JP7366819B2 - Communication systems and control equipment - Google Patents

Description

The present invention relates to a communication system and a control device.

2. Description of the Related Art Conventionally, communication systems have been known that control a vehicle through wireless communication between a terminal and an on-vehicle device mounted on the vehicle, for example. In a communication system, when an in-vehicle device receives authentication information such as a key code required for authentication sent from a terminal, the authentication information received by the in-vehicle device is compared with the authentication information registered in the in-vehicle device to perform key verification. It will be done. When key verification is established, operation of the vehicle is permitted.

Further, among such communication systems, there is a communication system that performs wireless communication between a terminal and an on-vehicle device using encrypted communication in order to cope with unauthorized interception of authentication information transmitted wirelessly to a vehicle. In encrypted communication, a sender encrypts communication data to be sent to the other party using an encryption key owned by the sender, and then sends the encrypted data. When the other party receives the communication data, it decrypts the received communication data using its own encryption key and accepts the communication data. Such encrypted communication technology is disclosed in, for example, Patent Document 1. An example of this type of encrypted communication is a common key encryption method in which both the sender and the other party have a common encryption key.

Japanese Patent Application Publication No. 2007-49759

However, in encrypted communication, there is a problem in that security deteriorates when the common key is decrypted.
Therefore, the present invention has been made in view of the above problems, and an object of the present invention is to provide a new and improved technique that makes it possible to improve security.

In order to solve the above problems, according to one aspect of the present invention, a first device that transmits encrypted information encrypted using a first encryption key; a second device that executes a predetermined process based on a certain second encryption key and the encrypted information from the first device; , comprising a first changing unit that changes the first encryption key, and the second device changes the second encryption key when a second condition that is a common condition with the first condition is satisfied. A communication system is provided that includes a second change unit.

Moreover, in order to solve the above-mentioned problem, according to another aspect of the present invention, there is provided a control device capable of communicating with each of a first device and a second device, wherein the first device uses a first encryption key. When the encrypted information is transmitted to the second device, the second device executes a predetermined process based on the encrypted information and a second encryption key that is common to the first encryption key, The control device is provided with a key control unit that controls changes to each of the first encryption key and the second encryption key when a predetermined condition is satisfied.

As explained above, according to the present invention, a technology that can improve security is provided.

FIG. 2 is a block diagram showing the configuration of a distance measurement system provided in the electronic key system. FIG. 3 is a diagram showing the arrangement of communication devices in a vehicle. FIG. 3 is a flow diagram showing a distance measurement procedure. FIG. 7 is a diagram for explaining a modified example of the configuration related to cryptographic key authentication in the communication system according to the present embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Note that, in this specification and the drawings, components having substantially the same functional configurations are designated by the same reference numerals and redundant explanation will be omitted.

<1. One embodiment>
An embodiment of a communication system will be described below using FIGS. 1 to 4.

<<1.1. Configuration example >>
A configuration example of a communication system according to this embodiment will be described using FIG. 1. As shown in FIG. 1, the communication system according to this embodiment includes an electronic key system 4. The electronic key system 4 controls whether or not the in-vehicle device 3 can be operated by confirming whether the terminal 2 is authorized via wireless communication (by authenticating the terminal 2). More specifically, in the electronic key system 4 of this example, when a key ID (ID information) necessary for authentication is transmitted by one of the vehicle 1 and the terminal 2, and the key ID is received by the other, This is a smart verification system that performs ID verification (hereinafter also referred to as "smart verification") that verifies the key ID received by the other party and the key ID registered in the other party.

As will be explained later, in this example, it is mainly assumed that smart verification is performed in the vehicle 1. However, smart matching may also be performed at the terminal 2. Furthermore, smart verification is an example of authentication of the terminal 2 through wireless communication. Therefore, the method of authentication of the terminal 2 is not limited to smart verification. When smart verification is performed by the electronic key system 4, the terminal 2 is preferably an electronic key 5, as shown in FIG. The electronic key 5 is used for smart verification through wireless communication with the vehicle 1, for example, and has a key function of operating the in-vehicle device 3 based on the smart verification.

(Each configuration of the vehicle)
Next, each configuration of the vehicle 1 will be explained. The vehicle 1 includes an on-vehicle device 3, a verification ECU (Electronic Control Unit) 8, a body ECU 9, an engine ECU 10, an LF (Low Frequency) transmitter 13, a UHF (Ultra High Frequency) receiver 14, and a communication device. 31. As shown in FIG. 1, examples of the in-vehicle device 3 include a door lock device 6 that controls locking and unlocking of vehicle doors, and an engine 7 of the vehicle 1.

The verification ECU 8 includes a memory 12, a key control section 42, a processing execution section 43, and an authentication section 44. The authentication unit 44 executes smart verification and authenticates the terminal 2 by smart verification. A key ID unique to the terminal 2 and a key unique key are registered in the memory 12 of the verification ECU 8. The key ID and key unique key are used for smart matching. The key control section 42 and the processing execution section 43 will be explained in detail later.

The body ECU 9 manages power supplies for on-vehicle electrical components. For example, the body ECU 9 controls a door lock device 6 that switches between locking and unlocking a vehicle door. Further, the engine ECU 10 controls the engine 7. Verification ECU 8 , body ECU 9 , and engine ECU 10 are connected via a communication line 11 inside vehicle 1 . The protocol used for communication via the communication line 11 may be, for example, CAN (Controller Area Network) or LIN (Local Interconnect Network).

The LF transmitter 13 transmits radio waves in the LF band to the terminal 2 when performing smart verification communication between the vehicle 1 and the terminal 2. Furthermore, when the terminal 2 receives radio waves in the LF band and the terminal 2 transmits radio waves in the UHF band, the UHF receiver 14 receives the radio waves in the UHF band transmitted from the terminal 2. Note that the LF transmitter 13 includes, for example, an outdoor LF transmitter that transmits radio waves to a terminal 2 located outside the vehicle 1, and an indoor LF transmitter that transmits radio waves to a terminal 2 located inside the vehicle 1. It is preferable to have a machine. The communication device 31 will be explained in detail later.

(Each configuration of the terminal)
Next, each configuration of the terminal 2 will be explained. The terminal 2 includes a terminal control section 20, an LF receiving section 21, a UHF transmitting section 22, and a UWB (Ultra Wide Band) transmitting/receiving section 33. The terminal control unit 20 controls the terminal 2. The terminal control section 20 includes a memory 23, a generation section 40a, and a key authentication section 41a. In the memory 23 of the terminal control unit 20, a key ID unique to the terminal 2 and a key unique key are registered. The key ID and key unique key are used for smart matching. The generation unit 40a and the key authentication unit 41a will be explained in detail later.

The LF receiving unit 21 receives LF radio waves transmitted from the vehicle 1 when performing smart verification communication between the vehicle 1 and the terminal 2 . When the LF reception section 21 receives the LF radio waves transmitted from the vehicle 1, the UHF transmission section 22 transmits the UHF radio waves to the vehicle 1. The UWB transmitter/receiver 33 will be explained in detail later.

(smart matching)
Next, we will explain the flow of smart matching. First, the LF transmitter 13 of the vehicle 1 periodically or irregularly transmits a wake signal via LF. When the terminal 2 receives the wake signal by the LF receiving section 21, it starts from a standby state, and the UHF transmitting section 22 transmits an ACK signal in UHF. When the UHF receiver 14 receives the ACK signal in response to the wake signal from the terminal 2, the verification ECU 8 causes the authentication unit 44 to start smart verification. At this time, when the outdoor terminal 2 receives the wake signal from the outdoor LF transmitter 13, the authentication unit 44 of the verification ECU 8 executes outdoor smart verification between the outdoor terminal 2 and the vehicle 1. . On the other hand, when the indoor terminal 2 receives the wake signal from the indoor LF transmitter 13, the authentication unit 44 of the verification ECU 8 performs indoor smart verification with the indoor terminal 2.

