WO2017126322A1 - In-car computer system, vehicle, key generation device, management method, key generation method, and computer program - Google Patents

In-car computer system, vehicle, key generation device, management method, key generation method, and computer program Download PDF

Info

Publication number
WO2017126322A1
WO2017126322A1 PCT/JP2017/000105 JP2017000105W WO2017126322A1 WO 2017126322 A1 WO2017126322 A1 WO 2017126322A1 JP 2017000105 W JP2017000105 W JP 2017000105W WO 2017126322 A1 WO2017126322 A1 WO 2017126322A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
vehicle
vehicle computer
authentication code
ecu
Prior art date
Application number
PCT/JP2017/000105
Other languages
French (fr)
Japanese (ja)
Inventor
竹森 敬祐
誠一郎 溝口
秀明 川端
歩 窪田
Original Assignee
Kddi株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2016150269A external-priority patent/JP6260066B2/en
Application filed by Kddi株式会社 filed Critical Kddi株式会社
Priority to US16/068,804 priority Critical patent/US10855460B2/en
Priority to EP17741202.0A priority patent/EP3407534B1/en
Priority to CN201780007461.3A priority patent/CN108496322B/en
Publication of WO2017126322A1 publication Critical patent/WO2017126322A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to an in-vehicle computer system, a vehicle, a key generation device, a management method, a key generation method, and a computer program.
  • This application claims priority based on Japanese Patent Application No. 2016-007432 filed in Japan on January 18, 2016 and Japanese Patent Application No. 2016-150269 filed in Japan on July 29, 2016. The contents are incorporated here.
  • Non-Patent Document 1 discloses a security technique for an in-vehicle control system configured by connecting a plurality of ECUs to a CAN (Controller Area Network).
  • Keisuke Takemori “Protection of in-vehicle control systems based on secure elements-Organizing and considering elemental technologies”, IEICE, IEICE Technical Report, vol.vol114, no. 508, pp. 73-78, 2015 March STMicroelectronics, “AN4240 Application Note”, Sep. 2013., Internet ⁇ URL: http://www.st.com/web/en/resource/technical/document/application_note/DM00075575.pdf>
  • the ECU includes an encryption processing chip, and the encryption processing chip executes encryption processing, thereby improving the safety of data in the in-vehicle control system.
  • the encryption processing chip executes encryption processing, thereby improving the safety of data in the in-vehicle control system.
  • data safety cannot be sufficiently maintained.
  • the present invention has been made in consideration of such circumstances, and improves the safety of data in an in-vehicle control system by executing an encryption processing procedure according to an encryption processing chip provided in an in-vehicle computer such as an ECU. It is an object of the present invention to provide an in-vehicle computer system, a vehicle, a management method, and a computer program. It is another object of the present invention to provide a key generation device, a key generation method, and a computer program that can flexibly generate a key stored in the in-vehicle computer.
  • a first vehicle-mounted computer including a first arithmetic processing device, a first SHE (Secure Hardware Extension), and a first storage unit;
  • a second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing
  • the first SHE has a message authentication code
  • An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key in one KEY_N key that can be used for generating and verifying A master key to be used together with the first SHE, and the first arithmetic processing unit receives a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer as the first SHE. Is generated using the master key, and the authentication processing of the validity of the second in-vehicle computer is executed using the generated message authentication code.
  • the first arithmetic processing unit uses the master key by the first SHE and the MEK key of the second SHE.
  • KEY_N key that can be used for encryption and decryption of the second SHE using the MEK key by the first SHE, or the message authentication code of the second SHE Generating a key registration message for registering a key exchange key in one KEY_N key that can be used for the generation process and the verification process, and transmitting the key registration message to the second in-vehicle computer.
  • the first arithmetic processing unit uses the key exchange key by the first SHE, and the second SHE A key registration message for registering the MAC key in the RAM_KEY key is generated, and the key registration message is transmitted to the second in-vehicle computer.
  • the second arithmetic processing unit sends the key registration message to the second SHE by the key registration message.
  • the second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the second SHE in a nonvolatile memory.
  • the second arithmetic processing unit registers a MAC key in the second SHE by a key registration message stored in the nonvolatile memory, and the first in-vehicle computer and the second in-vehicle computer.
  • a first vehicle-mounted computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
  • a second in-vehicle computer including an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are provided in the communication network provided in the vehicle.
  • SHE an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code.
  • a message authentication code used as the initial key is set.
  • the master key used together with the identifier of the second in-vehicle computer is stored in the generation of the first on-board computer, and the first arithmetic processing unit
  • a message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer is generated by the HSM using the master key, and the second in-vehicle computer is generated using the generated message authentication code.
  • the first arithmetic processing unit in the in-vehicle computer system according to (5), the first arithmetic processing unit generates the MEK key of the SHE using the master key by the HSM, and the HSM To the KEY_N key that can be used for the encryption and decryption processing of the SHE, or the KEY_N key that can be used for the generation processing and verification processing of the message authentication code of the SHE.
  • a key registration message for registering a key exchange key is generated, and the key registration message is transmitted to the second in-vehicle computer.
  • the second arithmetic processing unit registers a key exchange key in the SHE by the key registration message.
  • the first arithmetic processing unit uses the key exchange key by the HSM and assigns a MAC key to the RAM_KEY key of the SHE.
  • An in-vehicle computer system that generates a key registration message to be registered, transmits the key registration message to the second in-vehicle computer, and the second arithmetic processing unit registers the MAC key in the SHE by the key registration message. It is.
  • the second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the SHE in a nonvolatile memory.
  • the second arithmetic processing unit registers a MAC key in the SHE by a key registration message stored in the nonvolatile memory, and the first in-vehicle computer and the second in-vehicle computer are the non-volatile It is an in-vehicle computer system that executes validity authentication processing based on a MAC key registered in the RAM_KEY key of the SHE by a key registration message stored in a memory.
  • a first vehicle-mounted computer including a first arithmetic processing device, a first SHE (Secure Hardware Extension), and a first storage unit;
  • a second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • An initial key is set as one KEY_N key that is connected to a network and can be used for message authentication code generation processing and verification processing in the second SHE.
  • the second A message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer is generated, and the authentication process of the validity of the second in-vehicle computer using the generated message authentication code is performed in the secure element
  • the first arithmetic processing unit generates the second SHE MEK key using the master key by the secure element.
  • a first vehicle-mounted computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
  • a second in-vehicle computer including an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are provided in the communication network provided in the vehicle.
  • SHE an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first arithmetic processing unit is used as the initial key.
  • a message authentication code for the identifier of the second vehicle-mounted computer received from the second vehicle-mounted computer is generated, and the authentication process of the validity of the second vehicle-mounted computer using the generated message authentication code is performed.
  • This is an in-vehicle computer system that is executed by a secure element.
  • the first arithmetic processing unit in the in-vehicle computer system according to (11), the first arithmetic processing unit generates the MEK key of the SHE using the master key by the secure element, One KEY_N key that can be used for encryption and decryption processing of the SHE using the MEK key by a secure element, or one KEY_N that can be used for generation and verification processing of the message authentication code of the SHE
  • a key registration message for registering a key exchange key in a key is generated, and the key registration message is transmitted to the second in-vehicle computer, and the second arithmetic processing unit sends the key exchange key to the SHE by the key registration message. Is an in-vehicle computer system for registering.
  • One aspect of the present invention is a vehicle including the on-vehicle computer system according to any one of (1) to (12).
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit
  • a second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing
  • the first SHE has a message authentication code
  • An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key
  • a master key to be used is set, and the first arithmetic processing unit receives the message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer as the first SHE.
  • generating a message authentication code using the master key and the first arithmetic processing unit uses the generated message authentication code to execute the authentication process of the validity of the second in-vehicle computer. And an authentication step.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle.
  • SHE an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code.
  • HSM a message authentication code used as the initial key is set.
  • a master key used together with the identifier of the second in-vehicle computer is stored, and the first arithmetic processing unit transmits the second A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer by using the master key by the HSM; and the first arithmetic processing unit includes the generation And an authentication step of executing an authenticity authentication process for the second in-vehicle computer using the message authentication code.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
  • the second A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer, and the first arithmetic processing unit using the generated message authentication code.
  • an authentication step for causing the secure element to execute the authenticity authentication process of the in-vehicle computer.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle.
  • SHE Secure Hardware Extension
  • an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first arithmetic processing unit is used as the initial key.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit
  • a second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing
  • the first SHE has a message authentication code
  • An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key
  • a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer in the computer as the first arithmetic processing unit of the in-vehicle computer system in which the master key used for the computer is set Generating a message authentication code using the master key by the first SHE, and performing authentication processing for authenticating the second in-vehicle computer using the generated message authentication code
  • a computer program for executing the steps.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle.
  • SHE an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code.
  • HSM a message authentication code used as the initial key is set.
  • a master key used together with an identifier of the second in-vehicle computer for generation of the second in-vehicle computer system is stored. Generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer by using the master key by the HSM And an authentication step of executing an authentication process for the validity of the second in-vehicle computer using the generated message authentication code.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit
  • a second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle.
  • the first arithmetic processing unit of the in-vehicle computer system connected to a network and having an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing in the second SHE
  • a master used together with the identifier of the second in-vehicle computer to generate a message authentication code used as the initial key
  • a message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer with respect to the secure element storing the message, and using the generated message authentication code
  • An authentication step for causing the secure element to execute the authentication process for the validity of the second in-vehicle computer.
  • an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle.
  • an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code.
  • the computer as the first arithmetic processing unit of the in-vehicle computer system is connected to the SHE.
  • a message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer with respect to the secure element storing the key, and the generated message authentication code An authentication step for causing the secure element to execute the authentication process of the validity of the second in-vehicle computer that uses the computer program.
  • One aspect of the present invention uses a storage unit that stores a master key, a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a variable that represents a key type. And a calculation unit that calculates a key.
  • a key generation device stores a master key in a storage unit, the key generation device stores a master key stored in the storage unit, and an in-vehicle computer provided in a vehicle And a calculation step of calculating a key using the identifier and the variable representing the key type.
  • a computer stores a master key in a storage unit, a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a key type.
  • the present invention it is possible to improve the safety of data in the in-vehicle control system by executing the encryption processing procedure corresponding to the encryption processing chip provided in the in-vehicle computer such as the ECU. Moreover, the effect that the key stored in the vehicle-mounted computer can be produced
  • FIG. 1 is a diagram illustrating a configuration example of an in-vehicle computer system provided in an automobile 1 according to the present embodiment.
  • an in-vehicle computer system provided in an automobile 1 is configured by connecting a first ECU (electronic control unit) 10 and a plurality of second ECUs 20 to a CAN 30.
  • This in-vehicle computer system can be applied to the in-vehicle control system of the automobile 1.
  • the first ECU 10 and the second ECU 20 are in-vehicle computers provided in the automobile 1.
  • the first ECU 10 is an ECU having a key management function among the ECUs mounted on the automobile 1.
  • the first ECU 10 may be referred to as a key management ECU 10.
  • the second ECU 20 is an ECU having functions such as engine control among the ECUs mounted in the automobile 1. Examples of the second ECU 20 include an ECU having an engine control function, an ECU having a handle control function, and an ECU having a brake control function.
  • the second ECU 20 is an ECU whose validity is authenticated by the first ECU 10. Hereinafter, the second ECU 20 may be referred to as an authenticated ECU 20.
  • CAN 30 is a communication network. CAN is known as one of communication networks mounted on vehicles.
  • the first ECU 10 exchanges data with each second ECU 20 via the CAN 30.
  • the second ECU 20 exchanges data with the other second ECU 20 via the CAN 30.
  • a communication network other than CAN is provided in the automobile 1, and exchange of data between the first ECU 10 and the second ECU 20 via the communication network other than CAN, and Data exchange between the second ECUs 20 may be performed.
  • the automobile 1 may be provided with LIN (Local Interconnect Network).
  • the automobile 1 may be provided with CAN and LIN.
  • the automobile 1 may include a second ECU 20 connected to the LIN.
  • the first ECU 10 may be connected to CAN and LIN.
  • the first ECU 10 exchanges data with the second ECU 20 connected to the CAN via the CAN, and between the first ECU 10 and the second ECU 20 connected to the LIN via the LIN. You may exchange data with.
  • the second ECUs 20 may exchange data via the LIN.
  • the first ECU 10 includes a CPU (Central Processing Unit) 11, a storage unit 12, and a SHE (Secure Hardware Extension) 13.
  • the CPU 11 executes a computer program for realizing the function of the first ECU 10.
  • the storage unit 12 stores a computer program executed by the CPU 11 and various data.
  • the SHE 13 has a cryptographic processing function.
  • SHE13 has tamper resistance.
  • SHE 13 is an example of a secure element (Secure Element: SE).
  • SE Secure Element
  • the secure element has tamper resistance.
  • SHE13 may be referred to as SHE-A13.
  • the second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
  • the CPU 21 executes a computer program for realizing the function of the second ECU 20.
  • the storage unit 22 stores a computer program executed by the CPU 21 and various data.
  • the SHE 23 has a cryptographic processing function.
  • SHE23 has tamper resistance.
  • SHE23 is an example of a secure element.
  • SHE23 may be referred to as SHE-B23.
  • SHE 13 and SHE 23 are simply referred to as SHE when not particularly distinguished.
  • the first ECU 10 and the second ECU 20 include a SHE that is an example of a cryptographic processing chip.
  • SHE has a cryptographic processing function.
  • One of the encryption processing functions of SHE is encryption and decryption.
  • One of the encryption processing functions of SHE is generation and verification of a MAC (Message Authentication Code).
  • MAC Message Authentication Code
  • CMAC Cipher-based Message Authentication Code
  • the SHE key includes a MASTER_ECU_KEY (MEK) key, a BOOT_MAC_KEY (BMK) key, a BOOT_MAC (BM) key, a KEY_N key (where N is an integer from 1 to 10), and a RAM_KEY key.
  • MEK MASTER_ECU_KEY
  • BMK BOOT_MAC_KEY
  • BM BOOT_MAC
  • KEY_N key where N is an integer from 1 to 10
  • MEK MASTER_ECU_KEY (MEK) key
  • the MEK key is a key used for updating the MEK key, the BMK key, the BM key, and the KEY_N key.
  • the MEK key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of MEK key rewrites.
  • the BMK key is a key used for CMAC calculation in secure boot.
  • the BMK key can be used to update the BMK key and the BM key.
  • the BMK key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of times the BMK key can be rewritten.
  • the BM key is an expected value of CMAC in secure boot.
  • the BM key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of times the BM key can be rewritten.
  • Each KEY_N key can be used in either one of mode 0 that can be used for encryption processing and decryption processing, and mode 1 that can be used for MAC generation processing and verification processing.
  • Each KEY_N key can be used to update only its own key. For example, if the KEY_1 key is used, the KEY_1 key can be updated. There is a limit to the number of times each KEY_N key can be rewritten.
  • RAM_KEY key is a key that can be registered in plain text by the command CMD_LOAD_PLAIN_KEY.
  • the RAM_KEY key can also be registered using the values M1, M2 and M3 by the command CMD_LOAD_KEY.
  • the counter value Counter is not included in the value M2 described later. For this reason, it is vulnerable to replay attacks.
  • the KEY_N key can be used to update the RAM_KEY key. There is no limit to the number of times the RAM_KEY key can be rewritten.
  • Initial key KEY_1 key
  • the initial key is used in a process in which the first ECU 10 authenticates the validity of the second ECU 20.
  • the second ECU 20 for example, when the second ECU 20 is manufactured, its own initial key is set in advance as the KEY — 1 key of the SHE 23.
  • the KEY_1 key is a key that can be used for MAC generation processing and verification processing.
  • Key exchange key (used for mode 0 (encryption process and decryption process)), KEY_3 key (used for mode 1 (MAC generation process and verification process))
  • the key exchange key is used in the process in which the first ECU 10 distributes the MAC key to the second ECU 20.
  • the key exchange key is generated by the first ECU 10 and distributed to the second ECU 20.
  • As the key exchange key a common value in the automobile 1 is used.
  • MAC key RAM_KEY key
  • the MAC key is used in MAC generation processing and verification processing.
  • the MAC key is generated by the first ECU 10 and encrypted with the key exchange key, and then distributed to the second ECU 20 whose validity has been authenticated.
  • MS is a master key (MASTER_SECRET: MS).
  • the master key MS is used for generating an initial key.
  • ID a is an identifier of the second ECU 20.
  • C MASTER_ECU_KEY is a character string representing the MEK key.
  • C BOOT_MAC_KEY is a character string representing a BMK key.
  • C KEY_N is a character string representing a KEY_N key.
  • FIG. 2 is a sequence chart showing an ECU authentication method according to the present embodiment.
  • the master key MS is set in advance in the KEY_10 key of the SHE-A 13 of the key management ECU 10 when, for example, the key management ECU 10 is manufactured.
  • the initial key of the authenticated ECU 20 is calculated by the following equation (3).
  • CMAC is used as a digest.
  • the initial key of the to-be-authenticated ECU 20 is calculated by the following equation (4).
  • ECU_ID is an identifier of the authenticated ECU 20.
  • the master key MS is used for calculating the CMAC in the above equation (4).
  • the key management ECU 10 executes a process of sharing the initial key of the authenticated ECU 20, and verifies the authenticity of the authenticated ECU 20 by a challenge and response method based on the shared initial key.
  • Step S101 In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
  • Step S102 In the key management ECU 10, the CPU 11 inputs the command CMD_GENERATE_MAC (ECU_ID
  • CMD_GENERATE_MAC ECU_ID
  • Step S103 In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID
  • CMD_GENERATE_MAC ECU_ID
  • Step S104 In the key management ECU 10, the CPU 11 uses the CMAC received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (CMAC) to the SHE-A 13.
  • CMAC CMD_LOAD_PLAIN_KEY
  • Step S105 In the key management ECU 10, the SHE-A 13 registers the CMAC included in the command CMD_LOAD_PLAIN_KEY (CMAC) in the RAM_KEY key in response to the command CMD_LOAD_PLAIN_KEY (CMAC) input from the CPU 11. As a result, the initial key of the authenticated ECU 20 is registered in the RAM_KEY key of the SHE-A13. The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
  • Step S106 In the key management ECU 10, the CPU 11 inputs a command CMD_RND to the SHE-A 13.
  • Step S107 In the key management ECU 10, the SHE-A 13 generates a random number rand in response to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number rand to the CPU 11.
  • Step S108 In the key management ECU 10, the CPU 11 transmits the random number rand received from the SHE-A 13 to the authenticated ECU 20.
  • Step S109 In the authenticated ECU 20, the CPU 21 uses the random number rand received from the key management ECU 10 to input the command CMD_GENERATE_MAC (rand) to the SHE-B 23.
  • Step S110 In the authenticated ECU 20, the SHE-B 23 generates a CMAC in response to the command CMD_GENERATE_MAC (rand) input from the CPU 21. In the generation of the CMAC, the SHE-B 23 calculates the CMAC for the random number rand included in the command CMD_GENERATE_MAC (rand) using the initial key set as the KEY_1 key. The SHE-B 23 outputs the generated CMAC to the CPU 21.
  • Step S111 In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of the authenticated ECU 20 and the CMAC received from the SHE-B 23 to the key management ECU 10.
  • Step S112 In the key management ECU 10, the CPU 11 inputs a command CMD_VERIFY_MAC (rand, CMAC) to the SHE-A 13 using the random number rand transmitted to the authenticated ECU 20 and the CMAC received from the authenticated ECU 20.
  • CMD_VERIFY_MAC rand, CMAC
  • Step S113 In the key management ECU 10, the SHE-A 13 verifies the CMAC included in the command CMD_VERIFY_MAC (rand, CMAC) according to the command CMD_VERIFY_MAC (rand, CMAC) input from the CPU 11. In this CMAC verification, the SHE-A 13 uses the value registered in the RAM_KEY key, that is, the initial key of the authenticated ECU 20. The SHE-A 13 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11. When the CMAC verification result received from the SHE-A 13 is acceptable (OK), the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is successful, while the CMAC received from the SHE-A 13 is verified. When the result is rejected (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
  • FIG. 3 is a sequence chart showing a key exchange key distribution method according to the present embodiment.
  • two key exchange keys are used.
  • One first key exchange key is used for encryption processing and decryption processing.
  • the other second key exchange key is used for MAC generation processing and verification processing.
  • the first key exchange key and the second key exchange key are preferably different values.
  • the key management ECU 10 distributes the first key exchange key and the second key exchange key to the authenticated ECU 20.
  • the first key exchange key is set to the KEY_2 key of SHE-B23
  • the second key exchange key is set to the KEY_3 key of SHE-B23.
  • the distribution of the second key exchange key is the same as the distribution of the first key exchange key.
  • Step S121 In the key management ECU 10, the CPU 11 sends a command CMD_GENERATE_MAC (ECU_ID
  • CMD_GENERATE_MAC ECU_ID
  • Step S122 In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID
  • Step S123 In the key management ECU 10, the CPU 11 uses the CMAC received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (CMAC) to the SHE-A 13.
  • CMAC CMD_LOAD_PLAIN_KEY
  • Step S124 In the key management ECU 10, the SHE-A 13 registers the CMAC included in the command CMD_LOAD_PLAIN_KEY (CMAC) in the RAM_KEY key according to the command CMD_LOAD_PLAIN_KEY (CMAC) input from the CPU 11. As a result, the MEK key of SHE-B23 of the authenticated ECU 20 is registered in the RAM_KEY key of SHE-A13. The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
  • Step S125 In the key management ECU 10, the CPU 11 inputs the command CMD_RND to the SHE-A 13.
  • Step S126 In the key management ECU 10, the SHE-A 13 generates a random number rand according to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number rand to the CPU 11. This random number rand is used as the first key exchange key, that is, the KEY_2 key of the SHE-B 23 of the ECU 20 to be authenticated.
  • Step S127 In the key management ECU 10, the CPU 11 generates values M1, M2, and M3. These values M1, M2, and M3 are values for registering the random number rand received by the CPU 11 from the SHE-A 13, that is, the first key exchange key, in the KEY_2 key of the SHE-B 23 of the authenticated ECU 20.
  • the CPU 11 When generating the value M2, the CPU 11 causes the SHE-A 13 to execute an encryption process using the command “CMD_ENC_CBC with RAM_KEY”.
  • the value M2 includes the random number rand received from the SHE-A 13 by the CPU 11, that is, the first key exchange key.
  • the CPU 11 causes the SHE-A 13 to generate CMAC by the command “CMD_GENERATE_MAC with RAM_KEY”.
  • the CPU 11 transmits the generated values M1, M2, and M3 to the authenticated ECU 20.
  • Step S128) In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 received from the key management ECU 10 to input a command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23.
  • Step S129 In the to-be-authenticated ECU 20, the SHE-B 23 responds to the command CMD_LOAD_KEY (M1, M2, M3) input from the CPU 21, and the random number rand, that is, the first random number included in the command CMD_LOAD_KEY (M1, M2, M3).
  • the key exchange key is registered in the KEY_2 key.
  • the SHE-B 23 responds to the CPU 11 with the completion of registration of the KEY_2 key “OK”.
  • Step S ⁇ b> 130 In the authenticated ECU 20, the CPU 21 transmits registration completion “OK” of the first key exchange key to the key management ECU 10.
  • Step S131 In the key management ECU 10, the CPU 11 inputs a command CMD_ENC_CBC (rand) to the SHE-A 13 using the random number rand transmitted to the authenticated ECU 20, that is, the first key exchange key.
  • Step S132 In the key management ECU 10, in response to the command CMD_ENC_CBC (rand) input from the CPU 11, the SHE-A 13 uses the KEY_9 key as the random number rand, that is, the first key exchange key included in the command CMD_ENC_CBC (rand). Encrypt.
  • the KEY_9 key a value is set in advance as a mode 0 that can be used for encryption processing and decryption processing.
  • the SHE-A 13 outputs the encrypted first key exchange key to the CPU 11.
  • the CPU 11 stores the encrypted first key exchange key received from the SHE-A 13 in the storage unit 12.
  • the key management ECU 10 needs to individually create a key registration message (values M1, M2, and M3) for each authenticated ECU 20.
  • the first key exchange key is updated for the second and subsequent times, the first key exchange key of each authenticated ECU 20 (the value of the KEY_2 key of SHE-B23) is the same. For this reason, in the second and subsequent updates of the first key exchange key, it is possible to create a key registration message using the first key exchange key. There is no need to create it. This point can be similarly applied when distributing the second key exchange key.
  • FIGS. 4 and 5 are sequence charts showing a MAC key distribution method according to the present embodiment.
  • the MAC key has two requirements of “high speed processing speed” and “resistance to frequent rewriting”.
  • the KEY_N key of SHE has a limit on the number of rewrites. For this reason, in the present embodiment, the MAC key is registered in the RAM_KEY key of the SHE. By using the RAM_KEY key as the MAC key, encryption and decryption, and MAC generation and verification can be performed at high speed.
  • the SHE-B 23 of the authenticated ECU 20 is configured to authenticate the validity of the key management ECU 10. Specifically, the SHE-B 23 generates a random number, sends this random number to the key management ECU 10, the key management ECU 10 generates a CMAC of the random number and sends it to the SHE-B 23, and the SHE-B 23 verifies the CMAC. .
  • a first key exchange key (used for encryption processing and decryption processing) is registered in the KEY_2 key, and a second key exchange key (MAC generation) is registered in the KEY_3 key. Used for processing and verification processing).
  • the storage unit 12 of the key management ECU 10 stores the data (encrypted first key exchange key) obtained by encrypting the first key exchange key with the KEY_9 key of the SHE-A 13 of the key management ECU 10 and the second key exchange key.
  • the data (encrypted second key exchange key) encrypted with the KEY_9 key of the SHE-A13 of the key management ECU 10 and the non-volatile memory are stored.
  • first key exchange key has the same value as the KEY_2 key of the SHE-B 23 of the authenticated ECU 20, and is referred to as a first key exchange key KEY_2.
  • the second key exchange key has the same value as the KEY_3 key of SHE-B23 of the authenticated ECU 20, and is referred to as a second key exchange key KEY_3.
  • the first stage of the MAC key distribution process according to the present embodiment will be described with reference to FIG.
  • the first stage of the MAC key distribution process shown in FIG. 4 is started when the engine is started after elapse of a predetermined period after the engine of the automobile 1 is stopped, for example. For example, when the engine is started for the first time in a certain day, the first stage of the MAC key distribution process is started.
  • Step S141 In the key management ECU 10, the CPU 11 requests the authenticated ECU 20 for a random number.
  • Step S142 In the authenticated ECU 20, the CPU 21 inputs a command CMD_RND to the SHE-B 23 in response to a request from the key management ECU 10.
  • Step S143 In the authenticated ECU 20, the SHE-B 23 generates a random number 1 in response to the command CMD_RND input from the CPU 21. The SHE-B 23 outputs the generated random number 1 to the CPU 21.
  • Step S144 In the authenticated ECU 20, the CPU 21 transmits the random number 1 received from the SHE-B 23 and the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
  • the random number 1 generated in the SHE-B 23 and the identifier ECU_ID of the self-authenticated ECU 20 may be sent to the key management ECU 10 voluntarily from the authenticated ECU 20.
  • Step S145 In the key management ECU 10, the CPU 11 inputs the command CMD_RND to the SHE-A 13.
  • Step S146 In the key management ECU 10, the SHE-A 13 generates a random number 2 in response to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number 2 to the CPU 11. This random number 2 is used for the MAC key.
  • the CPU 11 inputs the command CMD_ENC_CBC (random number 2) to the SHE-A 13 using the random number 2 received from the SHE-A 13, that is, the MAC key.
  • the SHE-A 13 encrypts the random number 2, that is, the MAC key included in the command CMD_ENC_CBC (random number 2) with the KEY_9 key.
  • the SHE-A 13 outputs the encrypted MAC key to the CPU 11.
  • the CPU 11 stores the encrypted MAC key received from the SHE-A 13 in the storage unit 12.
  • Step S147 In the key management ECU 10, the CPU 11 uses the encrypted second key exchange key to decrypt the encrypted second key exchange key stored in the storage unit 12, and executes a command CMD_DEC_CBC ( (Encrypted second key exchange key) is input to SHE-A13.
  • CMD_DEC_CBC Encrypted second key exchange key
  • Step S148 In the key management ECU 10, the SHE-A 13 is included in the command CMD_DEC_CBC (encrypted second key exchange key) according to the command CMD_DEC_CBC (encrypted second key exchange key) input from the CPU 11.
  • the encrypted second key exchange key is decrypted with the KEY_9 key.
  • the KEY_9 key is a key used for encryption of the encrypted first key exchange key and the encrypted second key exchange key.
  • the SHE-A 13 outputs the second key exchange key KEY_3, which is the result of decryption of the encrypted second key exchange key, to the CPU 11.
  • Step S149 In the key management ECU 10, the CPU 11 inputs the command CMD_LOAD_PLAIN_KEY (KEY_3) to the SHE-A13 using the second key exchange key KEY_3 received from the SHE-A13.
  • Step S150 In the key management ECU 10, the SHE-A 13 registers the second key exchange key KEY_3 included in the command CMD_LOAD_PLAIN_KEY (KEY_3) in the RAM_KEY key according to the command CMD_LOAD_PLAIN_KEY (KEY_3) input from the CPU 11. .
  • the SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
  • Step S151 In the key management ECU 10, the CPU 11 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the random number 2 received by the CPU 11 from the SHE-A 13, that is, the MAC key, into the RAM_KEY key of the SHE-B 23 of the ECU 20 to be authenticated.
  • the CPU 11 When generating the value M2, the CPU 11 causes the SHE-A 13 to execute an encryption process using the command “CMD_ENC_CBC with RAM_KEY”.
  • the value M2 includes the random number 2 that the CPU 11 received from the SHE-A 13, that is, the MAC key.
  • the CPU 11 When generating the value M3, the CPU 11 causes the SHE-A 13 to generate CMAC by the command “CMD_GENERATE_MAC with RAM_KEY”. Further, the CPU 11 inputs a command CMD_GENERATE_MAC (random number 1) to the SHE-A 13 using the random number 1 received from the authenticated ECU 20.
  • Step S152 In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (random number 1) input from the CPU 11. In this CMAC generation, the SHE-A 13 generates a random number 1 CMAC using the RAM_KEY key, that is, the second key exchange key KEY_3. The SHE-A 13 outputs the generated CMAC of the random number 1 to the CPU 11.
  • Step S153 In the key management ECU 10, the CPU 11 transmits the generated values M1, M2, and M3 and the CMAC of the random number 1 received from the SHE-A 13 to the authenticated ECU 20.
  • Step S154 In the authenticated ECU 20, the CPU 21 inputs a command CMD_VERIFY_MAC to the SHE-A 13 in order to verify the CMAC received from the key management ECU 10.
  • Step S155 In the authenticated ECU 20, the SHE-B 23 verifies the CMAC included in the command CMD_VERIFY_MAC according to the command CMD_VERIFY_MAC input from the CPU 21. In this CMAC verification, the SHE-B 23 uses the random number 1 generated by itself and the KEY_3 key, that is, the second key exchange key KEY_3. The SHE-B 23 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 21.
  • the CPU 21 determines that the authentication of the validity of the key management ECU 10 is successful, while verifying the CMAC received from the SHE-B 23 If the result is rejected (NG), it is determined that the authenticity of the key management ECU 10 is rejected. If the authentication of the validity of the key management ECU 10 is successful, the process proceeds to step S156. On the other hand, if the authentication of the validity of the key management ECU 10 fails, the process of FIG. 4 is terminated.
  • Step S156 In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 received from the key management ECU 10 to input a command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23.
  • Step S157 In the ECU 20 to be authenticated, the SHE-B 23 responds to the command CMD_LOAD_KEY (M1, M2, M3) input from the CPU 21, and the random number 2, that is, the MAC key included in the command CMD_LOAD_KEY (M1, M2, M3). Is registered in the RAM_KEY key. The SHE-B 23 returns a RAM_KEY key registration completion “OK” to the CPU 21.
  • the second stage of the MAC key distribution process is performed after the MAC key is registered in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20 in the first stage of the MAC key distribution process shown in FIG.
  • the authenticated ECU 20 stores the values M1, M2, and M3 received from the key management ECU 10 in step S153 of the first stage of the MAC key distribution process in the nonvolatile memory of the storage unit 22.
  • the second stage of the MAC key distribution process shown in FIG. 5 is started when the engine is restarted within a predetermined period after the engine is stopped by parking or the like when the automobile 1 is traveling.
  • Step S171 In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 stored in the nonvolatile memory of the storage unit 22 to input the command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23. To do.
  • Step S 172 In the authenticated ECU 20, the SHE-B 23 responds to the command CMD_LOAD_KEY (M 1, M 2, M 3) input from the CPU 21 and the random number 2 included in the command CMD_LOAD_KEY (M 1, M 2, M 3), that is, the MAC key Is registered in the RAM_KEY key.
  • the SHE-B 23 returns a RAM_KEY key registration completion “OK” to the CPU 21.
  • Step S173 In the authenticated ECU 20, the CPU 21 inputs the command CMD_RND to the SHE-B23.
  • Step S174 In the authenticated ECU 20, the SHE-B 23 generates a random number 1 in response to the command CMD_RND input from the CPU 21. The SHE-B 23 outputs the generated random number 1 to the CPU 21.
  • Step S175) In the authenticated ECU 20, the CPU 21 inputs the command CMD_GENERATE_MAC (ECU_ID, random number 1) to the SHE-B 23 using the identifier ECU_ID of the ECU 20 to be authenticated and the random number 1.
  • CMD_GENERATE_MAC ECU_ID, random number 1
  • Step S176 In the authenticated ECU 20, the SHE-B 23 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID, random number 1) input from the CPU 21. In the generation of the CMAC, the SHE-B 23 generates the CMAC for the ECU_ID and the random number 1 using the RAM_KEY key, that is, the MAC key. For example, the CMAC for the concatenated data of ECU_ID and random number 1 is generated. The SHE-B 23 outputs the generated CMAC to the CPU 21.
  • CMD_GENERATE_MAC ECU_ID, random number 1
  • Step S177 In the authenticated ECU 20, the CPU 21 transmits the random number 1 received from the SHE-B 23, the identifier ECU_ID of its own authenticated ECU 20 and the CMAC received from the SHE-B 23 to the key management ECU 10.
  • Step S178 In the key management ECU 10, the CPU 11 uses the encrypted MAC key to decrypt a command CMD_DEC_CBC (encrypted) in order to decrypt the encrypted MAC key stored in the storage unit 12.
  • MAC key is input to SHE-A13.
  • the SHE-A 13 decrypts the encrypted MAC key included in the command CMD_DEC_CBC (encrypted MAC key) with the KEY_9 key.
  • the KEY_9 key is a key used for encrypting the encrypted MAC key.
  • the SHE-A 13 outputs a MAC key, which is a result of decryption of the encrypted MAC key, to the CPU 11.
  • the CPU 11 uses the MAC key received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (MAC key) to the SHE-A 13.
  • the SHE-A 13 registers the MAC key included in the command CMD_LOAD_PLAIN_KEY (MAC key) in the RAM_KEY key.
  • the SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
  • the CPU 11 inputs a command CMD_VERIFY_MAC (CMAC) to the SHE-A 13 using the random number 1 received from the authenticated ECU 20, the identifier ECU_ID of the authenticated ECU 20, and the CMAC.
  • CMAC command CMD_VERIFY_MAC
  • Step S179 In the key management ECU 10, the SHE-A 13 verifies the CMAC included in the command CMD_VERIFY_MAC (CMAC) according to the command CMD_VERIFY_MAC (CMAC) input from the CPU 11. In this CMAC verification, the SHE-A 13 uses the random number 1 included in the command CMD_VERIFY_MAC (CMAC), the identifier ECU_ID of the ECU 20 to be authenticated, and the MAC key registered in the RAM_KEY key.
  • the SHE-A 13 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11.
  • the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is successful, while the CMAC received from the SHE-A 13 is verified.
  • the result is rejected (NG) it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected. If the authentication of the authenticator ECU 20 is successful, the process proceeds to step S180.
  • the process of FIG. When the authenticity of the authenticated ECU 20 is unacceptable, the first stage of the MAC key distribution process shown in FIG. 4 may be performed.
  • steps S180 to S186 are executed.
  • Steps S180 to S186 are the same as steps S151 to S157 shown in FIG.
  • the values M1, M2, and M3 generated in step S180 are values for registering the new MAC key in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20.
  • the new random number 2 generated by the SHE-A 13 may be used in the same manner as in steps S145 to S146 shown in FIG.
  • the update to the new MAC key is performed by the second stage of the MAC key distribution process shown in FIG.
  • step S180 of FIG. 5 described above the CMAC of the random number 1 is generated. If the CMAC verification result is acceptable (OK) in step S179, a character string indicating that the CMAC verification is successful, for example, “ A CMAC for “OK” and the identifier ECU_ID of the authenticated ECU 20 may be generated. For example, the CMAC for the concatenated data between the character string “OK” and the identifier ECU_ID of the authenticated ECU 20 is generated.
  • step S180 of FIG. 5 described above the new MAC key is updated. If the CMAC verification result is OK (OK) in step S179, the SHE is not performed without performing the update to the new MAC key. -The MAC key currently registered in the RAM_KEY key of B23 may be used. As a result, there is no need to send the values M1, M2 and M3 from the key management ECU 10 to the authenticated ECU 20, so that the processing speed can be increased.
  • the key management ECU 10 may transmit only the values M2 and M3 to the authenticated ECU 20, and may not transmit the value M1 to the authenticated ECU 20.
  • the authenticated ECU 20 uses the value M1 calculated by itself and the values M2 and M3 received from the key management ECU 10 in combination. As a result, there is no need to send the value M1 from the key management ECU 10 to the authenticated ECU 20, so that the processing speed can be increased.
  • FIG. 6 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment.
  • SHE is used as the cryptographic processing chip.
  • HSM Hardware Security Module
  • Evita-medium is used as the cryptographic processing chip. use.
  • the first ECU 10 includes a CPU 11, a storage unit 12, and an HSM 14.
  • the HSM 14 is an HSM called “Evita-medium”.
  • the HSM 14 has a cryptographic processing function.
  • HSM14 has tamper resistance.
  • the HSM 14 is an example of a secure element.
  • the second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
  • FIG. 7 is a sequence chart showing an ECU authentication method according to the present embodiment.
  • the master key MS is set in the HSM 14 of the key management ECU 10 in advance, for example, when the key management ECU 10 is manufactured.
  • Step S201 In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
  • Step S202 In the key management ECU 10, the CPU 11 inputs the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the HSM 14.
  • Step S203 In the key management ECU 10, the HSM 14 generates an initial key of the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 input from the CPU 11 and the master key MS held by itself.
  • the CMAC is calculated by the above equation (4). This calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE-B 23 of the authenticated ECU 20.
  • the initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1.
  • the HSM 14 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Further, the HSM 14 generates a random number rand. The HSM 14 outputs the generated random number rand to the CPU 11. The HSM 14 stores the generated random number rand in its own memory.
  • Step S204 In the key management ECU 10, the CPU 11 transmits the random number rand received from the HSM 14 to the ECU 20 to be authenticated.
  • Steps S205 to S207 are the same as steps S109 to S111 shown in FIG.
  • Step S208 In the key management ECU 10, the CPU 11 inputs the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the HSM 14.
  • Step S209 In the key management ECU 10, the HSM 14 verifies the CMAC input from the CPU 11. In this CMAC verification, the HSM 14 calculates the CMAC for the random number rand stored in its own memory using the initial key KEY_1 stored in its own memory. Next, the HSM 14 compares the calculated CMAC with the CMAC input from the CPU 11. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The HSM 14 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11.
  • the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is acceptable, while the verification result of the CMAC received from the HSM 14 is unacceptable. In the case of (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 has failed.
  • FIG. 8 is a sequence chart showing the key exchange key distribution method according to the present embodiment.
  • the first key exchange key (the key used for the encryption process and the decryption process)
  • the second key exchange key (used for the MAC generation process and the verification process). Key).
  • the distribution of the second key exchange key is the same as the distribution of the first key exchange key.
  • Step S211 In the key management ECU 10, the CPU 11 inputs a key exchange key creation request (ECU_ID) to the HSM 14 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
  • ECU_ID key exchange key creation request
  • Step S212 In the key management ECU 10, the HSM 14 generates values M1, M2, and M3.
  • the values M1, M2, and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE-B 23 of the authenticated ECU 20.
  • the HSM 14 generates a MEK key from the master key MS.
  • the HSM 14 generates a random number and uses the generated random number as the first key exchange key.
  • the HSM 14 may generate the first key exchange key from the master key MS.
  • the HSM 14 stores the first key exchange key in its own memory.
  • the HSM 14 outputs the generated values M1, M2, and M3 to the CPU 11.
  • Step S213 In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the HSM 14 to the authenticated ECU 20.
  • Steps S214 to S216 are the same as steps S128 to S130 shown in FIG.
  • the key registration message (values M1, M2, and M3) is generated by using the registered first key exchange key.
  • M1, M2 and M3) can be commonly used for each ECU 20 to be authenticated.
  • the key registration message (values M1, M2, and M3) can be broadcast. This point can be similarly applied when distributing the second key exchange key.
  • FIGS. 9 and 10 are sequence charts showing the MAC key distribution method according to the present embodiment.
  • a first key exchange key (used for encryption processing and decryption processing) is registered in the KEY_2 key
  • a second key exchange key (MAC generation) is registered in the KEY_3 key. Used for processing and verification processing).
  • the HSM 14 of the key management ECU 10 stores the first key exchange key and the second key exchange key in its own memory.
  • first key exchange key has the same value as the KEY_2 key of the SHE-B 23 of the authenticated ECU 20, and is referred to as a first key exchange key KEY_2.
  • the second key exchange key has the same value as the KEY_3 key of SHE-B23 of the authenticated ECU 20, and is referred to as a second key exchange key KEY_3.
  • the first stage of the MAC key distribution process according to the present embodiment will be described with reference to FIG.
  • the first stage of the MAC key distribution process shown in FIG. 9 is started when the engine is started after elapse of a predetermined period after the engine of the automobile 1 is stopped, for example. For example, when the engine is started for the first time in a certain day, the first stage of the MAC key distribution process is started.
  • Steps S231 to S234 are executed. Steps S231 to S234 are the same as steps S141 to S144 shown in FIG.
  • Step S ⁇ b> 235 In the key management ECU 10, the CPU 11 inputs the random number 1 received from the authenticated ECU 20 to the HSM 14.
  • Step S236 In the key management ECU 10, the HSM 14 generates a random number and uses the generated random number as the MAC key.
  • the HSM 14 stores the MAC key in its own memory.
  • HSM 14 generates values M1, M2 and M3.
  • the values M1, M2, and M3 are values for registering the MAC key in the RAM_KEY key of the SHE-B23 of the ECU 20 to be authenticated.
  • the HSM 14 generates values M1, M2, and M3 using the first key exchange key KEY_2 stored in its own memory.
  • the HSM 14 generates a CMAC for the random number 1 input from the CPU 11. In the generation of the CMAC, the HSM 14 generates the CMAC of the random number 1 using the second key exchange key KEY_3 stored in its own memory.
  • the HSM 14 outputs the generated values M1, M2, and M3 and CMAC to the CPU 11.
  • Step S237) In the key management ECU 10, the CPU 11 transmits the values M1, M2, M3 and CMAC received from the HSM 14 to the authenticated ECU 20.
  • Steps S238 to S241 are the same as steps S154 to S157 shown in FIG.
  • Step S ⁇ b> 242 In the authenticated ECU 20, the CPU 21 transmits a MAC key registration completion “OK” to the key management ECU 10.
  • the second stage of the MAC key distribution process is performed after the MAC key is registered in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20 in the first stage of the MAC key distribution process shown in FIG.
  • the authenticated ECU 20 stores the values M1, M2, and M3 received from the key management ECU 10 in step S237 of the first stage of the MAC key distribution process in the nonvolatile memory of the storage unit 22.
  • the second stage of the MAC key distribution process shown in FIG. 10 is started when the engine is restarted within a predetermined period after the engine is stopped by parking or the like when the automobile 1 is traveling.
  • Steps S261 to S267 are executed. Steps S261 to S267 are the same as steps S171 to S177 shown in FIG.
  • Step S268 In the key management ECU 10, the CPU 11 inputs the random number 1 received from the authenticated ECU 20, the identifier ECU_ID and CMAC of the authenticated ECU 20 to the HSM 14.
  • Step S269) In the key management ECU 10, the HSM 14 verifies the CMAC input from the CPU 11. In this CMAC verification, the HSM 14 uses a MAC key stored in its own memory.
  • the HSM 14 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11.
  • the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is acceptable, while the verification result of the CMAC received from the HSM 14 is unacceptable.
  • (NG) it is determined that the authentication of the authenticity of the authenticated ECU 20 has failed. If the authenticity of the authenticated ECU 20 is passed, the subsequent processing is executed.
  • the process of FIG. When the authenticity of the authenticated ECU 20 is unacceptable, the first stage of the MAC key distribution process shown in FIG. 9 may be performed.
  • the HSM 14 generates a CMAC for the random number 1 input from the CPU 11. In the generation of the CMAC, the HSM 14 generates the CMAC of the random number 1 using the second key exchange key KEY_3 stored in its own memory.
  • the HSM 14 generates a new MAC key and generates values M1, M2 and M3.
  • the values M1, M2, and M3 are values for registering a new MAC key in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20.
  • a new random number is generated for the new MAC key, and the generated random number is used as the new MAC key. If the MAC key of the authenticated ECU 20 is not updated to a new MAC key, the generation of a new MAC key and the values M1, M2, and M3 are not performed.
  • the HSM 14 outputs the generated CMAC and the values M1, M2, and M3 to the CPU 11.
  • Step S270 In the key management ECU 10, the CPU 11 transmits the values M1, M2, M3 and CMAC received from the HSM 14 to the authenticated ECU 20.
  • Steps S271 to S275 are the same as steps S238 to S242 shown in FIG.
  • the update to the new MAC key is performed by the second stage of the MAC key distribution process shown in FIG.
  • FIG. 11 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment.
  • parts corresponding to those in FIG. 1 are given the same reference numerals, and explanation thereof is omitted.
  • parts different from the first embodiment will be mainly described.
  • the automobile 1 includes a communication module 40.
  • the communication module 40 performs wireless communication using a wireless communication network.
  • the communication module 40 includes a SIM (Subscriber Identity Module) 41.
  • the SIM 41 is a SIM in which information for using the wireless communication network is written.
  • the communication module 40 can perform wireless communication by connecting to the wireless communication network by using the SIM 41.
  • SIM 41 Embedded Subscriber Identity Module
  • SIM and eSIM have tamper resistance.
  • SIM and eSIM are examples of secure elements.
  • SIM and eSIM are a kind of computer, and a desired function is realized by a computer program.
  • the communication module 40 is connected to the first ECU 10.
  • the first ECU 10 exchanges data with the communication module 40.
  • the communication module 40 is connected to or provided in another device such as an infotainment device provided in the automobile 1, and the first ECU 10 is connected to the other device such as the infotainment device via Data may be exchanged with the communication module 40.
  • a communication module 40 is provided in a device external to the automobile 1 connected to a diagnostic port of the automobile 1, for example, a diagnostic port called an OBD (On-board Diagnostics) port, and the first ECU 10 passes through the diagnostic port.
  • OBD On-board Diagnostics
  • the data may be exchanged with the communication module 40 of the external device connected to the diagnostic port.
  • the first ECU 10 may include a communication module 40 including the SIM 41.
  • the SIM 41 provided in the communication module 40 is used, but an IC (Integrated Circuit) chip having tamper resistance may be used instead of the SIM.
  • an IC chip incorporated in an IC card may be used.
  • the first ECU 10 includes a CPU 11, a storage unit 12, and a SHE 13.
  • the second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
  • FIG. 12 is a sequence chart showing an ECU authentication method according to the present embodiment.
  • the master key MS is set in the SIM 41 of the communication module 40 in advance, for example, when the SIM 41 is manufactured. Since the SIM 41 has a relatively robust tamper resistance, the security of the master key MS is high.
  • the key management ECU 10 exchanges data with the SIM 41 via the communication module 40. Legitimacy authentication is performed between the key management ECU 10 and the SIM 41. When the validity authentication between the key management ECU 10 and the SIM 41 passes, the exchange of data between the key management ECU 10 and the SIM 41 is performed safely. On the other hand, when the authentication of the legitimacy between the key management ECU 10 and the SIM 41 fails, the exchange of data between the key management ECU 10 and the SIM 41 is restricted.
  • Step S301 In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
  • Step S302 In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
  • Step S303 The SIM 41 generates an initial key of the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 received from the key management ECU 10 and the master key MS held by itself.
  • the CMAC is calculated by the above equation (4).
  • the calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE 23 of the authenticated ECU 20.
  • the initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1.
  • the SIM 41 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Also, the SIM 41 generates a random number rand.
  • the SIM 41 transmits the generated random number rand to the key management ECU 10.
  • the SIM 41 stores the generated random number rand in its own memory.
  • Step S304 In the key management ECU 10, the CPU 11 transmits the random number rand received from the SIM 41 to the ECU 20 to be authenticated.
  • Steps S305 to S307 are the same as steps S109 to S111 shown in FIG.
  • Step S308 In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
  • Step S309 The SIM 41 verifies the CMAC received from the key management ECU 10. In this CMAC verification, the SIM 41 calculates the CMAC for the random number rand stored in its own memory, using the initial key KEY_1 stored in its own memory. Next, the SIM 41 compares the calculated CMAC with the CMAC received from the key management ECU 10. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The SIM 41 transmits the CMAC verification result “pass (OK) or fail (NG)” to the key management ECU 10.
  • the CPU 11 of the key management ECU 10 determines that the authenticity of the authenticated ECU 20 is valid, while verifying the CMAC received from the HSM 14.
  • the result is rejected (NG) it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
  • FIG. 13 is a sequence chart showing the key exchange key distribution method according to the present embodiment.
  • the first key exchange key (the key used for the encryption process and the decryption process)
  • the second key exchange key (used for the MAC generation process and the verification process). Key).
  • the distribution of the second key exchange key is the same as the distribution of the first key exchange key.
  • Step S311 In the key management ECU 10, the CPU 11 transmits a key exchange key creation request (ECU_ID) to the SIM 41 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
  • ECU_ID key exchange key creation request
  • Step S312 The SIM 41 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated.
  • the SIM 41 generates a MEK key from the master key MS.
  • the SIM 41 generates a random number and uses the generated random number as the first key exchange key.
  • the SIM 41 may generate a first key exchange key from the master key MS.
  • the SIM 41 stores the first key exchange key in its own memory.
  • the SIM 41 transmits the generated values M1, M2, and M3 to the key management ECU 10.
  • Step S313 In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the SIM 41 to the authenticated ECU 20. Using the values M1, M2, and M3 received from the SIM 41, the CPU 11 causes the SHE 13 to generate data (encrypted first key exchange key) obtained by encrypting the first key exchange key with the KEY_9 key of the SHE 13. . The CPU 11 stores the encrypted first key exchange key generated by the SHE 13 in the storage unit 12.
  • Steps S314 to S316 are the same as steps S128 to S130 shown in FIG.
  • the key exchange key distribution process of the first embodiment shown in FIG. 3 can be applied to the distribution of the first key exchange key for the second and subsequent times.
  • the key management ECU 10 is set in the first first key exchange key distribution by the key exchange key distribution process of the present embodiment shown in FIG. This is because the values M1, M2, and M3 can be generated using the first key exchange key. This point can be similarly applied when distributing the second key exchange key.
  • the MAC key distribution process of the first embodiment shown in FIGS. 4 and 5 can be applied to the distribution of the MAC key of the third embodiment.
  • FIG. 14 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment.
  • FIG. 11 parts corresponding to those in FIG. 6 are given the same reference numerals, and explanation thereof is omitted.
  • parts different from the second embodiment will be mainly described.
  • the automobile 1 includes a communication module 40.
  • the communication module 40 performs wireless communication using a wireless communication network.
  • the communication module 40 includes a SIM 41.
  • the SIM 41 is a SIM in which information for using the wireless communication network is written.
  • the communication module 40 can perform wireless communication by connecting to the wireless communication network by using the SIM 41.
  • SIM41 SIM and eSIM have tamper resistance.
  • SIM and eSIM are examples of secure elements.
  • SIM and eSIM are a kind of computer, and a desired function is realized by a computer program.
  • the communication module 40 is connected to the first ECU 10.
  • the first ECU 10 exchanges data with the communication module 40.
  • the communication module 40 is connected to or provided in another device such as an infotainment device provided in the automobile 1, and the first ECU 10 is connected to the other device such as the infotainment device via Data may be exchanged with the communication module 40.
  • a communication module 40 is provided in a device external to the automobile 1 connected to a diagnostic port of the automobile 1, for example, a diagnostic port called an OBD port, and the first ECU 10 is connected to the diagnostic port via the diagnostic port.
  • the data may be exchanged with the communication module 40 of the external device.
  • the first ECU 10 may include a communication module 40 including the SIM 41.
  • the SIM 41 provided in the communication module 40 is used, but an IC chip having tamper resistance may be used instead of the SIM.
  • an IC chip incorporated in an IC card may be used.
  • the first ECU 10 includes a CPU 11, a storage unit 12, and an HSM 14.
  • the second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
  • FIG. 15 is a sequence chart showing an ECU authentication method according to the present embodiment.
  • the master key MS is set in the SIM 41 of the communication module 40 in advance, for example, when the SIM 41 is manufactured. Since the SIM 41 has a relatively robust tamper resistance, the security of the master key MS is high.
  • the key management ECU 10 exchanges data with the SIM 41 via the communication module 40. Legitimacy authentication is performed between the key management ECU 10 and the SIM 41. When the validity authentication between the key management ECU 10 and the SIM 41 passes, the exchange of data between the key management ECU 10 and the SIM 41 is performed safely. On the other hand, when the authentication of the legitimacy between the key management ECU 10 and the SIM 41 fails, the exchange of data between the key management ECU 10 and the SIM 41 is restricted.
  • Step S401 In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
  • Step S402 In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
  • Step S403 The SIM 41 generates an initial key for the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 received from the key management ECU 10 and the master key MS held by itself.
  • the CMAC is calculated by the above equation (4).
  • the calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE 23 of the authenticated ECU 20.
  • the initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1.
  • the SIM 41 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Also, the SIM 41 generates a random number rand.
  • the SIM 41 transmits the generated random number rand to the key management ECU 10.
  • the SIM 41 stores the generated random number rand in its own memory.
  • Step S404 In key management ECU10, CPU11 transmits the random number rand received from SIM41 to to-be-authenticated ECU20.
  • Steps S405 to S407 are the same as steps S205 to S207 shown in FIG.
  • Step S ⁇ b> 408 In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
  • Step S409 The SIM 41 verifies the CMAC received from the key management ECU 10. In this CMAC verification, the SIM 41 calculates the CMAC for the random number rand stored in its own memory, using the initial key KEY_1 stored in its own memory. Next, the SIM 41 compares the calculated CMAC with the CMAC received from the key management ECU 10. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The SIM 41 transmits the CMAC verification result “pass (OK) or fail (NG)” to the key management ECU 10.
  • the CPU 11 of the key management ECU 10 determines that the authenticity of the authenticated ECU 20 is valid, while verifying the CMAC received from the HSM 14.
  • the result is rejected (NG) it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
  • FIGS. 16 and 17 are sequence charts showing a key exchange key distribution method according to the present embodiment.
  • the first key exchange key (the key used for the encryption process and the decryption process)
  • the second key exchange key (the MAC generation process and the verification process are used). Key).
  • Step S411 In the key management ECU 10, the CPU 11 transmits a key exchange key creation request (ECU_ID) to the SIM 41 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
  • ECU_ID key exchange key creation request
  • Step S412 The SIM 41 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated.
  • the SIM 41 generates a MEK key from the master key MS.
  • the SIM 41 generates a random number and uses the generated random number as the first key exchange key.
  • the SIM 41 may generate a first key exchange key from the master key MS.
  • the SIM 41 stores the first key exchange key in its own memory.
  • the SIM 41 transmits the generated values M1, M2, and M3 to the key management ECU 10.
  • Step S413 In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the SIM 41 to the authenticated ECU 20.
  • the CPU 11 causes the HSM 14 to acquire the first key exchange key using the values M1, M2, and M3 received from the SIM 41.
  • the HSM 14 stores the first key exchange key in its own memory.
  • Steps S414 to S416 are the same as steps S214 to S216 shown in FIG.
  • the key exchange key distribution process shown in FIG. 17 can be applied to the distribution of the first key exchange key for the second and subsequent times. This is because the key management ECU 10 is set in the first delivery of the first key exchange key by the key exchange key delivery process of the present embodiment shown in FIG. This is because the values M1, M2, and M3 can be generated using the first key exchange key. This point can be similarly applied when distributing the second key exchange key. With reference to FIG. 17, the second and subsequent delivery of the first key exchange key will be described.
  • Step S421 In the key management ECU 10, the CPU 11 inputs a key exchange key creation request to the HSM 14.
  • Step S422 In the key management ECU 10, the HSM 14 generates values M1, M2 and M3. These values M1, M2, and M3 are values for registering a new first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated.
  • the HSM 14 generates a random number and uses the generated random number as a new first key exchange key.
  • the HSM 14 stores the new first key exchange key in its own memory.
  • the HSM 14 outputs the generated values M1, M2, and M3 to the CPU 11.
  • Step S423 In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the HSM 14 to the authenticated ECU 20.
  • Steps S424 to S426 are the same as steps S214 to S216 shown in FIG.
  • the MAC key distribution process of the second embodiment shown in FIGS. 9 and 10 can be applied to the distribution of the MAC key of the fourth embodiment.
  • the initial key is used for authenticating the validity of the ECU. For this reason, considering the influence when the initial key is leaked, it is preferable to have a different initial key for each ECU so that the initial key can be managed in units of ECUs. In this case, a method of sharing an initial key between the key management ECU 10 and each authenticated ECU 20 is a problem.
  • an initial key generation method for solving the problem will be described.
  • the initial key is calculated by the following equation using the master key MS and the identifier ECU_ID of the ECU to be authenticated.
  • Initial key digest (MS, ECU_ID)
  • the digest is, for example, CMAC.
  • the digest is, for example, an exclusive OR. This initial key has a different value for each ECU.
  • the master key MS is securely stored in the key management ECU 10 or the SIM 41, leakage of the initial key can be prevented.
  • the key management ECU 10 when the key management ECU 10 securely stores the master key MS, the key management ECU 10 acquires the identifier ECU_ID of the authenticated ECU 20, generates an initial key of the authenticated ECU 20, and generates the generated initial key. It can be safely shared with the authentication ECU 20.
  • the initial key writing device is provided in the ECU vendor.
  • the initial key writing device includes a master key MS, generates an initial key of the authenticated ECU 20 using the master key MS and the input identifier ECU_ID of the authenticated ECU 20, and generates the generated initial key. Write to the authentication ECU 20.
  • the master key MS is securely stored.
  • the master key writing device includes an ECU vendor of the key management ECU 10 in which the master key MS is set, a SIM vendor of the SIM 41 in which the master key MS is set, and a vendor such as an IC card including an IC chip in which the master key MS is set. Provided.
  • the master key writing device generates a master key MS and writes the generated master key MS to the device to be written. In the master key writing device, generation and storage of the master key MS are performed securely.
  • a xor B is an exclusive OR of the value A and the value B.
  • the master key writing device it is included in the generation condition of the master key MS that each value A, B, C is input separately.
  • the master key writing device generates the master key MS only when the values A, B, and C are separately input by different user IDs that have been authenticated. Thereby, leakage of the master key MS can be suppressed.
  • the formula for calculating the master key MS is not limited to the exclusive OR operation described above.
  • the calculation formula for the master key MS may be a calculation formula that can be generated only when a plurality of values, for example, the values A, B, and C are all obtained.
  • the ECU vendor may obtain a list of ECU identifiers ECU_ID from the ECU manufacturer, generate a list of initial keys corresponding to each identifier ECU_ID, and provide the generated initial key list to the ECU manufacturer.
  • the initial key of the authenticated ECU 20 once authenticated after being mounted on the automobile 1 may be deleted from the authenticated ECU 20. Thereby, for example, it is possible to prevent the initial key from leaking from the second ECU 20 removed from the automobile 1 by replacing the second ECU 20.
  • a management server that manages the authentication performance of the authenticated ECU 20 may be provided so that the authentication status of the authenticated ECU 20 can be grasped by the management server.
  • FIG. 18 is a diagram illustrating a configuration example of the key generation device 100 according to the present embodiment.
  • the key generation device 100 includes an input unit 101, a digest calculation unit 102, an output unit 103, and a master key storage unit 104.
  • the input unit 101 inputs information used for key generation.
  • the master key storage unit 104 stores a master key used for key generation.
  • the digest calculation unit 102 calculates a digest using the information input by the input unit 101 and the master key stored in the master key storage unit 104.
  • the output unit 103 outputs the digest (key) calculated by the digest calculation unit 102.
  • the key generation device 100 calculates a key by the following equation.
  • Key digest (master key, ECU identifier, N_key)
  • the master key is a master key stored in the master key storage unit 104.
  • the ECU identifier is an identifier of the ECU that stores the key.
  • N_key is a variable representing the type of key. Examples of the digest include a value calculated by a hash function, a value calculated by an exclusive OR operation, or CMAC.
  • FIG. 19 is a sequence chart illustrating an example of a key generation method according to the present embodiment.
  • FIG. 19 shows an example of a procedure for generating a key (initial key) to be initially set for the SHE 23 of the second ECU 20.
  • the value K MASTER_ECU_KEY is initially set to the MEK key
  • the value K BOOT_MAC_KEY is initially set to the BMK key
  • the value K is set to the SHE 23 of the second ECU 20.
  • KEY ⁇ N> is initialized to the KEY_N key.
  • the master key storage unit 104 of the key generation device 100 stores a master key MS in advance.
  • the procedure of the key generation method in FIG. 19 may be applied to the second ECU 20 mounted on the automobile 1 in the automobile manufacturing process, for example, in an automobile manufacturing factory.
  • the key generation device 100 communicates with the automobile 1 by wire or wirelessly, and transmits / receives data to / from the second ECU 20 mounted on the automobile 1.
  • Step S1000 The input unit 101 of the key generation device 100 accepts designation of a variable N_key.
  • the variable N_key representing the MEK key is a character string C MASTER_ECU_KEY .
  • a variable N_key representing the BMK key is a character string C BOOT_MAC_KEY .
  • a variable N_key representing the KEY_N key is a character string C KEY_N .
  • the designation of the variable N_key may be one or more.
  • the key generation device 100 generates a key for the specified variable N_key. Note that a key type variable N_key to be generated may be specified in advance for the key generation device 100.
  • Step S1001 The input unit 101 of the key generation device 100 acquires the ECU identifier ECUID of the second ECU 20 to which the initial key is stored. Note that the ECU identifier ECUID of the second ECU 20 that stores the initial key may be set in advance for the key generation device 100.
  • Step S1002 The digest calculation unit 102 of the key generation device 100 specifies the master key MS stored in the master key storage unit 104, the ECU identifier ECUID of the second ECU 20 that stores the initial key, and the specified key “Digest (MS, ECUID, N_key)” is calculated using the variable N_key.
  • Step S1003 The output unit 103 of the key generation device 100 outputs the “digest (MS, ECUID, N_key)” calculated by the digest calculation unit 102 as an initial key of the type represented by the variable N_key.
  • the second ECU 20 receives the output initial key.
  • Step S1004 The second ECU 20 stores the initial key received from the key generation device 100 in the SHE 23 as a corresponding type of key of the SHE 23.
  • an initial key may be generated and set for the SHE 13 of the first ECU 10 as well as the second ECU 20 described above.
  • a plurality of types of keys can be flexibly generated from the same master key and ECU identifier by changing the variable N_key.
  • an automobile is taken as an example of a vehicle, but the present invention can also be applied to other vehicles such as a motorbike and a railway vehicle.
  • a computer program for realizing the functions of each device described above may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read into a computer system and executed.
  • the “computer system” may include an OS and hardware such as peripheral devices.
  • “Computer-readable recording medium” refers to a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a DVD (Digital Versatile Disc), and a built-in computer system.
  • a storage device such as a hard disk.
  • the “computer-readable recording medium” means a volatile memory (for example, DRAM (Dynamic DRAM) in a computer system that becomes a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. Random Access Memory)), etc., which hold programs for a certain period of time.
  • the program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium.
  • the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
  • the program may be for realizing a part of the functions described above. Furthermore, what can implement
  • the present invention can also be applied to uses where it is essential to improve the safety of data.
  • SYMBOLS 1 Motor vehicle, 10 ... 1st ECU (key management ECU), 11, 21 ... CPU, 12, 22 ... Memory

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Lock And Its Accessories (AREA)

Abstract

In an SHE_B, an initial key is set to a KEY_N key usable in a verification process and generation process for a message authentication code. In an SHE_A, a master key used together with the identifier of an ECU to be authenticated in the generation of the message authentication code used as the initial key is set to a KEY_N key usable in the verification process and generation process for the message authentication code. In a CPU, the message authentication code for the identifier of the ECU to be authenticated is generated by the SHE-A using the master key, and a process to authenticate the validity of the ECU to be authenticated is executed using the generated message authentication code.

