[go: up one dir, main page]

WO2025004126A1 - In-vehicle device and vehicle authentication system - Google Patents

In-vehicle device and vehicle authentication system Download PDF

Info

Publication number
WO2025004126A1
WO2025004126A1 PCT/JP2023/023480 JP2023023480W WO2025004126A1 WO 2025004126 A1 WO2025004126 A1 WO 2025004126A1 JP 2023023480 W JP2023023480 W JP 2023023480W WO 2025004126 A1 WO2025004126 A1 WO 2025004126A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
server
external terminal
unit
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/JP2023/023480
Other languages
French (fr)
Japanese (ja)
Inventor
量 福田
一弘 中西
正明 中村
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Astemo Ltd
Original Assignee
Hitachi Astemo Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Astemo Ltd filed Critical Hitachi Astemo Ltd
Priority to PCT/JP2023/023480 priority Critical patent/WO2025004126A1/en
Publication of WO2025004126A1 publication Critical patent/WO2025004126A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20Means to switch the anti-theft system on or off
    • B60R25/24Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user
    • EFIXED CONSTRUCTIONS
    • E05LOCKS; KEYS; WINDOW OR DOOR FITTINGS; SAFES
    • E05BLOCKS; ACCESSORIES THEREFOR; HANDCUFFS
    • E05B49/00Electric permutation locks; Circuits therefor ; Mechanical aspects of electronic locks; Mechanical keys therefor
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication

Definitions

  • the present invention relates to an in-vehicle device and a vehicle authentication system.
  • Prior art that anticipates such cases includes a method of performing authentication when communication between an external terminal and a server is interrupted, as described in Patent Document 1.
  • Patent Document 1 describes an authentication method for when communication between an external terminal and a server is interrupted, in which multiple cryptographic tokens for authentication are acquired in advance between the external terminal and the server, and "authentication with the vehicle-side system is performed without using tokens when a specified operation is performed.”
  • the specified operation refers to "when a low-security level operation is performed” by assigning a security level to each operation performed on the vehicle from the external terminal in advance. This reduces the consumption of cryptographic tokens and prevents the vehicle from becoming inoperable when communication with the server is interrupted.
  • this is merely a method of reducing risk, and if a high-security level operation is performed multiple times, the risk of the vehicle becoming inoperable in an area where communication is unavailable remains.
  • the present invention was made in consideration of the above problems, and aims to provide an in-vehicle device and a vehicle authentication system that prevents the vehicle from becoming inoperable even when communication between an external terminal and a server is interrupted.
  • the in-vehicle device includes an authentication unit that executes authentication processing in response to a request from an external terminal, and a communication unit that transmits and receives information between the external terminal and a server.
  • the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server.
  • FIG. 1 is a block diagram showing the overall configuration of a vehicle authentication system according to an embodiment of the present invention.
  • 6 is a flowchart showing a process of an external terminal according to the first embodiment of the present invention.
  • 4 is a flowchart showing a process of the in-vehicle device according to the first embodiment of the present invention.
  • 6 is a flowchart showing a process of a server according to the first embodiment of the present invention.
  • 10 is a flowchart showing a process of an external terminal according to the second embodiment of the present invention.
  • 10 is a flowchart showing a process of an in-vehicle device according to a second embodiment of the present invention.
  • FIG. 1 is a functional block diagram showing the configuration of a vehicle authentication system 1 according to a first embodiment of the present invention, which has an in-vehicle control device 100 (hereinafter simply referred to as the in-vehicle device 100), an external terminal 200, and a server device 300 (hereinafter simply referred to as the server 300).
  • the in-vehicle device 100 an in-vehicle control device 100
  • the external terminal 200 external terminal
  • server 300 hereinafter simply referred to as the server 300
  • the user can instruct the vehicle 10 to perform various operations from the external terminal 200.
  • the in-vehicle device 100 installed in the vehicle 10 receives an operation from the external terminal 200, it authenticates whether the operation is a legitimate operation, and if the authentication is successful, it instructs other control ECUs in the vehicle 10 to perform the operation.