Here, the smart verification may include key ID verification to confirm the match between the key ID registered in the terminal 2 and the key ID registered in the vehicle 1 in advance, or a request using a key-specific key. Response authentication may also be included. Request-response authentication is an authentication in which both the vehicle 1 and the terminal 2 calculate a response code using a unique key for a request code, which is a random number, and confirms that the response codes match. In this example, it is mainly assumed that the authentication unit 44 of the verification ECU 8 determines that smart verification is successful when both key ID verification and request response authentication are successful.

(distance measurement system)
As shown in FIG. 1, the communication system according to this embodiment includes a distance measurement system 30. The distance measurement system 30 will be explained below. Note that the distance measurement system 30 directly measures a measurement value Vm based on the distance between the vehicle 1 and the terminal 2. However, to simplify the explanation, hereinafter, it may be expressed that the distance measurement system 30 measures the distance between the vehicle 1 and the terminal 2.

Here, if the vehicle 1 and the terminal 2 are far apart, there is no communication connection between the vehicle 1 and the terminal 2, and therefore smart verification is usually not established. However, a fraudulent act may be carried out in which a terminal 2 located far away from the vehicle 1 is communicatively connected to the vehicle 1 via a repeater or the like to establish smart verification. In order to prevent such fraud, the distance measurement system 30 has a function of measuring a measured value Vm based on the distance between the vehicle 1 and the terminal 2, and determines whether or not smart verification can be achieved based on the validity of the measured value Vm. Equipped with a function to determine (unauthorized communication detection function).

The distance measurement system 30 is mainly realized by the UWB transmitter/receiver 33 and the generator 40a included in the terminal 2, and the communication device 31, key controller 42, and process execution unit 43 included in the vehicle 1. The UWB transmitter/receiver 33 performs communication with the communication device 31 for distance measurement. The communication device 31 also performs communication with the terminal 2 for distance measurement. In this example, it is mainly assumed that the vehicle 1 includes a plurality of communication devices 31 (in particular, a master communication device 34 and a slave communication device 35). However, the number of communication devices 31 included in the vehicle 1 is not limited.

In this example, the master communication device 34 is connected to the verification ECU 8 via a communication line 36. The slave communication device 35 is connected to the master communication device 34 via a communication line 37. The communication protocol for communication via the communication line 36 and the communication line 37 may be, for example, LIN or CAN. Note that the communication line 36 may use a communication interface such as a UART (Universal Asynchronous Receiver Transmitter).

The master communication device 34 includes a measurement section 32b, a communication control section 38, an interface section 39, a generation section 40b, and a key authentication section 41b. The interface unit 39 is an interface that can communicate with each of the verification ECU 8 and the slave communication device 35. For example, the interface section 39 outputs an activation signal to the slave communication device 35. The communication control unit 38 controls the operation of the slave communication device 35. When there are multiple slave communications devices 35, the communication control unit 38 sets the operating order of the multiple slave communications devices 35, or selectively operates some of the multiple slave communications devices 35. . The measurement section 32b and the key authentication section 41b will be explained in detail later.

The slave communication device 35 includes a generation section 40c, a key authentication section 41c, and a measurement section 32c. The generation unit 40c, key authentication unit 41c, and measurement unit 32c will be described in detail later.

Here, an example of installation of the communication device 31 will be described with reference to FIG. 2. In the example shown in FIG. 2, communication devices 31 are installed at five locations on the vehicle 1. Among the communication devices 31, the master communication device 34 is placed inside the vehicle 1 and transmits distance measuring radio waves into the vehicle interior. The distance measuring radio waves will be explained later. The first slave communication device 35a is arranged at a corner in front of the driver's seat of the vehicle 1, and thereby transmits distance measuring radio waves to the front of the vehicle 1 and to the driver's seat side. The second slave communication device 35b is disposed at a corner in front of the passenger seat of the vehicle 1, and transmits distance measurement radio waves to the front of the vehicle 1 and to the passenger seat side.

The third slave communication device 35c is arranged at a corner behind the driver's seat of the vehicle 1, and thereby transmits distance measuring radio waves to the rear of the vehicle 1 and to the driver's seat side. The fourth slave communication device 35d is arranged at a corner of the vehicle 1 on the rear side of the passenger seat, and thereby transmits distance measuring radio waves to the rear of the vehicle 1 and to the passenger seat side. However, the installation of the communication device 31 is not limited to this example.

Returning to FIG. 1, the explanation will be continued. The terminal 2 and the communication device 31 each use an encryption key. The encryption key (first encryption key) used by the terminal 2 and the encryption key (second encryption key) used by the communication device 31 are common encryption keys. In this example, authentication (hereinafter also referred to as "encryption key authentication") is performed to confirm that the terminal 2 and the communication device 31 use a common encryption key. Even if the distance between the terminal 2 and the communication device 31 is valid, if the cryptographic key authentication is not established, the establishment of the smart verification is invalidated. This more reliably prevents acts of fraudulently establishing smart verification.

Specifically, the terminal 2 and the slave communication device 35 use a common encryption key, and the terminal 2 and the master communication device 34 use a common encryption key. In this example, a case will be mainly described in which the common encryption key used by the terminal 2 and the master communication device 34 and the common encryption key used by the terminal 2 and the slave communication device 35 are the same. However, the common encryption key used by each of the terminal 2 and the master communication device 34 and the common encryption key used by each of the terminal 2 and the slave communication device 35 may be different.

Furthermore, if there are a plurality of slave communication devices 35, the encryption key may be different for each slave communication device 35. That is, the encryption key used by each communication device 31 may be different for each communication device 31. Alternatively, the encryption keys used by some of the slave communication devices 35 among the plurality of slave communication devices 35 may be the same, and the encryption keys used by the remaining slave communication devices 35 may be different.

(Change of encryption key)
In the following, changing the encryption key will be explained. As described above, if the common encryption key is decrypted, security will deteriorate. Therefore, in this example, when the conditions for generating an encryption key (hereinafter also referred to as "key generation conditions") are met, an encryption key is generated, and the encryption key used for encryption is generated using an encryption key. changed to key. This is expected to improve security. The terminal 2 and the communication device 31 each hold key generation logic that is logic indicating a procedure for generating an encryption key. The key generation logic (first key generation logic) held by the terminal 2 and the key generation logic (second key generation logic) held by the communication device 31 are common logic.

More specifically, the terminal 2 and the slave communication device 35 have a common key generation logic, and the terminal 2 and the master communication device 34 have a common key generation logic. This example mainly deals with the case where the common key generation logic held by each of the terminal 2 and the master communication device 34 is the same as the common key generation logic held by each of the terminal 2 and the slave communication device 35. Explain. However, the common key generation logic held by each of the terminal 2 and the master communication device 34 and the common key generation logic held by each of the terminal 2 and the slave communication device 35 may be different.

Furthermore, when there are multiple slave communication devices 35, the key generation logic may be different for each slave communication device 35. That is, the key generation logic held by each communication device 31 may be different for each communication device 31. Alternatively, the key generation logic held by some of the slave communication devices 35 among the plurality of slave communication devices 35 may be the same, and the key generation logic held by the remaining slave communication devices 35 may be different.

Furthermore, the terminal 2 and the communication device 31 each hold key generation conditions. The key generation condition (first condition) held by the terminal 2 and the key generation condition (second condition) held by the communication device 31 are common conditions. More specifically, the terminal 2 and the slave communication device 35 have a common key generation condition, and the terminal 2 and the master communication device 34 have a common key generation condition. This example mainly deals with the case where the common key generation conditions held by the terminal 2 and the master communication device 34 are the same as the common key generation conditions held by the terminal 2 and the slave communication device 35, respectively. Explain. However, the common key generation conditions held by each of the terminal 2 and the master communication device 34 and the common key generation conditions held by each of the terminal 2 and the slave communication device 35 may be different.

