
KR20180122538A (ko) Emergency bell device for deterring damage, loss and the like of vehicles in an unmanned apartment underground car park
JP2003006791A (ja) Information processing system, on-board unit and roadside unit
JP6580868B2 (ja) Information provision system, information provision method and computer program
JP2002095050A (ja) Information transmission system, wireless communication device and mobile body
CN114973435A (zh) Ticket checking method, gate, server, mobile terminal and storage medium

Legal Events

Date Code Title Description
REEP Request for entry into the european phase

Ref document number: 2017709787

Country of ref document: EP

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17709787

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE