WO2018047510A1 - Processing device for mounting in vehicle - Google Patents

Info

Publication number
WO2018047510A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
processing device
transfer destination
vehicle
vehicle processing
Application number
PCT/JP2017/027366
Other languages
French (fr)
Japanese (ja)
Inventor
尚幸 山本
中西 一弘
Original Assignee
日立オートモティブシステムズ株式会社
Applicant: 日立オートモティブシステムズ株式会社 (Hitachi Automotive Systems, Ltd.)
Priority to JP2018538283A (JP6704458B2)
Publication of WO2018047510A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks

Definitions

  • the present invention relates to an in-vehicle processing apparatus.
  • the vehicle is equipped with a plurality of electronic control devices (hereinafter referred to as ECUs), and the network between the devices is mainly composed of CAN (Controller Area Network) standards.
  • ECUs: electronic control devices
  • CAN: Controller Area Network
  • when security measures are applied to the in-vehicle network, a method has been proposed in which the ECU transmitting a CAN frame attaches a message authentication code (MAC) computed with a key to the frame, to guarantee the validity of the CAN frame and to prevent replay attacks from a fake ECU connected to the CAN bus (see, for example, Patent Document 1).
  • the vehicle data communication apparatus of Patent Document 2 centrally manages encryption information (whether or not to encrypt data) per combination of the bus connecting the transmitting node and the bus connecting the receiving node.
  • each node centrally manages decryption information (whether or not to decrypt data) per bus connecting the transmitting nodes.
  • the current vehicle CAN network is a line-type network formed by connecting each ECU to the line.
  • the CAN frame does not include identification information of the transmission source ECU and the destination ECU, and the reception ECU cannot simply determine whether the data is from the correct transmission source ECU.
  • An object of the present invention is to provide an in-vehicle processing apparatus that can introduce security in an in-vehicle network in stages.
  • the present invention provides a receiving unit that receives first data including an identifier, a routing control unit that identifies the transfer destination corresponding to the identifier, a security control unit that generates, from the first data, second data to be transferred to the transfer destination based on safety level information indicating the safety level required for that destination, and a transmission unit that transmits the second data to the transfer destination.
  • the in-vehicle network includes two buses (N600 and N601).
  • the in-vehicle gateway device 1, ECU 1 (N101), ECU 2 (N301), ECU 3 (N201) and the like according to the embodiment of the present invention are connected to the bus N600 (line).
  • the ECU 4 (N102) is connected to the bus N601.
  • Each ECU is assigned an ASIL (Automotive Safety Integrity Level) defined by ISO (International Organization for Standardization). Specifically, ASIL is classified using symbols such as QM (Quality Management), A, B, C, and D. The degree of safety required increases in the order QM < A < B < C < D.
  • ASIL Automotive Safety Integrity Level
  • ISO International Organization for Standardization
  • “D”, which is the highest safety level, is assigned to the ECU 1 (N101) and the ECU 4 (N102) in the broken line N100.
  • “B” is assigned to the ECU 3 (N201) and the ECU 5 in the broken line N200.
  • “QM”, which is the lowest safety level, is assigned to the ECU 2 (N301) and the ECU 6 in the broken line N300.
  • the in-vehicle gateway device 1 includes a routing control unit 2 that determines the data transfer destination, a routing table 3 that maps a CAN ID (identifier) to an output destination (transfer destination), a security control unit 4 that makes security control decisions and the like, a security table 5 that holds key information management for each device, inter-ECU authentication information, each device's ASIL and encryption method, encryption/decryption algorithms 6 (FIG. 2), and key information 8.
  • the in-vehicle gateway device 1 includes a microcomputer 11 (processor), an input / output device 14 such as an input / output port, a communication device 15 such as a CAN transceiver, and the like, as shown in FIG.
  • the microcomputer 11 includes an SRAM 12 (Static Random Access Memory) that is an example of a volatile memory and a FLASH 13 (Flash Memory) that is an example of a nonvolatile memory.
  • the FLASH 13 stores a routing table 3, a security table 5, encryption / decryption algorithms 6, 7 (program), key information 8, and the like.
  • the SRAM 12 temporarily stores data necessary for calculation, calculation results, and the like.
  • the routing table 3 has fields such as “connection bus No” (a number identifying the bus to which the transmission destination ECU is connected), “reception data ID” (the ID of received data), “transmission destination ECU” (the destination ECU corresponding to the reception data ID), and “transmission ID” (the ID assigned to the data sent to that destination).
  • the security table 5 has fields such as “device name”, “ASIL” (the vehicle safety level), “key ID” (an ID identifying an encryption key), “encryption method”, “transmission data ID” (the ID of the data sent by the ECU named in “device name”), and “authentication” (the result of challenge-and-response authentication).
  • the FLASH 13 storage device stores a combination of a device name (transfer destination) and ASIL (safety level information) corresponding to the device name (transfer destination).
  • the security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the ASIL (safety level information) corresponding to the transfer destination from the FLASH 13 (storage device) and sets the encryption strength of the data transferred to that destination according to the ASIL read. The encryption strength of the transferred data is thus determined by the ASIL of the transfer destination, regardless of the encryption strength of the data before transfer. Details of the operation are described later with reference to FIG. 5.
  • the FLASH 13 stores combinations of an ASIL (safety level information) and the encryption method corresponding to that ASIL.
  • the security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the encryption method corresponding to the ASIL (safety level information) from the FLASH 13 (storage device) and uses the encryption method read to set the encryption strength of the data transferred to the transfer destination. As a result, the transfer destination only needs to perform decryption for the encryption method corresponding to its ASIL. Details are described later with reference to FIG. 5.
  • the FLASH 13 stores combinations of an ASIL (safety level information) and a key ID (encryption key information) identifying the encryption key corresponding to that ASIL.
  • the security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the key ID corresponding to the ASIL (safety level information) from the FLASH 13 (storage device) and distributes the encryption key indicated by that key ID to the transfer destination.
  • the transfer destination can therefore decrypt the data using the encryption key corresponding to its ASIL.
  • CMAC (Cipher-based MAC), shown in FIG. 3, is a message authentication code algorithm based on a block cipher.
  • HMAC (Hash-based Message Authentication Code) is a message authentication code algorithm based on a hash function.
  • a transmission ID is prepared for transmitting key information to the ECU 1 (N101), ECU 3 (N201), etc. that require security.
  • the transmission ID “600” is assigned to the transmission destination “ECU1” in the third record of the routing table 3.
  • the transmission ID “610” is assigned to the transmission destination “ECU3”.
  • the key ID “D” is assigned to the device name “ECU1” in the first record of the security table 5.
  • the key ID “B” is assigned to the device name “ECU3”.
  • the key ID is an identifier for identifying an encryption key.
  • the in-vehicle gateway device 1 performs ECU device authentication by challenge and response with each ECU.
  • when authentication with an ECU succeeds, the in-vehicle gateway device 1 distributes to that ECU the key information 8 for its ASIL, resolved from the security table 5.
  • the in-vehicle gateway device 1 monitors the reception cycle of each received data ID. Data for an ID that arrives outside its cycle is discarded as invalid.
  • the in-vehicle gateway device 1 uses the key distributed to each ECU to verify the MAC on frame reception and to compute it on frame transmission, and so mediates the encryption between the ECUs. This frame mediation (encryption key replacement or cancellation) is described with reference to FIG. 2.
  • the in-vehicle gateway device 1 resolves the received data 401 from the ECU 1 (N101) using the routing table 3 and the security table 5, and decrypts the data with the decryption algorithm 6.
  • when the ASIL of the destination ECU in the security table 5 is B, the key information 8 for the encryption algorithm 6 corresponding to the destination ECU in the routing table 3 is selected, the data is encrypted to give data strength B (403), the transmission ID is changed, and the data is transmitted.
  • when the ASIL of the destination ECU in the security table 5 is QM, the transmission ID is changed and the data is transmitted as raw data 402 without encryption.
  • ECU 1 shown in FIG. 2 transmits encrypted data 400 (CAN frame) having data strength D via bus N601.
  • the ID (identifier) included in the data 400 is “100”.
  • the data 400 (first data) is encrypted using the encryption key (first encryption key) indicated by the key ID “D”.
  • the in-vehicle gateway device 1 receives the data 400 (S1).
  • the communication device 15 of the in-vehicle gateway device 1 functions as a receiving unit that receives data 400 including an ID (identifier).
  • the in-vehicle gateway device 1 determines whether or not the received data 400 (received data 401) is a transfer target (S2).
  • the in-vehicle gateway device 1 searches the routing table 3 for a record in which the value of the “reception data ID” field matches the ID “100” of the data 400.
  • if the “transmission destination ECU” field of the record hit by the search names another ECU (S2: YES), the in-vehicle gateway device 1 proceeds to S3; if that field names the gateway itself, or no record satisfies the search condition (S2: NO), processing ends.
  • the first record is hit by the search.
  • the in-vehicle gateway device 1 determines that the transmission destination ECUs are the ECUs 2 and 3 from the value of the “transmission destination ECU” field D1 of the first record of the routing table 3, and the received data 400 is a transfer target.
  • the in-vehicle gateway device 1 specifies that the IDs of data to be transmitted are 101 and 102 from the “transmission ID” field of the first record of the routing table 3.
  • the microcomputer 11 of the in-vehicle gateway device 1 functions as the routing control unit 2 that specifies the transfer destination corresponding to the ID (identifier) included in the data 400.
  • the in-vehicle gateway device 1 determines whether or not the ASIL of the ECU 1 that transmitted the data 400 is different from the ASIL of the transmission destination ECU 2 and ECU 3 (S3).
  • the in-vehicle gateway device 1 refers to the security table 5 to identify the ASIL of the ECU 1 that transmitted the data 400. Specifically, it searches the security table 5 for a record whose “transmission data ID” field matches the ID “100” of the data 400. In the security table 5 shown in FIG. 5, the first record is hit, and the value “D” in its “ASIL” field D2 identifies the ASIL of the ECU 1 as “D”.
  • the in-vehicle gateway device 1 refers to the security table 5 to identify the ASIL of the transfer destinations ECU 2 and ECU 3. Specifically, it searches the “device name” field of the security table 5 for the ECU 2 and the ECU 3. In the security table 5 shown in FIG. 5, the second and third records are hit.
  • from the “ASIL” field D2 of the second record of the security table 5, the in-vehicle gateway device 1 identifies the ASIL of the destination ECU 2 as “QM”; similarly, from the “ASIL” field D2 of the third record, it identifies the ASIL of the destination ECU 3 as “B”.
  • the in-vehicle gateway device 1 therefore determines that the ASIL of the ECU 1 that transmitted the data 400 differs from the ASIL of the destination ECU 2 and ECU 3 (S3: YES).
  • from the “encryption method” field of the first record of the security table 5, the in-vehicle gateway device 1 identifies that the ECU 1 encrypted the data 400 with “CMAC”, and decrypts the received data 400 with the encryption method “CMAC” (S4).
  • the in-vehicle gateway device 1 determines whether the ASIL of the transmission destination (transfer destination) ECU is other than “QM” (S5). In the example of FIG. 5, the ASIL of the destination ECU 2 is “QM”, so the in-vehicle gateway device 1 generates plaintext raw data 402 (CAN frame) from the data 400 decrypted in S4 and transmits it (S7). Since the ASIL of the destination ECU 3 is “B”, the in-vehicle gateway device 1 encrypts the data 400 decrypted in S4 using the encryption key indicated by the value “B” in the “key ID” field of the third record of the security table 5 and the method “HMAC” in its “encryption method” field (S6), generating data 403 (CAN frame) with data strength B and transmitting it (S7).
  • the microcomputer 11 of the in-vehicle gateway device 1 thus functions as the security control unit 4 that generates, from the data 400 (first data), the data 402 and 403 (second data) to be transferred to the transfer destination, based on the ASIL (safety level information) indicating the safety level required for the transfer destination.
  • the communication device 15 of the in-vehicle gateway device 1 functions as a transmission unit that transmits the data 402 and 403 (second data) to the transfer destination.
  • the microcomputer 11 sets the encryption strength of the data 402 and 403 (second data) according to the ASIL (safety level information) of the transfer destination. Specifically, the microcomputer 11 (security control unit 4) exchanges the encryption key of the data 400 (first data) or releases the encryption of the data 400 according to the ASIL (safety level information) of the transfer destination. Thus, data 402 and 403 (second data) are generated.
  • security can be introduced for each transfer destination according to the ASIL of the transfer destination.
  • the ECU 2 receives the unencrypted raw data 402 and performs a predetermined process using the received raw data 402.
  • the ECU 3 uses the encryption key corresponding to the key ID “B”, distributed from the in-vehicle gateway device 1, to decrypt the encrypted data 403 having data strength B, and performs predetermined processing using the decrypted data.
  • the ECU 2 (N301) handles the raw data 402 simply by receiving it, without any decoding.
  • the ECU 3 (N201) handles the data 403 of data strength B by decoding it with the target algorithm (HMAC) on reception.
  • security can be introduced into the in-vehicle network in stages. Specifically, security can be easily introduced by allowing a mixture of a security function compatible ECU (with a decryption function) and a conventional ECU (without a decryption function).
  • a conventional ECU can thus be given a security function within the network without requiring modification man-hours. Since authentication and key management are performed at the gateway, security functions can be managed centrally there, enabling a quick response to incidents.
  • the present invention is not limited to the above-described embodiment, and includes various modifications.
  • the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to the one having all the configurations described.
  • a part of the configuration of an embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of an embodiment.
  • values are stored in advance in each field of the routing table 3 and the security table 5, but they may be specified and registered from each ECU.
  • each of the above-described configurations, functions, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit.
  • Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by a processor (microcomputer).
  • Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, or an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
  • an in-vehicle processing device comprising: a storage unit that stores safety information of another in-vehicle processing device; a transmission data processing unit that processes data to be transmitted to the other in-vehicle processing device based on that safety information; and a transmission unit that transmits the data processed by the transmission data processing unit to the other in-vehicle processing device.
  • the encryption unit identifies the other in-vehicle gateway device from the identification number assigned to the data transmitted from it, and then collates the information of the other in-vehicle processing device with the safety level information to set the encryption level used when transmitting the data.
  • At least one of the plurality of in-vehicle gateway devices is an in-vehicle processing device.
  • At least one of the plurality of in-vehicle processing devices is an ECU.
  • a gateway device having a setting table in which a plurality of encryption levels are assigned to the in-vehicle processing device according to (1), and the encryption level is associated with the output destination in-vehicle device.
  • a gateway device having a setting table in which a plurality of safety levels are assigned to the in-vehicle processing device according to (1), and a safety level is associated with an encryption level.
  • a gateway device having a setting table in which a plurality of encryption methods are assigned to the in-vehicle processing device according to (1), and the encryption method is associated with the encryption level.
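The cycle monitoring mentioned above (the gateway watches the reception cycle of each received data ID and discards data that arrives outside it) is the gateway's replay and injection check. The following is an added example, not code from the patent or from Hitachi Automotive Systems: a small per-ID cycle monitor in Python. The expected periods, the tolerance, the rule that IDs with no configured cycle are discarded, and the sample trace are all constructed for the example.

```python
from typing import Dict, List, Tuple

# Expected reception period per reception data ID in milliseconds (constructed values)
EXPECTED_PERIOD_MS: Dict[int, float] = {100: 10.0, 200: 20.0}
EARLY_TOLERANCE = 0.3  # a frame more than 30 % early is outside the cycle (constructed)


class CycleMonitor:
    """Tracks the last accepted arrival time per reception data ID and rejects frames
    that arrive earlier than the configured cycle allows."""

    def __init__(self, periods: Dict[int, float], tolerance: float = EARLY_TOLERANCE):
        self.periods = periods
        self.tolerance = tolerance
        self.last_accepted: Dict[int, float] = {}
        self.discarded: List[Tuple[float, int]] = []  # (time, ID) of discarded frames

    def accept(self, rx_id: int, t_ms: float) -> bool:
        period = self.periods.get(rx_id)
        if period is None:
            self.discarded.append((t_ms, rx_id))  # ASSUMPTION: IDs without a cycle are discarded
            return False
        last = self.last_accepted.get(rx_id)
        if last is not None and t_ms - last < period * (1.0 - self.tolerance):
            # Too early: a second frame with this ID inside one cycle is treated as
            # invalid (the page discards data received outside the cycle). The earlier,
            # legitimate frame keeps its slot, so the next periodic frame is still
            # judged against the right reference time.
            self.discarded.append((t_ms, rx_id))
            return False
        # Late frames are accepted: a missed frame must not lock the ID out for good.
        self.last_accepted[rx_id] = t_ms
        return True


def run_trace(trace: List[Tuple[float, int]]) -> List[Tuple[float, int, bool]]:
    """Apply a fresh monitor to a (time_ms, reception ID) trace; returns each decision."""
    monitor = CycleMonitor(EXPECTED_PERIOD_MS)
    return [(t, rx_id, monitor.accept(rx_id, t)) for t, rx_id in trace]


# Constructed trace: ID 100 every 10 ms, plus an extra frame at 23 ms and an unknown ID.
SAMPLE_TRACE = [(0.0, 100), (10.1, 100), (20.0, 100), (23.0, 100),
                (30.2, 100), (31.0, 999), (40.0, 100)]

if __name__ == "__main__":
    for t, rx_id, ok in run_trace(SAMPLE_TRACE):
        print(f"t={t:5.1f} ms  ID={rx_id}  {'accept' if ok else 'discard'}")
```

The check is deliberately one-sided: only early arrivals are rejected, because a late frame usually means a lost predecessor, and rejecting it would leave the monitor stuck. The `discarded` list is what a detection pipeline would export as an event source.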

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a vehicle-mounted processing device capable of introducing security into a vehicle-mounted network in stages. According to the present invention, a communication device (receiving unit) of a vehicle-mounted gateway device 1 receives data 400 (first data) including an identifier (ID). A routing control unit 2 of the vehicle-mounted gateway device 1 identifies a transfer destination corresponding to the ID. A security control unit 4 of the vehicle-mounted gateway device 1 generates, from the data 400 (first data), data 402, 403 (second data) to be transferred to the transfer destination, on the basis of safety level information (ASIL) indicating a safety level required for the transfer destination. A communication device (transmitting unit) of the vehicle-mounted gateway device 1 transmits the data 402, 403 (second data) to the transfer destination.

Description

In-vehicle processing device
The present invention relates to an in-vehicle processing device.
As vehicle systems become more computerized, network security risks are increasing. Cases have actually occurred in which an attack on a vehicle network affected driving, and security functions that protect the vehicle control system against external attacks are regarded as important.
A vehicle is equipped with a plurality of electronic control units (hereinafter, ECUs), and the network between them is mainly built on the CAN (Controller Area Network) standard. As a security measure for the in-vehicle network, a method has been proposed in which the ECU transmitting a CAN frame attaches a message authentication code (MAC) computed with a key to the frame, guaranteeing the frame's validity and preventing replay attacks from a fake ECU connected to the CAN bus (see, for example, Patent Document 1).
A technique has also been disclosed that improves the security of data communication while limiting the burden on the nodes (see, for example, Patent Document 2). The vehicle data communication apparatus of Patent Document 2 centrally manages encryption information (whether or not to encrypt data) per combination of the bus connecting the transmitting node and the bus connecting the receiving node, and each node centrally manages decryption information (whether or not to decrypt data) per bus connecting the transmitting nodes.
Patent Document 1: Japanese Patent No. 5770602
Patent Document 2: JP 2013-201510 A
In current vehicle CAN networks, the network is a line type formed by connecting each ECU to the line. A CAN frame contains no identification of the source ECU or the destination ECU, so a receiving ECU cannot simply determine whether the data came from the correct source ECU.
With a technique such as that of Patent Document 1, applying security measures to the in-vehicle network requires changing the transmitted CAN frame itself, so the modification effort across all ECUs becomes large.
With a technique such as that of Patent Document 2, security measures can be taken per bus, but every ECU that receives data must have a decryption function; security cannot be introduced in stages starting from the ECUs that require reliability (safety), and the effort to support it becomes large.
An object of the present invention is to provide an in-vehicle processing device that can introduce security into an in-vehicle network in stages.
To achieve this object, the present invention comprises a receiving unit that receives first data including an identifier, a routing control unit that identifies the transfer destination corresponding to the identifier, a security control unit that generates, from the first data, second data to be transferred to the transfer destination based on safety level information indicating the safety level required for that destination, and a transmitting unit that transmits the second data to the transfer destination.
According to the present invention, security can be introduced into an in-vehicle network in stages.
Problems, configurations, and effects other than those described above will become clear from the following description of the embodiments.
FIG. 1 is a diagram explaining the configuration of an in-vehicle gateway device and in-vehicle network system according to an embodiment of the present invention, and the key distribution operation.
FIG. 2 is a diagram explaining the same configuration and the operation of replacing or cancelling an encryption key.
FIG. 3 shows the configuration of the security table of the in-vehicle gateway device according to the embodiment.
FIG. 4 shows the configuration of the routing table of the in-vehicle gateway device according to the embodiment.
FIG. 5 is a flowchart of the in-vehicle gateway device according to the embodiment.
FIG. 6 shows the hardware configuration of the in-vehicle gateway device according to the embodiment.
 以下、図面を用いて、本発明の実施形態による車載用ゲートウェイ装置(車載処理装置)の構成及び動作について説明する。なお、各図において、同一符号は同一部分を示す。 Hereinafter, the configuration and operation of the in-vehicle gateway device (in-vehicle processing device) according to the embodiment of the present invention will be described with reference to the drawings. In each figure, the same numerals indicate the same parts.
 (システム構成) 図1を用いて本発明の一実施形態による車載用ゲートウェイ装置及び車載ネットワークシステムの構成を説明する。 (System Configuration) The configuration of the in-vehicle gateway device and the in-vehicle network system according to an embodiment of the present invention will be described with reference to FIG.
 図1の例では、車載ネットワークは、2つのバス(N600、N601)を備えている。バスN600(ライン)には、本発明の実施形態による車載用ゲートウェイ装置1、ECU1(N101)、ECU2(N301)、ECU3(N201)等が接続されている。一方、バスN601には、ECU4(N102)が接続されている。 In the example shown in FIG. 1, the in-vehicle network includes two buses (N600 and N601). The in-vehicle gateway device 1, ECU 1 (N101), ECU 2 (N301), ECU 3 (N201) and the like according to the embodiment of the present invention are connected to the bus N600 (line). On the other hand, the ECU 4 (N102) is connected to the bus N601.
 各ECUには、ISO(International Organization for Standardization)によって規定される自動車安全度水準ASIL(Automotive Safety Integrity Level)が割り当てられている。具体的には、ASILは、QM(Quality Management)、A、B、C、D等の記号を用いて分類される。QM<A<B<C<Dの順で要求される安全度は大きくなる。 Each ECU is assigned an ASIL (Automotive Safety Integrity Level) defined by ISO (International Organization for Standardization). Specifically, ASIL is classified using symbols such as QM (Quality Management), A, B, C, and D. The degree of safety required in the order of QM <A <B <C <D increases.
 図1の例では、破線N100内のECU1(N101)、ECU4(N102)に、最も高い安全度である「D」が割り当てられている。破線N200内のECU3(N201)、ECU5には、「B」が割り当てられている。破線N300内のECU2(N301)、ECU6には、最も低い安全度である「QM」が割り当てられている。 In the example of FIG. 1, “D”, which is the highest safety level, is assigned to the ECU 1 (N101) and the ECU 4 (N102) in the broken line N100. “B” is assigned to the ECU 3 (N201) and the ECU 5 in the broken line N200. “QM”, which is the lowest safety level, is assigned to the ECU 2 (N301) and the ECU 6 in the broken line N300.
 車載用ゲートウェイ装置1は、データ転送先を判定するルーティング制御部2、CAN ID(識別子)と出力先(転送先)の対応づけを示すルーティングテーブル3、セキュリティの制御判定等をするセキュリティ制御部4、各装置の鍵情報管理、ECU間の認証情報、各ASIL情報及び暗号方式を示すセキュリティテーブル5、暗号化・復号化アルゴリズム6(図2)、鍵情報8を備える。 The in-vehicle gateway device 1 includes a routing control unit 2 that determines a data transfer destination, a routing table 3 that indicates a correspondence between a CAN ID (identifier) and an output destination (transfer destination), a security control unit 4 that performs security control determination, and the like. , Key information management of each device, authentication information between ECUs, security table 5 indicating each ASIL information and encryption method, encryption / decryption algorithm 6 (FIG. 2), and key information 8.
 なお、車載用ゲートウェイ装置1は、図6に示すように、マイコン11(プロセッサ)、入出力ポートなどの入出力装置14、CANトランシーバなどの通信装置15等を備える。マイコン11は、揮発性メモリの一例であるSRAM12(Static Random Access Memory)と、不揮発性メモリの一例であるFLASH13(Flash Memory)を内蔵する。 The in-vehicle gateway device 1 includes a microcomputer 11 (processor), an input / output device 14 such as an input / output port, a communication device 15 such as a CAN transceiver, and the like, as shown in FIG. The microcomputer 11 includes an SRAM 12 (Static Random Access Memory) that is an example of a volatile memory and a FLASH 13 (Flash Memory) that is an example of a nonvolatile memory.
 FLASH13には、ルーティングテーブル3、セキュリティテーブル5、暗号化・復号化アルゴリズム6、7(プログラム)、鍵情報8等が記憶される。SRAM12には、演算に必要なデータ、演算結果などが一時的に記憶される。 The FLASH 13 stores a routing table 3, a security table 5, encryption / decryption algorithms 6, 7 (program), key information 8, and the like. The SRAM 12 temporarily stores data necessary for calculation, calculation results, and the like.
 ルーティングテーブル3は、図4に示すように、送信先ECUが接続されるバスを識別する番号を示す「接続バスNo」、受信データのIDを示す「受信データID」、受信データIDに対応する送信先のECUを示す「送信先ECU」、送信先へ送信するデータに割り当てるIDを示す「送信ID」等のフィールドを備える。 As shown in FIG. 4, the routing table 3 corresponds to “connection bus No” indicating a number for identifying a bus to which the transmission destination ECU is connected, “reception data ID” indicating the ID of reception data, and reception data ID. Fields such as “transmission destination ECU” indicating the transmission destination ECU and “transmission ID” indicating ID assigned to data to be transmitted to the transmission destination are provided.
As shown in FIG. 3, the security table 5 has fields such as "device name"; "ASIL", the Automotive Safety Integrity Level; "key ID", the ID identifying an encryption key; "encryption method"; "send data ID", the ID of the data sent by the ECU named in "device name"; and "authentication", the result of challenge-and-response authentication. In other words, the FLASH 13 (storage device) stores combinations of a device name (transfer destination) and the ASIL (safety level information) corresponding to that device name (transfer destination).
The security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the ASIL (safety level information) corresponding to the transfer destination from the FLASH 13 (storage device) and sets the encryption strength of the data to be transferred to that destination according to the ASIL it read. As a result, the encryption strength of the transferred data is determined by the ASIL of the transfer destination, regardless of the encryption strength of the data before transfer. The operation is described in detail later with reference to FIG. 5.
The FLASH 13 (storage device) also stores combinations of an ASIL (safety level information) and the encryption method corresponding to that ASIL.
The security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the encryption method corresponding to the ASIL (safety level information) from the FLASH 13 (storage device) and uses that encryption method to set the encryption strength of the data transferred to the destination. The transfer destination therefore only needs to perform decryption for the encryption method corresponding to its ASIL. Details are described later with reference to FIG. 5.
Further, the FLASH 13 (storage device) stores combinations of an ASIL (safety level information) and a key ID (encryption key information) indicating the encryption key corresponding to that ASIL.
The security control unit 4 (microcomputer 11) of the in-vehicle gateway device 1 reads the key ID corresponding to the ASIL (safety level information) from the FLASH 13 (storage device) and distributes the encryption key indicated by that key ID to the transfer destination. The transfer destination can then decrypt data using the encryption key that corresponds to its ASIL.
CMAC (Cipher-based MAC), shown in FIG. 3, is a message authentication code algorithm based on a block cipher. HMAC (Hash-based Message Authentication Code), also shown in FIG. 3, is one kind of message authentication code (MAC) and is computed from a secret key, a message (data), and a hash function. The encryption strength of CMAC is greater than that of HMAC.
(Distribution of encryption keys)
Next, an example in which the in-vehicle gateway device 1 distributes keys to each ECU per ASIL is described with reference to FIG. 1.
In the routing table 3 of the in-vehicle gateway device 1, send IDs are prepared for transmitting key information to the ECUs that require security, such as ECU1 (N101) and ECU3 (N201). In the example of FIG. 1, the third record of the routing table 3 assigns send ID "600" to destination "ECU1", and the fourth record assigns send ID "610" to destination "ECU3".
In the security table 5, key information is prepared per ASIL for each ECU. In the example of FIG. 1, the first record of the security table 5 assigns key ID "D" to device name "ECU1", and the third record assigns key ID "B" to device name "ECU3". Here, the key ID is an identifier that identifies an encryption key.
The in-vehicle gateway device 1 performs ECU device authentication with each ECU by challenge and response. When authentication with an ECU succeeds, the gateway distributes to that ECU the key information 8 for the ASIL resolved from the security table 5. The in-vehicle gateway device 1 also monitors the cycle of each receive data ID; data with an ID received outside its cycle is treated as invalid and discarded.
Using the keys distributed to each ECU, the in-vehicle gateway device 1 resolves the MAC on frame reception and frame transmission and arbitrates encryption with each ECU. This frame arbitration (replacing or removing the encryption key) is described with reference to FIG. 2.
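The key-distribution step and the receive-cycle check described above, as an added example in Python; this is not the patent's code or Hitachi's implementation. The challenge-and-response is modelled as HMAC-SHA256 over a fresh nonce under a per-ECU authentication secret (the page only says "challenge and response", so the construction is an assumption), the key IDs, ASILs and send IDs 600/610 follow FIG. 1, and all key bytes and secrets are constructed sample values. The page does not say how the delivered key is protected on the CAN bus; the example hands it over exactly as the text describes, and a deployment would wrap it in transit (for instance under a key-encryption key established during the same authentication). The period monitor implements the stated rule by rejecting frames that arrive earlier than their configured cycle allows; how late frames are treated is an assumption noted in the code.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the patent): per-ECU authentication secrets
# standing in for the "authentication information between ECUs" held in the
# security table, the ASIL key material (key information 8), and the routing
# table records that assign send ID 600 to ECU1 and 610 to ECU3 (FIG. 1).
AUTH_SECRETS: Dict[str, bytes] = {
    "ECU1": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "ECU3": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
ASIL_KEYS: Dict[str, bytes] = {             # key ID -> key bytes (constructed)
    "D": bytes.fromhex("d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"),
    "B": bytes.fromhex("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"),
}
KEY_DELIVERY = {                             # security table + routing table, FIG. 1
    "ECU1": {"asil": "D", "key_id": "D", "tx_id": 600},
    "ECU3": {"asil": "B", "key_id": "B", "tx_id": 610},
}


class Ecu:
    """Minimal ECU model: answers challenges and stores the key it is sent."""

    def __init__(self, name: str, auth_secret: bytes) -> None:
        self.name = name
        self._auth_secret = auth_secret
        self.keys: Dict[str, bytes] = {}     # key ID -> key received from the gateway

    def respond(self, challenge: bytes) -> bytes:
        # Response = HMAC-SHA256(secret, challenge); the gateway recomputes it.
        return hmac.new(self._auth_secret, challenge, hashlib.sha256).digest()

    def receive_key(self, key_id: str, key: bytes) -> None:
        self.keys[key_id] = key


class Gateway:
    """Gateway side of the challenge-and-response and per-ASIL key delivery."""

    def authenticate(self, ecu: Ecu) -> bool:
        secret = AUTH_SECRETS.get(ecu.name)
        if secret is None:
            return False                     # device not provisioned: refuse
        challenge = secrets.token_bytes(8)   # fresh nonce per attempt, never reused
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        # constant-time comparison so a wrong response leaks nothing by timing
        return hmac.compare_digest(expected, ecu.respond(challenge))

    def distribute_key(self, ecu: Ecu) -> Optional[Tuple[int, str, bytes]]:
        """Return the (send ID, key ID, key) delivered, or None if refused."""
        if ecu.name not in KEY_DELIVERY or not self.authenticate(ecu):
            return None                      # unknown or unauthenticated ECU: no key
        entry = KEY_DELIVERY[ecu.name]
        key = ASIL_KEYS[entry["key_id"]]
        ecu.receive_key(entry["key_id"], key)
        return entry["tx_id"], entry["key_id"], key


class PeriodMonitor:
    """Per receive-ID cycle check: a frame that arrives earlier than its
    configured period allows is treated as invalid and discarded."""

    def __init__(self, periods_ms: Dict[int, float], tolerance: float = 0.2) -> None:
        self.periods = periods_ms            # receive data ID -> nominal period (ms)
        self.tolerance = tolerance           # fraction of the period allowed as jitter
        self.last_ms: Dict[int, float] = {}  # last accepted arrival time per ID

    def accept(self, rx_id: int, t_ms: float) -> bool:
        period = self.periods.get(rx_id)
        if period is None:
            return False                     # ID with no configured cycle: drop
        last = self.last_ms.get(rx_id)
        if last is not None and (t_ms - last) < period * (1.0 - self.tolerance):
            return False                     # too early: out of cycle, discarded
        self.last_ms[rx_id] = t_ms           # late frames re-synchronise (assumption)
        return True
```

A rejected early frame does not update the stored arrival time, so the legitimate frame that follows it is still judged against the last genuine one rather than against the injected one.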
(Replacing or removing the encryption key)
Next, the operation of replacing or removing the encryption key in the in-vehicle gateway device and in-vehicle network according to one embodiment of the present invention is described with reference to FIG. 2.
When data is to be passed from ECU1 (N101) to ECU2 (N301) and ECU3 (N201), ECU1 (N101) encrypts the CAN frame, so the receiving ECUs cannot use the data as received. The in-vehicle gateway device 1 therefore resolves the received data 401 from ECU1 (N101) against the routing table 3 and the security table 5 and decrypts it with the decryption algorithm 6.
It then designates the key information 8 for the encryption algorithm 6 that matches the destination ECU in the routing table 3, encrypts the data to produce data of data strength B (403), replaces the send ID, and transmits it. If the ASIL of the destination ECU in the security table 5 is QM, the data is transmitted unencrypted as raw data 402, with the send ID replaced.
Next, the operation of the in-vehicle gateway device 1 is described in detail with reference to FIG. 5. Assume that ECU1 shown in FIG. 2 has transmitted encrypted data 400 (a CAN frame) of data strength D over bus N601. The ID (identifier) contained in data 400 is "100". Data 400 (first data) is encrypted with the encryption key (first encryption key) indicated by key ID "D".
The in-vehicle gateway device 1 receives data 400 (S1). Here, the communication device 15 of the gateway functions as a receiving unit that receives data 400 containing the ID (identifier).
The in-vehicle gateway device 1 determines whether the received data 400 (received data 401) is subject to transfer (S2).
Specifically, the gateway searches the routing table 3 for a record whose "receive data ID" field matches the ID "100" of data 400. If the "destination ECU" field of the matching record is not the gateway itself (S2: YES), processing proceeds to S3; if the "destination ECU" field is the gateway itself, or no record satisfies the search condition (S2: NO), processing ends.
In the routing table 3 shown in FIG. 5, the search hits the first record. From the value of the "destination ECU" field D1 of that record, the gateway determines that the destination ECUs are ECU2 and ECU3 and that the received data 400 is subject to transfer. From the "send ID" field of the first record, the gateway also determines that the IDs of the data to be sent are 101 and 102.
Here, the microcomputer 11 of the in-vehicle gateway device 1 functions as the routing control unit 2 that identifies the transfer destination corresponding to the ID (identifier) contained in data 400.
Next, the in-vehicle gateway device 1 determines, for each destination, whether the ASIL of ECU1, which sent data 400, differs from the ASIL of the destination ECU2 or ECU3 (S3).
First, the gateway refers to the security table 5 to identify the ASIL of ECU1, which sent data 400. Specifically, it searches the security table 5 for a record whose "send data ID" field matches the ID "100" of data 400. In the security table 5 shown in FIG. 5, the first record is hit. From the value of the "ASIL" field D2 of that record, the gateway determines that the ASIL of ECU1 is "D".
Next, the gateway refers to the security table 5 to identify the ASIL of the transfer destinations ECU2 and ECU3. Specifically, it searches the security table 5 for the records whose "device name" field is ECU2 and ECU3, respectively. In the security table 5 shown in FIG. 5, the second and third records are hit.
From the value of the "ASIL" field D2 of the second record of the security table 5, the gateway determines that the ASIL of the destination ECU2 is "QM". Similarly, from the value of the "ASIL" field D2 of the third record, it determines that the ASIL of the destination ECU3 is "B".
The gateway thus determines that the ASIL of ECU1, which sent data 400, differs from the ASIL of each destination, ECU2 and ECU3 (S3: YES).
From the value of the "encryption method" field of the first record of the security table 5, the gateway determines that ECU1 encrypted data 400 with "CMAC", and decrypts the received data 400 with the encryption method "CMAC" (S4).
The gateway determines whether the ASIL of the destination (transfer destination) ECU is other than "QM" (S5). In the example of FIG. 5, the ASIL of the destination ECU2 is "QM", so the gateway generates plaintext raw data 402 (a CAN frame) from the data 400 decrypted in S4 and transmits it (S7). The ASIL of the destination ECU3 is "B", so the gateway encrypts the data 400 decrypted in S4 with the encryption method "HMAC", using the encryption key indicated by the value "B" of the "key ID" field in the third record of the security table 5 (S6), generates data 403 (a CAN frame) of data strength B, and transmits it (S7).
In other words, the microcomputer 11 of the in-vehicle gateway device 1 functions as the security control unit 4, which generates from data 400 (first data) the data 402 and 403 (second data) to be transferred to the destinations, based on the ASIL (safety level information) indicating the safety level required of each destination. The communication device 15 of the gateway functions as a transmitting unit that sends data 402 and 403 (second data) to the transfer destinations.
In detail, the microcomputer 11 (security control unit 4) sets the encryption strength of data 402 and 403 (second data) according to the ASIL (safety level information) of the transfer destination. Specifically, it generates data 402 and 403 (second data) either by exchanging the encryption key of data 400 (first data) or by removing the encryption of data 400, according to the destination's ASIL.
For example, according to the ASIL (safety level information) of the transfer destination, the microcomputer 11 (security control unit 4) exchanges the encryption key of data 400 by decrypting data 400 (first data) with the first encryption key (key ID = D) and encrypting it with a second encryption key (key ID = B) different from the first; when the destination's ASIL indicates the lowest safety level, it removes the encryption of data 400 by decrypting it with the first encryption key (key ID = D). Security can thus be applied per transfer destination according to that destination's ASIL.
ECU2 (N301) receives the unencrypted raw data 402 and performs its predetermined processing using it. ECU3 (N201), on the other hand, uses the encryption key corresponding to key ID "B", distributed by the in-vehicle gateway device 1, to decrypt the encrypted data 403 of data strength B, and performs its predetermined processing using the decrypted data.
In this way, ECU2 (N301) handles the raw data 402 simply by receiving it, without decryption, while ECU3 (N201) decrypts the data 403 of data strength B with the applicable algorithm (HMAC) on reception and then handles the data.
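The S1 to S7 flow of FIG. 5 as an added, runnable example in Python; this is not the patent's code or Hitachi's implementation. The page calls CMAC and HMAC "encryption methods", but both are message authentication codes rather than ciphers, so the example models "data strength D/B" as a payload carrying a keyed authentication tag under the sender's or destination's key: S4 verifies and strips the tag, S6 appends a tag under the destination's key, and the QM path sends the bare payload (raw data 402). HMAC is real HMAC-SHA256; because Python's standard library has no AES-CMAC, the "CMAC" slot is filled by a keyed BLAKE2s stand-in (an assumption, marked in the code). Tags are truncated to 4 bytes so payload plus tag fits a classic 8-byte CAN frame, a constraint the page does not discuss. The table contents follow FIG. 3 and FIG. 4 where the page gives them (IDs 100, 101, 102, the ASILs, key IDs and methods); the key bytes, the ECU2/ECU3 "send data ID" values and the handling of a failed tag check or same-ASIL destination are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

TAG_LEN = 4  # bytes of tag kept so payload + tag fits a classic 8-byte CAN frame

# Constructed tables following the field layout of FIG. 4 and FIG. 3; IDs 100,
# 101, 102, the ASILs, key IDs and methods are the page's, the key bytes and the
# ECU2/ECU3 "send data ID" values are made up for this example.
ROUTING_TABLE = [
    {"bus": "N601", "rx_id": 100, "dst": ["ECU2", "ECU3"], "tx_id": [101, 102]},
]
SECURITY_TABLE = [
    {"name": "ECU1", "asil": "D",  "key_id": "D",  "method": "CMAC", "tx_data_id": 100},
    {"name": "ECU2", "asil": "QM", "key_id": None, "method": None,   "tx_data_id": 300},
    {"name": "ECU3", "asil": "B",  "key_id": "B",  "method": "HMAC", "tx_data_id": 200},
]
KEYS: Dict[str, bytes] = {  # key information 8 (constructed values)
    "D": bytes.fromhex("d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"),
    "B": bytes.fromhex("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"),
}
SELF = "GW"  # destination value meaning "addressed to the gateway itself"


def make_tag(method: str, key: bytes, payload: bytes) -> bytes:
    """Keyed tag for one frame. 'HMAC' is real HMAC-SHA256; 'CMAC' is a
    stand-in (keyed BLAKE2s) because the standard library has no AES-CMAC."""
    if method == "HMAC":
        return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if method == "CMAC":
        return hashlib.blake2s(payload, key=key, digest_size=TAG_LEN).digest()
    raise ValueError(f"unknown method {method!r}")


def protect(method: str, key: bytes, payload: bytes) -> bytes:
    """S6: produce 'data strength X' by appending the destination's tag."""
    return payload + make_tag(method, key, payload)


def unprotect(method: str, key: bytes, data: bytes) -> Optional[bytes]:
    """S4: verify the sender's tag and return the bare payload, or None."""
    payload, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if hmac.compare_digest(tag, make_tag(method, key, payload)):
        return payload
    return None


def _by(table, field, value):
    return next((r for r in table if r[field] == value), None)


def gateway_forward(frame: Tuple[int, bytes]) -> List[Tuple[str, int, bytes]]:
    """Run S1-S7 for one received frame (receive ID, data) and return the
    frames to send as (destination ECU, send ID, data)."""
    rx_id, data = frame                                          # S1
    route = _by(ROUTING_TABLE, "rx_id", rx_id)                   # S2
    if route is None or route["dst"] == [SELF]:
        return []
    src = _by(SECURITY_TABLE, "tx_data_id", rx_id)               # S3: sender's ASIL
    if src is None:
        return []          # sender unknown to the security table: drop (assumption)
    payload: Optional[bytes] = None
    out: List[Tuple[str, int, bytes]] = []
    for dst_name, tx_id in zip(route["dst"], route["tx_id"]):
        dst = _by(SECURITY_TABLE, "name", dst_name)
        if dst["asil"] == src["asil"]:                           # S3: NO
            out.append((dst_name, tx_id, data))                  # same level: pass through (assumption)
            continue
        if payload is None:                                      # S4, done once per frame
            payload = unprotect(src["method"], KEYS[src["key_id"]], data)
            if payload is None:
                return []  # tag check failed: the whole frame is discarded
        if dst["asil"] == "QM":                                  # S5: NO -> raw data 402
            out.append((dst_name, tx_id, payload))
        else:                                                    # S5: YES -> S6, data 403
            out.append((dst_name, tx_id,
                        protect(dst["method"], KEYS[dst["key_id"]], payload)))
    return out                                                   # S7
```

The check worth noting is the early return on a failed tag: if the gateway forwarded a frame whose tag does not verify under the sender's key, the QM destination would accept forged data with no protection at all, so the verification at S4 is what the downgrade to raw data 402 relies on.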
As described above, this embodiment allows security to be introduced into the in-vehicle network in stages. Specifically, it allows ECUs with security support (with a decryption function) and conventional ECUs (without a decryption function) to coexist, which makes introducing security easier.
Conventional ECUs can also be given a security function on the network without any modification effort. Because authentication and key management are performed at the gateway, security functions can be managed centrally at the gateway, enabling rapid response to incidents.
The present invention is not limited to the embodiment described above and includes various modifications. For example, the above embodiment has been described in detail to explain the invention clearly, and the invention is not necessarily limited to one having all of the described configurations. Part of the configuration of one embodiment can be replaced with the configuration of another, and the configuration of another embodiment can be added to that of one embodiment. Other configurations can also be added to, deleted from, or substituted for part of the configuration of each embodiment.
In the above embodiment, values are stored in advance in each field of the routing table 3 and the security table 5, but they may instead be specified and registered by each ECU.
Each of the configurations, functions and the like described above may be implemented partly or wholly in hardware, for example by designing an integrated circuit. They may also be implemented in software by having a processor (microcomputer) interpret and execute a program that realizes each function. Information such as the programs, tables and files that realize each function can be placed in memory, in a recording device such as a hard disk or SSD (Solid State Drive), or on a recording medium such as an IC card, SD card or DVD.
Embodiments of the present invention may also take the following forms.
(1) An in-vehicle processing device connected to another in-vehicle processing device, comprising: a storage unit that stores the safety level information of the other in-vehicle processing device; a transmission data processing unit that processes the data to be transmitted to the other in-vehicle processing device based on that device's safety level information; and a transmitting unit that transmits the data processed by the transmission data processing unit to the other in-vehicle processing device.
(2) The in-vehicle processing device according to (1), wherein the transmission data processing unit is an encryption unit that encrypts the data transmitted to the other in-vehicle processing device.
(3) The in-vehicle processing device according to (2), wherein the encryption unit sets the encryption level used when encrypting the data based on the safety level information.
(4) The in-vehicle processing device according to (1), wherein the encryption unit identifies, from the identification number attached to data transmitted by another in-vehicle gateway device, the other in-vehicle gateway device that processes that data, then checks the information of the other in-vehicle processing device against the safety level information and sets the encryption level used when transmitting the data.
(5) The in-vehicle processing device according to (1), wherein at least one of the plurality of in-vehicle gateway devices is an in-vehicle processing device.
(6) The in-vehicle processing device according to (1), wherein at least one of the plurality of in-vehicle processing devices is an ECU.
(7) A gateway device having a setting table in which a plurality of encryption levels are assigned to the in-vehicle processing device according to (1), and each encryption level is associated with an output destination in-vehicle device.
(8) A gateway device having a setting table in which a plurality of safety levels are assigned to the in-vehicle processing device according to (1), and each safety level is associated with an encryption level.
(9) A gateway device having a setting table in which a plurality of encryption methods are assigned to the in-vehicle processing device according to (1), and each encryption method is associated with an encryption level.
1   In-vehicle gateway device
2   Routing control (unit)
3   Routing table
4   Security control (unit)
5   Security table
6   Encryption/decryption algorithm (CMAC)
7   Encryption/decryption algorithm (HMAC)
8   Key information
11  Microcomputer
12  SRAM
13  FLASH
14  Input/output device
15  Communication device
100 ECU with safety level ASIL-D
N101 ECU1
N102 ECU4
N200 ECU with safety level ASIL-B
N201 ECU3
N202 ECU5
N300 ECU with safety level ASIL-QM
N301 ECU2
N302 ECU6
400 Data of data strength D
401 Received data
402 Raw data
403 Data of data strength B
501 Key information B
502 Key information D

Claims (9)

  1.  An in-vehicle processing device comprising:
     a receiving unit that receives first data including an identifier;
     a routing control unit that identifies a transfer destination corresponding to the identifier;
     a security control unit that generates, from the first data, second data to be transferred to the transfer destination, based on safety level information indicating the safety level required of the transfer destination; and
     a transmitting unit that transmits the second data to the transfer destination.
  2.  The in-vehicle processing device according to claim 1, wherein
     the security control unit sets the encryption strength of the second data according to the safety level information of the transfer destination.
  3.  The in-vehicle processing device according to claim 2, wherein
     the first data is encrypted, and
     the security control unit generates the second data by exchanging the encryption key of the first data or removing the encryption of the first data according to the safety level information of the transfer destination.
  4.  The in-vehicle processing device according to claim 3, wherein
     the first data is encrypted using a first encryption key, and
     the security control unit, according to the safety level information of the transfer destination, exchanges the encryption key of the first data by decrypting the first data using the first encryption key and encrypting it using a second encryption key different from the first encryption key, and,
     when the safety level information of the transfer destination indicates the lowest safety level, removes the encryption of the first data by decrypting the first data using the first encryption key.
  5.  The in-vehicle processing device according to claim 2, further comprising
     a storage device that stores combinations of a transfer destination and the safety level information corresponding to that transfer destination, wherein
     the security control unit reads the safety level information corresponding to the transfer destination from the storage device and sets the encryption strength of the second data according to the safety level information read.
  6.  The in-vehicle processing device according to claim 5, wherein
     the storage device stores combinations of the safety level information and an encryption method corresponding to the safety level information, and
     the security control unit reads the encryption method corresponding to the safety level information from the storage device and sets the encryption strength of the second data using the encryption method read.
  7.  The in-vehicle processing device according to claim 6, wherein
     the storage device stores combinations of the safety level information and encryption key information indicating the encryption key corresponding to the safety level information, and
     the security control unit reads the encryption key information corresponding to the safety level information from the storage device and distributes the encryption key indicated by the encryption key information read to the transfer destination.
  8.  The in-vehicle processing device according to claim 1, wherein
     the safety level information is the Automotive Safety Integrity Level (ASIL).
  9.  An in-vehicle system including a first in-vehicle processing device, a second in-vehicle processing device and a third in-vehicle processing device, wherein
     the first in-vehicle processing device transmits first data including an identifier,
     the second in-vehicle processing device comprises:
     a receiving unit that receives the first data;
     a routing control unit that identifies a transfer destination corresponding to the identifier;
     a security control unit that generates, from the first data, second data to be transferred to the transfer destination, based on safety level information indicating the safety level required of the transfer destination; and
     a transmitting unit that transmits the second data to the third in-vehicle processing device, which is the transfer destination, and
     the third in-vehicle processing device receives the second data and performs predetermined processing using the received second data.
PCT/JP2017/027366 2016-09-07 2017-07-28 Processing device for mounting in vehicle WO2018047510A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2018538283A JP6704458B2 (en) 2016-09-07 2017-07-28 In-vehicle processor

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2016-174561 2016-09-07
JP2016174561 2016-09-07

Publications (1)

Publication Number Publication Date
WO2018047510A1 true WO2018047510A1 (en) 2018-03-15

Family

ID=61562617

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/027366 WO2018047510A1 (en) 2016-09-07 2017-07-28 Processing device for mounting in vehicle

Country Status (2)

Country Link
JP (1) JP6704458B2 (en)
WO (1) WO2018047510A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3975455A1 (en) * 2020-09-23 2022-03-30 Bayerische Motoren Werke Aktiengesellschaft Determining correctness of actually received timestamp
WO2022230496A1 (en) * 2021-04-30 2022-11-03 株式会社オートネットワーク技術研究所 Vehicle-mounted communication system, relay device, and relay method
WO2023013337A1 (en) * 2021-08-04 2023-02-09 矢崎総業株式会社 Vehicle system
WO2023048274A1 (en) * 2021-09-27 2023-03-30 矢崎総業株式会社 Vehicle system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023191195A1 (en) * 2022-03-31 2023-10-05 엘지전자 주식회사 Signal processing device and vehicle display device comprising same

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004343626A (en) * 2003-05-19 2004-12-02 Sumitomo Electric Ind Ltd On-vehicle communication system, on-vehicle apparatus, and encryption method
JP2010098626A (en) * 2008-10-20 2010-04-30 Hitachi Automotive Systems Ltd Routing method in in-vehicle gateway device
JP2014174778A (en) * 2013-03-11 2014-09-22 Hitachi Automotive Systems Ltd Gateway device and service providing system
JP2014204315A (en) * 2013-04-05 2014-10-27 株式会社デンソー Relay device
JP2016134834A (en) * 2015-01-21 2016-07-25 トヨタ自動車株式会社 On-vehicle gateway device and on-vehicle network system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5783103B2 (en) * 2012-03-23 2015-09-24 株式会社デンソー VEHICLE DATA COMMUNICATION SYSTEM AND VEHICLE DATA COMMUNICATION DEVICE

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3975455A1 (en) * 2020-09-23 2022-03-30 Bayerische Motoren Werke Aktiengesellschaft Determining correctness of actually received timestamp
EP4142189A3 (en) * 2020-09-23 2023-03-15 Bayerische Motoren Werke Aktiengesellschaft Determining correctness of actually received timestamp
WO2022230496A1 (en) * 2021-04-30 2022-11-03 株式会社オートネットワーク技術研究所 Vehicle-mounted communication system, relay device, and relay method
WO2023013337A1 (en) * 2021-08-04 2023-02-09 矢崎総業株式会社 Vehicle system
JP7471756B2 (en) 2021-08-04 2024-04-22 矢崎総業株式会社 Vehicle Systems
WO2023048274A1 (en) * 2021-09-27 2023-03-30 矢崎総業株式会社 Vehicle system

Also Published As

Publication number Publication date
JP6704458B2 (en) 2020-06-03
JPWO2018047510A1 (en) 2019-02-21

Similar Documents

Publication Publication Date Title
JP6704458B2 (en) In-vehicle processor
US9954826B2 (en) Scalable and secure key management for cryptographic data processing
EP3348036B1 (en) Unauthorized access event notificaiton for vehicle electronic control units
EP2817916B1 (en) Cryptographic transmission system using key encryption key
US11212087B2 (en) Management system, key generation device, in-vehicle computer, management method, and computer program
US20190245691A1 (en) Reuse system, key generation device, data security device, in-vehicle computer, reuse method, and computer program
CN109314640B (en) Vehicle information collection system, vehicle-mounted computer, vehicle information collection device, vehicle information collection method, and recording medium
EP2461564A1 (en) Key transport protocol
JP6288219B1 (en) Communications system
EP2538366B1 (en) Generating secure device secret key
US20210036873A1 (en) APPARATUS AND METHOD FOR AUTHENTICATING IoT DEVICE BASED ON PUF USING WHITE-BOX CRYPTOGRAPHY
JP6625293B2 (en) Key management device and communication equipment
US11516194B2 (en) Apparatus and method for in-vehicle network communication
Pfeiffer Implementing scalable can security with cancrypt
CN114793184A (en) Security chip communication method and device based on third-party key management node
EP3455763B1 (en) Digital rights management for anonymous digital content sharing
CN114428976A (en) Apparatus and method for managing pseudonymous certificate
JP6203798B2 (en) In-vehicle control system, vehicle, management device, in-vehicle computer, data sharing method, and computer program
JP2018082439A (en) Communication system, vehicle, server device, communication method, and computer program
KR102236282B1 (en) Method and system for authenticating communication data of vehicle
CN117597688A (en) Key verification method and related device
CN110999205A (en) Apparatus and method for encapsulation of profile certificate private keys or other data
US20230396412A1 (en) Method for using cryptographic keys in a vehicle on-board communication network
Sakon et al. Simple Cryptographic Key Management Scheme of the Electronic Control Unit in the Lifecycle of a Vehicle
CN116961887A (en) Key distribution method in vehicle-mounted network communication and vehicle-mounted network communication system

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2018538283

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17848455

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17848455

Country of ref document: EP

Kind code of ref document: A1