  • the external terminal 200 can communicate with the server 300, authentication is performed using a token, and when the communication is interrupted, authentication between the in-vehicle device 100 and the external terminal 200 is performed by encryption key authentication using an encryption key.
  • the in-vehicle device 100 is mounted on the vehicle 10, and is connected to the external communication device 20, the door control ECU 30, the engine control ECU 40, and the GPS (Global Positioning System) receiver 50 via an in-vehicle communication path such as a CAN (Control Area Network), and performs communication.
  • the external communication device 20 supports long-distance wireless communication standards such as 5G, and performs wireless communication with the server 300.
  • the in-vehicle device 100 is made up of a well-known microcomputer equipped with a memory and a CPU, and includes an in-vehicle communication unit 110, a random number generation unit 120, an authentication unit 130, an operation monitoring unit 140, and a storage unit 150.
  • the storage unit 150 further includes a key information storage unit 160, a terminal information storage unit 170, a function switching information storage unit 180, and a log storage unit 190. Note that although the key information storage unit 160, the terminal information storage unit 170, the function switching information storage unit 180, and the log storage unit 190 are represented as separate blocks, they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.
  • the in-vehicle communication unit 110 is a well-known communication module that has the function of communicating with the external terminal 200 via wireless communication such as Wi-Fi (registered trademark) or Bluetooth (registered trademark). It also communicates with the server 300 via the external communication device 20. Note that in this embodiment, the in-vehicle communication unit 110 communicates with the external terminal 200 using a short-range communication standard, but if it supports a long-range communication standard such as 5G, it may have the function of communicating directly with the server 300 without going through the external communication device 20.
  • Wi-Fi registered trademark
  • Bluetooth registered trademark
  • the random number generation unit 120 is a well-known module that generates random numbers to be used for encryption key authentication when communication between the external terminal 200 and the server 300 is interrupted.
  • the authentication unit 130 is a module that includes a server-via-server operation authentication unit 132, a terminal operation authentication unit 134, and a function switching authentication unit 136, and performs authentication of operation instructions from the external terminal 200 to the vehicle 10.
  • the server-mediated operation authentication unit 132 is in an active state when communication is possible between the external terminal 200 and the server 300, and performs authentication of the operation received from the external terminal 200. Specifically, the server-mediated operation authentication unit 132 performs authentication of the operation instruction received from the external terminal 200 via the server. In this embodiment, the server-mediated operation authentication unit 132 performs authentication using a token. The server-mediated operation authentication unit 132 transmits the token attached to the operation instruction received from the external terminal 200 to the server 300 via the external communication device 20 and performs verification of the validity of the token. If the token is authenticated by the server 300, the operation requested from the external terminal 200 is executed.
  • the token authentication method is not limited to the above method, and for example, the server 300 may encrypt the token information with an encryption key held by the server 300 and digitally sign the token, so that the server may be involved in the authentication method even if the vehicle 10 and the server 300 do not directly communicate with each other.
  • the terminal operation authentication unit 134 When communication between the external terminal 200 and the server 300 is interrupted, the terminal operation authentication unit 134 becomes active upon receiving a function switching request from the external terminal 200, and performs authentication of operation instructions between the external terminal 200 and the vehicle 10. In this embodiment, the terminal operation authentication unit 134 performs authentication of operation instructions by encryption authentication using an encryption key. Specifically, the encryption key encryption given to the operation information from the external terminal 200 is decrypted by a pair of encryption keys shared in advance between the external terminal 200 and the vehicle 10, and authentication is performed. If the operation is authenticated, the requested operation is executed.
  • the function switching authentication unit 136 switches between the active states of the server-via-operation authentication unit 132 and the terminal operation authentication unit 134 in response to a function switching request received from the external terminal 200. Specifically, it compares function switching information, including the user's password and biometric information such as face and fingerprint, attached to the function switching request with pre-registered regular function switching information to authenticate the function switching. If the function switching request is authenticated, it sets the server-via-operation authentication unit 132 to an inactive state and the terminal operation authentication unit 134 to an active state, and switches the authentication for the operation request from the external terminal 200 from authentication using a token (token authentication) to authentication using an encryption key (encryption key authentication). Note that the user information used for this switching may not be input from the external terminal 200, but may be input, for example, from a camera or navigation system installed in the vehicle.