Description

車載コンピュータシステム、車両、鍵生成装置、管理方法、鍵生成方法、及びコンピュータプログラムIn-vehicle computer system, vehicle, key generation device, management method, key generation method, and computer program
 本発明は、車載コンピュータシステム、車両、鍵生成装置、管理方法、鍵生成方法、及びコンピュータプログラムに関する。
 本願は、2016年1月18日に日本に出願された特願2016-007432号と、2016年7月29日に日本に出願された特願2016-150269号とに基づき優先権を主張し、その内容をここに援用する。 The present invention relates to an in-vehicle computer system, a vehicle, a key generation device, a management method, a key generation method, and a computer program.
This application claims priority based on Japanese Patent Application No. 2016-007432 filed in Japan on January 18, 2016 and Japanese Patent Application No. 2016-150269 filed in Japan on July 29, 2016. The contents are incorporated here.
 従来、自動車は、ECU(Electronic Control Unit:電子制御装置)を有し、ECUによってエンジン制御等の機能を実現する。ECUは、コンピュータの一種であり、コンピュータプログラムによって所望の機能を実現する。複数のECUをCAN(Controller Area Network)に接続して構成される車載制御システムについてのセキュリティ技術が例えば非特許文献1に記載されている。 Conventionally, an automobile has an ECU (Electronic Control Unit), and functions such as engine control are realized by the ECU. The ECU is a kind of computer and realizes a desired function by a computer program. For example, Non-Patent Document 1 discloses a security technique for an in-vehicle control system configured by connecting a plurality of ECUs to a CAN (Controller Area Network).
 ECUは暗号処理チップを備え、暗号処理チップが暗号処理を実行することによって、車載制御システムにおけるデータの安全性の向上を図っている。しかしながら、ECUに備わる暗号処理チップの種類によっては、データの安全性が十分に保てない可能性があった。 The ECU includes an encryption processing chip, and the encryption processing chip executes encryption processing, thereby improving the safety of data in the in-vehicle control system. However, depending on the type of cryptographic processing chip provided in the ECU, there is a possibility that data safety cannot be sufficiently maintained.
 本発明は、このような事情を考慮してなされたものであり、ECU等の車載コンピュータに備わる暗号処理チップに応じた暗号処理手順を実行することによって、車載制御システムにおけるデータの安全性を向上させることができる、車載コンピュータシステム、車両、管理方法、及びコンピュータプログラムを提供することを課題とする。
 また、その車載コンピュータに格納される鍵を柔軟に生成することができる、鍵生成装置、鍵生成方法、及びコンピュータプログラムを提供することを課題とする。 The present invention has been made in consideration of such circumstances, and improves the safety of data in an in-vehicle control system by executing an encryption processing procedure according to an encryption processing chip provided in an in-vehicle computer such as an ECU. It is an object of the present invention to provide an in-vehicle computer system, a vehicle, a management method, and a computer program.
It is another object of the present invention to provide a key generation device, a key generation method, and a computer program that can flexibly generate a key stored in the in-vehicle computer.
(1)本発明の一態様は、車両に備わる車載コンピュータシステムにおいて、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてあり、前記第1の演算処理装置は、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させ、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する、車載コンピュータシステムである。
(2)本発明の一態様は、上記(1)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記第1のSHEによって前記マスター鍵を使用して前記第2のSHEのMEK鍵を生成させ、前記第1のSHEによって前記MEK鍵を使用して、前記第2のSHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記第2のSHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEに鍵交換鍵を登録する、車載コンピュータシステムである。
(3)本発明の一態様は、上記(2)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記第1のSHEによって前記鍵交換鍵を使用して、前記第2のSHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEにMAC鍵を登録する、車載コンピュータシステムである。
(4)本発明の一態様は、上記(3)の車載コンピュータシステムにおいて、前記第2の記憶部は、前記第2のSHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを不揮発性メモリに格納し、前記第2の演算処理装置は、前記不揮発性メモリに格納されている鍵登録メッセージによって前記第2のSHEにMAC鍵を登録し、前記第1の車載コンピュータと前記第2の車載コンピュータとは、前記不揮発性メモリに格納されている鍵登録メッセージによって前記第2のSHEのRAM_KEY鍵に登録されたMAC鍵に基づいて正当性の認証処理を実行する、車載コンピュータシステムである。 (1) According to one aspect of the present invention, in a vehicle-mounted computer system provided in a vehicle, a first vehicle-mounted computer including a first arithmetic processing device, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. Connected to the network, the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first SHE has a message authentication code An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key in one KEY_N key that can be used for generating and verifying A master key to be used together with the first SHE, and the first arithmetic processing unit receives a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer as the first SHE. Is generated using the master key, and the authentication processing of the validity of the second in-vehicle computer is executed using the generated message authentication code.
(2) According to one aspect of the present invention, in the in-vehicle computer system according to (1), the first arithmetic processing unit uses the master key by the first SHE and the MEK key of the second SHE. KEY_N key that can be used for encryption and decryption of the second SHE using the MEK key by the first SHE, or the message authentication code of the second SHE Generating a key registration message for registering a key exchange key in one KEY_N key that can be used for the generation process and the verification process, and transmitting the key registration message to the second in-vehicle computer. Is an in-vehicle computer system that registers a key exchange key in the second SHE by the key registration message.
(3) According to one aspect of the present invention, in the in-vehicle computer system according to (2), the first arithmetic processing unit uses the key exchange key by the first SHE, and the second SHE A key registration message for registering the MAC key in the RAM_KEY key is generated, and the key registration message is transmitted to the second in-vehicle computer. The second arithmetic processing unit sends the key registration message to the second SHE by the key registration message. An in-vehicle computer system for registering a MAC key.
(4) According to one aspect of the present invention, in the in-vehicle computer system according to (3), the second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the second SHE in a nonvolatile memory. And the second arithmetic processing unit registers a MAC key in the second SHE by a key registration message stored in the nonvolatile memory, and the first in-vehicle computer and the second in-vehicle computer. Is an in-vehicle computer system that executes validity authentication processing based on a MAC key registered in the RAM_KEY key of the second SHE by a key registration message stored in the nonvolatile memory.
(5)本発明の一態様は、車両に備わる車載コンピュータシステムにおいて、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてあり、前記第1の演算処理装置は、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させ、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する、車載コンピュータシステムである。
(6)本発明の一態様は、上記(5)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記HSMによって前記マスター鍵を使用して前記SHEのMEK鍵を生成させ、前記HSMによって前記MEK鍵を使用して、前記SHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記SHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEに鍵交換鍵を登録する、車載コンピュータシステムである。
(7)本発明の一態様は、上記(6)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記HSMによって前記鍵交換鍵を使用して、前記SHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEにMAC鍵を登録する、車載コンピュータシステムである。
(8)本発明の一態様は、上記(7)の車載コンピュータシステムにおいて、前記第2の記憶部は、前記SHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを不揮発性メモリに格納し、前記第2の演算処理装置は、前記不揮発性メモリに格納されている鍵登録メッセージによって前記SHEにMAC鍵を登録し、前記第1の車載コンピュータと前記第2の車載コンピュータとは、前記不揮発性メモリに格納されている鍵登録メッセージによって前記SHEのRAM_KEY鍵に登録されたMAC鍵に基づいて正当性の認証処理を実行する、車載コンピュータシステムである。 (5) According to one aspect of the present invention, in a vehicle-mounted computer system provided in a vehicle, a first vehicle-mounted computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer including an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are provided in the communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. In the HSM, a message authentication code used as the initial key is set. The master key used together with the identifier of the second in-vehicle computer is stored in the generation of the first on-board computer, and the first arithmetic processing unit A message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer is generated by the HSM using the master key, and the second in-vehicle computer is generated using the generated message authentication code. This is an in-vehicle computer system that executes authentication processing of
(6) According to one aspect of the present invention, in the in-vehicle computer system according to (5), the first arithmetic processing unit generates the MEK key of the SHE using the master key by the HSM, and the HSM To the KEY_N key that can be used for the encryption and decryption processing of the SHE, or the KEY_N key that can be used for the generation processing and verification processing of the message authentication code of the SHE. A key registration message for registering a key exchange key is generated, and the key registration message is transmitted to the second in-vehicle computer. The second arithmetic processing unit registers a key exchange key in the SHE by the key registration message. In-vehicle computer system.
(7) According to one aspect of the present invention, in the in-vehicle computer system according to (6), the first arithmetic processing unit uses the key exchange key by the HSM and assigns a MAC key to the RAM_KEY key of the SHE. An in-vehicle computer system that generates a key registration message to be registered, transmits the key registration message to the second in-vehicle computer, and the second arithmetic processing unit registers the MAC key in the SHE by the key registration message. It is.
(8) According to one aspect of the present invention, in the in-vehicle computer system according to (7), the second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the SHE in a nonvolatile memory. The second arithmetic processing unit registers a MAC key in the SHE by a key registration message stored in the nonvolatile memory, and the first in-vehicle computer and the second in-vehicle computer are the non-volatile It is an in-vehicle computer system that executes validity authentication processing based on a MAC key registered in the RAM_KEY key of the SHE by a key registration message stored in a memory.
(9)本発明の一態様は、車両に備わる車載コンピュータシステムにおいて、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1の演算処理装置は、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させ、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる、車載コンピュータシステムである。
(10)本発明の一態様は、上記(9)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記セキュアエレメントによって前記マスター鍵を使用して前記第2のSHEのMEK鍵を生成させ、前記セキュアエレメントによって前記MEK鍵を使用して、前記第2のSHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記第2のSHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEに鍵交換鍵を登録する、車載コンピュータシステムである。 (9) According to one aspect of the present invention, in a vehicle-mounted computer system provided in a vehicle, a first vehicle-mounted computer including a first arithmetic processing device, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. An initial key is set as one KEY_N key that is connected to a network and can be used for message authentication code generation processing and verification processing in the second SHE. For a secure element storing a master key used with an identifier of the second in-vehicle computer to generate a message authentication code used as a key, the second A message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer is generated, and the authentication process of the validity of the second in-vehicle computer using the generated message authentication code is performed in the secure element This is an in-vehicle computer system to be executed.
(10) In one aspect of the present invention, in the in-vehicle computer system according to (9), the first arithmetic processing unit generates the second SHE MEK key using the master key by the secure element. The KEY_N key that can be used for the encryption process and the decryption process of the second SHE or the message authentication code generation process of the second SHE using the MEK key by the secure element, and A key registration message for registering a key exchange key with one KEY_N key that can be used for verification processing is generated, the key registration message is transmitted to the second in-vehicle computer, and the second arithmetic processing unit An in-vehicle computer system for registering a key exchange key in the second SHE by a registration message.
(11)本発明の一態様は、車両に備わる車載コンピュータシステムにおいて、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1の演算処理装置は、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させ、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる、車載コンピュータシステムである。
(12)本発明の一態様は、上記(11)の車載コンピュータシステムにおいて、前記第1の演算処理装置は、前記セキュアエレメントによって前記マスター鍵を使用して前記SHEのMEK鍵を生成させ、前記セキュアエレメントによって前記MEK鍵を使用して、前記SHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記SHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEに鍵交換鍵を登録する、車載コンピュータシステムである。 (11) According to one aspect of the present invention, in a vehicle-mounted computer system provided in a vehicle, a first vehicle-mounted computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer including an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are provided in the communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first arithmetic processing unit is used as the initial key. For a secure element that stores a master key used with the identifier of the second in-vehicle computer to generate a message authentication code A message authentication code for the identifier of the second vehicle-mounted computer received from the second vehicle-mounted computer is generated, and the authentication process of the validity of the second vehicle-mounted computer using the generated message authentication code is performed. This is an in-vehicle computer system that is executed by a secure element.
(12) According to one aspect of the present invention, in the in-vehicle computer system according to (11), the first arithmetic processing unit generates the MEK key of the SHE using the master key by the secure element, One KEY_N key that can be used for encryption and decryption processing of the SHE using the MEK key by a secure element, or one KEY_N that can be used for generation and verification processing of the message authentication code of the SHE A key registration message for registering a key exchange key in a key is generated, and the key registration message is transmitted to the second in-vehicle computer, and the second arithmetic processing unit sends the key exchange key to the SHE by the key registration message. Is an in-vehicle computer system for registering.
(13)本発明の一態様は、上記(1)から(12)のいずれかの車載コンピュータシステムを備える車両である。 (13) One aspect of the present invention is a vehicle including the on-vehicle computer system according to any one of (1) to (12).
(14)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてあり、前記第1の演算処理装置が、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、前記第1の演算処理装置が、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、を含む管理方法である。 (14) According to one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. Connected to the network, the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first SHE has a message authentication code An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key; A master key to be used is set, and the first arithmetic processing unit receives the message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer as the first SHE. And generating a message authentication code using the master key, and the first arithmetic processing unit uses the generated message authentication code to execute the authentication process of the validity of the second in-vehicle computer. And an authentication step.
(15)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてあり、前記第1の演算処理装置が、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、前記第1の演算処理装置が、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、を含む管理方法である。 (15) According to one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. In the HSM, a message authentication code used as the initial key is set. A master key used together with the identifier of the second in-vehicle computer is stored, and the first arithmetic processing unit transmits the second A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer by using the master key by the HSM; and the first arithmetic processing unit includes the generation And an authentication step of executing an authenticity authentication process for the second in-vehicle computer using the message authentication code.
(16)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1の演算処理装置が、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、前記第1の演算処理装置が、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、を含む管理方法である。 (16) According to one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. Connected to the network, the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing. For a secure element that stores a master key used with an identifier of the second in-vehicle computer to generate a message authentication code used as a key, the second A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the in-vehicle computer, and the first arithmetic processing unit using the generated message authentication code. And an authentication step for causing the secure element to execute the authenticity authentication process of the in-vehicle computer.
(17)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1の演算処理装置が、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、前記第1の演算処理装置が、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、を含む管理方法である。 (17) In one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first arithmetic processing unit is used as the initial key. For a secure element that stores a master key used with the identifier of the second in-vehicle computer to generate a message authentication code A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer, and the first arithmetic processing unit uses the generated message authentication code. And an authentication step for causing the secure element to execute the authentication process of the validity of the second in-vehicle computer.
(18)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、を実行させるためのコンピュータプログラムである。 (18) According to one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. Connected to the network, the second SHE has an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing, and the first SHE has a message authentication code An identifier of the second in-vehicle computer for generating a message authentication code used as the initial key; A message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer in the computer as the first arithmetic processing unit of the in-vehicle computer system in which the master key used for the computer is set Generating a message authentication code using the master key by the first SHE, and performing authentication processing for authenticating the second in-vehicle computer using the generated message authentication code A computer program for executing the steps.
(19)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、を実行させるためのコンピュータプログラムである。 (19) In one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. In the HSM, a message authentication code used as the initial key is set. A master key used together with an identifier of the second in-vehicle computer for generation of the second in-vehicle computer system is stored. Generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer by using the master key by the HSM And an authentication step of executing an authentication process for the validity of the second in-vehicle computer using the generated message authentication code.
(20)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、を実行させるためのコンピュータプログラムである。 (20) According to one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit; A second in-vehicle computer including a second arithmetic processing unit, a second SHE, and a second storage unit, and the first in-vehicle computer and the second in-vehicle computer communicate with each other in the vehicle. The first arithmetic processing unit of the in-vehicle computer system connected to a network and having an initial key set as one KEY_N key that can be used for message authentication code generation processing and verification processing in the second SHE As a master used together with the identifier of the second in-vehicle computer to generate a message authentication code used as the initial key A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer with respect to the secure element storing the message, and using the generated message authentication code An authentication step for causing the secure element to execute the authentication process for the validity of the second in-vehicle computer.
(21)本発明の一態様は、車両に備わる車載コンピュータシステムが、第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、を実行させるためのコンピュータプログラムである。 (21) In one aspect of the present invention, an in-vehicle computer system provided in a vehicle includes a first in-vehicle computer including a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit; A second in-vehicle computer having an arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit, wherein the first in-vehicle computer and the second in-vehicle computer are a communication network provided in the vehicle. In the SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. The computer as the first arithmetic processing unit of the in-vehicle computer system is connected to the SHE. A mask used together with the identifier of the second in-vehicle computer to generate a message authentication code used as the initial key. A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer with respect to the secure element storing the key, and the generated message authentication code An authentication step for causing the secure element to execute the authentication process of the validity of the second in-vehicle computer that uses the computer program.
(22)本発明の一態様は、マスター鍵を記憶する記憶部と、前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出部と、を備える鍵生成装置である。
(23)本発明の一態様は、鍵生成装置が、マスター鍵を記憶部に記憶する記憶ステップと、前記鍵生成装置が、前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出ステップと、を含む鍵生成方法である。
(24)本発明の一態様は、コンピュータに、マスター鍵を記憶部に記憶する記憶ステップと、前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出ステップと、を実行させるためのコンピュータプログラムである。 (22) One aspect of the present invention uses a storage unit that stores a master key, a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a variable that represents a key type. And a calculation unit that calculates a key.
(23) According to one aspect of the present invention, a key generation device stores a master key in a storage unit, the key generation device stores a master key stored in the storage unit, and an in-vehicle computer provided in a vehicle And a calculation step of calculating a key using the identifier and the variable representing the key type.
(24) In one aspect of the present invention, a computer stores a master key in a storage unit, a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a key type. A computer program for executing a calculation step of calculating a key using a variable to represent.
 本発明によれば、ECU等の車載コンピュータに備わる暗号処理チップに応じた暗号処理手順を実行することによって、車載制御システムにおけるデータの安全性を向上させることができるという効果が得られる。また、その車載コンピュータに格納される鍵を柔軟に生成することができるという効果が得られる。 According to the present invention, it is possible to improve the safety of data in the in-vehicle control system by executing the encryption processing procedure corresponding to the encryption processing chip provided in the in-vehicle computer such as the ECU. Moreover, the effect that the key stored in the vehicle-mounted computer can be produced | generated flexibly is acquired.
第1実施形態に係る自動車に備わる車載コンピュータシステムの構成例を示す図である。It is a figure which shows the structural example of the vehicle-mounted computer system with which the motor vehicle which concerns on 1st Embodiment is equipped. 第1実施形態に係るECU認証方法を示すシーケンスチャートである。It is a sequence chart which shows the ECU authentication method which concerns on 1st Embodiment. 第1実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the key exchange key delivery method which concerns on 1st Embodiment. 第1実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the MAC key delivery method which concerns on 1st Embodiment. 第1実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the MAC key delivery method which concerns on 1st Embodiment. 第2実施形態に係る自動車に備わる車載コンピュータシステムの構成例を示す図である。It is a figure which shows the structural example of the vehicle-mounted computer system with which the motor vehicle which concerns on 2nd Embodiment is equipped. 第2実施形態に係るECU認証方法を示すシーケンスチャートである。It is a sequence chart which shows the ECU authentication method which concerns on 2nd Embodiment. 第2実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the key exchange key delivery method which concerns on 2nd Embodiment. 第2実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the MAC key delivery method concerning 2nd Embodiment. 第2実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the MAC key delivery method concerning 2nd Embodiment. 第3実施形態に係る自動車に備わる車載コンピュータシステムの構成例を示す図である。It is a figure which shows the structural example of the vehicle-mounted computer system with which the motor vehicle which concerns on 3rd Embodiment is equipped. 第3実施形態に係るECU認証方法を示すシーケンスチャートである。It is a sequence chart which shows the ECU authentication method which concerns on 3rd Embodiment. 第3実施形態に係る鍵交換鍵配信処理を説明する。A key exchange key distribution process according to the third embodiment will be described. 第4実施形態に係る自動車に備わる車載コンピュータシステムの構成例を示す図である。It is a figure which shows the structural example of the vehicle-mounted computer system with which the motor vehicle which concerns on 4th Embodiment is equipped. 第4実施形態に係るECU認証方法を示すシーケンスチャートである。It is a sequence chart which shows the ECU authentication method which concerns on 4th Embodiment. 第4実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the key exchange key delivery method which concerns on 4th Embodiment. 第4実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。It is a sequence chart which shows the key exchange key delivery method which concerns on 4th Embodiment. 第5実施形態に係る鍵生成装置の構成例を示す図である。It is a figure which shows the structural example of the key generation apparatus which concerns on 5th Embodiment. 第5実施形態に係る鍵生成方法の一例を示すシーケンスチャートである。It is a sequence chart which shows an example of the key generation method which concerns on 5th Embodiment.
 以下、図面を参照し、本発明の実施形態について説明する。なお、以下に示す実施形態では、車両として自動車を例に挙げて説明する。 Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following embodiment, a vehicle will be described as an example of a vehicle.
[第1実施形態]
 図1は、本実施形態に係る自動車1に備わる車載コンピュータシステムの構成例を示す図である。図1において、自動車1に備わる車載コンピュータシステムは、第1のECU(電子制御装置)10と複数の第2のECU20とがCAN30に接続されて構成される。この車載コンピュータシステムは、自動車1の車載制御システムに適用できる。 [First Embodiment]
FIG. 1 is a diagram illustrating a configuration example of an in-vehicle computer system provided in an automobile 1 according to the present embodiment. In FIG. 1, an in-vehicle computer system provided in an automobile 1 is configured by connecting a first ECU (electronic control unit) 10 and a plurality of second ECUs 20 to a CAN 30. This in-vehicle computer system can be applied to the in-vehicle control system of the automobile 1.
 第1のECU10及び第2のECU20は、自動車1に備わる車載コンピュータである。第1のECU10は、自動車1に搭載されたECUのうち、鍵管理機能を有するECUである。以下、第1のECU10のことを鍵管理ECU10と称する場合がある。 The first ECU 10 and the second ECU 20 are in-vehicle computers provided in the automobile 1. The first ECU 10 is an ECU having a key management function among the ECUs mounted on the automobile 1. Hereinafter, the first ECU 10 may be referred to as a key management ECU 10.
 第2のECU20は、自動車1に搭載されたECUのうち、エンジン制御等の機能を有するECUである。第2のECU20として、例えば、エンジン制御機能を有するECU、ハンドル制御機能を有するECU、ブレーキ制御機能を有するECUなどがある。第2のECU20は、第1のECU10によって正当性が認証されるECUである。以下、第2のECU20のことを被認証ECU20と称する場合がある。 The second ECU 20 is an ECU having functions such as engine control among the ECUs mounted in the automobile 1. Examples of the second ECU 20 include an ECU having an engine control function, an ECU having a handle control function, and an ECU having a brake control function. The second ECU 20 is an ECU whose validity is authenticated by the first ECU 10. Hereinafter, the second ECU 20 may be referred to as an authenticated ECU 20.