Furthermore, if there are multiple slave communication devices 35, the key generation conditions may be different for each slave communication device 35. That is, the key generation conditions held by each communication device 31 may be different for each communication device 31. Alternatively, the key generation conditions held by some of the slave communication devices 35 among the plurality of slave communication devices 35 may be the same, and the key generation conditions held by the remaining slave communication devices 35 may be different.

When the key generation conditions held by the terminal 2 are satisfied, the generation unit 40a included in the terminal 2 generates an encryption key based on the information for encryption key generation (first information) and the key generation logic held by the terminal 2. Generate a key. In the following, information for generating an encryption key will also be referred to as a "seed." In this example, it is assumed that the seed is a random number. However, as will be explained later, the seed is not limited to random numbers.

When generating an encryption key for the first time, the generation unit 40a included in the terminal 2 uses the generated encryption key (first encryption key) for encryption. Further, when generating the encryption key again, the generation unit 40a included in the terminal 2 includes a changing unit (first changing unit) that changes the encryption key (first encryption key) used for encryption with the regenerated encryption key. ).

A generation unit 40 included in the communication device 31 generates an encryption key based on a seed (first information) and key generation logic held in the communication device 31 when a key generation condition held in the communication device 31 is satisfied. generate.

More specifically, when the key generation condition held by the slave communication device 35 is satisfied, the generation unit 40c included in the slave communication device 35 generates a message based on the key generation logic and seed held by the slave communication device 35. Generate an encryption key. Further, the generation unit 40b included in the master communication device 34 generates an encryption key based on the key generation logic and seed held in the master communication device 34 when the key generation conditions held in the master communication device 34 are satisfied. do.

When generating an encryption key for the first time, the generation unit 40 included in the communication device 31 uses the generated encryption key (second encryption key) for encryption. Further, when the encryption key is generated again, the generation unit 40 included in the communication device 31 has a changing unit (second modification key) that changes the encryption key (second encryption key) used for encryption with the encryption key generated again. functions as a division).

More specifically, when generating an encryption key for the first time, the generation unit 40c included in the slave communication device 35 uses the generated encryption key for encryption. Furthermore, when generating the encryption key again, the generation unit 40c included in the slave communication device 35 changes the encryption key used for encryption to the generated encryption key. Further, when generating an encryption key for the first time, the generation unit 40b included in the master communication device 34 uses the generated encryption key for encryption. On the other hand, when generating the encryption key again, the generation unit 40b included in the master communication device 34 changes the encryption key used for encryption to the generated encryption key.

As described above, the terminal 2 and the communication device 31 each hold a common encryption key and a common key generation condition, and the generation unit 40a included in the terminal 2 generates a signal when the key generation condition held by the terminal 2 is satisfied. The generation unit 40 included in the communication device 31 changes the encryption key when the key generation conditions held by the communication device 31 are satisfied. As a result, even if the common encryption key is decrypted by a third party, if the third party attempts to commit fraud based on the decryption result, the encryption key has already been changed by each of the terminal 2 and the communication device 31. It is expected that security will improve as the possibility that the

Further, as described above, when the key generation condition held by the terminal 2 is satisfied, the generation unit 40a included in the terminal 2 generates an encryption key, and the generation unit 40 included in the communication device 31 generates an encryption key. Generates an encryption key when the key generation conditions held by the cipher are met. This eliminates the need to register a common encryption key between the communication device 31 and the terminal 2 in advance (or even when a new communication device 31 is added, Since there is no need to register in advance a common encryption key with the terminal 2), the number of steps required for pairing can be reduced.

Here, the specific conditions for the key generation conditions held by the communication device 31 and the key generation conditions held by the terminal 2 are not limited.

In this example, the key generation conditions held by the terminal 2 include the condition that a seed (second information) is input to the generation unit 40a included in the terminal 2, and the key generation conditions held by the communication device 31 include the condition that the seed (second information) is input to the generation unit 40a included in the terminal 2. A case is assumed in which the condition that a seed (second information) is input to the generation unit 40 included in the generation unit 31 is included. At this time, when the key generation condition held by the terminal 2 is satisfied, the generation unit 40a included in the terminal 2 generates a cryptographic code generated based on the seed (second information) and the key generation logic held by the terminal 2. Change the encryption key (first encryption key) used for encryption to the key (third encryption key). On the other hand, the generation unit 40 included in the communication device 31 generates a key based on the seed (second information) and the key generation logic held in the communication device 31 when the key generation condition held in the communication device 31 is satisfied. Change the encryption key (second encryption key) used for encryption to the encryption key (fourth encryption key).

According to this configuration, by simply inputting the same seed to each of the generation unit 40a included in the terminal 2 and the generation unit 40 included in the communication device 31, the encryption keys held by each of the terminal 2 and the communication device 31 are generated. The same can be changed. Therefore, the workload required for changing the encryption key can be reduced.

However, the key generation conditions held by the terminal 2 and the key generation conditions held by the communication device 31 are not limited to this example. For example, the key generation conditions held by the terminal 2 and the key generation conditions held by the communication device 31 may each include a condition that a predetermined time has elapsed. According to such a configuration, the same encryption key will not be used even after a predetermined period of time has elapsed, so it is expected that security will be improved. The predetermined time may be a time that occurs only once, or may be a time that occurs multiple times. Moreover, the time that arrives multiple times may be a time that arrives multiple times regularly.

Note that in such a case, it is desirable that the timing at which the predetermined time elapses is the same in the terminal 2 and the communication device 31, so it is desirable that synchronization is established between the terminal 2 and the communication device 31 in advance. . Alternatively, the passage of the predetermined time may be determined by a block (eg, verification ECU 8, etc.) that can communicate with both the terminal 2 and the communication device 31. In such a case, the block that can communicate with both the terminal 2 and the communication device 31 may notify each of the terminal 2 and the communication device 31 that the predetermined time has elapsed.

Alternatively, the key generation conditions held by the terminal 2 and the key generation conditions held by the communication device 31 are for communication (encrypted communication) performed between the terminal 2 and the communication device 31 using a common encryption key. It may also include a condition that the number of times has reached a predetermined number of times. According to this configuration, the same encryption key will not be used even after the number of encrypted communications reaches a predetermined number, so it is expected that security will be improved. Note that the number of encrypted communications performed between the terminal 2 and the communication device 31 may be managed by each of the terminal 2 and the communication device 31, for example.

When a predetermined condition is met, the key control unit 42 outputs a seed (second information) to the generation unit 40a included in the terminal 2, thereby causing the generation unit 40a to change the encryption key (from the first encryption key to the first encryption key). 3 encryption key) and outputs a seed (second information) to the generation section 40 included in the communication device 31. (changes to keys).

According to this configuration, by simply outputting the same seed to the generation unit 40a included in the terminal 2 and the generation unit 40 included in the communication device 31 at the same timing, the encryption key held by each of the terminal 2 and the communication device 31 can be generated. can be changed in the same way.

The seed may be prepared by the key controller 42 in any manner. In this example, the key control unit 42 outputs a part of the authentication information used for authentication of the terminal 2 by the authentication unit 44 to the communication device 31 as a seed, and also outputs a part of the authentication information to the terminal 2 as a seed. Assuming the case of output. In such a case, the time required to prepare the seeds may be reduced. In the following, it is assumed that a request code generated by the authentication unit 44 in smart verification is used as the authentication information. However, authentication information is not limited to the request code generated in smart verification.