  • the operation monitoring unit 140 starts monitoring the in-vehicle communication unit 110, the external communication device 20, and the engine control ECU 40 when the authentication method of the authentication unit 130 is switched from token authentication to encryption key authentication.
  • the monitoring of the in-vehicle communication unit 110 or the external communication device 20 monitors the communication state between the vehicle and the server, and if the communication state with the server is possible but an operation request by encryption key authentication from an external terminal continues, a notification is sent to the external terminal and the authentication method is switched to token authentication.
  • the monitoring of the engine control ECU 40 monitors the travel distance from the engine start after switching to encryption key authentication, and if an operation request by encryption key authentication from an external terminal continues even after driving a certain distance or more after switching to encryption key authentication, the authentication method is switched to token authentication.
  • the reason for switching to token authentication in this way is that there is a high possibility of being subjected to a cyber attack by a third party when the external communication function of the vehicle is active or when encryption authentication has continued for a certain period of time or more.
  • this function is used to forcibly switch the authentication method, the terminal information and communication log of the external terminal 200 currently communicating, current location information from the GPS receiver 50, and the timestamp of the switch are stored in the log storage unit 190. If communication between the vehicle 10 and the server 300 is possible, the information stored in the log storage unit 190 is sent to the server 300 to notify the server 300 of the possibility of unauthorized use (cyber attack).
  • the key information storage unit 160 stores encryption key information that has been shared in advance between the external terminal 200 and the vehicle 10.
  • the terminal information storage unit 170 stores the identification information of the external terminal acquired when registering the external terminal 200 that communicates with the in-vehicle device 100.
  • the function switching information storage unit 180 stores user information used by the function switching authentication unit 136.
  • the log storage unit 190 stores information when the operation monitoring unit 140 forcibly switches the authentication method.
  • the external terminal 200 is made up of a well-known microcomputer equipped with a memory and a CPU, and includes a terminal communication unit A210, a terminal communication unit B220, a display unit 230, an operation unit 240, a data generation unit 250, and a storage unit 260.
  • the storage unit 260 further includes a terminal key information storage unit 270, a token storage unit 280, and a terminal function switching information storage unit 290. Note that although the terminal key information storage unit 270, the token storage unit 280, and the terminal function switching information storage unit 290 are represented as separate blocks, they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.
  • the terminal communication unit A210 communicates with the server 300 using a long-distance communication standard such as 5G (fifth generation mobile communication system).
  • 5G farth generation mobile communication system
  • the terminal communication unit B220 is a well-known communication module that has the function of communicating with the in-vehicle device 100 via wireless communication such as Wi-Fi (registered trademark) or Bluetooth (registered trademark). Note that in this embodiment, communication with the server 300 is performed by the terminal communication unit A210, and communication with the in-vehicle device 100 is performed by the terminal communication unit B220, but if the communication standards can be unified or if one module is used that supports multiple communication standards, the terminal communication units may be combined into one module.
  • Wi-Fi registered trademark
  • Bluetooth registered trademark
  • the display unit 230 displays on the LCD screen the operations that the user can currently perform on the vehicle 10, as shown in FIG. 2.
  • the operation unit 240 acquires input of operations performed by the user in response to the display on the display unit 230.
  • the data generation unit 250 includes a terminal function switching authentication unit 252 and a cryptography generation unit 254, and generates data to be sent to the vehicle 10. Normally, a token is attached to the operation information obtained from the operation unit 240 and the data is sent to the in-vehicle device 100. When the authentication method is switched to encryption key authentication, an encryption key cipher is attached to the operation information and the data is sent to the in-vehicle device 100.