 CAN30は通信ネットワークである。CANは車両に搭載される通信ネットワークの一つとして知られている。第1のECU10は、CAN30を介して、各第2のECU20との間でデータを交換する。第2のECU20は、CAN30を介して、他の第2のECU20との間でデータを交換する。 CAN 30 is a communication network. CAN is known as one of communication networks mounted on vehicles. The first ECU 10 exchanges data with each second ECU 20 via the CAN 30. The second ECU 20 exchanges data with the other second ECU 20 via the CAN 30.
 なお、車両に搭載される通信ネットワークとして、CAN以外の通信ネットワークを自動車1に備え、CAN以外の通信ネットワークを介して、第1のECU10と第2のECU20との間のデータの交換、及び、第2のECU20同士の間のデータの交換が行われてもよい。例えば、LIN(Local Interconnect Network)を自動車1に備えてもよい。また、CANとLINとを自動車1に備えてもよい。また、自動車1において、LINに接続する第2のECU20を備えてもよい。また、第1のECU10は、CANとLINとに接続されてもよい。また、第1のECU10は、CANを介して該CANに接続される第2のECU20との間でデータを交換し、また、LINを介して該LINに接続される第2のECU20との間でデータを交換してもよい。また、第2のECU20同士が、LINを介してデータを交換してもよい。 In addition, as a communication network mounted on a vehicle, a communication network other than CAN is provided in the automobile 1, and exchange of data between the first ECU 10 and the second ECU 20 via the communication network other than CAN, and Data exchange between the second ECUs 20 may be performed. For example, the automobile 1 may be provided with LIN (Local Interconnect Network). Further, the automobile 1 may be provided with CAN and LIN. Further, the automobile 1 may include a second ECU 20 connected to the LIN. Further, the first ECU 10 may be connected to CAN and LIN. Further, the first ECU 10 exchanges data with the second ECU 20 connected to the CAN via the CAN, and between the first ECU 10 and the second ECU 20 connected to the LIN via the LIN. You may exchange data with. Further, the second ECUs 20 may exchange data via the LIN.
 第1のECU10は、CPU(Central Processing Unit:中央演算処理装置)11と記憶部12とSHE(Secure Hardware Extension)13とを備える。CPU11は、第1のECU10の機能を実現させるためのコンピュータプログラムを実行する。記憶部12は、CPU11で実行されるコンピュータプログラムや各種のデータを記憶する。SHE13は暗号処理機能を有する。SHE13は耐タンパー性(Tamper Resistant)を有する。SHE13はセキュアエレメント(Secure Element:SE)の例である。セキュアエレメントは耐タンパー性を有する。以下、SHE13のことをSHE-A13と称する場合がある。 The first ECU 10 includes a CPU (Central Processing Unit) 11, a storage unit 12, and a SHE (Secure Hardware Extension) 13. The CPU 11 executes a computer program for realizing the function of the first ECU 10. The storage unit 12 stores a computer program executed by the CPU 11 and various data. The SHE 13 has a cryptographic processing function. SHE13 has tamper resistance. SHE 13 is an example of a secure element (Secure Element: SE). The secure element has tamper resistance. Hereinafter, SHE13 may be referred to as SHE-A13.
 第2のECU20は、CPU21と記憶部22とSHE23とを備える。CPU21は、第2のECU20の機能を実現させるためのコンピュータプログラムを実行する。記憶部22は、CPU21で実行されるコンピュータプログラムや各種のデータを記憶する。SHE23は暗号処理機能を有する。SHE23は耐タンパー性を有する。SHE23はセキュアエレメントの例である。以下、SHE23のことをSHE-B23と称する場合がある。 The second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23. The CPU 21 executes a computer program for realizing the function of the second ECU 20. The storage unit 22 stores a computer program executed by the CPU 21 and various data. The SHE 23 has a cryptographic processing function. SHE23 has tamper resistance. SHE23 is an example of a secure element. Hereinafter, SHE23 may be referred to as SHE-B23.
 以下の説明において、SHE13とSHE23とを特に区別しないときは単にSHEと称する。 In the following description, SHE 13 and SHE 23 are simply referred to as SHE when not particularly distinguished.
[SHEの説明]
 本実施形態では、第1のECU10及び第2のECU20は、暗号処理チップの一例であるSHEを備える。以下、SHEについて説明する。SHEは暗号処理機能を有する。SHEの暗号処理機能の一つとして暗号化及び復号がある。SHEの暗号処理機能の一つとしてMAC(Message Authentication Code:メッセージ認証コード)の生成及び検証がある。SHEが扱うMACとしてCMAC(Cipher-based Message Authentication Code)がある。 [Description of SHE]
In the present embodiment, the first ECU 10 and the second ECU 20 include a SHE that is an example of a cryptographic processing chip. Hereinafter, SHE will be described. SHE has a cryptographic processing function. One of the encryption processing functions of SHE is encryption and decryption. One of the encryption processing functions of SHE is generation and verification of a MAC (Message Authentication Code). There is CMAC (Cipher-based Message Authentication Code) as a MAC handled by SHE.
(SHEの鍵の構成)
 SHEでは、複数の種類の鍵を使用することができる。SHEの鍵には、MASTER_ECU_KEY(MEK)鍵、BOOT_MAC_KEY(BMK)鍵、BOOT_MAC(BM)鍵、KEY_N鍵(但し、Nは1から10までのいずれかの整数)、及び、RAM_KEY鍵がある。以下にSHEの鍵について説明する。 (SHE key structure)
In SHE, multiple types of keys can be used. The SHE key includes a MASTER_ECU_KEY (MEK) key, a BOOT_MAC_KEY (BMK) key, a BOOT_MAC (BM) key, a KEY_N key (where N is an integer from 1 to 10), and a RAM_KEY key. The SHE key will be described below.
(1)MASTER_ECU_KEY(MEK)鍵
 MEK鍵は、MEK鍵、BMK鍵、BM鍵、及び、KEY_N鍵の更新に使用される鍵である。MEK鍵は、暗号化処理及び復号処理、並びに、MACの生成処理及び検証処理には使用できない。MEK鍵の書き換え回数には制限がある。 (1) MASTER_ECU_KEY (MEK) key The MEK key is a key used for updating the MEK key, the BMK key, the BM key, and the KEY_N key. The MEK key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of MEK key rewrites.
(2)BOOT_MAC_KEY(BMK)鍵
 BMK鍵は、セキュアブートにおけるCMACの算出に使用される鍵である。BMK鍵は、BMK鍵及びBM鍵の更新に使用できる。BMK鍵は、暗号化処理及び復号処理、並びに、MACの生成処理及び検証処理には使用できない。BMK鍵の書き換え回数には制限がある。 (2) BOOT_MAC_KEY (BMK) key The BMK key is a key used for CMAC calculation in secure boot. The BMK key can be used to update the BMK key and the BM key. The BMK key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of times the BMK key can be rewritten.
(3)BOOT_MAC(BM)鍵
 BM鍵は、セキュアブートにおけるCMACの期待値である。BM鍵は、暗号化処理及び復号処理、並びに、MACの生成処理及び検証処理には使用できない。BM鍵の書き換え回数には制限がある。 (3) BOOT_MAC (BM) key The BM key is an expected value of CMAC in secure boot. The BM key cannot be used for encryption processing and decryption processing, and MAC generation processing and verification processing. There is a limit to the number of times the BM key can be rewritten.
(4)KEY_N鍵(但し、Nは1から10までのいずれかの整数)
 KEY_N鍵として、KEY_1~KEY_10の10個がある。各KEY_N鍵は、暗号化処理及び復号処理に使用可能なモード0と、MACの生成処理及び検証処理に使用可能なモード1とのうちいずれか一方のモードで使用できる。各KEY_N鍵は、自己の鍵のみの更新に使用できる。例えば、KEY_1鍵を使用すれば、KEY_1鍵を更新できる。各KEY_N鍵の書き換え回数には制限がある。 (4) KEY_N key (where N is any integer from 1 to 10)
There are 10 KEY_N keys KEY_1 to KEY_10. Each KEY_N key can be used in either one of mode 0 that can be used for encryption processing and decryption processing, and mode 1 that can be used for MAC generation processing and verification processing. Each KEY_N key can be used to update only its own key. For example, if the KEY_1 key is used, the KEY_1 key can be updated. There is a limit to the number of times each KEY_N key can be rewritten.
(5)RAM_KEY鍵
 RAM_KEY鍵は、コマンドCMD_LOAD_PLAIN_KEYによって、平文で登録できる鍵である。また、RAM_KEY鍵は、コマンドCMD_LOAD_KEYによって、値M1,M2及びM3を使用して登録することもできる。但し、コマンドCMD_LOAD_KEYによってRAM_KEY鍵を登録する場合には、後述する値M2にカウンタ値Counterを含まない。このため、リプレイ攻撃に対する脆弱性がある。RAM_KEY鍵の更新には、KEY_N鍵を使用できる。RAM_KEY鍵の書き換え回数には制限がない。 (5) RAM_KEY key The RAM_KEY key is a key that can be registered in plain text by the command CMD_LOAD_PLAIN_KEY. The RAM_KEY key can also be registered using the values M1, M2 and M3 by the command CMD_LOAD_KEY. However, when the RAM_KEY key is registered by the command CMD_LOAD_KEY, the counter value Counter is not included in the value M2 described later. For this reason, it is vulnerable to replay attacks. The KEY_N key can be used to update the RAM_KEY key. There is no limit to the number of times the RAM_KEY key can be rewritten.
(SHEの鍵の更新方法)
(1)コマンドCMD_LOAD_KEY
 コマンドCMD_LOAD_KEYによって、MEK鍵、BMK鍵、BM鍵、KEY_N鍵、及び、RAM_KEY鍵を更新できる。コマンドCMD_LOAD_KEYでは、次の式(1)で示される値M1,M2及びM3を生成し、鍵の更新を行う。 (SHE key update method)
(1) Command CMD_LOAD_KEY
The MEK key, BMK key, BM key, KEY_N key, and RAM_KEY key can be updated by the command CMD_LOAD_KEY. The command CMD_LOAD_KEY generates values M1, M2, and M3 represented by the following expression (1), and updates the key.
Figure JPOXMLDOC01-appb-M000001
Figure JPOXMLDOC01-appb-M000001
 但し、「A||B」はAとBとの連結を示す。 However, “A || B” indicates the connection between A and B.
(2)コマンドCMD_LOAD_PLAIN_KEY
 コマンドCMD_LOAD_PLAIN_KEYによって、RAM_KEY鍵を平文で登録できる。コマンドCMD_LOAD_PLAIN_KEYによって平文で登録できる鍵は、RAM_KEY鍵のみである。 (2) Command CMD_LOAD_PLAIN_KEY
The RAM_KEY key can be registered in plain text by the command CMD_LOAD_PLAIN_KEY. The only key that can be registered in plain text by the command CMD_LOAD_PLAIN_KEY is the RAM_KEY key.
 以上がSHEについての説明である。 The above is an explanation of SHE.
[SHEに対する鍵の割り当て]
 本実施形態では、SHEに対して、以下に示すように、初期鍵、鍵交換鍵、及び、MAC鍵を割り当てる。 [Key assignment to SHE]
In this embodiment, an initial key, a key exchange key, and a MAC key are assigned to SHE as shown below.
(1)初期鍵:KEY_1鍵
 初期鍵は、第1のECU10が第2のECU20の正当性を認証する処理で使用される。第2のECU20において、予め、例えば第2のECU20の製造時などに、自己の初期鍵がSHE23のKEY_1鍵に設定される。KEY_1鍵は、MACの生成処理及び検証処理に使用可能な鍵である。 (1) Initial key: KEY_1 key The initial key is used in a process in which the first ECU 10 authenticates the validity of the second ECU 20. In the second ECU 20, for example, when the second ECU 20 is manufactured, its own initial key is set in advance as the KEY — 1 key of the SHE 23. The KEY_1 key is a key that can be used for MAC generation processing and verification processing.
(2)鍵交換鍵:KEY_2鍵(モード0(暗号化処理及び復号処理)に使用)、KEY_3鍵(モード1(MACの生成処理及び検証処理)に使用)
 鍵交換鍵は、第1のECU10が第2のECU20へMAC鍵を配信する処理で使用される。鍵交換鍵は、第1のECU10によって生成されて第2のECU20へ配信される。鍵交換鍵は、自動車1内で共通の値が使用される。 (2) Key exchange key: KEY_2 key (used for mode 0 (encryption process and decryption process)), KEY_3 key (used for mode 1 (MAC generation process and verification process))
The key exchange key is used in the process in which the first ECU 10 distributes the MAC key to the second ECU 20. The key exchange key is generated by the first ECU 10 and distributed to the second ECU 20. As the key exchange key, a common value in the automobile 1 is used.
(3)MAC鍵:RAM_KEY鍵
 MAC鍵は、MACの生成処理及び検証処理で使用される。MAC鍵は、第1のECU10によって生成されて鍵交換鍵で暗号化されてから、正当性が認証済みである第2のECU20へ配信される。 (3) MAC key: RAM_KEY key The MAC key is used in MAC generation processing and verification processing. The MAC key is generated by the first ECU 10 and encrypted with the key exchange key, and then distributed to the second ECU 20 whose validity has been authenticated.
[SHEにおける鍵の初期値]
 SHEにおいて、SHEに固有の各鍵の初期値は0である。このままでは、SHEに対して不正に鍵が設定される可能性がある。このため、本実施形態では、第2のECU20のSHE23に対して、次の式(2)で示される値のうち、値KMASTER_ECU_KEYをMEK鍵に初期設定し、値KBOOT_MAC_KEYをBMK鍵に初期設定し、値KKEY<N>をKEY_N鍵に初期設定する。これにより、第2のECU20のSHE23に対して、不正に鍵が設定されることを防止する。なお、第1のECU10のSHE13に対しても、第2のECU20と同様に、鍵の初期設定を行ってもよい。 [Initial value of key in SHE]
In SHE, the initial value of each key unique to SHE is zero. In this state, there is a possibility that the key is set illegally for SHE. For this reason, in the present embodiment, the value K MASTER_ECU_KEY is initialized to the MEK key and the value K BOOT_MAC_KEY is initialized to the BMK key among the values expressed by the following equation (2) for the SHE 23 of the second ECU 20. Set and initialize the value K KEY <N> to the KEY_N key. This prevents an unauthorized key from being set for the SHE 23 of the second ECU 20. Note that the key may be initialized for the SHE 13 of the first ECU 10 as well as the second ECU 20.
Figure JPOXMLDOC01-appb-M000002
Figure JPOXMLDOC01-appb-M000002
 但し、MSはマスター鍵(MASTER_SECRET:MS)である。マスター鍵MSは、初期鍵の生成に使用される。IDは、第2のECU20の識別子である。CMASTER_ECU_KEYはMEK鍵を表す文字列である。CBOOT_MAC_KEYはBMK鍵を表す文字列である。CKEY_NはKEY_N鍵を表す文字列である。各文字列CMASTER_ECU_KEY、CBOOT_MAC_KEY、及びCKEY_Nを含めることによって、鍵の種類を識別することができる。なお、上記の式(2)において、具体的にはダイジェストとしてCMACを使用する。 However, MS is a master key (MASTER_SECRET: MS). The master key MS is used for generating an initial key. ID a is an identifier of the second ECU 20. C MASTER_ECU_KEY is a character string representing the MEK key. C BOOT_MAC_KEY is a character string representing a BMK key. C KEY_N is a character string representing a KEY_N key. By including each of the character strings C MASTER_ECU_KEY , C BOOT_MAC_KEY , and C KEY_N , the key type can be identified. In the above formula (2), specifically, CMAC is used as a digest.
 次に、図2から図5を参照して、本実施形態に係るECU認証処理、鍵交換鍵配信処理、及び、MAC鍵配信処理を説明する。 Next, an ECU authentication process, a key exchange key distribution process, and a MAC key distribution process according to the present embodiment will be described with reference to FIGS.
[ECU認証処理]
 図2を参照して本実施形態に係るECU認証処理を説明する。図2は、本実施形態に係るECU認証方法を示すシーケンスチャートである。鍵管理ECU10のSHE-A13のKEY_10鍵には、予め、例えば鍵管理ECU10の製造時などに、マスター鍵MSが設定される。被認証ECU20の初期鍵は、次の式(3)により算出される。 [ECU certification process]
The ECU authentication process according to this embodiment will be described with reference to FIG. FIG. 2 is a sequence chart showing an ECU authentication method according to the present embodiment. The master key MS is set in advance in the KEY_10 key of the SHE-A 13 of the key management ECU 10 when, for example, the key management ECU 10 is manufactured. The initial key of the authenticated ECU 20 is calculated by the following equation (3).
Figure JPOXMLDOC01-appb-M000003
Figure JPOXMLDOC01-appb-M000003
 具体的にはダイジェストとしてCMACを使用する。これにより、被認証ECU20の初期鍵は、次の式(4)により算出される。 Specifically, CMAC is used as a digest. Thereby, the initial key of the to-be-authenticated ECU 20 is calculated by the following equation (4).
Figure JPOXMLDOC01-appb-M000004
Figure JPOXMLDOC01-appb-M000004
 但し、ECU_IDは被認証ECU20の識別子である。上記の式(4)のCMACの算出には、マスター鍵MSが使用される。 However, ECU_ID is an identifier of the authenticated ECU 20. The master key MS is used for calculating the CMAC in the above equation (4).
 本実施形態では、鍵管理ECU10は、被認証ECU20の初期鍵を共有する処理を実行し、共有された初期鍵に基づいてチャレンジ・アンド・レスポンス方式により被認証ECU20の正当性を検証する。 In the present embodiment, the key management ECU 10 executes a process of sharing the initial key of the authenticated ECU 20, and verifies the authenticity of the authenticated ECU 20 by a challenge and response method based on the shared initial key.
(ステップS101)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDを鍵管理ECU10へ送信する。 (Step S101) In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
(ステップS102)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDと文字列CKEY_1とを使用して、コマンドCMD_GENERATE_MAC(ECU_ID||CKEY_1)をSHE-A13へ入力する。 (Step S102) In the key management ECU 10, the CPU 11 inputs the command CMD_GENERATE_MAC (ECU_ID || CKEY_1 ) to the SHE-A13 using the identifier ECU_ID and the character string CKEY_1 of the ECU20 to be authenticated received from the ECU20 to be authenticated. To do.
(ステップS103)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_GENERATE_MAC(ECU_ID||CKEY_1)に応じて、CMACを生成する。このCMACの生成では、SHE-A13は、KEY_10鍵に設定されているマスター鍵MSを使用して、上記の式(4)によりCMACを算出する。この算出されるCMACは、被認証ECU20の初期鍵であって被認証ECU20のSHE-B23のKEY_1鍵に設定されている値と同じ値である。SHE-A13は、生成したCMACをCPU11へ出力する。 (Step S103) In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID || CKEY_1 ) input from the CPU 11. In the generation of the CMAC, the SHE-A 13 calculates the CMAC by the above equation (4) using the master key MS set for the KEY_10 key. This calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE-B 23 of the authenticated ECU 20. The SHE-A 13 outputs the generated CMAC to the CPU 11.
(ステップS104)鍵管理ECU10において、CPU11は、SHE-A13から受け取ったCMACを使用して、コマンドCMD_LOAD_PLAIN_KEY(CMAC)をSHE-A13へ入力する。 (Step S104) In the key management ECU 10, the CPU 11 uses the CMAC received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (CMAC) to the SHE-A 13.
(ステップS105)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_LOAD_PLAIN_KEY(CMAC)に応じて、該コマンドCMD_LOAD_PLAIN_KEY(CMAC)に含まれるCMACをRAM_KEY鍵に登録する。これにより、SHE-A13のRAM_KEY鍵に、被認証ECU20の初期鍵が登録されたことになる。SHE-A13は、RAM_KEY鍵の登録完了「OK」をCPU11へ応答する。 (Step S105) In the key management ECU 10, the SHE-A 13 registers the CMAC included in the command CMD_LOAD_PLAIN_KEY (CMAC) in the RAM_KEY key in response to the command CMD_LOAD_PLAIN_KEY (CMAC) input from the CPU 11. As a result, the initial key of the authenticated ECU 20 is registered in the RAM_KEY key of the SHE-A13. The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
(ステップS106)鍵管理ECU10において、CPU11は、コマンドCMD_RNDをSHE-A13へ入力する。 (Step S106) In the key management ECU 10, the CPU 11 inputs a command CMD_RND to the SHE-A 13.
(ステップS107)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_RNDに応じて、乱数randを生成する。SHE-A13は、生成した乱数randをCPU11へ出力する。 (Step S107) In the key management ECU 10, the SHE-A 13 generates a random number rand in response to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number rand to the CPU 11.
(ステップS108)鍵管理ECU10において、CPU11は、SHE-A13から受け取った乱数randを被認証ECU20へ送信する。 (Step S108) In the key management ECU 10, the CPU 11 transmits the random number rand received from the SHE-A 13 to the authenticated ECU 20.
(ステップS109)被認証ECU20において、CPU21は、鍵管理ECU10から受信した乱数randを使用して、コマンドCMD_GENERATE_MAC(rand)をSHE-B23へ入力する。 (Step S109) In the authenticated ECU 20, the CPU 21 uses the random number rand received from the key management ECU 10 to input the command CMD_GENERATE_MAC (rand) to the SHE-B 23.
(ステップS110)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_GENERATE_MAC(rand)に応じて、CMACを生成する。このCMACの生成では、SHE-B23は、KEY_1鍵に設定されている初期鍵を使用して、該コマンドCMD_GENERATE_MAC(rand)に含まれる乱数randについてCMACを算出する。SHE-B23は、生成したCMACをCPU21へ出力する。 (Step S110) In the authenticated ECU 20, the SHE-B 23 generates a CMAC in response to the command CMD_GENERATE_MAC (rand) input from the CPU 21. In the generation of the CMAC, the SHE-B 23 calculates the CMAC for the random number rand included in the command CMD_GENERATE_MAC (rand) using the initial key set as the KEY_1 key. The SHE-B 23 outputs the generated CMAC to the CPU 21.
(ステップS111)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDとSHE-B23から受け取ったCMACとを鍵管理ECU10へ送信する。 (Step S111) In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of the authenticated ECU 20 and the CMAC received from the SHE-B 23 to the key management ECU 10.
(ステップS112)鍵管理ECU10において、CPU11は、被認証ECU20へ送信した乱数randと、被認証ECU20から受信したCMACとを使用して、コマンドCMD_VERIFY_MAC(rand,CMAC)をSHE-A13へ入力する。 (Step S112) In the key management ECU 10, the CPU 11 inputs a command CMD_VERIFY_MAC (rand, CMAC) to the SHE-A 13 using the random number rand transmitted to the authenticated ECU 20 and the CMAC received from the authenticated ECU 20.
(ステップS113)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_VERIFY_MAC(rand,CMAC)に応じて、該コマンドCMD_VERIFY_MAC(rand,CMAC)に含まれるCMACを検証する。このCMACの検証では、SHE-A13は、RAM_KEY鍵に登録されている値つまり被認証ECU20の初期鍵を使用する。SHE-A13は、CMACの検証結果「合格(OK)又は不合格(NG)」をCPU11へ出力する。CPU11は、SHE-A13から受け取ったCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、SHE-A13から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。 (Step S113) In the key management ECU 10, the SHE-A 13 verifies the CMAC included in the command CMD_VERIFY_MAC (rand, CMAC) according to the command CMD_VERIFY_MAC (rand, CMAC) input from the CPU 11. In this CMAC verification, the SHE-A 13 uses the value registered in the RAM_KEY key, that is, the initial key of the authenticated ECU 20. The SHE-A 13 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11. When the CMAC verification result received from the SHE-A 13 is acceptable (OK), the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is successful, while the CMAC received from the SHE-A 13 is verified. When the result is rejected (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
[鍵交換鍵配信処理]
 図3を参照して本実施形態に係る鍵交換鍵配信処理を説明する。図3は、本実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。本実施形態では、2個の鍵交換鍵を使用する。一方の第1の鍵交換鍵は暗号化処理及び復号処理に使用される。もう一方の第2の鍵交換鍵はMACの生成処理及び検証処理に使用される。第1の鍵交換鍵と第2の鍵交換鍵とは異なる値であることが好ましい。鍵管理ECU10は、第1の鍵交換鍵と第2の鍵交換鍵とを被認証ECU20へ配信する。被認証ECU20において、第1の鍵交換鍵はSHE-B23のKEY_2鍵に設定され、第2の鍵交換鍵はSHE-B23のKEY_3鍵に設定される。 [Key exchange key distribution processing]
A key exchange key distribution process according to the present embodiment will be described with reference to FIG. FIG. 3 is a sequence chart showing a key exchange key distribution method according to the present embodiment. In this embodiment, two key exchange keys are used. One first key exchange key is used for encryption processing and decryption processing. The other second key exchange key is used for MAC generation processing and verification processing. The first key exchange key and the second key exchange key are preferably different values. The key management ECU 10 distributes the first key exchange key and the second key exchange key to the authenticated ECU 20. In the authenticated ECU 20, the first key exchange key is set to the KEY_2 key of SHE-B23, and the second key exchange key is set to the KEY_3 key of SHE-B23.
 以下、図3を参照して第1の鍵交換鍵を配信する場合を例に挙げて説明する。第2の鍵交換鍵を配信する場合も、第1の鍵交換鍵を配信する場合と同様である。 Hereinafter, a case where the first key exchange key is distributed will be described as an example with reference to FIG. The distribution of the second key exchange key is the same as the distribution of the first key exchange key.
(ステップS121)鍵管理ECU10において、CPU11は、鍵交換鍵の配信先の被認証ECU20の識別子ECU_IDと文字列CMASTER_ECU_KEYとを使用して、コマンドCMD_GENERATE_MAC(ECU_ID||CMASTER_ECU_KEY)をSHE-A13へ入力する。 (Step S121) In the key management ECU 10, the CPU 11 sends a command CMD_GENERATE_MAC (ECU_ID || CMASTER_ECU_KEY ) to the SHE-A13 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed and the character string C MASTER_ECU_KEY . input.
(ステップS122)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_GENERATE_MAC(ECU_ID||CMASTER_ECU_KEY)に応じて、CMACを生成する。このCMACの生成では、SHE-A13は、KEY_10鍵に設定されているマスター鍵MSを使用して、上記の式(4)と同様にCMACを算出する。この算出されるCMACは、被認証ECU20のSHE-B23のMEK鍵に設定されている値と同じ値である。SHE-A13は、生成したCMACをCPU11へ出力する。 (Step S122) In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID || C MASTER_ECU_KEY ) input from the CPU 11. In the generation of the CMAC, the SHE-A 13 calculates the CMAC using the master key MS set for the KEY_10 key in the same manner as the above equation (4). The calculated CMAC is the same value as the value set in the MEK key of the SHE-B 23 of the ECU 20 to be authenticated. The SHE-A 13 outputs the generated CMAC to the CPU 11.
(ステップS123)鍵管理ECU10において、CPU11は、SHE-A13から受け取ったCMACを使用して、コマンドCMD_LOAD_PLAIN_KEY(CMAC)をSHE-A13へ入力する。 (Step S123) In the key management ECU 10, the CPU 11 uses the CMAC received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (CMAC) to the SHE-A 13.
(ステップS124)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_LOAD_PLAIN_KEY(CMAC)に応じて、該コマンドCMD_LOAD_PLAIN_KEY(CMAC)に含まれるCMACをRAM_KEY鍵に登録する。これにより、SHE-A13のRAM_KEY鍵に、被認証ECU20のSHE-B23のMEK鍵が登録されたことになる。SHE-A13は、RAM_KEY鍵の登録完了「OK」をCPU11へ応答する。 (Step S124) In the key management ECU 10, the SHE-A 13 registers the CMAC included in the command CMD_LOAD_PLAIN_KEY (CMAC) in the RAM_KEY key according to the command CMD_LOAD_PLAIN_KEY (CMAC) input from the CPU 11. As a result, the MEK key of SHE-B23 of the authenticated ECU 20 is registered in the RAM_KEY key of SHE-A13. The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
(ステップS125)鍵管理ECU10において、CPU11は、コマンドCMD_RNDをSHE-A13へ入力する。 (Step S125) In the key management ECU 10, the CPU 11 inputs the command CMD_RND to the SHE-A 13.
(ステップS126)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_RNDに応じて、乱数randを生成する。SHE-A13は、生成した乱数randをCPU11へ出力する。この乱数randは、第1の鍵交換鍵つまり被認証ECU20のSHE-B23のKEY_2鍵に使用される。 (Step S126) In the key management ECU 10, the SHE-A 13 generates a random number rand according to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number rand to the CPU 11. This random number rand is used as the first key exchange key, that is, the KEY_2 key of the SHE-B 23 of the ECU 20 to be authenticated.
(ステップS127)鍵管理ECU10において、CPU11は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、CPU11がSHE-A13から受け取った乱数randつまり第1の鍵交換鍵を、被認証ECU20のSHE-B23のKEY_2鍵に登録するための各値である。CPU11は、値M2を生成する際には、コマンド「CMD_ENC_CBC with RAM_KEY」によってSHE-A13に暗号化処理を実行させる。値M2には、CPU11がSHE-A13から受け取った乱数randつまり第1の鍵交換鍵を含める。CPU11は、値M3を生成する際には、コマンド「CMD_GENERATE_MAC with RAM_KEY」によってSHE-A13にCMACを生成させる。CPU11は、生成した値M1,M2及びM3を被認証ECU20へ送信する。 (Step S127) In the key management ECU 10, the CPU 11 generates values M1, M2, and M3. These values M1, M2, and M3 are values for registering the random number rand received by the CPU 11 from the SHE-A 13, that is, the first key exchange key, in the KEY_2 key of the SHE-B 23 of the authenticated ECU 20. When generating the value M2, the CPU 11 causes the SHE-A 13 to execute an encryption process using the command “CMD_ENC_CBC with RAM_KEY”. The value M2 includes the random number rand received from the SHE-A 13 by the CPU 11, that is, the first key exchange key. When generating the value M3, the CPU 11 causes the SHE-A 13 to generate CMAC by the command “CMD_GENERATE_MAC with RAM_KEY”. The CPU 11 transmits the generated values M1, M2, and M3 to the authenticated ECU 20.
(ステップS128)被認証ECU20において、CPU21は、鍵管理ECU10から受信した値M1,M2及びM3を使用して、コマンドCMD_LOAD_KEY(M1,M2,M3)をSHE-B23へ入力する。 (Step S128) In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 received from the key management ECU 10 to input a command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23.
(ステップS129)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_LOAD_KEY(M1,M2,M3)に応じて、該コマンドCMD_LOAD_KEY(M1,M2,M3)に含まれる乱数randつまり第1の鍵交換鍵をKEY_2鍵に登録する。SHE-B23は、KEY_2鍵の登録完了「OK」をCPU11へ応答する。 (Step S129) In the to-be-authenticated ECU 20, the SHE-B 23 responds to the command CMD_LOAD_KEY (M1, M2, M3) input from the CPU 21, and the random number rand, that is, the first random number included in the command CMD_LOAD_KEY (M1, M2, M3). The key exchange key is registered in the KEY_2 key. The SHE-B 23 responds to the CPU 11 with the completion of registration of the KEY_2 key “OK”.
(ステップS130)被認証ECU20において、CPU21は、第1の鍵交換鍵の登録完了「OK」を鍵管理ECU10へ送信する。 (Step S <b> 130) In the authenticated ECU 20, the CPU 21 transmits registration completion “OK” of the first key exchange key to the key management ECU 10.
(ステップS131)鍵管理ECU10において、CPU11は、被認証ECU20へ送信した乱数randつまり第1の鍵交換鍵を使用して、コマンドCMD_ENC_CBC(rand)をSHE-A13へ入力する。 (Step S131) In the key management ECU 10, the CPU 11 inputs a command CMD_ENC_CBC (rand) to the SHE-A 13 using the random number rand transmitted to the authenticated ECU 20, that is, the first key exchange key.
(ステップS132)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_ENC_CBC(rand)に応じて、該コマンドCMD_ENC_CBC(rand)に含まれる乱数randつまり第1の鍵交換鍵をKEY_9鍵で暗号化する。KEY_9鍵には、予め、暗号化処理及び復号処理に使用可能なモード0として値が設定される。SHE-A13は、暗号化された第1の鍵交換鍵をCPU11へ出力する。CPU11は、SHE-A13から受け取った暗号化された第1の鍵交換鍵を記憶部12に格納する。 (Step S132) In the key management ECU 10, in response to the command CMD_ENC_CBC (rand) input from the CPU 11, the SHE-A 13 uses the KEY_9 key as the random number rand, that is, the first key exchange key included in the command CMD_ENC_CBC (rand). Encrypt. In the KEY_9 key, a value is set in advance as a mode 0 that can be used for encryption processing and decryption processing. The SHE-A 13 outputs the encrypted first key exchange key to the CPU 11. The CPU 11 stores the encrypted first key exchange key received from the SHE-A 13 in the storage unit 12.
 なお、初回の第1の鍵交換鍵の配信時には、被認証ECU20のSHE-B23の鍵登録に必要となるMEK鍵又は予め設定されるKEY_2鍵は、被認証ECU20毎に異なる。このため、鍵管理ECU10は、被認証ECU20毎に、鍵登録メッセージ(値M1,M2及びM3)を個別に作成する必要がある。一方、二回目以降の第1の鍵交換鍵の更新時には、各被認証ECU20の第1の鍵交換鍵(SHE-B23のKEY_2鍵の値)は同一になっている。このため、二回目以降の第1の鍵交換鍵の更新では、第1の鍵交換鍵を使用して鍵登録メッセージを作成することが可能であり、被認証ECU20毎に個別に鍵登録メッセージを作成する必要はない。この点についても、第2の鍵交換鍵を配信する場合に同様に適用できる。 Note that when the first first key exchange key is delivered for the first time, the MEK key or the preset KEY_2 key required for the key registration of the SHE-B 23 of the authenticated ECU 20 is different for each authenticated ECU 20. For this reason, the key management ECU 10 needs to individually create a key registration message (values M1, M2, and M3) for each authenticated ECU 20. On the other hand, when the first key exchange key is updated for the second and subsequent times, the first key exchange key of each authenticated ECU 20 (the value of the KEY_2 key of SHE-B23) is the same. For this reason, in the second and subsequent updates of the first key exchange key, it is possible to create a key registration message using the first key exchange key. There is no need to create it. This point can be similarly applied when distributing the second key exchange key.
[MAC鍵配信処理]
 図4及び図5を参照して本実施形態に係るMAC鍵配信処理を説明する。図4及び図5は、本実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。自動車1の車載制御システムにおいて、MAC鍵には、「高速な処理速度」と「頻繁な書き換えに対する耐性」との二つの要求がある。SHEのKEY_N鍵には、書き換え回数に制限がある。このため、本実施形態では、SHEのRAM_KEY鍵にMAC鍵を登録する。MAC鍵にRAM_KEY鍵を使用することにより、暗号化及び復号、並びに、MACの生成及び検証を高速に行うことができる。KEY_N鍵とRAM_KEY鍵とを各々MAC鍵に使用した場合の処理速度の比較を以下に示す。KEY_N鍵とRAM_KEY鍵との両者共に同じベンチマークテストを実施した結果である。
 KEY_N鍵をMAC鍵に使用した場合のMAC生成処理時間:42.8マイクロ秒
 RAM_KEY鍵をMAC鍵に使用した場合のMAC生成処理時間:19.1マイクロ秒 [MAC key distribution processing]