More specifically, the request code generated in the smart verification is output from the verification ECU 8 to the terminal 2. Therefore, in this example, it is assumed that the key control unit 42 uses a part of the request code output from the verification ECU 8 to the terminal 2 in smart verification as a seed to be output to the terminal 2. That is, the key control unit 42 outputs the entire request code including the seed to the terminal 2. In such a case, not only the time required to prepare the seeds is reduced, but also the amount of data output from the verification ECU 8 to the terminal 2 can be suppressed.

Alternatively, the key control unit 42 may output a part of the request code to the terminal 2 as a seed, in addition to the request code output from the verification ECU 8 to the terminal 2 in smart verification. That is, the key control unit 42 may output the entire request code in smart verification to the terminal 2, apart from a part of the request code as a seed. In such a case, at least the time required to prepare the seeds may be reduced.

Here, the conditions for the key control unit 42 to output the seed, ie, the predetermined conditions, may include the condition that the request code is generated by the authentication unit 44. According to this configuration, each time the authentication unit 44 performs authentication (smart verification) of the terminal 2, a seed is output to the communication device 31 and the terminal 2, and the seed is used by the terminal 2 and the communication device 31, respectively, based on the seed. The encryption key is regenerated. Therefore, when the communication between the terminal 2 and the communication device 31 ends, the encryption key can be deleted from each of the communication device 31 and the communication device 31, so that the memory usage of each of the terminal 2 and the communication device 31 is suppressed. be able to.

Note that the above assumes that the generation unit 40a included in the terminal 2 changes the encryption key (first encryption key) when the key generation condition held by the terminal 2 is satisfied. Further, in the above description, it is assumed that the generation unit 40 included in the communication device 31 changes the encryption key (second encryption key) when the key generation condition held by the communication device 31 is satisfied. However, the generation unit 40a included in the terminal 2 may change the encryption key by changing the key generation logic (first key generation logic) held by the terminal 2. Further, the generation unit 40 included in the communication device 31 may change the encryption key by changing the key generation logic (second key generation logic) held by the communication device 31.

More specifically, the generation unit 40a included in the terminal 2 changes the key generation logic (first key generation logic) held by the terminal 2, and based on the seed (first information) and the changed key generation logic. , an encryption key may be generated, and the encryption key (first encryption key) may be changed to the generated encryption key. The generation unit 40 included in the communication device 31 changes the key generation logic (second key generation logic) held by the communication device 31, and generates an encryption key based on the seed (first information) and the changed key generation logic. The encryption key (second encryption key) may be changed to the generated encryption key.

At this time, the key generation logic held by the terminal 2 and the key generation logic held by the communication device 31 are changed to be common. For example, the terminal 2 and the communication device 31 maintain a predetermined common key generation logic change procedure (for example, the common key generation logic change order, etc.), and the communication device 31 and the communication device 2 each have , the key generation logic may be similarly modified according to the modification procedure. Alternatively, the key control unit 42 may notify each of the terminal 2 and the communication device 31 which key generation logic should be changed to. The key generation logic to be changed to may be determined randomly by the key control unit 42, or may be determined based on some kind of rule.

(Communication for encryption key authentication and distance measurement)
Next, communication for encryption key authentication and distance measurement will be explained. For example, when a distance measurement request is output from the verification ECU 8, the interface section 39 of the master communication device 34 receives the input of the distance measurement request from the verification ECU 8. In this example, it is assumed that a seed output from the verification ECU 8 is used as a distance measurement request. However, the distance measurement request is not limited to the seed output from the verification ECU 8. When the input of the distance measurement request is accepted by the interface section 39, the communication control section 38 outputs the distance measurement request to the slave communication device 35 via the interface section 39.

Upon receiving the input of the distance measurement request, the communication devices 31 (master communication device 34 and slave communication device 35) start encryption key authentication and communication for distance measurement with the terminal 2, respectively. Note that in this example, a case is assumed in which communication for encryption key authentication and communication for distance measurement use a common radio wave. However, communication for encryption key authentication and distance measurement may use different radio waves. Therefore, communication for encryption key authentication and distance measurement does not necessarily have to be executed both, and communication for distance measurement may be executed only when encryption key authentication is established. Encryption key authentication may be performed only when the determination result of the measurement value obtained through communication for distance measurement is valid.

First, cryptographic key authentication will be explained. In this example, as an example of encryption key authentication, it is assumed that request response authentication is performed using a common encryption key held by each of the communication device 31 and the terminal 2. However, the cryptographic key authentication method is not limited to request-response authentication.

Request-response authentication is an authentication in which both the communication device 31 and the terminal 2 calculate a response code using an encryption key for a request code, which is a random number, and confirm whether these response codes match. The response code is an example of encrypted information. In this example, when the key authentication section 41 of the communication device 31 (that is, the key authentication section 41b of the master communication device 34 and the key authentication section 41c of the slave communication device 35) confirms that the response codes match each other in the communication device 31 Assume that However, the correspondence between the response codes may be confirmed at the terminal 2.

Next, communication for distance measurement will be explained. In this example, a case is mainly assumed in which radio waves used for communication for distance measurement (radio waves for distance measurement and radio waves in response thereto) are radio waves in the UWB band. Therefore, hereinafter, the radio waves used for communication for distance measurement may be referred to as "UWB radio waves Sa." However, radio waves used for distance measurement communication are not limited to UWB band radio waves.

First, in communication for distance measurement, the communication device 31 (that is, the master communication device 34 and the slave communication device 35) transmits UWB radio waves Sa. When the UWB transmitter/receiver 33 of the terminal 2 receives the UWB radio wave Sa from the communication device 31, it returns the UWB radio wave Sa as a response. The communication device 31 then receives the UWB radio wave Sa transmitted from the terminal 2. At this time, the measurement section 32 of the communication device 31 (that is, the measurement section 32b of the master communication device 34 and the measurement section 32c of the slave communication device 35) calculates the measured value Vm (based on the distance between the communication device 31 and the terminal 2). Measure the distance value (corresponding to the distance).

More specifically, the measuring unit 32 of the communication device 31 calculates the propagation time from the transmission of the UWB radio wave Sa to the reception of the UWB radio wave Sa as a response, and calculates the propagation time between the communication device 31 and the terminal 2 based on this propagation time. A measured value Vm (distance measurement value corresponding to the distance) is calculated based on the distance. Furthermore, the measuring unit 32 determines whether the measured value Vm is valid when the encryption key authentication is successful. Whether or not the measured value Vm is valid is determined by, for example, whether the measured value Vm is less than a specified value Vk. On the other hand, the measuring unit 32 does not determine whether the measured value Vm is valid if the encryption key authentication is not established.

When determining whether the measured value Vm is valid, the communication device 31 outputs the determination result to the verification ECU 8. More specifically, the measurement unit 32c of the slave communication device 35 outputs the determination result to the master communication device 34. When the determination result is input from the slave communication device 35, the measurement unit 32b of the master communication device 34 outputs the input determination result to the verification ECU 8. Further, when determining whether the measured value Vm is valid, the measuring unit 32b of the master communication device 34 outputs the determination result to the verification ECU 8.

The processing execution unit 43 of the verification ECU 8 determines whether smart verification can be achieved based on the determination result indicating whether the measured value Vm is valid or not. For example, when a determination result indicating that the measured value Vm is valid is input from at least one communication device 31, the processing execution unit 43 enables the establishment of smart verification. On the other hand, if the determination result indicating that the measured value Vm is valid is not input from any of the communication devices 31, the processing execution unit 43 invalidates the establishment of smart verification. Verification ECU 8 permits or executes the operation of vehicle-mounted device 3 when establishment of smart verification is enabled.

In this example, it is mainly assumed that the measuring unit 32 does not determine whether the measured value Vm is valid or not when the encryption key authentication is not established. However, the measurement unit 32 may determine whether the measured value Vm is valid even if the encryption key authentication is not established. However, if the encryption key authentication is not established, the determination result indicating whether or not the measured value Vm is valid does not need to be output from the communication device 31 to the verification ECU 8.