  • the terminal function switching authentication unit 252 of the data generation unit 250 causes the display unit 230 to display a screen that asks the user whether to switch the authentication method. If the user requests to switch the authentication method, the data generation unit 250 causes the display unit 230 to display a screen that asks the user to enter function switching information such as a password or biometric information as shown in FIG. 3, and checks whether the entered information matches the function switching information that was registered in advance. If the information matches, data for an authentication method switching request is generated with the acquired user information attached, and is sent to the in-vehicle device 100.
  • function switching information such as a password or biometric information as shown in FIG. 3
  • the encryption code generation unit 254 of the data generation unit 250 uses the encryption key to generate an encryption code to be assigned to the operation information.
  • the terminal key information storage unit 270 stores the encryption key used when the authentication method is switched to encryption key authentication.
  • the token storage unit 280 stores a token issued by the server 300, which is added to the operation information during token authentication by the authentication method. Note that the number of tokens stored is not limited to one, and multiple tokens may be stored as in Patent Document 1.
  • the terminal function switching information storage unit 290 stores user information such as passwords and biometric information required for switching authentication methods.
  • the server 300 includes a terminal information authentication unit 310, a token authentication unit 320, a token generation unit 330, a server communication unit 340, and a storage unit 350.
  • the storage unit 350 further includes a terminal information storage unit 360 and a server token storage unit 370.
  • the server 300 issues a token to the external terminal 200 and authenticates the token with the vehicle 10.
  • the terminal information storage unit 360 and the server token storage unit 370 are represented as separate blocks, but they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.
  • the terminal information authentication unit 310 When the terminal information authentication unit 310 first communicates with the external terminal 200, it links the terminal information of the external terminal 200 with the information of the paired vehicle 10 and stores them in the terminal information storage unit 360. From the next time an external terminal accesses the unit, it checks whether the information of the external terminal that accessed the unit matches the information stored in the terminal information storage unit 360, and if they match, it allows the token generation unit 330 to issue a token.
  • the token authentication unit 320 authenticates whether the token sent from the vehicle 10 is genuine, and if it is genuine, returns a positive response to the vehicle 10.
  • the token generation unit 330 issues a token to the external terminal 200, and stores the currently issued token information and the issued terminal information as a set in the server token storage unit 370.
  • a new token is issued to the external terminal 200 when an issuance request from the external terminal 200 is permitted by the terminal information authentication unit 310, or when the token authentication sent from the vehicle 10 is successful.
  • an expiration date is set for the issued token, and if the token expiration date has expired or if the token authentication from the vehicle 10 has failed, the current token information stored in the server token storage unit 370 is discarded, and authentication processing cannot be performed with that token.
  • the server communication unit 340 is an existing wireless communication module that communicates between the external terminal 200 and the vehicle 10 or the in-vehicle device 100 using a long-distance communication standard such as 5G.
  • the terminal information storage unit 360 stores the terminal information of the external terminal 200 that has been permitted to access by the terminal information authentication unit 310.
  • the server token storage unit 370 stores the currently valid tokens issued by the token generation unit 330 and the terminal information for which the tokens were issued.
  • FIG. 4 is a flowchart of the processing executed by the external terminal 200 according to the first embodiment.
  • step 100 the external terminal 200 sends its own terminal information to the server 300, requests the issuance of a token, and proceeds to step 101.
  • step 101 the external terminal 200 waits for a response from the server 300, and if the terminal authentication is successful, it proceeds to step 102, and if it is unsuccessful, it proceeds to step 100.
  • step 102 the external terminal 200 stores the token issued by the server 300 in the token storage unit 280 and proceeds to step 103.
  • step 103 the external terminal 200 checks the communication status with the server 300 and proceeds to step 104.
  • step 104 if the communication status between the external terminal 200 and the server 300 is available, the process proceeds to step 105, and if the communication status is interrupted, the process proceeds to step 111. From here on, steps 105 to 110 represent the authentication process using a token, and steps 111 to 125 represent the process flow for authentication process using encryption key cryptography.
  • step 105 the data generation unit 250 checks the expiration date of the token stored in the token storage unit 280 and proceeds to step 106.