The MAC key distribution process according to the present embodiment will be described with reference to FIGS. 4 and 5 are sequence charts showing a MAC key distribution method according to the present embodiment. In the in-vehicle control system of the automobile 1, the MAC key has two requirements of “high speed processing speed” and “resistance to frequent rewriting”. The KEY_N key of SHE has a limit on the number of rewrites. For this reason, in the present embodiment, the MAC key is registered in the RAM_KEY key of the SHE. By using the RAM_KEY key as the MAC key, encryption and decryption, and MAC generation and verification can be performed at high speed. A comparison of processing speeds when the KEY_N key and the RAM_KEY key are respectively used as MAC keys is shown below. Both the KEY_N key and the RAM_KEY key are the results of the same benchmark test.
MAC generation processing time when the KEY_N key is used as the MAC key: 42.8 microseconds MAC generation processing time when the RAM_KEY key is used as the MAC key: 19.1 microseconds
 なお、コマンドCMD_LOAD_KEYによってRAM_KEY鍵を登録する場合には、鍵登録メッセージ内の値M2にカウンタ値Counterを含まないので、リプレイ攻撃に対する脆弱性がある。このため、本実施形態では、被認証ECU20のSHE-B23が鍵管理ECU10の正当性を認証するように構成する。具体的には、SHE-B23が乱数を発生し、この乱数を鍵管理ECU10へ送り、鍵管理ECU10が該乱数のCMACを生成してSHE-B23へ送り、SHE-B23が該CMACを検証する。 Note that when the RAM_KEY key is registered by the command CMD_LOAD_KEY, the value M2 in the key registration message does not include the counter value Counter, and is vulnerable to a replay attack. Therefore, in this embodiment, the SHE-B 23 of the authenticated ECU 20 is configured to authenticate the validity of the key management ECU 10. Specifically, the SHE-B 23 generates a random number, sends this random number to the key management ECU 10, the key management ECU 10 generates a CMAC of the random number and sends it to the SHE-B 23, and the SHE-B 23 verifies the CMAC. .
 被認証ECU20のSHE-B23には、KEY_2鍵に第1の鍵交換鍵(暗号化処理及び復号処理に使用される)が登録されており、KEY_3鍵に第2の鍵交換鍵(MACの生成処理及び検証処理に使用される)が登録されている。鍵管理ECU10の記憶部12は、第1の鍵交換鍵を鍵管理ECU10のSHE-A13のKEY_9鍵で暗号化したデータ(暗号化第1の鍵交換鍵)と、第2の鍵交換鍵を鍵管理ECU10のSHE-A13のKEY_9鍵で暗号化したデータ(暗号化第2の鍵交換鍵)と、を不揮発性メモリに格納している。 In the SHE-B 23 of the authenticated ECU 20, a first key exchange key (used for encryption processing and decryption processing) is registered in the KEY_2 key, and a second key exchange key (MAC generation) is registered in the KEY_3 key. Used for processing and verification processing). The storage unit 12 of the key management ECU 10 stores the data (encrypted first key exchange key) obtained by encrypting the first key exchange key with the KEY_9 key of the SHE-A 13 of the key management ECU 10 and the second key exchange key. The data (encrypted second key exchange key) encrypted with the KEY_9 key of the SHE-A13 of the key management ECU 10 and the non-volatile memory are stored.
 なお、第1の鍵交換鍵は被認証ECU20のSHE-B23のKEY_2鍵と同じ値であり、第1の鍵交換鍵KEY_2と称する。第2の鍵交換鍵は被認証ECU20のSHE-B23のKEY_3鍵と同じ値であり、第2の鍵交換鍵KEY_3と称する。 Note that the first key exchange key has the same value as the KEY_2 key of the SHE-B 23 of the authenticated ECU 20, and is referred to as a first key exchange key KEY_2. The second key exchange key has the same value as the KEY_3 key of SHE-B23 of the authenticated ECU 20, and is referred to as a second key exchange key KEY_3.
 図4を参照して本実施形態に係るMAC鍵配信処理の第1段階を説明する。図4に示すMAC鍵配信処理の第1段階は、例えば自動車1のエンジンが停止された後、所定期間以上経過してから、エンジンが始動された時に開始される。例えば、ある一日において初めてエンジンが始動された時に、MAC鍵配信処理の第1段階が開始される。 The first stage of the MAC key distribution process according to the present embodiment will be described with reference to FIG. The first stage of the MAC key distribution process shown in FIG. 4 is started when the engine is started after elapse of a predetermined period after the engine of the automobile 1 is stopped, for example. For example, when the engine is started for the first time in a certain day, the first stage of the MAC key distribution process is started.
(ステップS141)鍵管理ECU10において、CPU11は、被認証ECU20に対して乱数の要求を行う。 (Step S141) In the key management ECU 10, the CPU 11 requests the authenticated ECU 20 for a random number.
(ステップS142)被認証ECU20において、CPU21は、鍵管理ECU10からの要求に応じて、コマンドCMD_RNDをSHE-B23へ入力する。 (Step S142) In the authenticated ECU 20, the CPU 21 inputs a command CMD_RND to the SHE-B 23 in response to a request from the key management ECU 10.
(ステップS143)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_RNDに応じて、乱数1を生成する。SHE-B23は、生成した乱数1をCPU21へ出力する。 (Step S143) In the authenticated ECU 20, the SHE-B 23 generates a random number 1 in response to the command CMD_RND input from the CPU 21. The SHE-B 23 outputs the generated random number 1 to the CPU 21.
(ステップS144)被認証ECU20において、CPU21は、SHE-B23から受け取った乱数1と、自己の被認証ECU20の識別子ECU_IDとを鍵管理ECU10へ送信する。 (Step S144) In the authenticated ECU 20, the CPU 21 transmits the random number 1 received from the SHE-B 23 and the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
 なお、被認証ECU20から自発的に、SHE-B23で発生した乱数1と、自己の被認証ECU20の識別子ECU_IDとを鍵管理ECU10へ送ってもよい。 Note that the random number 1 generated in the SHE-B 23 and the identifier ECU_ID of the self-authenticated ECU 20 may be sent to the key management ECU 10 voluntarily from the authenticated ECU 20.
(ステップS145)鍵管理ECU10において、CPU11は、コマンドCMD_RNDをSHE-A13へ入力する。 (Step S145) In the key management ECU 10, the CPU 11 inputs the command CMD_RND to the SHE-A 13.
(ステップS146)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_RNDに応じて、乱数2を生成する。SHE-A13は、生成した乱数2をCPU11へ出力する。この乱数2は、MAC鍵に使用される。CPU11は、SHE-A13から受け取った乱数2つまりMAC鍵を使用して、コマンドCMD_ENC_CBC(乱数2)をSHE-A13へ入力する。SHE-A13は、CPU11から入力されたコマンドCMD_ENC_CBC(乱数2)に応じて、該コマンドCMD_ENC_CBC(乱数2)に含まれる乱数2つまりMAC鍵をKEY_9鍵で暗号化する。SHE-A13は、暗号化されたMAC鍵をCPU11へ出力する。CPU11は、SHE-A13から受け取った暗号化されたMAC鍵を記憶部12に格納する。 (Step S146) In the key management ECU 10, the SHE-A 13 generates a random number 2 in response to the command CMD_RND input from the CPU 11. The SHE-A 13 outputs the generated random number 2 to the CPU 11. This random number 2 is used for the MAC key. The CPU 11 inputs the command CMD_ENC_CBC (random number 2) to the SHE-A 13 using the random number 2 received from the SHE-A 13, that is, the MAC key. In response to the command CMD_ENC_CBC (random number 2) input from the CPU 11, the SHE-A 13 encrypts the random number 2, that is, the MAC key included in the command CMD_ENC_CBC (random number 2) with the KEY_9 key. The SHE-A 13 outputs the encrypted MAC key to the CPU 11. The CPU 11 stores the encrypted MAC key received from the SHE-A 13 in the storage unit 12.
(ステップS147)鍵管理ECU10において、CPU11は、記憶部12に格納されている暗号化第2の鍵交換鍵を復号するために、該暗号化第2の鍵交換鍵を使用してコマンドCMD_DEC_CBC(暗号化第2の鍵交換鍵)をSHE-A13へ入力する。 (Step S147) In the key management ECU 10, the CPU 11 uses the encrypted second key exchange key to decrypt the encrypted second key exchange key stored in the storage unit 12, and executes a command CMD_DEC_CBC ( (Encrypted second key exchange key) is input to SHE-A13.
(ステップS148)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_DEC_CBC(暗号化第2の鍵交換鍵)に応じて、該コマンドCMD_DEC_CBC(暗号化第2の鍵交換鍵)に含まれる暗号化第2の鍵交換鍵をKEY_9鍵で復号する。KEY_9鍵は、暗号化第1の鍵交換鍵及び暗号化第2の鍵交換鍵の暗号化に使用された鍵である。SHE-A13は、暗号化第2の鍵交換鍵の復号の結果である第2の鍵交換鍵KEY_3をCPU11へ出力する。 (Step S148) In the key management ECU 10, the SHE-A 13 is included in the command CMD_DEC_CBC (encrypted second key exchange key) according to the command CMD_DEC_CBC (encrypted second key exchange key) input from the CPU 11. The encrypted second key exchange key is decrypted with the KEY_9 key. The KEY_9 key is a key used for encryption of the encrypted first key exchange key and the encrypted second key exchange key. The SHE-A 13 outputs the second key exchange key KEY_3, which is the result of decryption of the encrypted second key exchange key, to the CPU 11.
(ステップS149)鍵管理ECU10において、CPU11は、SHE-A13から受け取った第2の鍵交換鍵KEY_3を使用して、コマンドCMD_LOAD_PLAIN_KEY(KEY_3)をSHE-A13へ入力する。 (Step S149) In the key management ECU 10, the CPU 11 inputs the command CMD_LOAD_PLAIN_KEY (KEY_3) to the SHE-A13 using the second key exchange key KEY_3 received from the SHE-A13.
(ステップS150)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_LOAD_PLAIN_KEY(KEY_3)に応じて、該コマンドCMD_LOAD_PLAIN_KEY(KEY_3)に含まれる第2の鍵交換鍵KEY_3をRAM_KEY鍵に登録する。SHE-A13は、RAM_KEY鍵の登録完了「OK」をCPU11へ応答する。 (Step S150) In the key management ECU 10, the SHE-A 13 registers the second key exchange key KEY_3 included in the command CMD_LOAD_PLAIN_KEY (KEY_3) in the RAM_KEY key according to the command CMD_LOAD_PLAIN_KEY (KEY_3) input from the CPU 11. . The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11.
(ステップS151)鍵管理ECU10において、CPU11は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、CPU11がSHE-A13から受け取った乱数2つまりMAC鍵を、被認証ECU20のSHE-B23のRAM_KEY鍵に登録するための各値である。CPU11は、値M2を生成する際には、コマンド「CMD_ENC_CBC with RAM_KEY」によってSHE-A13に暗号化処理を実行させる。値M2には、CPU11がSHE-A13から受け取った乱数2つまりMAC鍵を含める。CPU11は、値M3を生成する際には、コマンド「CMD_GENERATE_MAC with RAM_KEY」によってSHE-A13にCMACを生成させる。また、CPU11は、被認証ECU20から受信した乱数1を使用して、コマンドCMD_GENERATE_MAC(乱数1)をSHE-A13へ入力する。 (Step S151) In the key management ECU 10, the CPU 11 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the random number 2 received by the CPU 11 from the SHE-A 13, that is, the MAC key, into the RAM_KEY key of the SHE-B 23 of the ECU 20 to be authenticated. When generating the value M2, the CPU 11 causes the SHE-A 13 to execute an encryption process using the command “CMD_ENC_CBC with RAM_KEY”. The value M2 includes the random number 2 that the CPU 11 received from the SHE-A 13, that is, the MAC key. When generating the value M3, the CPU 11 causes the SHE-A 13 to generate CMAC by the command “CMD_GENERATE_MAC with RAM_KEY”. Further, the CPU 11 inputs a command CMD_GENERATE_MAC (random number 1) to the SHE-A 13 using the random number 1 received from the authenticated ECU 20.
(ステップS152)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_GENERATE_MAC(乱数1)に応じて、CMACを生成する。このCMACの生成では、SHE-A13は、RAM_KEY鍵つまり第2の鍵交換鍵KEY_3を使用して乱数1のCMACを生成する。SHE-A13は、生成した乱数1のCMACをCPU11へ出力する。 (Step S152) In the key management ECU 10, the SHE-A 13 generates a CMAC according to the command CMD_GENERATE_MAC (random number 1) input from the CPU 11. In this CMAC generation, the SHE-A 13 generates a random number 1 CMAC using the RAM_KEY key, that is, the second key exchange key KEY_3. The SHE-A 13 outputs the generated CMAC of the random number 1 to the CPU 11.
(ステップS153)鍵管理ECU10において、CPU11は、生成した値M1,M2及びM3と、SHE-A13から受け取った乱数1のCMACとを被認証ECU20へ送信する。 (Step S153) In the key management ECU 10, the CPU 11 transmits the generated values M1, M2, and M3 and the CMAC of the random number 1 received from the SHE-A 13 to the authenticated ECU 20.
(ステップS154)被認証ECU20において、CPU21は、鍵管理ECU10から受信したCMACを検証するために、コマンドCMD_VERIFY_MACをSHE-A13へ入力する。 (Step S154) In the authenticated ECU 20, the CPU 21 inputs a command CMD_VERIFY_MAC to the SHE-A 13 in order to verify the CMAC received from the key management ECU 10.
(ステップS155)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_VERIFY_MACに応じて、該コマンドCMD_VERIFY_MACに含まれるCMACを検証する。このCMACの検証では、SHE-B23は、自己が生成した乱数1と、KEY_3鍵つまり第2の鍵交換鍵KEY_3とを使用する。SHE-B23は、CMACの検証結果「合格(OK)又は不合格(NG)」をCPU21へ出力する。CPU21は、SHE-B23から受け取ったCMACの検証結果が合格(OK)である場合には鍵管理ECU10の正当性の認証が合格であると判断し、一方、SHE-B23から受け取ったCMACの検証結果が不合格(NG)である場合には鍵管理ECU10の正当性の認証が不合格であると判断する。鍵管理ECU10の正当性の認証が合格である場合にはステップS156に進む。一方、鍵管理ECU10の正当性の認証が不合格である場合には図4の処理を終了する。 (Step S155) In the authenticated ECU 20, the SHE-B 23 verifies the CMAC included in the command CMD_VERIFY_MAC according to the command CMD_VERIFY_MAC input from the CPU 21. In this CMAC verification, the SHE-B 23 uses the random number 1 generated by itself and the KEY_3 key, that is, the second key exchange key KEY_3. The SHE-B 23 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 21. When the verification result of the CMAC received from the SHE-B 23 is acceptable (OK), the CPU 21 determines that the authentication of the validity of the key management ECU 10 is successful, while verifying the CMAC received from the SHE-B 23 If the result is rejected (NG), it is determined that the authenticity of the key management ECU 10 is rejected. If the authentication of the validity of the key management ECU 10 is successful, the process proceeds to step S156. On the other hand, if the authentication of the validity of the key management ECU 10 fails, the process of FIG. 4 is terminated.
(ステップS156)被認証ECU20において、CPU21は、鍵管理ECU10から受信した値M1,M2及びM3を使用して、コマンドCMD_LOAD_KEY(M1,M2,M3)をSHE-B23へ入力する。 (Step S156) In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 received from the key management ECU 10 to input a command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23.
(ステップS157)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_LOAD_KEY(M1,M2,M3)に応じて、該コマンドCMD_LOAD_KEY(M1,M2,M3)に含まれる乱数2つまりMAC鍵をRAM_KEY鍵に登録する。SHE-B23は、RAM_KEY鍵の登録完了「OK」をCPU21へ応答する。 (Step S157) In the ECU 20 to be authenticated, the SHE-B 23 responds to the command CMD_LOAD_KEY (M1, M2, M3) input from the CPU 21, and the random number 2, that is, the MAC key included in the command CMD_LOAD_KEY (M1, M2, M3). Is registered in the RAM_KEY key. The SHE-B 23 returns a RAM_KEY key registration completion “OK” to the CPU 21.
 次に図5を参照して本実施形態に係るMAC鍵配信処理の第2段階を説明する。MAC鍵配信処理の第2段階は、上述した図4に示すMAC鍵配信処理の第1段階によって被認証ECU20のSHE-B23のRAM_KEY鍵にMAC鍵が登録された後に実施される。被認証ECU20は、MAC鍵配信処理の第1段階のステップS153において鍵管理ECU10から受信した値M1,M2及びM3を、記憶部22の不揮発性メモリに格納している。図5に示すMAC鍵配信処理の第2段階は、例えば自動車1の走行の際に駐車等によりエンジンが停止された後、所定期間内にエンジンが再始動された時に開始される。 Next, the second stage of the MAC key distribution process according to this embodiment will be described with reference to FIG. The second stage of the MAC key distribution process is performed after the MAC key is registered in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20 in the first stage of the MAC key distribution process shown in FIG. The authenticated ECU 20 stores the values M1, M2, and M3 received from the key management ECU 10 in step S153 of the first stage of the MAC key distribution process in the nonvolatile memory of the storage unit 22. The second stage of the MAC key distribution process shown in FIG. 5 is started when the engine is restarted within a predetermined period after the engine is stopped by parking or the like when the automobile 1 is traveling.
(ステップS171)被認証ECU20において、CPU21は、記憶部22の不揮発性メモリに格納されている値M1,M2及びM3を使用して、コマンドCMD_LOAD_KEY(M1,M2,M3)をSHE-B23へ入力する。 (Step S171) In the authenticated ECU 20, the CPU 21 uses the values M1, M2, and M3 stored in the nonvolatile memory of the storage unit 22 to input the command CMD_LOAD_KEY (M1, M2, M3) to the SHE-B23. To do.
(ステップS172)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_LOAD_KEY(M1,M2,M3)に応じて、該コマンドCMD_LOAD_KEY(M1,M2,M3)に含まれる乱数2つまりMAC鍵をRAM_KEY鍵に登録する。SHE-B23は、RAM_KEY鍵の登録完了「OK」をCPU21へ応答する。 (Step S 172) In the authenticated ECU 20, the SHE-B 23 responds to the command CMD_LOAD_KEY (M 1, M 2, M 3) input from the CPU 21 and the random number 2 included in the command CMD_LOAD_KEY (M 1, M 2, M 3), that is, the MAC key Is registered in the RAM_KEY key. The SHE-B 23 returns a RAM_KEY key registration completion “OK” to the CPU 21.
(ステップS173)被認証ECU20において、CPU21は、コマンドCMD_RNDをSHE-B23へ入力する。 (Step S173) In the authenticated ECU 20, the CPU 21 inputs the command CMD_RND to the SHE-B23.
(ステップS174)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_RNDに応じて、乱数1を生成する。SHE-B23は、生成した乱数1をCPU21へ出力する。 (Step S174) In the authenticated ECU 20, the SHE-B 23 generates a random number 1 in response to the command CMD_RND input from the CPU 21. The SHE-B 23 outputs the generated random number 1 to the CPU 21.
(ステップS175)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDと乱数1とを使用して、コマンドCMD_GENERATE_MAC(ECU_ID,乱数1)をSHE-B23へ入力する。 (Step S175) In the authenticated ECU 20, the CPU 21 inputs the command CMD_GENERATE_MAC (ECU_ID, random number 1) to the SHE-B 23 using the identifier ECU_ID of the ECU 20 to be authenticated and the random number 1.
(ステップS176)被認証ECU20において、SHE-B23は、CPU21から入力されたコマンドCMD_GENERATE_MAC(ECU_ID,乱数1)に応じて、CMACを生成する。このCMACの生成では、SHE-B23は、RAM_KEY鍵つまりMAC鍵を使用して、ECU_ID及び乱数1についてのCMACを生成する。例えば、ECU_IDと乱数1との連結データについてのCMACを生成する。SHE-B23は、生成したCMACをCPU21へ出力する。 (Step S176) In the authenticated ECU 20, the SHE-B 23 generates a CMAC according to the command CMD_GENERATE_MAC (ECU_ID, random number 1) input from the CPU 21. In the generation of the CMAC, the SHE-B 23 generates the CMAC for the ECU_ID and the random number 1 using the RAM_KEY key, that is, the MAC key. For example, the CMAC for the concatenated data of ECU_ID and random number 1 is generated. The SHE-B 23 outputs the generated CMAC to the CPU 21.
(ステップS177)被認証ECU20において、CPU21は、SHE-B23から受け取った乱数1と、自己の被認証ECU20の識別子ECU_IDと、SHE-B23から受け取ったCMACとを鍵管理ECU10へ送信する。 (Step S177) In the authenticated ECU 20, the CPU 21 transmits the random number 1 received from the SHE-B 23, the identifier ECU_ID of its own authenticated ECU 20 and the CMAC received from the SHE-B 23 to the key management ECU 10.
(ステップS178)鍵管理ECU10において、CPU11は、記憶部12に格納されている暗号化されたMAC鍵を復号するために、該暗号化されたMAC鍵を使用してコマンドCMD_DEC_CBC(暗号化されたMAC鍵)をSHE-A13へ入力する。SHE-A13は、CPU11から入力されたコマンドCMD_DEC_CBC(暗号化されたMAC鍵)に応じて、該コマンドCMD_DEC_CBC(暗号化されたMAC鍵)に含まれる暗号化されたMAC鍵をKEY_9鍵で復号する。KEY_9鍵は、暗号化されたMAC鍵の暗号化に使用された鍵である。SHE-A13は、暗号化されたMAC鍵の復号の結果であるMAC鍵をCPU11へ出力する。CPU11は、SHE-A13から受け取ったMAC鍵を使用して、コマンドCMD_LOAD_PLAIN_KEY(MAC鍵)をSHE-A13へ入力する。SHE-A13は、CPU11から入力されたコマンドCMD_LOAD_PLAIN_KEY(MAC鍵)に応じて、該コマンドCMD_LOAD_PLAIN_KEY(MAC鍵)に含まれるMAC鍵をRAM_KEY鍵に登録する。SHE-A13は、RAM_KEY鍵の登録完了「OK」をCPU11へ応答する。CPU11は、被認証ECU20から受信した乱数1と被認証ECU20の識別子ECU_IDとCMACとを使用して、コマンドCMD_VERIFY_MAC(CMAC)をSHE-A13へ入力する。 (Step S178) In the key management ECU 10, the CPU 11 uses the encrypted MAC key to decrypt a command CMD_DEC_CBC (encrypted) in order to decrypt the encrypted MAC key stored in the storage unit 12. MAC key) is input to SHE-A13. In response to the command CMD_DEC_CBC (encrypted MAC key) input from the CPU 11, the SHE-A 13 decrypts the encrypted MAC key included in the command CMD_DEC_CBC (encrypted MAC key) with the KEY_9 key. . The KEY_9 key is a key used for encrypting the encrypted MAC key. The SHE-A 13 outputs a MAC key, which is a result of decryption of the encrypted MAC key, to the CPU 11. The CPU 11 uses the MAC key received from the SHE-A 13 to input a command CMD_LOAD_PLAIN_KEY (MAC key) to the SHE-A 13. In response to the command CMD_LOAD_PLAIN_KEY (MAC key) input from the CPU 11, the SHE-A 13 registers the MAC key included in the command CMD_LOAD_PLAIN_KEY (MAC key) in the RAM_KEY key. The SHE-A 13 returns a RAM_KEY key registration completion “OK” to the CPU 11. The CPU 11 inputs a command CMD_VERIFY_MAC (CMAC) to the SHE-A 13 using the random number 1 received from the authenticated ECU 20, the identifier ECU_ID of the authenticated ECU 20, and the CMAC.
(ステップS179)鍵管理ECU10において、SHE-A13は、CPU11から入力されたコマンドCMD_VERIFY_MAC(CMAC)に応じて、該コマンドCMD_VERIFY_MAC(CMAC)に含まれるCMACを検証する。このCMACの検証では、SHE-A13は、該コマンドCMD_VERIFY_MAC(CMAC)に含まれる乱数1及び被認証ECU20の識別子ECU_IDと、RAM_KEY鍵に登録されているMAC鍵と、を使用する。 (Step S179) In the key management ECU 10, the SHE-A 13 verifies the CMAC included in the command CMD_VERIFY_MAC (CMAC) according to the command CMD_VERIFY_MAC (CMAC) input from the CPU 11. In this CMAC verification, the SHE-A 13 uses the random number 1 included in the command CMD_VERIFY_MAC (CMAC), the identifier ECU_ID of the ECU 20 to be authenticated, and the MAC key registered in the RAM_KEY key.
 SHE-A13は、CMACの検証結果「合格(OK)又は不合格(NG)」をCPU11へ出力する。CPU11は、SHE-A13から受け取ったCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、SHE-A13から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。被認証ECU20の正当性の認証が合格である場合にはステップS180に進む。一方、被認証ECU20の正当性の認証が不合格である場合には図5の処理を終了する。被認証ECU20の正当性の認証が不合格である場合には図4に示すMAC鍵配信処理の第1段階を行ってもよい。 The SHE-A 13 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11. When the CMAC verification result received from the SHE-A 13 is acceptable (OK), the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is successful, while the CMAC received from the SHE-A 13 is verified. When the result is rejected (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected. If the authentication of the authenticator ECU 20 is successful, the process proceeds to step S180. On the other hand, when the authentication of the authenticity of the authenticated ECU 20 fails, the process of FIG. When the authenticity of the authenticated ECU 20 is unacceptable, the first stage of the MAC key distribution process shown in FIG. 4 may be performed.
 次いでステップS180からS186までが実行される。ステップS180からS186までは、図4に示すステップS151からS157までと同じである。但し、ステップS180で生成する値M1,M2及びM3は、新しいMAC鍵を、被認証ECU20のSHE-B23のRAM_KEY鍵に登録するための各値である。新しいMAC鍵には、図4に示すステップS145からS146と同様にしてSHE-A13で発生させた新しい乱数2を使用してもよい。 Next, steps S180 to S186 are executed. Steps S180 to S186 are the same as steps S151 to S157 shown in FIG. However, the values M1, M2, and M3 generated in step S180 are values for registering the new MAC key in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20. For the new MAC key, the new random number 2 generated by the SHE-A 13 may be used in the same manner as in steps S145 to S146 shown in FIG.
 上述した図5に示すMAC鍵配信処理の第2段階によって、新しいMAC鍵への更新が行われる。 The update to the new MAC key is performed by the second stage of the MAC key distribution process shown in FIG.
 なお、上述した図5のステップS180では、乱数1のCMACを生成するが、ステップS179においてCMACの検証結果が合格(OK)である場合には、CMACの検証の合格を示す文字列、例えば「OK」と被認証ECU20の識別子ECU_IDとについてのCMACを生成してもよい。例えば、文字列「OK」と被認証ECU20の識別子ECU_IDとの連結データについてのCMACを生成する。 Note that in step S180 of FIG. 5 described above, the CMAC of the random number 1 is generated. If the CMAC verification result is acceptable (OK) in step S179, a character string indicating that the CMAC verification is successful, for example, “ A CMAC for “OK” and the identifier ECU_ID of the authenticated ECU 20 may be generated. For example, the CMAC for the concatenated data between the character string “OK” and the identifier ECU_ID of the authenticated ECU 20 is generated.
 さらに、上述した図5のステップS180では、新しいMAC鍵への更新を行うが、ステップS179においてCMACの検証結果が合格(OK)である場合には、新しいMAC鍵への更新を実施しないでSHE-B23のRAM_KEY鍵に現在登録されているMAC鍵を使用してもよい。これにより、鍵管理ECU10から被認証ECU20へ値M1,M2及びM3を送る必要がなくなるので、処理の高速化が可能である。 Further, in step S180 of FIG. 5 described above, the new MAC key is updated. If the CMAC verification result is OK (OK) in step S179, the SHE is not performed without performing the update to the new MAC key. -The MAC key currently registered in the RAM_KEY key of B23 may be used. As a result, there is no need to send the values M1, M2 and M3 from the key management ECU 10 to the authenticated ECU 20, so that the processing speed can be increased.
 また、本実施形態において、値M1の算出には鍵を使用しない。このため、鍵管理ECU10は、値M2及びM3のみを被認証ECU20へ送信し、値M1については被認証ECU20へ送信しないようにしてもよい。この場合、被認証ECU20は、自己が算出した値M1と、鍵管理ECU10から受信した値M2及びM3とを組み合わせて使用する。これにより、鍵管理ECU10から被認証ECU20へ値M1を送る必要がなくなるので、処理の高速化が可能である。 In the present embodiment, no key is used to calculate the value M1. For this reason, the key management ECU 10 may transmit only the values M2 and M3 to the authenticated ECU 20, and may not transmit the value M1 to the authenticated ECU 20. In this case, the authenticated ECU 20 uses the value M1 calculated by itself and the values M2 and M3 received from the key management ECU 10 in combination. As a result, there is no need to send the value M1 from the key management ECU 10 to the authenticated ECU 20, so that the processing speed can be increased.
[第2実施形態]
 図6は、本実施形態に係る自動車1に備わる車載コンピュータシステムの構成例を示す図である。図6において、図1の各部に対応する部分には同一の符号を付け、その説明を省略する。以下、第1実施形態と異なる部分を主に説明する。第1実施形態に係る第1のECU10では暗号処理チップとしてSHEを使用したが、第2実施形態に係る第1のECU10では暗号処理チップとして「Evita-medium」と呼ばれるHSM(Hardware Security Module)を使用する。 [Second Embodiment]
FIG. 6 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment. In FIG. 6, parts corresponding to those in FIG. Hereinafter, parts different from the first embodiment will be mainly described. In the first ECU 10 according to the first embodiment, SHE is used as the cryptographic processing chip. However, in the first ECU 10 according to the second embodiment, an HSM (Hardware Security Module) called “Evita-medium” is used as the cryptographic processing chip. use.
 図6において、第1のECU10は、CPU11と記憶部12とHSM14とを備える。HSM14は、「Evita-medium」と呼ばれるHSMである。HSM14は暗号処理機能を有する。HSM14は耐タンパー性を有する。HSM14はセキュアエレメントの例である。第2のECU20は、CPU21と記憶部22とSHE23とを備える。 In FIG. 6, the first ECU 10 includes a CPU 11, a storage unit 12, and an HSM 14. The HSM 14 is an HSM called “Evita-medium”. The HSM 14 has a cryptographic processing function. HSM14 has tamper resistance. The HSM 14 is an example of a secure element. The second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
 次に、図7から図10を参照して、本実施形態に係るECU認証処理、鍵交換鍵配信処理、及び、MAC鍵配信処理を説明する。 Next, an ECU authentication process, a key exchange key distribution process, and a MAC key distribution process according to the present embodiment will be described with reference to FIGS.
[ECU認証処理]
 図7を参照して本実施形態に係るECU認証処理を説明する。図7は、本実施形態に係るECU認証方法を示すシーケンスチャートである。鍵管理ECU10のHSM14には、予め、例えば鍵管理ECU10の製造時などに、マスター鍵MSが設定される。 [ECU certification process]
An ECU authentication process according to this embodiment will be described with reference to FIG. FIG. 7 is a sequence chart showing an ECU authentication method according to the present embodiment. The master key MS is set in the HSM 14 of the key management ECU 10 in advance, for example, when the key management ECU 10 is manufactured.
(ステップS201)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDを鍵管理ECU10へ送信する。 (Step S201) In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
(ステップS202)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDをHSM14へ入力する。 (Step S202) In the key management ECU 10, the CPU 11 inputs the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the HSM 14.
(ステップS203)鍵管理ECU10において、HSM14は、CPU11から入力された被認証ECU20の識別子ECU_IDと、自己が保持するマスター鍵MSとを使用して、被認証ECU20の初期鍵を生成する。この初期鍵の生成では、上記の式(4)によりCMACを算出する。この算出されるCMACは、被認証ECU20の初期鍵であって被認証ECU20のSHE-B23のKEY_1鍵に設定されている値と同じ値である。被認証ECU20の初期鍵のことを初期鍵KEY_1と称する。HSM14は、算出したCMACつまり初期鍵KEY_1を自己のメモリに格納する。また、HSM14は、乱数randを生成する。HSM14は、生成した乱数randをCPU11へ出力する。HSM14は、生成した乱数randを自己のメモリに格納する。 (Step S203) In the key management ECU 10, the HSM 14 generates an initial key of the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 input from the CPU 11 and the master key MS held by itself. In generating the initial key, the CMAC is calculated by the above equation (4). This calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE-B 23 of the authenticated ECU 20. The initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1. The HSM 14 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Further, the HSM 14 generates a random number rand. The HSM 14 outputs the generated random number rand to the CPU 11. The HSM 14 stores the generated random number rand in its own memory.
(ステップS204)鍵管理ECU10において、CPU11は、HSM14から受け取った乱数randを被認証ECU20へ送信する。 (Step S204) In the key management ECU 10, the CPU 11 transmits the random number rand received from the HSM 14 to the ECU 20 to be authenticated.
 次いでステップS205からS207までが実行される。ステップS205からS207までは、図2に示すステップS109からS111までと同じである。 Next, steps S205 to S207 are executed. Steps S205 to S207 are the same as steps S109 to S111 shown in FIG.
(ステップS208)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDとCMACとをHSM14へ入力する。 (Step S208) In the key management ECU 10, the CPU 11 inputs the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the HSM 14.
(ステップS209)鍵管理ECU10において、HSM14は、CPU11から入力されたCMACの検証を行う。このCMACの検証では、HSM14は、自己のメモリに格納されている初期鍵KEY_1を使用して、自己のメモリに格納されている乱数randについてCMACを算出する。次いで、HSM14は、該算出したCMACと、CPU11から入力されたCMACとを比較する。この比較の結果、両者が一致する場合にはCMACの検証が合格であり、一方、両者が不一致である場合にはCMACの検証が不合格である。HSM14は、該CMACの検証結果「合格(OK)又は不合格(NG)」をCPU11へ出力する。CPU11は、HSM14から受け取ったCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、HSM14から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。 (Step S209) In the key management ECU 10, the HSM 14 verifies the CMAC input from the CPU 11. In this CMAC verification, the HSM 14 calculates the CMAC for the random number rand stored in its own memory using the initial key KEY_1 stored in its own memory. Next, the HSM 14 compares the calculated CMAC with the CMAC input from the CPU 11. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The HSM 14 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11. When the verification result of the CMAC received from the HSM 14 is acceptable (OK), the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is acceptable, while the verification result of the CMAC received from the HSM 14 is unacceptable. In the case of (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 has failed.