In the above, the terminal 2 transmits a response code obtained by encrypting a request code using an encryption key (first encryption key) to the communication device 31, and the communication device 31 transmits a response code that is the same as the encryption key (first encryption key). A case is assumed in which a predetermined process is executed based on an encryption key (second encryption key) and a response code received from the terminal 2. In particular, in the above, the communication device 31 performs predetermined processing such as a response code encrypted using an encryption key (first encryption key) and a response code encrypted using an encryption key (second encryption key). This assumes a case where processing (encryption key authentication) is performed to check the

However, the predetermined processing performed by the communication device 31 is not limited to this example. For example, the terminal 2 encrypts information using the encryption key (first encryption key) and transmits the encrypted information to the communication device 31, and the communication device 31 encrypts the information using the encryption key (first encryption key). When the encrypted information is received from the terminal 2, the encrypted information received from the terminal 2 may be decrypted using the encryption key (second encryption key) as a predetermined process.

Note that the predetermined processing may be performed by the terminal 2 instead of the communication device 31. At this time, the communication device 31 encrypts the information using the encryption key (second encryption key) and transmits the encrypted information to the terminal 2, and the terminal 2 encrypts the information using the encryption key (second encryption key). When the encrypted information is received from the communication device 31, the encrypted information received from the communication device 31 may be decrypted using the encryption key (first encryption key) as a predetermined process.

<<1.2. Operation example >>
Next, the operation of the communication system of this embodiment will be explained using FIG. 3. In the following description, in consideration of the ease of understanding the terminology, a seed may be referred to as a seed Ds, a key generation logic may be referred to as a key generation logic f, and an encryption key may be referred to as an encryption key Dk.

As shown in FIG. 3, in step S101, the key control unit 42 generates a seed Ds. As mentioned above, the seed Ds may be a random number, for example. In this example, it is assumed that a part of the request code sent to the terminal 2 in smart verification request response authentication is used as the seed Ds. In this way, the seed Ds is included in the request code generated in the smart verification request response authentication in the electronic key system 4. This eliminates the need to generate the seed Ds separately from the request code in the distance measurement system 30, so the time required to prepare the seed and the time to transmit the seed can be omitted.

In step S102, the key control unit 42 transmits the seed Ds to the terminal 2. In step S103, upon receiving the seed Ds, the generation unit 40a of the terminal 2 generates the encryption key Dk by passing the seed Ds through the key generation logic f.

In step S104, the key control unit 42 outputs the same seed Ds that was transmitted to the terminal 2 to the master communication device 34. When the interface section 39 of the master communication device 34 receives the seed Ds, it outputs the input seed Ds to the slave communication device 35 . In this example, the input of the seed Ds to the communication device 31 also serves as a trigger for starting communication for distance measurement. Therefore, when the seed Ds is input, the master communication device 34 is activated from the sleep state and starts communication for distance measurement. Similarly, when the seed Ds is input, the slave communication device 35 is activated from the sleep state and starts communication for distance measurement.

In step S105, upon inputting the seed Ds, the generation unit 40b of the master communication device 34 passes the seed Ds through the key generation logic f to generate the encryption key Dk. Similarly, in step S106, when the generation unit 40c of the slave communication device 35 receives the seed Ds, it passes the seed Ds through the key generation logic f to generate the encryption key Dk. Thereby, the terminal 2 and the communication device 31 obtain the common encryption key Dk. The generation unit 40 changes the encryption key Dk each time it receives the seed Ds through the processes of S102 to S106. If the seed Ds is output every time a smart match is performed, the encryption key Dk is changed every time a smart match is performed.

In step S107, the key authentication unit 41c of the slave communication device 35 generates a request code for encryption key authentication, and transmits the UWB radio wave Sa containing the request code to the terminal 2. At this time, the communication control unit 38 of the master communication device 34 sets the operating order of the slave communication devices 35, and causes the slave communication devices 35 to transmit the UWB radio waves Sa in accordance with the operating order. Upon receiving the UWB radio wave Sa, the terminal 2 calculates a response code for the request code included in the UWB radio wave Sa.
Furthermore, the key authentication unit 41a of the terminal 2 determines whether the encryption key authentication is successful based on whether the response code included in the UWB radio wave Sa of the received response matches the response code calculated by itself. You may. More specifically, in this determination, the key authentication unit 41a of the terminal 2 determines that the encryption key authentication is successful when the response codes match. On the other hand, if the response codes do not match, the key authentication unit 41a of the terminal 2 determines that the encryption key authentication is unsuccessful. If the encryption key authentication is unsuccessful, the key authentication unit 41a of the terminal 2 ends the process.
Note that the terminal 2 transmits the calculated response code by including it in the response UWB radio wave Sa. This transmission of the UWB radio wave Sa including the response code by the terminal 2 may be executed when the encryption key authentication is established.

The measurement unit 32c of the slave communication device 35 measures the time from transmitting the UWB radio wave Sa to receiving the response UWB radio wave Sa. Then, the slave communication device 35 calculates a measurement value Vm based on the distance between the slave communication device 35 and the terminal 2 from the measured time.

On the other hand, in step S108, the key authentication unit 41c of the slave communication device 35 determines whether the response code included in the UWB radio wave Sa of the received response matches the response code calculated by itself, and the encryption key authentication is established. Determine whether or not. More specifically, the key authentication unit 41c determines that the encryption key authentication is successful when the response codes match. On the other hand, if the response codes do not match, the key authentication unit 41c determines that the encryption key authentication is unsuccessful. If the encryption key authentication is unsuccessful, the key authentication unit 41c ends the process.

If the encryption key authentication is successful, the slave communication device 35 determines the validity of the measured value Vm measured by itself in step S109. The slave communication device 35 determines the validity of the positional relationship between the terminal 2 and the vehicle 1 by comparing the measured value Vm and the specified value Vk. That is, the slave communication device 35 determines whether the terminal 2 is within a specified distance from the vehicle 1. If the measured value Vm is less than the specified value Vk, the slave communication device 35 determines that the distance between the vehicle 1 and the terminal 2 is valid. On the other hand, if the measured value Vm is equal to or greater than the specified value Vk, the slave communication device 35 determines that the distance between the vehicle 1 and the terminal 2 is incorrect.

In step S110, the master communication device 34 executes a series of processes of transmitting and receiving the UWB radio wave Sa, authenticating the encryption key, and determining the measured value Vm. In particular, the master communication device 34 transmits the UWB radio wave Sa from itself when its own activation timing comes. Thereby, transmission and reception of UWB radio waves Sa between the plurality of communication devices 31 and the terminal 2 can be realized. However, since the transmission and reception of the UWB radio waves Sa, encryption key authentication, and determination of the measured value Vm, which are executed by the master communication device 34, are executed in the same procedure as steps S107 to S109, a detailed explanation will be omitted. Note that FIG. 3 shows UWB radio waves Sa transmitted and received between the slave communication device 35 and the terminal 2 in one round trip, representing the UWB radio waves Sa transmitted and received between the plurality of communication devices 31 and the terminal 2. Only minutes are shown.

In step S111, if the encryption key authentication is successful, the slave communication device 35 notifies the master communication device 34 of the determination result of the measured value Vm. In step S112, the interface section 39 of the master communication device 34 notifies the verification ECU 8 of the determination result of the measured value Vm input from the slave communication device 35. Further, the master communication device 34 notifies the verification ECU 8 of the determination result of the measured value Vm determined by itself.

In step S113, the verification ECU 8 controls the operation of the vehicle 1 based on the determination result of the measured value Vm. More specifically, the processing execution unit 43 determines whether smart matching is successful based on the determination result of the measured value Vm. For example, if any of the communication devices 31 determines that the measured value Vm is valid, the processing execution unit 43 validates the verification result of the smart verification. On the other hand, if all the communication devices 31 determine that the measured value Vm is not valid, the processing execution unit 43 invalidates the verification result of the smart verification.