  • step 106 if the expiration date of the token stored in the token storage unit 280 is within the expiration date, the process proceeds to step 107; if the expiration date has expired, the currently stored token is discarded and the process proceeds to step 100.
  • step 107 the data generation unit 250 reads the operation information input by the user from the operation unit 240, and proceeds to step 108.
  • step 108 the data generation unit 250 generates transmission data by adding the token stored in the token storage unit 280 to the operation information read from the operation unit 240, and transmits the data from the terminal communication unit B220 to the vehicle 10, and proceeds to step 109.
  • step 109 the external terminal 200 waits for a response to the operation information from the vehicle 10, and if the response is positive, proceeds to step 110, and if the response is negative, discards the currently stored token and proceeds to step 100.
  • step 110 the external terminal 200 discards the token sent to the vehicle 10, stores the newly issued token from the server 300 in the token storage unit 280, and proceeds to step 103.
  • step 111 the terminal function switching authentication unit 252 displays a screen for the user to confirm whether or not to switch the authentication method, and proceeds to step 112.
  • step 112 the terminal function switching authentication unit 252 waits for input from the user, and if the input read from the operation unit 240 indicates that switching of the authentication function is necessary, it proceeds to step 113, and if not, it proceeds to step 103.
  • step 113 the terminal function switching authentication unit 252 displays a screen on the display unit 230 requesting the user to input function switching information such as a password and biometric information as shown in FIG. 3, and then proceeds to step 114.
  • step 114 the terminal function switching authentication unit 252 waits for input from the user, compares and authenticates the function switching information read from the operation unit 240 with the function switching information stored in the terminal function switching information storage unit 290, and proceeds to step 115.
  • step 115 if the authentication of the function switching information is successful, the process proceeds to step 116; if it is unsuccessful, the process proceeds to step 103.
  • step 116 the data generation unit 250 adds the function switching information authenticated in step 114 to the authentication method switching request, transmits it from the terminal communication unit B220 to the vehicle 10, and proceeds to step 117.
  • step 117 the terminal function switching authentication unit 252 waits for a response to the authentication method switching request from the vehicle 10, and proceeds to step 118 if the response is positive, or to step 103 if the response is negative.
  • step 118 the terminal function switching authentication unit 252 checks the communication state between the terminal communication unit A210 and the server 300, and proceeds to step 119.
  • step 119 if the communication state with the server 300 is not available, the process proceeds to step 121; if the communication state is available, the process proceeds to step 120.
  • step 120 the terminal function switching authentication unit 252 switches the authentication method from encryption key authentication to token authentication, and proceeds to step 103.
  • step 121 the terminal function switching authentication unit 252 checks whether forced switching of the authentication method has been performed by the vehicle 10. If forced switching has not been performed, the process proceeds to step 122. If forced switching has been performed, the process stops operation of the vehicle 10 by the external terminal 200 and ends the process.
  • step 122 the data generation unit 250 reads the user's operation from the operation unit 240, and proceeds to step 123.
  • This operation is any operation commanded by the user to the vehicle 10.
  • step 123 the data generation unit 250 generates transmission data based on the operation information read from the operation unit 240, transmits an operation request from the terminal communication unit B220 to the vehicle 10, and proceeds to step 124.
  • step 124 the encryption key encryption generator 254 receives an encryption key encryption request including random number information from the vehicle 10, generates an encryption key encryption from the received random number and the encryption key stored in the terminal key information storage unit 270, and proceeds to step 125.
  • step 125 the data generation unit 250 generates transmission data from the encryption key encryption generated by the encryption generation unit 254 in step 124, transmits the data from the terminal communication unit B220 to the vehicle 10, and proceeds to step 118 after receiving a response from the vehicle 10.
  • FIG. 5 is a flowchart of the process executed by the in-vehicle device 100 according to the first embodiment.
  • step 200 the in-vehicle device 100 checks whether a request to switch the authentication method has been received from the external terminal 200. If there is a request to switch, the process proceeds to step 201. If there is no request to switch, the process proceeds to step 221. From here on, steps 201 to 220 represent the process flow of authentication processing using encryption key encryption, and steps 221 to 226 represent the process flow of authentication processing using a token.