[鍵交換鍵配信処理]
 図8を参照して本実施形態に係る鍵交換鍵配信処理を説明する。図8は、本実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。本実施形態では、第1実施形態と同様に、第1の鍵交換鍵(暗号化処理及び復号処理に使用される鍵)と第2の鍵交換鍵(MACの生成処理及び検証処理に使用される鍵)とを使用する。 [Key exchange key distribution processing]
A key exchange key distribution process according to the present embodiment will be described with reference to FIG. FIG. 8 is a sequence chart showing the key exchange key distribution method according to the present embodiment. In the present embodiment, as in the first embodiment, the first key exchange key (the key used for the encryption process and the decryption process) and the second key exchange key (used for the MAC generation process and the verification process). Key).
 以下、図8を参照して第1の鍵交換鍵を配信する場合を例に挙げて説明する。第2の鍵交換鍵を配信する場合も、第1の鍵交換鍵を配信する場合と同様である。 Hereinafter, a case where the first key exchange key is distributed will be described as an example with reference to FIG. The distribution of the second key exchange key is the same as the distribution of the first key exchange key.
(ステップS211)鍵管理ECU10において、CPU11は、鍵交換鍵の配信先の被認証ECU20の識別子ECU_IDを使用して、鍵交換鍵作成依頼(ECU_ID)をHSM14へ入力する。 (Step S211) In the key management ECU 10, the CPU 11 inputs a key exchange key creation request (ECU_ID) to the HSM 14 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
(ステップS212)鍵管理ECU10において、HSM14は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、第1の鍵交換鍵を被認証ECU20のSHE-B23のKEY_2鍵に登録するための各値である。HSM14は、マスター鍵MSからMEK鍵を生成する。HSM14は、乱数を生成し、生成した乱数を第1の鍵交換鍵に使用する。なお、HSM14は、マスター鍵MSから第1の鍵交換鍵を生成してもよい。HSM14は、第1の鍵交換鍵を自己のメモリに格納する。HSM14は、生成した値M1,M2及びM3をCPU11へ出力する。 (Step S212) In the key management ECU 10, the HSM 14 generates values M1, M2, and M3. The values M1, M2, and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE-B 23 of the authenticated ECU 20. The HSM 14 generates a MEK key from the master key MS. The HSM 14 generates a random number and uses the generated random number as the first key exchange key. The HSM 14 may generate the first key exchange key from the master key MS. The HSM 14 stores the first key exchange key in its own memory. The HSM 14 outputs the generated values M1, M2, and M3 to the CPU 11.
(ステップS213)鍵管理ECU10において、CPU11は、HSM14から受け取った値M1,M2及びM3を被認証ECU20へ送信する。 (Step S213) In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the HSM 14 to the authenticated ECU 20.
 次いでステップS214からS216までが実行される。ステップS214からS216までは、図3に示すステップS128からS130までと同じである。 Next, steps S214 to S216 are executed. Steps S214 to S216 are the same as steps S128 to S130 shown in FIG.
 なお、2回目以降の鍵交換鍵の配信では、登録済みの第1の鍵交換鍵を使用して、鍵登録メッセージ(値M1,M2及びM3)を生成することにより、該鍵登録メッセージ(値M1,M2及びM3)を各被認証ECU20に対して共通に使用できる。例えば、該鍵登録メッセージ(値M1,M2及びM3)をブロードキャストすることが可能である。この点についても、第2の鍵交換鍵を配信する場合に同様に適用できる。 In the second and subsequent key exchange key distribution, the key registration message (values M1, M2, and M3) is generated by using the registered first key exchange key. M1, M2 and M3) can be commonly used for each ECU 20 to be authenticated. For example, the key registration message (values M1, M2, and M3) can be broadcast. This point can be similarly applied when distributing the second key exchange key.
[MAC鍵配信処理]
 図9及び図10を参照して本実施形態に係るMAC鍵配信処理を説明する。図9及び図10は、本実施形態に係るMAC鍵配信方法を示すシーケンスチャートである。被認証ECU20のSHE-B23には、KEY_2鍵に第1の鍵交換鍵(暗号化処理及び復号処理に使用される)が登録されており、KEY_3鍵に第2の鍵交換鍵(MACの生成処理及び検証処理に使用される)が登録されている。鍵管理ECU10のHSM14は、第1の鍵交換鍵をと第2の鍵交換鍵とを自己のメモリに格納している。 [MAC key distribution processing]
The MAC key distribution processing according to the present embodiment will be described with reference to FIGS. 9 and 10 are sequence charts showing the MAC key distribution method according to the present embodiment. In the SHE-B 23 of the authenticated ECU 20, a first key exchange key (used for encryption processing and decryption processing) is registered in the KEY_2 key, and a second key exchange key (MAC generation) is registered in the KEY_3 key. Used for processing and verification processing). The HSM 14 of the key management ECU 10 stores the first key exchange key and the second key exchange key in its own memory.
 なお、第1の鍵交換鍵は被認証ECU20のSHE-B23のKEY_2鍵と同じ値であり、第1の鍵交換鍵KEY_2と称する。第2の鍵交換鍵は被認証ECU20のSHE-B23のKEY_3鍵と同じ値であり、第2の鍵交換鍵KEY_3と称する。 Note that the first key exchange key has the same value as the KEY_2 key of the SHE-B 23 of the authenticated ECU 20, and is referred to as a first key exchange key KEY_2. The second key exchange key has the same value as the KEY_3 key of SHE-B23 of the authenticated ECU 20, and is referred to as a second key exchange key KEY_3.
 図9を参照して本実施形態に係るMAC鍵配信処理の第1段階を説明する。図9に示すMAC鍵配信処理の第1段階は、例えば自動車1のエンジンが停止された後、所定期間以上経過してから、エンジンが始動された時に開始される。例えば、ある一日において初めてエンジンが始動された時に、MAC鍵配信処理の第1段階が開始される。 The first stage of the MAC key distribution process according to the present embodiment will be described with reference to FIG. The first stage of the MAC key distribution process shown in FIG. 9 is started when the engine is started after elapse of a predetermined period after the engine of the automobile 1 is stopped, for example. For example, when the engine is started for the first time in a certain day, the first stage of the MAC key distribution process is started.
 ステップS231からS234までが実行される。ステップS231からS234までは、図4に示すステップS141からS144までと同じである。 Steps S231 to S234 are executed. Steps S231 to S234 are the same as steps S141 to S144 shown in FIG.
(ステップS235)鍵管理ECU10において、CPU11は、被認証ECU20から受信した乱数1をHSM14へ入力する。 (Step S <b> 235) In the key management ECU 10, the CPU 11 inputs the random number 1 received from the authenticated ECU 20 to the HSM 14.
(ステップS236)鍵管理ECU10において、HSM14は、乱数を生成し、生成した乱数をMAC鍵に使用する。HSM14は、MAC鍵を自己のメモリに格納する。HSM14は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、MAC鍵を被認証ECU20のSHE-B23のRAM_KEY鍵に登録するための各値である。HSM14は、自己のメモリに格納されている第1の鍵交換鍵KEY_2を使用して、値M1,M2及びM3を生成する。HSM14は、CPU11から入力された乱数1についてCMACを生成する。このCMACの生成では、HSM14は、自己のメモリに格納されている第2の鍵交換鍵KEY_3を使用して乱数1のCMACを生成する。HSM14は、生成した値M1,M2及びM3と、CMACとをCPU11へ出力する。 (Step S236) In the key management ECU 10, the HSM 14 generates a random number and uses the generated random number as the MAC key. The HSM 14 stores the MAC key in its own memory. HSM 14 generates values M1, M2 and M3. The values M1, M2, and M3 are values for registering the MAC key in the RAM_KEY key of the SHE-B23 of the ECU 20 to be authenticated. The HSM 14 generates values M1, M2, and M3 using the first key exchange key KEY_2 stored in its own memory. The HSM 14 generates a CMAC for the random number 1 input from the CPU 11. In the generation of the CMAC, the HSM 14 generates the CMAC of the random number 1 using the second key exchange key KEY_3 stored in its own memory. The HSM 14 outputs the generated values M1, M2, and M3 and CMAC to the CPU 11.
(ステップS237)鍵管理ECU10において、CPU11は、HSM14から受け取った値M1,M2及びM3とCMACとを被認証ECU20へ送信する。 (Step S237) In the key management ECU 10, the CPU 11 transmits the values M1, M2, M3 and CMAC received from the HSM 14 to the authenticated ECU 20.
 次いでステップS238からS241までが実行される。ステップS238からS241までは、図4に示すステップS154からS157までと同じである。 Next, steps S238 to S241 are executed. Steps S238 to S241 are the same as steps S154 to S157 shown in FIG.
(ステップS242)被認証ECU20において、CPU21は、MAC鍵の登録完了「OK」を鍵管理ECU10へ送信する。 (Step S <b> 242) In the authenticated ECU 20, the CPU 21 transmits a MAC key registration completion “OK” to the key management ECU 10.
 次に図10を参照して本実施形態に係るMAC鍵配信処理の第2段階を説明する。MAC鍵配信処理の第2段階は、上述した図9に示すMAC鍵配信処理の第1段階によって被認証ECU20のSHE-B23のRAM_KEY鍵にMAC鍵が登録された後に実施される。被認証ECU20は、MAC鍵配信処理の第1段階のステップS237において鍵管理ECU10から受信した値M1,M2及びM3を、記憶部22の不揮発性メモリに格納している。図10に示すMAC鍵配信処理の第2段階は、例えば自動車1の走行の際に駐車等によりエンジンが停止された後、所定期間内にエンジンが再始動された時に開始される。 Next, the second stage of the MAC key distribution process according to this embodiment will be described with reference to FIG. The second stage of the MAC key distribution process is performed after the MAC key is registered in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20 in the first stage of the MAC key distribution process shown in FIG. The authenticated ECU 20 stores the values M1, M2, and M3 received from the key management ECU 10 in step S237 of the first stage of the MAC key distribution process in the nonvolatile memory of the storage unit 22. The second stage of the MAC key distribution process shown in FIG. 10 is started when the engine is restarted within a predetermined period after the engine is stopped by parking or the like when the automobile 1 is traveling.
 ステップS261からS267までが実行される。ステップS261からS267までは、図5に示すステップS171からS177までと同じである。 Steps S261 to S267 are executed. Steps S261 to S267 are the same as steps S171 to S177 shown in FIG.
(ステップS268)鍵管理ECU10において、CPU11は、被認証ECU20から受信した乱数1と被認証ECU20の識別子ECU_IDとCMACとをHSM14へ入力する。 (Step S268) In the key management ECU 10, the CPU 11 inputs the random number 1 received from the authenticated ECU 20, the identifier ECU_ID and CMAC of the authenticated ECU 20 to the HSM 14.
(ステップS269)鍵管理ECU10において、HSM14は、CPU11から入力されたCMACを検証する。このCMACの検証では、HSM14は、自己のメモリに格納されているMAC鍵を使用する。 (Step S269) In the key management ECU 10, the HSM 14 verifies the CMAC input from the CPU 11. In this CMAC verification, the HSM 14 uses a MAC key stored in its own memory.
 HSM14は、CMACの検証結果「合格(OK)又は不合格(NG)」をCPU11へ出力する。CPU11は、HSM14から受け取ったCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、HSM14から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。被認証ECU20の正当性の認証が合格である場合には以降の処理を実行する。一方、被認証ECU20の正当性の認証が不合格である場合には図10の処理を終了する。被認証ECU20の正当性の認証が不合格である場合には図9に示すMAC鍵配信処理の第1段階を行ってもよい。 The HSM 14 outputs the CMAC verification result “pass (OK) or fail (NG)” to the CPU 11. When the verification result of the CMAC received from the HSM 14 is acceptable (OK), the CPU 11 determines that the authentication of the authenticity of the authenticated ECU 20 is acceptable, while the verification result of the CMAC received from the HSM 14 is unacceptable. In the case of (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 has failed. If the authenticity of the authenticated ECU 20 is passed, the subsequent processing is executed. On the other hand, when the authentication of the authenticity of the ECU 20 to be authenticated fails, the process of FIG. When the authenticity of the authenticated ECU 20 is unacceptable, the first stage of the MAC key distribution process shown in FIG. 9 may be performed.
 HSM14は、CPU11から入力された乱数1についてCMACを生成する。このCMACの生成では、HSM14は、自己のメモリに格納されている第2の鍵交換鍵KEY_3を使用して乱数1のCMACを生成する。 The HSM 14 generates a CMAC for the random number 1 input from the CPU 11. In the generation of the CMAC, the HSM 14 generates the CMAC of the random number 1 using the second key exchange key KEY_3 stored in its own memory.
 HSM14は、新しいMAC鍵を生成し、値M1,M2及びM3を生成する。この値M1,M2及びM3は、新しいMAC鍵を、被認証ECU20のSHE-B23のRAM_KEY鍵に登録するための各値である。新しいMAC鍵には、新たに乱数を生成し、生成した乱数を新しいMAC鍵に使用する。なお、被認証ECU20のMAC鍵を新しいMAC鍵に更新しない場合には、新しいMAC鍵の生成と値M1,M2及びM3の生成とを行わない。 The HSM 14 generates a new MAC key and generates values M1, M2 and M3. The values M1, M2, and M3 are values for registering a new MAC key in the RAM_KEY key of the SHE-B 23 of the authenticated ECU 20. A new random number is generated for the new MAC key, and the generated random number is used as the new MAC key. If the MAC key of the authenticated ECU 20 is not updated to a new MAC key, the generation of a new MAC key and the values M1, M2, and M3 are not performed.
 HSM14は、生成したCMACと値M1,M2及びM3とをCPU11へ出力する。 The HSM 14 outputs the generated CMAC and the values M1, M2, and M3 to the CPU 11.
(ステップS270)鍵管理ECU10において、CPU11は、HSM14から受け取った値M1,M2及びM3とCMACとを被認証ECU20へ送信する。 (Step S270) In the key management ECU 10, the CPU 11 transmits the values M1, M2, M3 and CMAC received from the HSM 14 to the authenticated ECU 20.
 次いでステップS271からS275までが実行される。ステップS271からS275までは、図9に示すステップS238からS242までと同じである。 Next, steps S271 to S275 are executed. Steps S271 to S275 are the same as steps S238 to S242 shown in FIG.
 上述した図10に示すMAC鍵配信処理の第2段階によって、新しいMAC鍵への更新が行われる。 The update to the new MAC key is performed by the second stage of the MAC key distribution process shown in FIG.
[第3実施形態]
 図11は、本実施形態に係る自動車1に備わる車載コンピュータシステムの構成例を示す図である。図11において、図1の各部に対応する部分には同一の符号を付け、その説明を省略する。以下、第1実施形態と異なる部分を主に説明する。 [Third Embodiment]
FIG. 11 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment. In FIG. 11, parts corresponding to those in FIG. 1 are given the same reference numerals, and explanation thereof is omitted. Hereinafter, parts different from the first embodiment will be mainly described.
 第3実施形態では、自動車1は通信モジュール40を備える。通信モジュール40は、無線通信ネットワークを利用して無線通信を行う。通信モジュール40は、SIM(Subscriber Identity Module)41を備える。SIM41は、無線通信ネットワークを利用するための情報が書き込まれたSIMである。通信モジュール40は、SIM41を使用することにより該無線通信ネットワークに接続して無線通信を行うことができる。 In the third embodiment, the automobile 1 includes a communication module 40. The communication module 40 performs wireless communication using a wireless communication network. The communication module 40 includes a SIM (Subscriber Identity Module) 41. The SIM 41 is a SIM in which information for using the wireless communication network is written. The communication module 40 can perform wireless communication by connecting to the wireless communication network by using the SIM 41.
 なお、SIM41として、eSIM(Embedded Subscriber Identity Module)を使用してもよい。SIM及びeSIMは耐タンパー性を有する。SIM及びeSIMはセキュアエレメントの例である。SIM及びeSIMは、コンピュータの一種であり、コンピュータプログラムによって所望の機能を実現する。 Note that an eSIM (Embedded Subscriber Identity Module) may be used as the SIM 41. SIM and eSIM have tamper resistance. SIM and eSIM are examples of secure elements. SIM and eSIM are a kind of computer, and a desired function is realized by a computer program.
 通信モジュール40は第1のECU10に接続される。第1のECU10は、通信モジュール40とデータを交換する。 The communication module 40 is connected to the first ECU 10. The first ECU 10 exchanges data with the communication module 40.
 なお、図11の構成では第1のECU10と通信モジュール40とを直接接続することにより第1のECU10と通信モジュール40の間でデータを交換するが、これに限定されない。例えば、通信モジュール40を自動車1に備わるインフォテイメント機器等の他の装置に接続したり又は該他の装置に備えたりし、第1のECU10が、該他の装置例えばインフォテイメント機器を介して、通信モジュール40とデータを交換してもよい。又は、自動車1の診断ポート、例えばOBD(On-board Diagnostics)ポートと呼ばれる診断ポートに接続される自動車1の外部の装置に通信モジュール40を備え、第1のECU10が、該診断ポートを介して、該診断ポートに接続された該外部の装置の通信モジュール40とデータを交換してもよい。又は、第1のECU10が、SIM41を含む通信モジュール40を備えてもよい。 In the configuration shown in FIG. 11, data is exchanged between the first ECU 10 and the communication module 40 by directly connecting the first ECU 10 and the communication module 40, but the present invention is not limited to this. For example, the communication module 40 is connected to or provided in another device such as an infotainment device provided in the automobile 1, and the first ECU 10 is connected to the other device such as the infotainment device via Data may be exchanged with the communication module 40. Alternatively, a communication module 40 is provided in a device external to the automobile 1 connected to a diagnostic port of the automobile 1, for example, a diagnostic port called an OBD (On-board Diagnostics) port, and the first ECU 10 passes through the diagnostic port. The data may be exchanged with the communication module 40 of the external device connected to the diagnostic port. Alternatively, the first ECU 10 may include a communication module 40 including the SIM 41.
 また、本実施形態では、通信モジュール40に備わるSIM41を使用するが、SIMの代わりに、耐タンパー性を有するIC(Integrated Circuit)チップを使用してもよい。例えば、ICカードに組み込まれたICチップを使用してもよい。又は、自動車1の診断ポートに接続される自動車1の外部のメインテナンスツールに備わる制御モジュールに搭載されたICチップを使用してもよい。 In this embodiment, the SIM 41 provided in the communication module 40 is used, but an IC (Integrated Circuit) chip having tamper resistance may be used instead of the SIM. For example, an IC chip incorporated in an IC card may be used. Or you may use the IC chip mounted in the control module with which the maintenance tool of the exterior of the motor vehicle 1 connected to the diagnostic port of the motor vehicle 1 is equipped.
 図11において、第1のECU10は、CPU11と記憶部12とSHE13とを備える。第2のECU20は、CPU21と記憶部22とSHE23とを備える。 In FIG. 11, the first ECU 10 includes a CPU 11, a storage unit 12, and a SHE 13. The second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
 次に、本実施形態に係るECU認証処理、鍵交換鍵配信処理、及び、MAC鍵配信処理を説明する。 Next, ECU authentication processing, key exchange key distribution processing, and MAC key distribution processing according to the present embodiment will be described.
[ECU認証処理]
 図12を参照して本実施形態に係るECU認証処理を説明する。図12は、本実施形態に係るECU認証方法を示すシーケンスチャートである。通信モジュール40のSIM41には、予め、例えばSIM41の製造時などに、マスター鍵MSが設定される。SIM41は、比較的堅牢な耐タンパー性を有するので、マスター鍵MSの安全性は高い。 [ECU certification process]
The ECU authentication process according to the present embodiment will be described with reference to FIG. FIG. 12 is a sequence chart showing an ECU authentication method according to the present embodiment. The master key MS is set in the SIM 41 of the communication module 40 in advance, for example, when the SIM 41 is manufactured. Since the SIM 41 has a relatively robust tamper resistance, the security of the master key MS is high.
 鍵管理ECU10は、通信モジュール40を介してSIM41とデータを交換する。鍵管理ECU10とSIM41との間では正当性の認証が行われる。鍵管理ECU10とSIM41との間の正当性の認証が合格した場合には、鍵管理ECU10とSIM41との間のデータの交換が安全に行われる。一方、鍵管理ECU10とSIM41との間の正当性の認証が不合格になった場合には、鍵管理ECU10とSIM41との間のデータの交換は制限される。 The key management ECU 10 exchanges data with the SIM 41 via the communication module 40. Legitimacy authentication is performed between the key management ECU 10 and the SIM 41. When the validity authentication between the key management ECU 10 and the SIM 41 passes, the exchange of data between the key management ECU 10 and the SIM 41 is performed safely. On the other hand, when the authentication of the legitimacy between the key management ECU 10 and the SIM 41 fails, the exchange of data between the key management ECU 10 and the SIM 41 is restricted.
(ステップS301)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDを鍵管理ECU10へ送信する。 (Step S301) In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
(ステップS302)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDをSIM41へ送信する。 (Step S302) In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
(ステップS303)SIM41は、鍵管理ECU10から受信した被認証ECU20の識別子ECU_IDと、自己が保持するマスター鍵MSとを使用して、被認証ECU20の初期鍵を生成する。この初期鍵の生成では、上記の式(4)によりCMACを算出する。この算出されるCMACは、被認証ECU20の初期鍵であって被認証ECU20のSHE23のKEY_1鍵に設定されている値と同じ値である。被認証ECU20の初期鍵のことを初期鍵KEY_1と称する。SIM41は、算出したCMACつまり初期鍵KEY_1を自己のメモリに格納する。また、SIM41は、乱数randを生成する。SIM41は、生成した乱数randを鍵管理ECU10へ送信する。SIM41は、生成した乱数randを自己のメモリに格納する。 (Step S303) The SIM 41 generates an initial key of the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 received from the key management ECU 10 and the master key MS held by itself. In generating the initial key, the CMAC is calculated by the above equation (4). The calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE 23 of the authenticated ECU 20. The initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1. The SIM 41 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Also, the SIM 41 generates a random number rand. The SIM 41 transmits the generated random number rand to the key management ECU 10. The SIM 41 stores the generated random number rand in its own memory.
(ステップS304)鍵管理ECU10において、CPU11は、SIM41から受信した乱数randを被認証ECU20へ送信する。 (Step S304) In the key management ECU 10, the CPU 11 transmits the random number rand received from the SIM 41 to the ECU 20 to be authenticated.
 次いでステップS305からS307までが実行される。ステップS305からS307までは、図2に示すステップS109からS111までと同じである。 Next, steps S305 to S307 are executed. Steps S305 to S307 are the same as steps S109 to S111 shown in FIG.
(ステップS308)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDとCMACとをSIM41へ送信する。 (Step S308) In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
(ステップS309)SIM41は、鍵管理ECU10から受信したCMACの検証を行う。このCMACの検証では、SIM41は、自己のメモリに格納されている初期鍵KEY_1を使用して、自己のメモリに格納されている乱数randについてCMACを算出する。次いで、SIM41は、該算出したCMACと、鍵管理ECU10から受信したCMACとを比較する。この比較の結果、両者が一致する場合にはCMACの検証が合格であり、一方、両者が不一致である場合にはCMACの検証が不合格である。SIM41は、該CMACの検証結果「合格(OK)又は不合格(NG)」を鍵管理ECU10へ送信する。鍵管理ECU10のCPU11は、SIM41から受信したCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、HSM14から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。 (Step S309) The SIM 41 verifies the CMAC received from the key management ECU 10. In this CMAC verification, the SIM 41 calculates the CMAC for the random number rand stored in its own memory, using the initial key KEY_1 stored in its own memory. Next, the SIM 41 compares the calculated CMAC with the CMAC received from the key management ECU 10. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The SIM 41 transmits the CMAC verification result “pass (OK) or fail (NG)” to the key management ECU 10. When the CMAC verification result received from the SIM 41 is acceptable (OK), the CPU 11 of the key management ECU 10 determines that the authenticity of the authenticated ECU 20 is valid, while verifying the CMAC received from the HSM 14. When the result is rejected (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
[鍵交換鍵配信処理]
 図13を参照して本実施形態に係る鍵交換鍵配信処理を説明する。図13は、本実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。本実施形態では、第1実施形態と同様に、第1の鍵交換鍵(暗号化処理及び復号処理に使用される鍵)と第2の鍵交換鍵(MACの生成処理及び検証処理に使用される鍵)とを使用する。 [Key exchange key distribution processing]
A key exchange key distribution process according to the present embodiment will be described with reference to FIG. FIG. 13 is a sequence chart showing the key exchange key distribution method according to the present embodiment. In the present embodiment, as in the first embodiment, the first key exchange key (the key used for the encryption process and the decryption process) and the second key exchange key (used for the MAC generation process and the verification process). Key).
 以下、図13を参照して第1の鍵交換鍵を配信する場合を例に挙げて説明する。第2の鍵交換鍵を配信する場合も、第1の鍵交換鍵を配信する場合と同様である。 Hereinafter, a case where the first key exchange key is distributed will be described as an example with reference to FIG. The distribution of the second key exchange key is the same as the distribution of the first key exchange key.
(ステップS311)鍵管理ECU10において、CPU11は、鍵交換鍵の配信先の被認証ECU20の識別子ECU_IDを使用して、鍵交換鍵作成依頼(ECU_ID)をSIM41へ送信する。 (Step S311) In the key management ECU 10, the CPU 11 transmits a key exchange key creation request (ECU_ID) to the SIM 41 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
(ステップS312)SIM41は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、第1の鍵交換鍵を被認証ECU20のSHE23のKEY_2鍵に登録するための各値である。SIM41は、マスター鍵MSからMEK鍵を生成する。SIM41は、乱数を生成し、生成した乱数を第1の鍵交換鍵に使用する。なお、SIM41は、マスター鍵MSから第1の鍵交換鍵を生成してもよい。SIM41は、第1の鍵交換鍵を自己のメモリに格納する。SIM41は、生成した値M1,M2及びM3を鍵管理ECU10へ送信する。 (Step S312) The SIM 41 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated. The SIM 41 generates a MEK key from the master key MS. The SIM 41 generates a random number and uses the generated random number as the first key exchange key. The SIM 41 may generate a first key exchange key from the master key MS. The SIM 41 stores the first key exchange key in its own memory. The SIM 41 transmits the generated values M1, M2, and M3 to the key management ECU 10.
(ステップS313)鍵管理ECU10において、CPU11は、SIM41から受信した値M1,M2及びM3を被認証ECU20へ送信する。CPU11は、SIM41から受信した値M1,M2及びM3を使用して、SHE13により、第1の鍵交換鍵をSHE13のKEY_9鍵で暗号化したデータ(暗号化第1の鍵交換鍵)を生成させる。CPU11は、SHE13によって生成された暗号化第1の鍵交換鍵を記憶部12に格納する。 (Step S313) In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the SIM 41 to the authenticated ECU 20. Using the values M1, M2, and M3 received from the SIM 41, the CPU 11 causes the SHE 13 to generate data (encrypted first key exchange key) obtained by encrypting the first key exchange key with the KEY_9 key of the SHE 13. . The CPU 11 stores the encrypted first key exchange key generated by the SHE 13 in the storage unit 12.
 次いでステップS314からS316までが実行される。ステップS314からS316までは、図3に示すステップS128からS130までと同じである。 Next, steps S314 to S316 are executed. Steps S314 to S316 are the same as steps S128 to S130 shown in FIG.
 なお、2回目以降の第1の鍵交換鍵の配信には、図3に示される第1実施形態の鍵交換鍵配信処理を適用できる。これは、2回目以降の第1の鍵交換鍵の配信では、鍵管理ECU10は、図13に示される本実施形態の鍵交換鍵配信処理により初回の第1の鍵交換鍵の配信で設定された第1の鍵交換鍵を使用して、値M1,M2及びM3を生成できるからである。この点についても、第2の鍵交換鍵を配信する場合に同様に適用できる。 Note that the key exchange key distribution process of the first embodiment shown in FIG. 3 can be applied to the distribution of the first key exchange key for the second and subsequent times. In the first and subsequent first key exchange key distribution, the key management ECU 10 is set in the first first key exchange key distribution by the key exchange key distribution process of the present embodiment shown in FIG. This is because the values M1, M2, and M3 can be generated using the first key exchange key. This point can be similarly applied when distributing the second key exchange key.
[MAC鍵配信処理]
 第3実施形態のMAC鍵の配信には、図4及び図5に示される第1実施形態のMAC鍵配信処理を適用できる。 [MAC key distribution processing]
The MAC key distribution process of the first embodiment shown in FIGS. 4 and 5 can be applied to the distribution of the MAC key of the third embodiment.
[第4実施形態]
 図14は、本実施形態に係る自動車1に備わる車載コンピュータシステムの構成例を示す図である。図11において、図6の各部に対応する部分には同一の符号を付け、その説明を省略する。以下、第2実施形態と異なる部分を主に説明する。 [Fourth Embodiment]
FIG. 14 is a diagram illustrating a configuration example of an in-vehicle computer system provided in the automobile 1 according to the present embodiment. In FIG. 11, parts corresponding to those in FIG. 6 are given the same reference numerals, and explanation thereof is omitted. Hereinafter, parts different from the second embodiment will be mainly described.
 第4実施形態では、自動車1は通信モジュール40を備える。通信モジュール40は、無線通信ネットワークを利用して無線通信を行う。通信モジュール40は、SIM41を備える。SIM41は、無線通信ネットワークを利用するための情報が書き込まれたSIMである。通信モジュール40は、SIM41を使用することにより該無線通信ネットワークに接続して無線通信を行うことができる。 In the fourth embodiment, the automobile 1 includes a communication module 40. The communication module 40 performs wireless communication using a wireless communication network. The communication module 40 includes a SIM 41. The SIM 41 is a SIM in which information for using the wireless communication network is written. The communication module 40 can perform wireless communication by connecting to the wireless communication network by using the SIM 41.
 なお、SIM41として、eSIMを使用してもよい。SIM及びeSIMは耐タンパー性を有する。SIM及びeSIMはセキュアエレメントの例である。SIM及びeSIMは、コンピュータの一種であり、コンピュータプログラムによって所望の機能を実現する。 In addition, you may use eSIM as SIM41. SIM and eSIM have tamper resistance. SIM and eSIM are examples of secure elements. SIM and eSIM are a kind of computer, and a desired function is realized by a computer program.
 通信モジュール40は第1のECU10に接続される。第1のECU10は、通信モジュール40とデータを交換する。 The communication module 40 is connected to the first ECU 10. The first ECU 10 exchanges data with the communication module 40.
 なお、図14の構成では第1のECU10と通信モジュール40とを直接接続することにより第1のECU10と通信モジュール40の間でデータを交換するが、これに限定されない。例えば、通信モジュール40を自動車1に備わるインフォテイメント機器等の他の装置に接続したり又は該他の装置に備えたりし、第1のECU10が、該他の装置例えばインフォテイメント機器を介して、通信モジュール40とデータを交換してもよい。又は、自動車1の診断ポート、例えばOBDポートと呼ばれる診断ポートに接続される自動車1の外部の装置に通信モジュール40を備え、第1のECU10が、該診断ポートを介して、該診断ポートに接続された該外部の装置の通信モジュール40とデータを交換してもよい。又は、第1のECU10が、SIM41を含む通信モジュール40を備えてもよい。 In the configuration of FIG. 14, data is exchanged between the first ECU 10 and the communication module 40 by directly connecting the first ECU 10 and the communication module 40, but the present invention is not limited to this. For example, the communication module 40 is connected to or provided in another device such as an infotainment device provided in the automobile 1, and the first ECU 10 is connected to the other device such as the infotainment device via Data may be exchanged with the communication module 40. Alternatively, a communication module 40 is provided in a device external to the automobile 1 connected to a diagnostic port of the automobile 1, for example, a diagnostic port called an OBD port, and the first ECU 10 is connected to the diagnostic port via the diagnostic port. The data may be exchanged with the communication module 40 of the external device. Alternatively, the first ECU 10 may include a communication module 40 including the SIM 41.
 また、本実施形態では、通信モジュール40に備わるSIM41を使用するが、SIMの代わりに、耐タンパー性を有するICチップを使用してもよい。例えば、ICカードに組み込まれたICチップを使用してもよい。又は、自動車1の診断ポートに接続される自動車1の外部のメインテナンスツールに備わる制御モジュールに搭載されたICチップを使用してもよい。 In this embodiment, the SIM 41 provided in the communication module 40 is used, but an IC chip having tamper resistance may be used instead of the SIM. For example, an IC chip incorporated in an IC card may be used. Or you may use the IC chip mounted in the control module with which the maintenance tool of the exterior of the motor vehicle 1 connected to the diagnostic port of the motor vehicle 1 is equipped.