For example, when outdoor smart verification is established with the outdoor terminal 2 and the processing execution unit 43 validates the verification result of the smart verification, the verification ECU 8 allows the body ECU 9 to lock/unlock the door lock device 6 or Execute. Thus, for example, when a door handle outside the vehicle is touched when the door is locked, the vehicle door is unlocked, and when a lock button on the outside door handle is pressed when the door is unlocked, the vehicle door is locked.

On the other hand, when the indoor smart comparison with the indoor terminal 2 is established and the processing execution unit 43 validates the comparison result, the verification ECU 8 permits the vehicle power source transition operation by the indoor engine switch 50. Thus, for example, when the engine switch 50 is operated while the brake pedal is depressed, the engine 7 is started.

The verification ECU 8 prohibits the operation of the in-vehicle device 3 when the processing execution unit 43 invalidates the verification result of the smart verification. This prevents the in-vehicle device 3 from being activated by, for example, unauthorized communication using a repeater or the like. Further, since encryption key authentication is performed between the terminal 2 and the communication device 31, security in communication for distance measurement between the terminal 2 and the communication device 31 can be ensured.

<<1.3. Effect >>
According to the above embodiment, the first device transmits encrypted information encrypted using the first encryption key, the second encryption key which is the encryption key common to the first encryption key, and the first device a second device that executes a predetermined process based on the encrypted information from the first device, and the first device includes a first changing unit that changes the first encryption key when the first condition is satisfied. A communication system is provided in which the second device includes a second changing unit that changes the second encryption key when a second condition that is common to the first condition is satisfied.

According to such a configuration, even if the common encryption key is decrypted by a third party, if the third party attempts to commit fraud based on the decryption result, the first device and the second device each decrypt the encryption key. It is expected that security will improve as the possibility that the key has already been changed increases.

Further, the first encryption key is generated based on the first information and the first key generation logic that is logic indicating the procedure for generating the first encryption key, and the second encryption key is generated based on the first key generation logic that is the logic that indicates the generation procedure of the first encryption key. The second key generation logic may be generated based on the first information.

According to such a configuration, there is no need to register a common encryption key between the first device and the second device in advance, so that the number of steps required for pairing can be reduced.

Further, the first condition includes a condition that the second information is input to the first change section, and the second condition includes a condition that the second information is input to the second change section, and the second condition includes a condition that the second information is input to the second change section. changes the first encryption key to a third encryption key generated based on the second information and the first key generation logic when the first condition is satisfied; If the condition is satisfied, the second encryption key may be changed to a fourth encryption key generated based on the second information and the second key generation logic.

According to this configuration, the encryption keys held by each of the first device and the second device can be changed in the same way by simply inputting the same information to each of the first changing unit and the second changing unit. . Therefore, the workload required for changing the encryption key can be reduced.

One of the first device and the second device may be a terminal, and the other of the first device and the second device may be a communication device that performs wireless communication with the terminal. The communication system includes an authentication unit that authenticates the terminal, and the key control unit outputs part of the authentication information used for authentication to the first device as second information, and also outputs part of the authentication information to the first device. It may be output to a second device as second information. In such a case, the time required to prepare the second information can be reduced.

For example, the key control unit may output the entire authentication information including a part of the authentication information to the terminal. In such a case, not only the time required to prepare the second information is reduced, but also the amount of data output from the key control unit to the terminal can be suppressed. Alternatively, the key control unit may output the entire authentication information to the terminal separately from a part of the authentication information. In such a case, the time required to prepare at least the second information can be reduced.

The predetermined condition may include a condition that authentication information has been generated. According to this configuration, each time the terminal is authenticated, information is output to the communication device and the terminal, and based on the information, the encryption keys used by the terminal and the communication device are regenerated. Therefore, when the communication between the terminal and the communication device ends, the encryption key may be deleted from each of the communication device and the terminal, so that the amount of memory used in each of the terminal and the communication device can be suppressed.

Further, the control device is capable of communicating with each of the first device and the second device, and when encrypted information encrypted by the first device using the first encryption key is transmitted to the second device, the second device The device executes a predetermined process based on the first encryption key, a common second encryption key, and encrypted information, and the control device executes each of the first encryption key and the second encryption key when a predetermined condition is satisfied. A control device is provided that includes a key control unit that controls changes to the key control unit.

According to such a configuration, even if the common encryption key is decrypted by a third party, if the third party attempts to commit fraud based on the decryption result, the first device and the second device each decrypt the encryption key. It is expected that security will improve as the possibility that the key has already been changed increases.

<<1.4. Modified example >>
Although preferred embodiments of the present invention have been described above in detail with reference to the accompanying drawings, the present invention is not limited to such examples. It is clear that a person with ordinary knowledge in the technical field to which the present invention pertains can come up with various changes or modifications within the scope of the technical idea stated in the claims. It is understood that these also naturally fall within the technical scope of the present invention.

For example, this embodiment can be modified and implemented as follows. This embodiment and the following modified examples can be implemented in combination with each other within a technically consistent range.

(Modified example of configuration related to encryption key authentication)
FIG. 4 is a diagram for explaining a modified example of the configuration related to cryptographic key authentication in the communication system according to the present embodiment.

The above assumes that the verification ECU 8 (more specifically, the key control unit 42 included in the verification ECU 8) controls the first encryption key held by the terminal 2 and the second encryption key held by the communication device 31. did. In such a case, as described above, part of the data used in wireless communication between the verification ECU 8 and the terminal 2 can be used as a seed. However, the device that controls the encryption key is not limited to the verification ECU 8. Furthermore, the device that holds the encryption key is not limited to the terminal 2 and the communication device 31 either.

For example, as shown in FIG. 4, the device that controls the encryption key may be the control device 230, and the devices that hold the encryption key are the first device 220 and the second device that can communicate with the control device 230. It may be 240. At this time, the first device 220, like the terminal 2, transmits the encrypted information encrypted using the first encryption key to the second device 240, and the second device 240, like the communication device 31, sends the encrypted information to the second device 240. , executes a predetermined process based on the second encryption key, which is the encryption key common to the first encryption key, and the encrypted information from the first device 220. Similarly to the verification ECU 8, the control device 230 includes a key control unit 42 that controls changes to each of the first encryption key and the second encryption key when a predetermined condition is satisfied.

The control device 230 does not need to control the transmission of radio waves in the LF band and the reception of radio waves in the UHF band, unlike the verification ECU 8. For example, the control device 230 controls other wireless communications (for example, communication using NFC (Near Field Communication) or communication using BLE (Bluetooth (registered trademark) Low Energy)). Good too. Further, the control device 230 may be a server that can communicate with the first device 220 and the second device 240. That is, the key control unit 42 may be provided in a server or the like that can communicate with the vehicle 1 and the terminal 2. Alternatively, the control device 230 may be an in-vehicle ECU other than the verification ECU 8. That is, the key control unit 42 may be provided in an in-vehicle ECU other than the verification ECU 8. For example, the in-vehicle ECU may be the body ECU 9 or the engine ECU 10.

Furthermore, the communication between the first device 220 and the second device 240 does not need to be performed using radio waves in the UWB band like the communication between the terminal 2 and the communication device 31. For example, the communication between the first device 220 and the second device 240 may be performed using other wireless communication (for example, communication using NFC, communication using BLE, etc.). Furthermore, in the above description, it is assumed that the terminal 2 as an example of the first device 220 is the electronic key 5. However, the terminal 2 as an example of the first device 220 may be a high-performance mobile phone or the like.

In the above example, the terminal 2 corresponds to the example of the first device 220 and the communication device 31 corresponds to the example of the second device 240. However, the communication device 31 may correspond to the first device 220 and the terminal 2 may correspond to the second device 240. That is, one of the first device 220 and the second device 240 is the terminal 2, and the other of the first device 220 and the second device 240 is the communication device 31 that performs wireless communication with the terminal 2. It may be.