 図14において、第1のECU10は、CPU11と記憶部12とHSM14とを備える。第2のECU20は、CPU21と記憶部22とSHE23とを備える。 In FIG. 14, the first ECU 10 includes a CPU 11, a storage unit 12, and an HSM 14. The second ECU 20 includes a CPU 21, a storage unit 22, and a SHE 23.
 次に、本実施形態に係るECU認証処理、鍵交換鍵配信処理、及び、MAC鍵配信処理を説明する。 Next, ECU authentication processing, key exchange key distribution processing, and MAC key distribution processing according to the present embodiment will be described.
[ECU認証処理]
 図15を参照して本実施形態に係るECU認証処理を説明する。図15は、本実施形態に係るECU認証方法を示すシーケンスチャートである。通信モジュール40のSIM41には、予め、例えばSIM41の製造時などに、マスター鍵MSが設定される。SIM41は、比較的堅牢な耐タンパー性を有するので、マスター鍵MSの安全性は高い。 [ECU certification process]
The ECU authentication process according to the present embodiment will be described with reference to FIG. FIG. 15 is a sequence chart showing an ECU authentication method according to the present embodiment. The master key MS is set in the SIM 41 of the communication module 40 in advance, for example, when the SIM 41 is manufactured. Since the SIM 41 has a relatively robust tamper resistance, the security of the master key MS is high.
 鍵管理ECU10は、通信モジュール40を介してSIM41とデータを交換する。鍵管理ECU10とSIM41との間では正当性の認証が行われる。鍵管理ECU10とSIM41との間の正当性の認証が合格した場合には、鍵管理ECU10とSIM41との間のデータの交換が安全に行われる。一方、鍵管理ECU10とSIM41との間の正当性の認証が不合格になった場合には、鍵管理ECU10とSIM41との間のデータの交換は制限される。 The key management ECU 10 exchanges data with the SIM 41 via the communication module 40. Legitimacy authentication is performed between the key management ECU 10 and the SIM 41. When the validity authentication between the key management ECU 10 and the SIM 41 passes, the exchange of data between the key management ECU 10 and the SIM 41 is performed safely. On the other hand, when the authentication of the legitimacy between the key management ECU 10 and the SIM 41 fails, the exchange of data between the key management ECU 10 and the SIM 41 is restricted.
(ステップS401)被認証ECU20において、CPU21は、自己の被認証ECU20の識別子ECU_IDを鍵管理ECU10へ送信する。 (Step S401) In the authenticated ECU 20, the CPU 21 transmits the identifier ECU_ID of its own authenticated ECU 20 to the key management ECU 10.
(ステップS402)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDをSIM41へ送信する。 (Step S402) In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
(ステップS403)SIM41は、鍵管理ECU10から受信した被認証ECU20の識別子ECU_IDと、自己が保持するマスター鍵MSとを使用して、被認証ECU20の初期鍵を生成する。この初期鍵の生成では、上記の式(4)によりCMACを算出する。この算出されるCMACは、被認証ECU20の初期鍵であって被認証ECU20のSHE23のKEY_1鍵に設定されている値と同じ値である。被認証ECU20の初期鍵のことを初期鍵KEY_1と称する。SIM41は、算出したCMACつまり初期鍵KEY_1を自己のメモリに格納する。また、SIM41は、乱数randを生成する。SIM41は、生成した乱数randを鍵管理ECU10へ送信する。SIM41は、生成した乱数randを自己のメモリに格納する。 (Step S403) The SIM 41 generates an initial key for the authenticated ECU 20 using the identifier ECU_ID of the authenticated ECU 20 received from the key management ECU 10 and the master key MS held by itself. In generating the initial key, the CMAC is calculated by the above equation (4). The calculated CMAC is the same value as the initial key of the authenticated ECU 20 and the value set in the KEY_1 key of the SHE 23 of the authenticated ECU 20. The initial key of the ECU 20 to be authenticated is referred to as an initial key KEY_1. The SIM 41 stores the calculated CMAC, that is, the initial key KEY_1 in its own memory. Also, the SIM 41 generates a random number rand. The SIM 41 transmits the generated random number rand to the key management ECU 10. The SIM 41 stores the generated random number rand in its own memory.
(ステップS404)鍵管理ECU10において、CPU11は、SIM41から受信した乱数randを被認証ECU20へ送信する。 (Step S404) In key management ECU10, CPU11 transmits the random number rand received from SIM41 to to-be-authenticated ECU20.
 次いでステップS405からS407までが実行される。ステップS405からS407までは、図7に示すステップS205からS207までと同じである。 Next, steps S405 to S407 are executed. Steps S405 to S407 are the same as steps S205 to S207 shown in FIG.
(ステップS408)鍵管理ECU10において、CPU11は、被認証ECU20から受信した被認証ECU20の識別子ECU_IDとCMACとをSIM41へ送信する。 (Step S <b> 408) In the key management ECU 10, the CPU 11 transmits the identifier ECU_ID and CMAC of the authenticated ECU 20 received from the authenticated ECU 20 to the SIM 41.
(ステップS409)SIM41は、鍵管理ECU10から受信したCMACの検証を行う。このCMACの検証では、SIM41は、自己のメモリに格納されている初期鍵KEY_1を使用して、自己のメモリに格納されている乱数randについてCMACを算出する。次いで、SIM41は、該算出したCMACと、鍵管理ECU10から受信したCMACとを比較する。この比較の結果、両者が一致する場合にはCMACの検証が合格であり、一方、両者が不一致である場合にはCMACの検証が不合格である。SIM41は、該CMACの検証結果「合格(OK)又は不合格(NG)」を鍵管理ECU10へ送信する。鍵管理ECU10のCPU11は、SIM41から受信したCMACの検証結果が合格(OK)である場合には被認証ECU20の正当性の認証が合格であると判断し、一方、HSM14から受け取ったCMACの検証結果が不合格(NG)である場合には被認証ECU20の正当性の認証が不合格であると判断する。 (Step S409) The SIM 41 verifies the CMAC received from the key management ECU 10. In this CMAC verification, the SIM 41 calculates the CMAC for the random number rand stored in its own memory, using the initial key KEY_1 stored in its own memory. Next, the SIM 41 compares the calculated CMAC with the CMAC received from the key management ECU 10. As a result of the comparison, if the two match, the CMAC verification is passed, while if the two do not match, the CMAC verification fails. The SIM 41 transmits the CMAC verification result “pass (OK) or fail (NG)” to the key management ECU 10. When the CMAC verification result received from the SIM 41 is acceptable (OK), the CPU 11 of the key management ECU 10 determines that the authenticity of the authenticated ECU 20 is valid, while verifying the CMAC received from the HSM 14. When the result is rejected (NG), it is determined that the authentication of the authenticity of the authenticated ECU 20 is rejected.
[鍵交換鍵配信処理]
 図16、図17を参照して本実施形態に係る鍵交換鍵配信処理を説明する。図16、図17は、本実施形態に係る鍵交換鍵配信方法を示すシーケンスチャートである。本実施形態では、第2実施形態と同様に、第1の鍵交換鍵(暗号化処理及び復号処理に使用される鍵)と第2の鍵交換鍵(MACの生成処理及び検証処理に使用される鍵)とを使用する。 [Key exchange key distribution processing]
A key exchange key distribution process according to the present embodiment will be described with reference to FIGS. 16 and 17 are sequence charts showing a key exchange key distribution method according to the present embodiment. In this embodiment, as in the second embodiment, the first key exchange key (the key used for the encryption process and the decryption process) and the second key exchange key (the MAC generation process and the verification process are used). Key).
 以下、図16、図17を参照して第1の鍵交換鍵を配信する場合を例に挙げて説明する。第2の鍵交換鍵を配信する場合も、第1の鍵交換鍵を配信する場合と同様である。初めに図16を参照して初回の第1の鍵交換鍵の配信について説明する。 Hereinafter, a case where the first key exchange key is distributed will be described with reference to FIGS. 16 and 17 as an example. The distribution of the second key exchange key is the same as the distribution of the first key exchange key. First, the first delivery of the first key exchange key will be described with reference to FIG.
(ステップS411)鍵管理ECU10において、CPU11は、鍵交換鍵の配信先の被認証ECU20の識別子ECU_IDを使用して、鍵交換鍵作成依頼(ECU_ID)をSIM41へ送信する。 (Step S411) In the key management ECU 10, the CPU 11 transmits a key exchange key creation request (ECU_ID) to the SIM 41 using the identifier ECU_ID of the authenticated ECU 20 to which the key exchange key is distributed.
(ステップS412)SIM41は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、第1の鍵交換鍵を被認証ECU20のSHE23のKEY_2鍵に登録するための各値である。SIM41は、マスター鍵MSからMEK鍵を生成する。SIM41は、乱数を生成し、生成した乱数を第1の鍵交換鍵に使用する。なお、SIM41は、マスター鍵MSから第1の鍵交換鍵を生成してもよい。SIM41は、第1の鍵交換鍵を自己のメモリに格納する。SIM41は、生成した値M1,M2及びM3を鍵管理ECU10へ送信する。 (Step S412) The SIM 41 generates values M1, M2, and M3. These values M1, M2 and M3 are values for registering the first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated. The SIM 41 generates a MEK key from the master key MS. The SIM 41 generates a random number and uses the generated random number as the first key exchange key. The SIM 41 may generate a first key exchange key from the master key MS. The SIM 41 stores the first key exchange key in its own memory. The SIM 41 transmits the generated values M1, M2, and M3 to the key management ECU 10.
(ステップS413)鍵管理ECU10において、CPU11は、SIM41から受信した値M1,M2及びM3を被認証ECU20へ送信する。CPU11は、SIM41から受信した値M1,M2及びM3を使用して、HSM14に、第1の鍵交換鍵を取得させる。HSM14は、第1の鍵交換鍵を自己のメモリに格納する。 (Step S413) In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the SIM 41 to the authenticated ECU 20. The CPU 11 causes the HSM 14 to acquire the first key exchange key using the values M1, M2, and M3 received from the SIM 41. The HSM 14 stores the first key exchange key in its own memory.
 次いでステップS414からS416までが実行される。ステップS414からS416までは、図8に示すステップS214からS216までと同じである。 Next, steps S414 to S416 are executed. Steps S414 to S416 are the same as steps S214 to S216 shown in FIG.
 なお、2回目以降の第1の鍵交換鍵の配信には、図17に示される鍵交換鍵配信処理を適用できる。これは、2回目以降の第1の鍵交換鍵の配信では、鍵管理ECU10は、図16に示される本実施形態の鍵交換鍵配信処理により初回の第1の鍵交換鍵の配信で設定された第1の鍵交換鍵を使用して、値M1,M2及びM3を生成できるからである。この点についても、第2の鍵交換鍵を配信する場合に同様に適用できる。図17を参照して2回目以降の第1の鍵交換鍵の配信について説明する。 It should be noted that the key exchange key distribution process shown in FIG. 17 can be applied to the distribution of the first key exchange key for the second and subsequent times. This is because the key management ECU 10 is set in the first delivery of the first key exchange key by the key exchange key delivery process of the present embodiment shown in FIG. This is because the values M1, M2, and M3 can be generated using the first key exchange key. This point can be similarly applied when distributing the second key exchange key. With reference to FIG. 17, the second and subsequent delivery of the first key exchange key will be described.
(ステップS421)鍵管理ECU10において、CPU11は、鍵交換鍵作成依頼をHSM14へ入力する。 (Step S421) In the key management ECU 10, the CPU 11 inputs a key exchange key creation request to the HSM 14.
(ステップS422)鍵管理ECU10において、HSM14は、値M1,M2及びM3を生成する。この値M1,M2及びM3は、新しい第1の鍵交換鍵を被認証ECU20のSHE23のKEY_2鍵に登録するための各値である。HSM14は、乱数を生成し、生成した乱数を新しい第1の鍵交換鍵に使用する。HSM14は、新しい第1の鍵交換鍵を自己のメモリに格納する。HSM14は、生成した値M1,M2及びM3をCPU11へ出力する。 (Step S422) In the key management ECU 10, the HSM 14 generates values M1, M2 and M3. These values M1, M2, and M3 are values for registering a new first key exchange key in the KEY_2 key of the SHE 23 of the ECU 20 to be authenticated. The HSM 14 generates a random number and uses the generated random number as a new first key exchange key. The HSM 14 stores the new first key exchange key in its own memory. The HSM 14 outputs the generated values M1, M2, and M3 to the CPU 11.
(ステップS423)鍵管理ECU10において、CPU11は、HSM14から受け取った値M1,M2及びM3を被認証ECU20へ送信する。 (Step S423) In the key management ECU 10, the CPU 11 transmits the values M1, M2, and M3 received from the HSM 14 to the authenticated ECU 20.
 次いでステップS424からS426までが実行される。ステップS424からS426までは、図8に示すステップS214からS216までと同じである。 Next, steps S424 to S426 are executed. Steps S424 to S426 are the same as steps S214 to S216 shown in FIG.
[MAC鍵配信処理]
 第4実施形態のMAC鍵の配信には、図9及び図10に示される第2実施形態のMAC鍵配信処理を適用できる。 [MAC key distribution processing]
The MAC key distribution process of the second embodiment shown in FIGS. 9 and 10 can be applied to the distribution of the MAC key of the fourth embodiment.
 上述した各実施形態によれば、第1のECU10及び第2のECU20に備わる暗号処理チップ(SHE又はHSM)に応じた暗号処理手順を実行することができる。これにより、自動車1の車載制御システムにおけるデータの安全性を向上させることができるという効果が得られる。 According to each embodiment described above, it is possible to execute a cryptographic processing procedure corresponding to a cryptographic processing chip (SHE or HSM) provided in the first ECU 10 and the second ECU 20. Thereby, the effect that the safety | security of the data in the vehicle-mounted control system of the motor vehicle 1 can be improved is acquired.
[鍵の管理方法]
 鍵の管理方法の例について説明する。 [Key management method]
An example of a key management method will be described.
(鍵の管理単位)
(1)初期鍵
(1-a)ECU単位
 ECU毎に異なる初期鍵を持つ場合、もしある初期鍵が漏洩したときの影響は小さい。一方、個々のECUの初期鍵を鍵管理ECU10と共有することになるので、鍵の管理コストは大きくなる。
(1-b)全ECU共通
 全ECUで共通の初期鍵を持つ場合、もし初期鍵が漏洩したときの影響は大きい。一方、鍵の管理コストは小さい。 (Key management unit)
(1) Initial key (1-a) ECU unit When there is a different initial key for each ECU, the influence when an initial key leaks is small. On the other hand, since the initial key of each ECU is shared with the key management ECU 10, the key management cost is increased.
(1-b) Common to all ECUs If all ECUs have a common initial key, the effect of leaking the initial key is significant. On the other hand, the key management cost is small.
(2)鍵交換鍵
(2-a)ECU単位
 ECU毎に異なる鍵交換鍵を持つ場合、ECU毎に個別の鍵交換鍵を使用してMAC鍵を配信することになるので、MAC鍵の配信に要する時間は長くなる。一方、もし鍵交換鍵が漏洩したときの影響は小さい。
(2-b)全ECU共通
 全ECUで共通の鍵交換鍵を持つ場合、一つの自動車内では同じ鍵交換鍵を使用して全ECUに共通にMAC鍵を配信できるので、MAC鍵の配信に要する時間は短くできる。一方、もし鍵交換鍵が漏洩したときの影響は大きい。
(2-c)自動車単位
 自動車毎に異なる鍵交換鍵を持つ場合、一つの自動車内では同じ鍵交換鍵を使用して全ECUに共通にMAC鍵を配信できるので、MAC鍵の配信に要する時間は短くできる。また、もし鍵交換鍵が漏洩したときの影響は、一自動車の範囲に留まるので小さい。 (2) Key exchange key (2-a) ECU unit When each ECU has a different key exchange key, the MAC key is distributed using an individual key exchange key for each ECU. It takes longer time to complete. On the other hand, if the key exchange key is leaked, the influence is small.
(2-b) Common to all ECUs When all ECUs have a common key exchange key, the same key exchange key can be used to distribute the MAC key to all ECUs in one vehicle. The time required can be shortened. On the other hand, if the key exchange key is leaked, the effect is great.
(2-c) Unit of vehicle When each vehicle has a different key exchange key, the same key exchange key can be used to distribute the MAC key to all ECUs in one vehicle. Can be shortened. Also, if the key exchange key is leaked, the effect is small because it is limited to one car.
(3)MAC鍵
(3-a)全ECU共通
 全ECUで共通のMAC鍵を持つ場合、もしMAC鍵が漏洩したときの影響は大きい。
(3-b)自動車単位
 自動車毎に異なるMAC鍵を持つ場合、もしMAC鍵が漏洩したときの影響は、一自動車の範囲に留まるので小さい。 (3) MAC key (3-a) common to all ECUs If all of the ECUs have a common MAC key, the impact if the MAC key leaks is large.
(3-b) Vehicle unit When a different MAC key is used for each vehicle, the effect when the MAC key is leaked is small because it remains within the range of one vehicle.
(初期鍵の生成方法)
 初期鍵はECUの正当性の認証に使用される。このため、初期鍵が漏洩したときの影響を考慮すると、ECU単位で初期鍵を管理できるように、ECU毎に異なる初期鍵を持つことが好ましい。この場合、鍵管理ECU10と各被認証ECU20との初期鍵の共有方法が課題である。以下、その課題を解決するための初期鍵生成方法の例を説明する。 (Initial key generation method)
The initial key is used for authenticating the validity of the ECU. For this reason, considering the influence when the initial key is leaked, it is preferable to have a different initial key for each ECU so that the initial key can be managed in units of ECUs. In this case, a method of sharing an initial key between the key management ECU 10 and each authenticated ECU 20 is a problem. Hereinafter, an example of an initial key generation method for solving the problem will be described.
 マスター鍵(MASTER_SECRET:MS)を使用した初期鍵の生成方法について説明する。
 初期鍵は、マスター鍵MSと被認証ECUの識別子ECU_IDとを使用して次式により算出される。
 初期鍵 = ダイジェスト(MS,ECU_ID)
 ダイジェストは例えばCMACである。又は、ダイジェストは例えば排他的論理和である。この初期鍵は、ECU毎に異なる値になる。また、マスター鍵MSが鍵管理ECU10やSIM41で安全に保管されることにより、初期鍵の漏洩を防ぐことができる。例えば鍵管理ECU10がマスター鍵MSを安全に保管することにより、鍵管理ECU10は、被認証ECU20の識別子ECU_IDを取得して該被認証ECU20の初期鍵を生成し、該生成した初期鍵を該被認証ECU20と安全に共有できる。 An initial key generation method using the master key (MASTER_SECRET: MS) will be described.
The initial key is calculated by the following equation using the master key MS and the identifier ECU_ID of the ECU to be authenticated.
Initial key = digest (MS, ECU_ID)
The digest is, for example, CMAC. Alternatively, the digest is, for example, an exclusive OR. This initial key has a different value for each ECU. In addition, since the master key MS is securely stored in the key management ECU 10 or the SIM 41, leakage of the initial key can be prevented. For example, when the key management ECU 10 securely stores the master key MS, the key management ECU 10 acquires the identifier ECU_ID of the authenticated ECU 20, generates an initial key of the authenticated ECU 20, and generates the generated initial key. It can be safely shared with the authentication ECU 20.
 初期鍵書込み装置は、ECUベンダに設けられる。初期鍵書込み装置は、マスター鍵MSを備え、該マスター鍵MSと、入力された被認証ECU20の識別子ECU_IDとを使用して該被認証ECU20の初期鍵を生成し、生成した初期鍵を該被認証ECU20へ書き込む。初期鍵書込み装置において、マスター鍵MSは安全に保管される。 The initial key writing device is provided in the ECU vendor. The initial key writing device includes a master key MS, generates an initial key of the authenticated ECU 20 using the master key MS and the input identifier ECU_ID of the authenticated ECU 20, and generates the generated initial key. Write to the authentication ECU 20. In the initial key writing device, the master key MS is securely stored.
 マスター鍵書込み装置は、マスター鍵MSが設定される鍵管理ECU10のECUベンダ、マスター鍵MSが設定されるSIM41のSIMベンダ、及び、マスター鍵MSが設定されるICチップを備えるICカード等のベンダに設けられる。マスター鍵書込み装置は、マスター鍵MSを生成し、生成したマスター鍵MSを被書込み装置へ書き込む。マスター鍵書込み装置において、マスター鍵MSの生成及び保管は安全に行われる。 The master key writing device includes an ECU vendor of the key management ECU 10 in which the master key MS is set, a SIM vendor of the SIM 41 in which the master key MS is set, and a vendor such as an IC card including an IC chip in which the master key MS is set. Provided. The master key writing device generates a master key MS and writes the generated master key MS to the device to be written. In the master key writing device, generation and storage of the master key MS are performed securely.
 マスター鍵MSは、例えば次式により算出される。
 MS = A xor B xor C
但し、「A xor B」は値Aと値Bの排他的論理和である。
 マスター鍵書込み装置において、各値A,B,Cが別々に入力されることをマスター鍵MSの生成条件に含める。例えば、マスター鍵書込み装置は、正当性認証済みの異なるユーザIDよって各値A,B,Cが別々に入力された場合にのみ、マスター鍵MSを生成する。これにより、マスター鍵MSの漏洩を抑制することができる。なお、マスター鍵MSの算出式は、上記の排他的論理和演算に限定されない。マスター鍵MSの算出式としては、複数の値、例えば値A,B及びCが全て得られた場合にのみ生成できる算出式であればよい。 The master key MS is calculated by the following equation, for example.
MS = A xor B xor C
However, “A xor B” is an exclusive OR of the value A and the value B.
In the master key writing device, it is included in the generation condition of the master key MS that each value A, B, C is input separately. For example, the master key writing device generates the master key MS only when the values A, B, and C are separately input by different user IDs that have been authenticated. Thereby, leakage of the master key MS can be suppressed. The formula for calculating the master key MS is not limited to the exclusive OR operation described above. The calculation formula for the master key MS may be a calculation formula that can be generated only when a plurality of values, for example, the values A, B, and C are all obtained.
 また、ECUベンダは、ECUメーカからECUの識別子ECU_IDのリストを取得し、各識別子ECU_IDに対応する初期鍵のリストを生成し、生成した初期鍵のリストをECUメーカへ提供してもよい。 Further, the ECU vendor may obtain a list of ECU identifiers ECU_ID from the ECU manufacturer, generate a list of initial keys corresponding to each identifier ECU_ID, and provide the generated initial key list to the ECU manufacturer.
 また、上述した初期鍵生成方法の例では、もし初期鍵が漏洩すると、漏洩した初期鍵を不正にECUに設定することによって被認証ECU20のなりすましが可能である。このため、自動車1に搭載された後に一度認証された被認証ECU20の初期鍵は該被認証ECU20から消去するようにしてもよい。これにより、例えば第2のECU20の交換によって自動車1から取り外された第2のECU20から初期鍵が漏洩することを防止できる。また、被認証ECU20の認証実績を管理する管理サーバを設け、管理サーバによって被認証ECU20の認証状況を把握できるようにしてもよい。 In the example of the initial key generation method described above, if the initial key is leaked, it is possible to impersonate the authenticated ECU 20 by improperly setting the leaked initial key in the ECU. For this reason, the initial key of the authenticated ECU 20 once authenticated after being mounted on the automobile 1 may be deleted from the authenticated ECU 20. Thereby, for example, it is possible to prevent the initial key from leaking from the second ECU 20 removed from the automobile 1 by replacing the second ECU 20. Further, a management server that manages the authentication performance of the authenticated ECU 20 may be provided so that the authentication status of the authenticated ECU 20 can be grasped by the management server.
[第5実施形態]
 図18は、本実施形態に係る鍵生成装置100の構成例を示す図である。図18において、鍵生成装置100は、入力部101とダイジェスト算出部102と出力部103とマスター鍵記憶部104とを備える。入力部101は、鍵の生成に使用される情報を入力する。マスター鍵記憶部104は、鍵の生成に使用されるマスター鍵を記憶する。ダイジェスト算出部102は、入力部101により入力された情報と、マスター鍵記憶部104に記憶されているマスター鍵とを使用して、ダイジェストを算出する。出力部103は、ダイジェスト算出部102により算出されたダイジェスト(鍵)を出力する。 [Fifth Embodiment]
FIG. 18 is a diagram illustrating a configuration example of the key generation device 100 according to the present embodiment. In FIG. 18, the key generation device 100 includes an input unit 101, a digest calculation unit 102, an output unit 103, and a master key storage unit 104. The input unit 101 inputs information used for key generation. The master key storage unit 104 stores a master key used for key generation. The digest calculation unit 102 calculates a digest using the information input by the input unit 101 and the master key stored in the master key storage unit 104. The output unit 103 outputs the digest (key) calculated by the digest calculation unit 102.
 本実施形態では、鍵生成装置100は、次式により鍵を算出する。
 鍵=ダイジェスト(マスター鍵、ECU識別子、N_key)
 但し、マスター鍵は、マスター鍵記憶部104に格納されているマスター鍵である。ECU識別子は、鍵を格納する先のECUの識別子である。N_keyは、鍵の種類を表す変数である。ダイジェストとして、例えば、ハッシュ(hash)関数により算出される値、排他的論理和演算により算出される値、又は、CMACなどが挙げられる。 In the present embodiment, the key generation device 100 calculates a key by the following equation.
Key = digest (master key, ECU identifier, N_key)
However, the master key is a master key stored in the master key storage unit 104. The ECU identifier is an identifier of the ECU that stores the key. N_key is a variable representing the type of key. Examples of the digest include a value calculated by a hash function, a value calculated by an exclusive OR operation, or CMAC.
 次に図19を参照して本実施形態に係る鍵生成方法を説明する。図19は、本実施形態に係る鍵生成方法の一例を示すシーケンスチャートである。図19には、第2のECU20のSHE23に対して、初期設定する鍵(初期鍵)を生成する手順の一例が示されている。ここでは、第2のECU20のSHE23に対して、上記の式(2)で示される値のうち、値KMASTER_ECU_KEYをMEK鍵に初期設定し、値KBOOT_MAC_KEYをBMK鍵に初期設定し、値KKEY<N>をKEY_N鍵に初期設定する。鍵生成装置100のマスター鍵記憶部104は、マスター鍵MSを予め格納している。 Next, a key generation method according to the present embodiment will be described with reference to FIG. FIG. 19 is a sequence chart illustrating an example of a key generation method according to the present embodiment. FIG. 19 shows an example of a procedure for generating a key (initial key) to be initially set for the SHE 23 of the second ECU 20. Here, the value K MASTER_ECU_KEY is initially set to the MEK key, the value K BOOT_MAC_KEY is initially set to the BMK key, and the value K is set to the SHE 23 of the second ECU 20. KEY <N> is initialized to the KEY_N key. The master key storage unit 104 of the key generation device 100 stores a master key MS in advance.
 図19の鍵生成方法の手順は、例えば、自動車の製造工場において、自動車の製造工程で自動車1に搭載された第2のECU20に適用してもよい。ここでは、一例として、鍵生成装置100は、有線又は無線により自動車1と通信を行い、該自動車1に搭載された第2のECU20とデータを送受する。 The procedure of the key generation method in FIG. 19 may be applied to the second ECU 20 mounted on the automobile 1 in the automobile manufacturing process, for example, in an automobile manufacturing factory. Here, as an example, the key generation device 100 communicates with the automobile 1 by wire or wirelessly, and transmits / receives data to / from the second ECU 20 mounted on the automobile 1.
(ステップS1000)鍵生成装置100の入力部101は、変数N_keyの指定を受け付ける。この例では、MEK鍵を表す変数N_keyは文字列CMASTER_ECU_KEYである。また、BMK鍵を表す変数N_keyは文字列CBOOT_MAC_KEYである。また、KEY_N鍵を表す変数N_keyは文字列CKEY_Nである。変数N_keyの指定は一つでもよく、又は複数でもよい。鍵生成装置100は、指定された変数N_keyについての鍵を生成する。なお、鍵生成装置100に対して、生成する鍵の種類の変数N_keyを予め指定しておいてもよい。 (Step S1000) The input unit 101 of the key generation device 100 accepts designation of a variable N_key. In this example, the variable N_key representing the MEK key is a character string C MASTER_ECU_KEY . A variable N_key representing the BMK key is a character string C BOOT_MAC_KEY . A variable N_key representing the KEY_N key is a character string C KEY_N . The designation of the variable N_key may be one or more. The key generation device 100 generates a key for the specified variable N_key. Note that a key type variable N_key to be generated may be specified in advance for the key generation device 100.
(ステップS1001)鍵生成装置100の入力部101は、初期鍵を格納する先の第2のECU20のECU識別子ECUIDを取得する。なお、鍵生成装置100に対して、初期鍵を格納する先の第2のECU20のECU識別子ECUIDを予め設定しておいてもよい。 (Step S1001) The input unit 101 of the key generation device 100 acquires the ECU identifier ECUID of the second ECU 20 to which the initial key is stored. Note that the ECU identifier ECUID of the second ECU 20 that stores the initial key may be set in advance for the key generation device 100.
(ステップS1002)鍵生成装置100のダイジェスト算出部102は、マスター鍵記憶部104に格納されているマスター鍵MSと、初期鍵を格納する先の第2のECU20のECU識別子ECUIDと、指定された変数N_keyとを使用して、「ダイジェスト(MS、ECUID、N_key)」を算出する。 (Step S1002) The digest calculation unit 102 of the key generation device 100 specifies the master key MS stored in the master key storage unit 104, the ECU identifier ECUID of the second ECU 20 that stores the initial key, and the specified key “Digest (MS, ECUID, N_key)” is calculated using the variable N_key.
(ステップS1003)鍵生成装置100の出力部103は、ダイジェスト算出部102が算出した「ダイジェスト(MS、ECUID、N_key)」を、当該変数N_keyが表す種類の初期鍵として出力する。第2のECU20は、その出力された初期鍵を受信する。 (Step S1003) The output unit 103 of the key generation device 100 outputs the “digest (MS, ECUID, N_key)” calculated by the digest calculation unit 102 as an initial key of the type represented by the variable N_key. The second ECU 20 receives the output initial key.
(ステップS1004)第2のECU20は、鍵生成装置100から受信した初期鍵を、SHE23の該当する種類の鍵としてSHE23に格納する。 (Step S1004) The second ECU 20 stores the initial key received from the key generation device 100 in the SHE 23 as a corresponding type of key of the SHE 23.
 なお、第1のECU10のSHE13に対しても、上述した第2のECU20と同様に、初期鍵の生成及び設定を行ってもよい。 It should be noted that an initial key may be generated and set for the SHE 13 of the first ECU 10 as well as the second ECU 20 described above.
 第5実施形態によれば、変数N_keyを変えることによって、同じマスター鍵とECU識別子から複数の種類の鍵を柔軟に生成することができる。 According to the fifth embodiment, a plurality of types of keys can be flexibly generated from the same master key and ECU identifier by changing the variable N_key.
 以上、本発明の実施形態について図面を参照して詳述してきたが、具体的な構成はこの実施形態に限られるものではなく、本発明の要旨を逸脱しない範囲の設計変更等も含まれる。 As described above, the embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design changes and the like within a scope not departing from the gist of the present invention.
 上述した実施形態では、車両として自動車を例に挙げたが、原動機付自転車や鉄道車両等の自動車以外の他の車両にも適用可能である。 In the above-described embodiment, an automobile is taken as an example of a vehicle, but the present invention can also be applied to other vehicles such as a motorbike and a railway vehicle.
 また、上述した各装置の機能を実現するためのコンピュータプログラムをコンピュータ読み取り可能な記録媒体に記録して、この記録媒体に記録されたプログラムをコンピュータシステムに読み込ませ、実行するようにしてもよい。なお、ここでいう「コンピュータシステム」とは、OSや周辺機器等のハードウェアを含むものであってもよい。
 また、「コンピュータ読み取り可能な記録媒体」とは、フレキシブルディスク、光磁気ディスク、ROM、フラッシュメモリ等の書き込み可能な不揮発性メモリ、DVD(Digital Versatile Disc)等の可搬媒体、コンピュータシステムに内蔵されるハードディスク等の記憶装置のことをいう。 In addition, a computer program for realizing the functions of each device described above may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read into a computer system and executed. Here, the “computer system” may include an OS and hardware such as peripheral devices.
“Computer-readable recording medium” refers to a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a DVD (Digital Versatile Disc), and a built-in computer system. A storage device such as a hard disk.
 さらに「コンピュータ読み取り可能な記録媒体」とは、インターネット等のネットワークや電話回線等の通信回線を介してプログラムが送信された場合のサーバやクライアントとなるコンピュータシステム内部の揮発性メモリ(例えばDRAM(Dynamic Random Access Memory))のように、一定時間プログラムを保持しているものも含むものとする。
 また、上記プログラムは、このプログラムを記憶装置等に格納したコンピュータシステムから、伝送媒体を介して、あるいは、伝送媒体中の伝送波により他のコンピュータシステムに伝送されてもよい。ここで、プログラムを伝送する「伝送媒体」は、インターネット等のネットワーク(通信網)や電話回線等の通信回線(通信線)のように情報を伝送する機能を有する媒体のことをいう。
 また、上記プログラムは、前述した機能の一部を実現するためのものであっても良い。
さらに、前述した機能をコンピュータシステムにすでに記録されているプログラムとの組み合わせで実現できるもの、いわゆる差分ファイル(差分プログラム)であっても良い。 Further, the “computer-readable recording medium” means a volatile memory (for example, DRAM (Dynamic DRAM) in a computer system that becomes a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. Random Access Memory)), etc., which hold programs for a certain period of time.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above.
Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.
 本発明は、データの安全性を向上させることが不可欠な用途にも適用できる。 The present invention can also be applied to uses where it is essential to improve the safety of data.
1…自動車、10…第1のECU(鍵管理ECU)、11,21…CPU、12,22…記憶部、13,23…SHE、14…HSM、20…第2のECU(被認証ECU)、30…CAN、40…通信モジュール、41…SIM、100…鍵生成装置、101…入力部、102…ダイジェスト算出部、103…出力部、104…マスター鍵記憶部 DESCRIPTION OF SYMBOLS 1 ... Motor vehicle, 10 ... 1st ECU (key management ECU), 11, 21 ... CPU, 12, 22 ... Memory | storage part, 13, 23 ... SHE, 14 ... HSM, 20 ... 2nd ECU (authenticated ECU) , 30 ... CAN, 40 ... communication module, 41 ... SIM, 100 ... key generation device, 101 ... input unit, 102 ... digest calculation unit, 103 ... output unit, 104 ... master key storage unit

Claims (24)

  1.  車両に備わる車載コンピュータシステムにおいて、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてあり、
     前記第1の演算処理装置は、
     前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させ、
     該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する、
     車載コンピュータシステム。     In the in-vehicle computer system provided in the vehicle,
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    In the first SHE, one KEY_N key that can be used for generating and verifying a message authentication code is used together with an identifier of the second in-vehicle computer for generating a message authentication code used as the initial key. Master key to be set,
    The first arithmetic processing unit includes:
    A message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer is generated by the first SHE using the master key;
    Using the generated message authentication code to execute a validity authentication process of the second in-vehicle computer;
    In-vehicle computer system.
  2.  前記第1の演算処理装置は、
     前記第1のSHEによって前記マスター鍵を使用して前記第2のSHEのMEK鍵を生成させ、
     前記第1のSHEによって前記MEK鍵を使用して、前記第2のSHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記第2のSHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEに鍵交換鍵を登録する、
     請求項1に記載の車載コンピュータシステム。     The first arithmetic processing unit includes:
    Generating a MEK key for the second SHE using the master key by the first SHE;
    Using the MEK key by the first SHE, a KEY_N key that can be used for encryption and decryption of the second SHE, or a message authentication code generation process of the second SHE, and Generating a key registration message for registering a key exchange key in one KEY_N key usable for verification processing, and transmitting the key registration message to the second in-vehicle computer;
    The second arithmetic processing unit registers a key exchange key in the second SHE by the key registration message.
    The in-vehicle computer system according to claim 1.
  3.  前記第1の演算処理装置は、前記第1のSHEによって前記鍵交換鍵を使用して、前記第2のSHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEにMAC鍵を登録する、
     請求項2に記載の車載コンピュータシステム。     The first processing unit uses the key exchange key by the first SHE to generate a key registration message for registering a MAC key in the RAM_KEY key of the second SHE, and the key registration message To the second in-vehicle computer,
    The second arithmetic processing unit registers a MAC key in the second SHE by the key registration message.
    The in-vehicle computer system according to claim 2.
  4.  前記第2の記憶部は、前記第2のSHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを不揮発性メモリに格納し、
     前記第2の演算処理装置は、前記不揮発性メモリに格納されている鍵登録メッセージによって前記第2のSHEにMAC鍵を登録し、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは、前記不揮発性メモリに格納されている鍵登録メッセージによって前記第2のSHEのRAM_KEY鍵に登録されたMAC鍵に基づいて正当性の認証処理を実行する、
     請求項3に記載の車載コンピュータシステム。     The second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the second SHE in a nonvolatile memory,
    The second arithmetic processing unit registers a MAC key in the second SHE by a key registration message stored in the nonvolatile memory,
    The first in-vehicle computer and the second in-vehicle computer authenticate validity based on the MAC key registered in the RAM_KEY key of the second SHE by a key registration message stored in the nonvolatile memory. Execute the process,
    The in-vehicle computer system according to claim 3.
  5.  車両に備わる車載コンピュータシステムにおいて、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてあり、
     前記第1の演算処理装置は、
     前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させ、
     該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する、
     車載コンピュータシステム。     In the in-vehicle computer system provided in the vehicle,
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    The HSM stores a master key used together with the identifier of the second in-vehicle computer for generating a message authentication code used as the initial key,
    The first arithmetic processing unit includes:
    A message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer is generated by the HSM using the master key;
    Using the generated message authentication code to execute a validity authentication process of the second in-vehicle computer;
    In-vehicle computer system.
  6.  前記第1の演算処理装置は、
     前記HSMによって前記マスター鍵を使用して前記SHEのMEK鍵を生成させ、
     前記HSMによって前記MEK鍵を使用して、前記SHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記SHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEに鍵交換鍵を登録する、
     請求項5に記載の車載コンピュータシステム。     The first arithmetic processing unit includes:
    Generating the SHE MEK key using the master key by the HSM;
    One KEY_N key that can be used for encryption and decryption processing of the SHE using the MEK key by the HSM, or one KEY_N that can be used for generation and verification processing of the message authentication code of the SHE Generating a key registration message for registering the key exchange key in the key, and transmitting the key registration message to the second in-vehicle computer;
    The second processing unit registers a key exchange key in the SHE by the key registration message.
    The in-vehicle computer system according to claim 5.
  7.  前記第1の演算処理装置は、前記HSMによって前記鍵交換鍵を使用して、前記SHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEにMAC鍵を登録する、
     請求項6に記載の車載コンピュータシステム。     The first arithmetic processing unit uses the key exchange key by the HSM to generate a key registration message for registering a MAC key in the RAM_KEY key of the SHE, and sends the key registration message to the second in-vehicle computer. Send to
    The second arithmetic processing unit registers a MAC key in the SHE by the key registration message.
    The in-vehicle computer system according to claim 6.
  8.  前記第2の記憶部は、前記SHEのRAM_KEY鍵にMAC鍵を登録する鍵登録メッセージを不揮発性メモリに格納し、
     前記第2の演算処理装置は、前記不揮発性メモリに格納されている鍵登録メッセージによって前記SHEにMAC鍵を登録し、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは、前記不揮発性メモリに格納されている鍵登録メッセージによって前記SHEのRAM_KEY鍵に登録されたMAC鍵に基づいて正当性の認証処理を実行する、
     請求項7に記載の車載コンピュータシステム。     The second storage unit stores a key registration message for registering a MAC key in the RAM_KEY key of the SHE in a nonvolatile memory,
    The second arithmetic processing unit registers a MAC key in the SHE by a key registration message stored in the nonvolatile memory,
    The first in-vehicle computer and the second in-vehicle computer execute validity authentication processing based on a MAC key registered in the RAM_KEY key of the SHE by a key registration message stored in the nonvolatile memory. To
    The in-vehicle computer system according to claim 7.
  9.  車両に備わる車載コンピュータシステムにおいて、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1の演算処理装置は、
     前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させ、
     該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる、
     車載コンピュータシステム。     In the in-vehicle computer system provided in the vehicle,
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    The first arithmetic processing unit includes:
    The second vehicle-mounted computer received from the second vehicle-mounted computer with respect to a secure element that stores a master key used together with the identifier of the second vehicle-mounted computer for generating the message authentication code used as the initial key. Generate a message authentication code for the computer identifier,
    Causing the secure element to execute authentication processing of the validity of the second in-vehicle computer using the generated message authentication code;
    In-vehicle computer system.
  10.  前記第1の演算処理装置は、
     前記セキュアエレメントによって前記マスター鍵を使用して前記第2のSHEのMEK鍵を生成させ、
     前記セキュアエレメントによって前記MEK鍵を使用して、前記第2のSHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記第2のSHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記第2のSHEに鍵交換鍵を登録する、
     請求項9に記載の車載コンピュータシステム。     The first arithmetic processing unit includes:
    Generating the second SHE MEK key using the master key by the secure element;
    Generation process and verification process of one KEY_N key that can be used for the encryption process and the decryption process of the second SHE or the message authentication code of the second SHE using the MEK key by the secure element A key registration message for registering a key exchange key with one KEY_N key that can be used for the key, and transmitting the key registration message to the second in-vehicle computer,
    The second arithmetic processing unit registers a key exchange key in the second SHE by the key registration message.
    The in-vehicle computer system according to claim 9.
  11.  車両に備わる車載コンピュータシステムにおいて、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1の演算処理装置は、
     前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させ、
     該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる、
     車載コンピュータシステム。     In the in-vehicle computer system provided in the vehicle,
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    The first arithmetic processing unit includes:
    The second vehicle-mounted computer received from the second vehicle-mounted computer with respect to a secure element that stores a master key used together with the identifier of the second vehicle-mounted computer for generating the message authentication code used as the initial key. Generate a message authentication code for the computer identifier,
    Causing the secure element to execute authentication processing of the validity of the second in-vehicle computer using the generated message authentication code;
    In-vehicle computer system.
  12.  前記第1の演算処理装置は、
     前記セキュアエレメントによって前記マスター鍵を使用して前記SHEのMEK鍵を生成させ、
     前記セキュアエレメントによって前記MEK鍵を使用して、前記SHEの暗号化処理及び復号処理に使用可能な一のKEY_N鍵、又は、前記SHEのメッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に鍵交換鍵を登録する鍵登録メッセージを生成させ、該鍵登録メッセージを前記第2の車載コンピュータへ送信し、
     前記第2の演算処理装置は、該鍵登録メッセージによって前記SHEに鍵交換鍵を登録する、
     請求項11に記載の車載コンピュータシステム。     The first arithmetic processing unit includes:
    Generating the SHE MEK key using the master key by the secure element;
    Using the MEK key by the secure element, one KEY_N key that can be used for encryption and decryption of the SHE, or one that can be used for generation and verification of the message authentication code of the SHE Generating a key registration message for registering a key exchange key in the KEY_N key, and transmitting the key registration message to the second in-vehicle computer;
    The second processing unit registers a key exchange key in the SHE by the key registration message.
    The in-vehicle computer system according to claim 11.
  13.  請求項1から12のいずれか1項に記載の車載コンピュータシステムを備える車両。 A vehicle comprising the in-vehicle computer system according to any one of claims 1 to 12.
  14.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてあり、
     前記第1の演算処理装置が、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、
     前記第1の演算処理装置が、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、
     を含む管理方法。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    In the first SHE, one KEY_N key that can be used for generating and verifying a message authentication code is used together with an identifier of the second in-vehicle computer for generating a message authentication code used as the initial key. Master key to be set,
    Message authentication in which the first arithmetic processing unit generates a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer by using the master key by the first SHE. A code generation step;
    An authentication step in which the first arithmetic processing unit executes an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    Management method including.
  15.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてあり、
     前記第1の演算処理装置が、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、
     前記第1の演算処理装置が、該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、
     を含む管理方法。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    The HSM stores a master key used together with the identifier of the second in-vehicle computer for generating a message authentication code used as the initial key,
    A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer by the first arithmetic processing unit by using the master key by the HSM. When,
    An authentication step in which the first arithmetic processing unit executes an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    Management method including.
  16.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1の演算処理装置が、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、
     前記第1の演算処理装置が、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、
     を含む管理方法。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    For the secure element that stores the master key used together with the identifier of the second in-vehicle computer for the generation of the message authentication code used as the initial key, the first arithmetic processing unit performs the second in-vehicle A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the computer;
    An authentication step in which the first arithmetic processing unit causes the secure element to execute an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    Management method including.
  17.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1の演算処理装置が、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、
     前記第1の演算処理装置が、該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、
     を含む管理方法。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    For the secure element that stores the master key used together with the identifier of the second in-vehicle computer for the generation of the message authentication code used as the initial key, the first arithmetic processing unit performs the second in-vehicle A message authentication code generating step for generating a message authentication code for the identifier of the second in-vehicle computer received from the computer;
    An authentication step in which the first arithmetic processing unit causes the secure element to execute an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    Management method including.
  18.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記第1のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、
     前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記第1のSHEによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、
     該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、
     を実行させるためのコンピュータプログラム。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    In the first SHE, one KEY_N key that can be used for generating and verifying a message authentication code is used together with an identifier of the second in-vehicle computer for generating a message authentication code used as the initial key. In the computer as the first arithmetic processing unit of the in-vehicle computer system in which a master key to be set is set,
    Generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer by using the master key by the first SHE; and
    An authentication step of executing the authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    A computer program for running.
  19.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてあり、
     前記HSMには、前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵が格納されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、
     前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを、前記HSMによって前記マスター鍵を使用して生成させるメッセージ認証コード生成ステップと、
     該生成したメッセージ認証コードを使用して前記第2の車載コンピュータの正当性の認証処理を実行する認証ステップと、
     を実行させるためのコンピュータプログラム。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for message authentication code generation processing and verification processing.
    As the first arithmetic processing unit of the in-vehicle computer system, the HSM stores a master key used together with the identifier of the second in-vehicle computer to generate a message authentication code used as the initial key. On the computer
    Generating a message authentication code for the identifier of the second in-vehicle computer received from the second in-vehicle computer using the master key by the HSM; and
    An authentication step of executing the authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    A computer program for running.
  20.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置と第1のSHE(Secure Hardware Extension)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置と第2のSHEと第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記第2のSHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、
     前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、
     該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、
     を実行させるためのコンピュータプログラム。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer including a first arithmetic processing unit, a first SHE (Secure Hardware Extension), and a first storage unit;
    A second in-vehicle computer comprising a second arithmetic processing unit, a second SHE, and a second storage unit,
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the second SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. In the computer as the first arithmetic processing unit of the in-vehicle computer system,
    The second vehicle-mounted computer received from the second vehicle-mounted computer with respect to a secure element that stores a master key used together with the identifier of the second vehicle-mounted computer for generating the message authentication code used as the initial key. A message authentication code generating step for generating a message authentication code for the computer identifier;
    An authentication step for causing the secure element to execute an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    A computer program for running.
  21.  車両に備わる車載コンピュータシステムが、
     第1の演算処理装置とHSM(Hardware Security Module)と第1の記憶部とを備える第1の車載コンピュータと、
     第2の演算処理装置とSHE(Secure Hardware Extension)と第2の記憶部とを備える第2の車載コンピュータと、を備え、
     前記第1の車載コンピュータと前記第2の車載コンピュータとは前記車両に備わる通信ネットワークに接続され、
     前記SHEには、メッセージ認証コードの生成処理及び検証処理に使用可能な一のKEY_N鍵に初期鍵が設定されてある前記車載コンピュータシステムの前記第1の演算処理装置としてのコンピュータに、
     前記初期鍵として使用されるメッセージ認証コードの生成に前記第2の車載コンピュータの識別子と共に使用されるマスター鍵を格納するセキュアエレメントに対して、前記第2の車載コンピュータから受信した前記第2の車載コンピュータの識別子についてのメッセージ認証コードを生成させるメッセージ認証コード生成ステップと、
     該生成されたメッセージ認証コードを使用する前記第2の車載コンピュータの正当性の認証処理を前記セキュアエレメントに実行させる認証ステップと、
     を実行させるためのコンピュータプログラム。     An in-vehicle computer system in the vehicle
    A first in-vehicle computer comprising a first arithmetic processing unit, an HSM (Hardware Security Module), and a first storage unit;
    A second in-vehicle computer including a second arithmetic processing unit, a SHE (Secure Hardware Extension), and a second storage unit;
    The first in-vehicle computer and the second in-vehicle computer are connected to a communication network provided in the vehicle,
    In the SHE, an initial key is set as one KEY_N key that can be used for generating and verifying a message authentication code. In the computer as the first arithmetic processing unit of the in-vehicle computer system,
    The second vehicle-mounted computer received from the second vehicle-mounted computer with respect to a secure element that stores a master key used together with the identifier of the second vehicle-mounted computer for generating the message authentication code used as the initial key. A message authentication code generating step for generating a message authentication code for the computer identifier;
    An authentication step for causing the secure element to execute an authenticity authentication process of the second in-vehicle computer using the generated message authentication code;
    A computer program for running.
  22.  マスター鍵を記憶する記憶部と、
     前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出部と、
     を備える鍵生成装置。     A storage unit for storing a master key;
    A calculation unit for calculating a key using a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a variable representing a key type;
    A key generation device comprising:
  23.  鍵生成装置が、マスター鍵を記憶部に記憶する記憶ステップと、
     前記鍵生成装置が、前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出ステップと、
     を含む鍵生成方法。     A storage step in which the key generation device stores the master key in the storage unit;
    The key generation device calculates a key using a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a variable indicating a key type;
    Key generation method including
  24.  コンピュータに、
     マスター鍵を記憶部に記憶する記憶ステップと、
     前記記憶部に記憶されているマスター鍵と、車両に備わる車載コンピュータの識別子と、鍵の種類を表す変数とを使用して、鍵を算出する算出ステップと、
     を実行させるためのコンピュータプログラム。     On the computer,
    A storage step of storing the master key in the storage unit;
    A calculation step of calculating a key using a master key stored in the storage unit, an identifier of an in-vehicle computer provided in the vehicle, and a variable representing a key type;
    A computer program for running.
PCT/JP2017/000105 2016-01-18 2017-01-05 In-car computer system, vehicle, key generation device, management method, key generation method, and computer program WO2017126322A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US16/068,804 US10855460B2 (en) 2016-01-18 2017-01-05 In-vehicle computer system, vehicle, key generation device, management method, key generation method, and computer program
EP17741202.0A EP3407534B1 (en) 2016-01-18 2017-01-05 In-car computer system, vehicle, key generation device, management method, key generation method, and computer program
CN201780007461.3A CN108496322B (en) 2016-01-18 2017-01-05 Vehicle-mounted computer system, vehicle, key generation device, management method, key generation method, and computer-readable recording medium