Other modifications will be described below.

(Variation regarding seeds)
In the above example, the case where the seed Ds is generated during smart matching has been mainly explained. Specifically, in the above example, the case where the seed Ds is generated in conjunction with the generation of a request code in smart verification request-response authentication has been mainly described. However, the timing at which the seed Ds is generated is not limited. For example, the seed Ds may be generated when transmitting a wake signal or when confirming a key ID.
Further, the seed Ds may be generated before or after smart matching. That is, the seed Ds is not limited to being part of the authentication information transmitted to the terminal 2 when the terminal 2 is authenticated.

In the above example, the case where the seed Ds is a random number has been mainly explained. However, the seed Ds may be data that changes regularly. That is, the seed Ds may be information that can change over time, and more preferably, it is information that changes each time it is output.

The seed Ds may be output only once in order to register a common encryption key Dk to the terminal 2 and the communication device 31. That is, it does not have to be output every time there is communication between the terminal 2 and the communication device 31, or it does not have to be output every time the process for starting encrypted communication between the terminal 2 and the communication device 31 is executed. Good too.

The seed Ds may be generated by the verification ECU 8, the terminal 2, or the communication device 31.

(Variation example regarding encryption key)
In the above example, the case where the encryption key Dk held by each of the communication device 31 (master communication device 34 or slave communication device 35) and the terminal 2 is changed every time smart verification is performed has been mainly described. However, the encryption key Dk held by the communication device 31 (master communication device 34 or slave communication device 35) and the terminal 2 may be generated each time the distance is measured, or each time the UWB radio wave Sa is transmitted. may be done. That is, the prescribed conditions for changing the encryption key Dk are not particularly limited.

In the above example, the case where the encryption key Dk is generated in each communication device 31 (master communication device 34 and slave communication device 35) was mainly explained. However, the encryption key Dk generated in at least one of the communication devices 31 may be notified to the remaining communication devices 31. For example, the encryption key Dk generated by the master communication device 34 may be notified to the slave communication device 35.
Alternatively, the encryption key Dk may be generated by the verification ECU 8. That is, the generation unit 40 that generates the encryption key Dk may be provided in the verification ECU 8. At this time, the encryption key Dk generated by the verification ECU 8 may be output to the master communication device 34.

In the above example, the communication for distance measurement between the terminal 2 and the communication device 31 is performed by encrypted communication through encryption key authentication using a common encryption key Dk between the terminal 2 and the communication device 31. Mainly explained. In the above example, the case where such cryptographic key authentication is performed by a request-response method has been mainly described. However, the cryptographic key authentication method is not limited to the request-response method. That is, various authentication methods can be applied as the cryptographic key authentication method.

More specifically, in the above example, a common encryption key is used between the terminal 2 and the communication device 31, and one of the terminals 2 and the communication device 31 uses the request response authentication as an example of encrypted information. The case where a response code is transmitted and the response code received by the other party is compared with the response code generated by itself as an example of encrypted information has been mainly explained. However, since the encryption key authentication method is not limited to the request-response method, the encryption information is not limited to the response code of request-response authentication.

(Modified example regarding communication for distance measurement)
In the above example, the trigger for starting communication for distance measurement is a trigger related to smart matching (in the above example, the output of the seed Ds generated based on the request code in smart matching request response authentication). Mainly explained. However, the trigger for starting communication for distance measurement is not limited to this example. For example, the trigger for starting communication for distance measurement may be an operation on a doorknob of a vehicle door, or an operation on the engine switch 50.
Furthermore, regardless of the trigger for starting communication for distance measurement, communication for distance measurement may be performed before smart verification or after smart verification. It may be in the middle of smart verification. For example, when communication for distance measurement is performed before or during smart matching, the process execution unit 43 may invalidate the establishment of smart matching. In such a case, the processing execution unit 43 may forcibly terminate the smart verification midway through. That is, when the process execution unit 43 invalidates the establishment of smart verification, it is sufficient that the processing execution unit 43 performs some kind of processing to prevent establishment of smart verification (smart communication).

In the above example, the case where communication for distance measurement is performed when smart matching is performed regardless of the type of smart matching has been mainly described. However, even when smart verification is performed, whether communication for distance measurement is performed may be controlled depending on the type of smart verification. For example, communication for distance measurement may not be performed when outdoor smart verification is performed, and communication for distance measurement may be performed only when indoor smart verification is performed. That is, the communication control unit 38 may not operate the communication device 31 in the LF radio wave area formed outside the vehicle 1, but may operate the communication device 31 in the LF radio wave area formed inside the vehicle.

In the above example, the case where the measurement value Vm is measured by the measurement unit 32 of the slave communication device 35 has been mainly described. At this time, the ranging radio wave is transmitted from the slave communication device 35 to the terminal 2. However, the measured value Vm may be measured by a device other than the slave communication device 35. For example, the measurement value Vm may be measured by the terminal 2. At this time, the ranging radio waves may be transmitted from the terminal 2 to the slave communication device 35.

In the above example, the case where the measured value Vm is measured from the propagation time of radio waves between the slave communication device 35 and the terminal 2 has been mainly described. However, the method of measuring the measured value Vm is not limited to this example. For example, when the slave communication device 35 and the terminal 2 receive radio waves transmitted from one of them, the other one measures the received signal strength indicator (RSSI) of the radio waves. A measurement value based on the distance may be calculated from the reception strength.

Furthermore, radio wave transmission may be performed using each of a plurality of channels. At this time, the measurement unit 32 may calculate the measurement value Vm based on the results of radio wave transmission (propagation time or reception strength) performed using each of the plurality of channels.
- The method of communication for distance measurement (radio waves for distance measurement and its response radio waves) is not limited to the method using UWB radio waves Sa. For example, radio waves of other frequencies may be used for distance measurement communication. As an example, Bluetooth (registered trademark) communication may be used as communication for distance measurement.

(Various variations of the system)
In the above example, the case where the processing execution unit 43 that determines whether smart verification is established is provided in the verification ECU 8 has been mainly described. However, the position where the processing execution unit 43 is provided is not limited. For example, the processing execution unit 43 may be provided in the master communication device 34, the slave communication device 35, or the terminal 2.

In the above example, the case where the validity of the measurement value Vm based on the distance between the slave communication device 35 and the terminal 2 is determined by the measurement unit 32 of the slave communication device 35 has been mainly described. That is, in the above example, the case where the master communication device 34 notifies the verification ECU 8 of the determination result by the slave communication device 35 has been mainly described. However, the validity of the measured value Vm may be determined by the master communication device 34. At this time, the master communication device 34 may notify the verification ECU 8 whether or not the smart verification is established based on the determination result by the slave communication device 35. Alternatively, the validity of the measured value Vm may be determined by the verification ECU 8. At this time, the master communication device 34 may notify the verification ECU 8 of the measurement value Vm measured by the slave communication device 35. Alternatively, the validity of the measurement value Vm may be determined by the terminal 2.

In the above example, the case where the number of communication devices 31 is six (in the example shown in FIG. 2, there is one master communication device 34 and four slave communication devices 35) has been mainly described. However, the number of communication devices 31 is not limited. For example, the number of communication devices 31 may be one, two, or three or more.

The LF transmitter 13 of the vehicle 1 may be provided in the vehicle 1 so as to form an LF radio wave (wake signal) area around the vehicle 1. For example, the LF transmitter 13 of the vehicle 1 may form an LF radio wave area around the driver's door, the passenger door, the back door, and inside the room.
The communication control unit 38 may control the operation of the communication device 31 based on the LF radio wave area formed by the LF transmitter 13. For example, when the terminal 2 enters the LF radio wave area around the driver's seat door and outdoor smart verification is established, the communication control unit 38 controls only the first slave communication device 35a and the third slave communication device 35c near the driver's seat. may be activated and the rest may be deactivated.