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2016007432 2016-01-18
JP2016-007432 2016-01-18
JP2016-150269 2016-07-29
JP2016150269A JP6260066B2 (en) 2016-01-18 2016-07-29 In-vehicle computer system and vehicle

Publications (1)

Publication Number Publication Date
WO2017126322A1 true WO2017126322A1 (en) 2017-07-27

Family

ID=59361720

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/000105 WO2017126322A1 (en) 2016-01-18 2017-01-05 In-car computer system, vehicle, key generation device, management method, key generation method, and computer program

Country Status (1)

Country Link
WO (1) WO2017126322A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020112341A1 (en) * 2018-11-28 2020-06-04 Mastercard International Incorporated Systems and methods for optimized cipher-based message authentication code processing
CN114834393A (en) * 2021-01-14 2022-08-02 丰田自动车株式会社 Vehicle control system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009111974A (en) * 2007-10-12 2009-05-21 Panasonic Corp Health care system, key management server and method therefor, and encrypting device and method therefor
WO2013005730A1 (en) * 2011-07-06 2013-01-10 日立オートモティブシステムズ株式会社 In-vehicle network system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009111974A (en) * 2007-10-12 2009-05-21 Panasonic Corp Health care system, key management server and method therefor, and encrypting device and method therefor
WO2013005730A1 (en) * 2011-07-06 2013-01-10 日立オートモティブシステムズ株式会社 In-vehicle network system

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"AN4240 Application Note", STMICROELECTRONICS, September 2013 (2013-09-01), Retrieved from the Internet <URL:http://www.st.eom/web/en/resource/technical/document/application_note/DM00075575.pdf>
"Body Gateway Muke On-chip Security Kino Tosai 32 Bit Maikon", FREESCALE, January 2014 (2014-01-01), Retrieved from the Internet <URL:http://www.nxp.com/assets/documents/data/en/supporting-information/ESecurityMCUJA.pdf> [retrieved on 20170316] *
EMERSON G., ET AL.: "Using the Cryptographic Service Engine (CSE), An introduction to the CSE module", FREESCALE SEMICONDUCTOR APPLICATION NOTE, June 2011 (2011-06-01), XP055512337, [retrieved on 20170316] *
KEISUKE TAKEMORI: "In-vehicle Network Security Using Secure Elements -Discussion of Security Technologies", IEICE TECHNICAL REPORT, vol. 114, no. 508, March 2015 (2015-03-01), pages 73 - 78
KEISUKE TAKEMORI: "Secure Element o Kiten to shita Shasai Seigyo System no Hogo -Yoso Gijutsu no Seiri to Kosatsu", DAI 17 KAI KUMIKOMI SYSTEM GIJUTSU NI KANSURU SUMMER WORKSHOP (SWEST17, 28 August 2015 (2015-08-28), Retrieved from the Internet <URL:https://swest.toppers. jp/SWEST17/data/s3a proceeding.pdf> [retrieved on 20170316] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020112341A1 (en) * 2018-11-28 2020-06-04 Mastercard International Incorporated Systems and methods for optimized cipher-based message authentication code processing
CN114834393A (en) * 2021-01-14 2022-08-02 丰田自动车株式会社 Vehicle control system
CN114834393B (en) * 2021-01-14 2023-08-04 丰田自动车株式会社 Vehicle control system

Similar Documents

Publication Publication Date Title
JP6454918B2 (en) In-vehicle computer system, vehicle, management method, and computer program
JP6260067B1 (en) Management system, key generation device, in-vehicle computer, management method, and computer program
JP6197000B2 (en) System, vehicle, and software distribution processing method
WO2017022821A1 (en) Management device, management system, key generation device, key generation system, key management system, vehicle, management method, key generation method, and computer program
JP6683588B2 (en) Reuse system, server device, reuse method, and computer program
JP6178390B2 (en) Management device, management system, vehicle, management method, and computer program
JP2017079369A (en) Vehicle system and authentication method
JP6188672B2 (en) Key management system
JP6238939B2 (en) In-vehicle computer system, vehicle, management method, and computer program
JP2010011400A (en) Cipher communication system of common key system
JP5380583B1 (en) Device authentication method and system
CN108377184B (en) Distributed authentication encryption method for internal network of intelligent automobile
JP2017208859A (en) SYSTEM, Vehicle, and Software Distribution Processing Method
WO2017126322A1 (en) In-car computer system, vehicle, key generation device, management method, key generation method, and computer program
KR102198178B1 (en) Session key establishment method using blockchain
JP6476462B2 (en) In-vehicle computer system, vehicle, management method, and computer program
JP2020088836A (en) Vehicle maintenance system, maintenance server device, management server device, on-vehicle device, maintenance tool, computer program, and vehicle maintenance method
US10263976B2 (en) Method for excluding a participant from a group having authorized communication
JP6188744B2 (en) Management system, vehicle and management method
JP6454919B2 (en) Management system, data providing apparatus, in-vehicle computer, management method, and computer program
JP6672243B2 (en) Data providing system, data providing device, data providing method, and data providing program
JP6830877B2 (en) Distribution system, key generator, distribution method, and computer program
JP2017208731A (en) Management system, management device, on-vehicle computer, management method, and computer program
JP6519060B2 (en) Management device, vehicle, management method, and computer program
JP2018026874A (en) Data providing system and data providing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17741202

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2017741202

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2017741202

Country of ref document: EP

Effective date: 20180820