As described above, it is assumed that the vehicle 1 is provided with a plurality of slave communication devices 35. In such a case, the determination result of the validity of the measurement value Vm based on the distance between itself and the terminal 2 obtained by each of the plurality of slave communication devices 35 is output to the master communication device 34. At this time, the master communication device 34 may notify the verification ECU 8 of the determination results individually at the timing when the determination results are input, or collate all determination results at once at the timing when all the determination results are input. It may also be output to the ECU 8.

In the above example, the case where the processing execution unit 43 determines whether smart matching can be achieved has been mainly described. However, the processing executed by the processing execution unit 43 is not limited to determining whether smart matching is successful. For example, the processing execution unit 43 may control the operation of the in-vehicle device 3 in accordance with the measured value Vm, in addition to determining whether smart verification is successful.

In the above example, the case where the wake signal is transmitted from the vehicle 1 to the terminal 2 in the smart verification system has been mainly described. However, the wake signal may be transmitted from the terminal 2 to the vehicle 1.

In the above example, the case where the electronic key system 4 is a smart verification system that performs smart verification has been mainly described. However, electronic key system 4 is not limited to smart verification systems. For example, the electronic key system 4 may be any system that can confirm whether the terminal 2 is correct or not. Alternatively, the electronic key system 4 may be omitted, and the correctness of the terminal 2 may be confirmed using UWB communication.
In the above example, the case where confirmation of the correctness of the terminal 2 is performed by key ID verification and request response authentication has been mainly described. However, the method of confirming whether the terminal 2 is correct or not is not limited to this example. For example, the method for confirming the correctness of the terminal 2 may be any method as long as it is possible to confirm whether the terminal 2 and the vehicle 1 are a legitimate pair through communication between the terminal 2 and the vehicle 1.

In the above example, the case where the terminal 2 is the electronic key 5 was mainly explained. However, the terminal 2 is not limited to the electronic key 5. For example, the terminal 2 may be a high-performance mobile phone that can perform wireless communication with the vehicle 1.
In the above example, the distance measurement system 30 has a function of measuring a measured value Vm based on the distance between the vehicle 1 and the terminal 2, and a function of determining whether or not smart verification is established based on the validity of the measured value Vm (i.e., fraud). The case where the communication detection function) is provided has been mainly explained. However, the distance measurement system 30 only needs to have the function of measuring the measured value Vm, and does not need to have the function of detecting unauthorized communication.

In the above example, the case where the common encryption key between the terminal 2 and the communication device 31 is used to encrypt communication for distance measurement has been mainly described. However, the encryption key common between the terminal 2 and the communication device 31 may be used for encryption other than communication for distance measurement.

The frequency and communication method of radio waves used for various communications between the vehicle 1 and the terminal 2 may be changed in various ways.
In the above example, the case where the communication partner of the terminal 2 is the vehicle 1 was mainly explained. However, the communication partner of the terminal 2 is not limited to the vehicle 1, and can be changed to various devices or devices.

DESCRIPTION OF SYMBOLS 1...Vehicle, 2...Terminal, 3...In-vehicle device, 4...Electronic key system, 5...Electronic key, 8...Verification ECU, 20...Terminal control unit, 30...Distance measurement system, 31...Communication device, 32...Measurement unit , 34... Master communication device, 35... Slave communication device, 38... Communication control section, 39... Interface section, 40... Generation section, 41... Key authentication section, 42... Key control section, 43... Process execution section, 44... Authentication Part, 50... Engine switch, 230... Control device, 220... First device, 240... Second device.

Claims (11)

a first device that transmits encrypted information encrypted using a first encryption key;
a second device that executes a predetermined process based on a second encryption key that is a common encryption key with the first encryption key and the encrypted information from the first device;
the authentication department;
A communication system comprising a key control unit ,
The first device includes a first changing unit that changes the first encryption key when a first condition is satisfied,
The second device includes a second changing unit that changes the second encryption key when a second condition that is common to the first condition is satisfied ,
The first encryption key is generated based on first information and a first key generation logic that is logic indicating a procedure for generating the first encryption key,
The second encryption key is generated based on a second key generation logic that is a common logic with the first key generation logic and the first information,
The first condition includes a condition that the second information is input to the first changing section,
The second condition includes a condition that the second information is input to the second changing unit,
the first changing unit changes the first encryption key to a third encryption key generated based on the second information and the first key generation logic when the first condition is satisfied;
the second changing unit changes the second encryption key to a fourth encryption key generated based on the second information and the second key generation logic when the second condition is satisfied;
One of the first device and the second device is a terminal,
The other of the first device and the second device is a communication device that performs wireless communication with the terminal,
The authentication unit generates authentication information used to authenticate the terminal,
The key control unit outputs a part of the authentication information to the terminal as the second information, and outputs a part of the authentication information to the communication device as the second information.
Communications system. The key control unit outputs the second information to the first changing unit when a predetermined condition is met, so that the first changing unit changes the first encryption key to the third encryption key. controlling the change of the second encryption key to the fourth encryption key by the second change unit by controlling the change of the second encryption key and outputting the second information to the second change unit;
The communication system according to claim 1 . The predetermined condition includes a condition that the authentication information is generated.
The communication system according to claim 2 . The authentication unit authenticates the terminal ,
The communication system according to any one of claims 1 to 3. The key control unit outputs the entire authentication information including a part of the authentication information to the terminal.
The communication system according to any one of claims 1 to 4 . The key control unit outputs the entire authentication information to the terminal separately from a part of the authentication information.
The communication system according to any one of claims 1 to 4 . The first changing unit changes the first encryption key by changing the first key generation logic,
The second changing unit changes the second encryption key by changing the second key generation logic.
The communication system according to any one of claims 1 to 6 . The second device performs a process of comparing the encrypted information encrypted using the first encryption key with the encrypted information encrypted using the second encryption key as the predetermined process. conduct,
The communication system according to any one of claims 1 to 7 . The second device performs a process of decrypting the encrypted information encrypted using the first encryption key using the second encryption key as the predetermined process.
The communication system according to any one of claims 1 to 7 . Each of the first condition and the second condition includes a condition that a predetermined time has elapsed or a condition that the number of encrypted communications between the first device and the second device has reached a predetermined number.
The communication system according to any one of claims 1 to 9 . A control device capable of communicating with each of the first device and the second device,
When the encrypted information encrypted by the first device using the first encryption key is transmitted to the second device, the second device uses a second encryption key common to the first encryption key and the encryption information. A predetermined process based on the conversion information is executed,
The control device controls modification of the first encryption key by the first modification unit when a first condition is satisfied , and when a second condition that is a common condition with the first condition is satisfied. , comprising a key control unit that controls modification of the second encryption key by the second modification unit , and an authentication unit ,
The first encryption key is generated based on first information and a first key generation logic that is logic indicating a procedure for generating the first encryption key,
The second encryption key is generated based on a second key generation logic that is a common logic with the first key generation logic and the first information,
The first condition includes a condition that the second information is input to the first changing section,
The second condition includes a condition that the second information is input to the second changing unit,
The key control unit includes:
If the first condition is met, controlling a change of the first encryption key to a third encryption key generated based on the second information and the first key generation logic;
If the second condition is satisfied, controlling a change of the second encryption key to a fourth encryption key generated based on the second information and the second key generation logic;
One of the first device and the second device is a terminal,
The other of the first device and the second device is a communication device that performs wireless communication with the terminal,
The authentication unit generates authentication information used to authenticate the terminal,
The key control unit outputs a part of the authentication information to the terminal as the second information, and outputs a part of the authentication information to the communication device as the second information.
Control device.

Images