  • step 201 the function switching authentication unit 136 performs a comparison and authentication between the function switching information, including the user's password and biometric information such as a facial image, contained in the authentication method switching request received from the external terminal 200, and the function switching information stored in the function switching information storage unit 180, and then proceeds to step 202.
  • step 202 if the authentication of the function switching information in step 201 is successful, the process proceeds to step 204, and if it is unsuccessful, the process proceeds to step 203.
  • step 203 the authentication unit 130 transmits a negative response to the authentication method switching request from the in-vehicle communication unit 110 to the external terminal 200, and proceeds to step 200.
  • step 204 the authentication unit 130 transmits a positive response to the authentication method switching request from the in-vehicle communication unit 110 to the external terminal 200, and proceeds to step 205.
  • step 205 the function switching authentication unit 136 switches the authentication method of the in-vehicle device 100 in response to an operation request from the external terminal 200 from token authentication to encryption key encryption authentication.
  • the operation monitoring unit 140 starts saving the communication contents and timestamps between the in-vehicle device 100 and the external terminal 200 after the authentication method switching, and the information of the external terminal 200 in the log storage unit 190, and proceeds to step 206.
  • step 206 it is confirmed whether operation monitoring by the operation monitoring unit 140 is being performed. If it is being performed, the process proceeds to step 208. If it is not being performed, the process proceeds to step 207.
  • step 207 the operation monitoring unit 140 starts monitoring the communication state between the vehicle 10 and the server 300 by the external communication device 20, and the distance traveled by the vehicle 10 after the engine control ECU 40, and proceeds to step 208.
  • the operation monitoring unit 140 determines that the operation state of the vehicle is NG.
  • step 208 the authentication unit 130 waits to receive an operation request from the external terminal 200, and if an operation request is received, the process proceeds to step 209. If no operation request is received, the process continues to wait.
  • step 209 the random number generation unit 120 generates a random number for the encryption key encryption and proceeds to step 210.
  • step 210 the random number generation unit 120 transmits the random number information generated in step 209 from the in-vehicle communication unit 110 to the external terminal 200, and then proceeds to step 211.
  • step 211 the authentication unit 130 waits to receive the encryption key cipher from the external terminal 200, and if an encryption key cipher is received, the process proceeds to step 212.
  • step 212 the terminal operation authentication unit 134 decrypts the encryption key encryption received from the external terminal 200 using the encryption key stored in the key information storage unit 160, and then proceeds to step 213.
  • step 213 the terminal operation authentication unit 134 checks whether the encryption key encryption decrypted in step 212 matches the random number generated by the random number generation unit 120 in step 209. If they match, the process proceeds to step 214; if they do not match, the process proceeds to step 200.
  • step 214 the authentication unit 130 sends a negative response to the external terminal 200 and proceeds to step 200.
  • step 215 the authentication unit 130 sends a positive response to the external terminal 200 and proceeds to step 216.
  • step 216 the authentication unit 130 performs the operation requested by the external terminal 200 and proceeds to step 217.
  • step 217 the operation monitoring unit 140 checks whether the current operation status of the vehicle 10 is in an operation NG state, and if it is, proceeds to step 218, and if it is not, proceeds to step 206.
  • step 218 the operation monitoring unit 140 forcibly switches the authentication method from encryption key encryption authentication to token authentication, locks the current encryption key so that it cannot be used for authentication, and proceeds to step 219.
  • step 219 the operation monitoring unit 140 monitors the communication state between the vehicle 10 and the server 300, and if communication is possible, the process proceeds to step 220. If communication is not possible, the process waits.
  • step 220 the operation monitoring unit 140 combines the latest log in the log storage unit 190 and the current location information from the GPS receiver 50, and transmits this as an unauthorized use notification from the external vehicle communication device 20 to the server 300, and ends the authentication process.
  • step 221 the authentication unit 130 waits for an operation request and token from the external terminal 200, and if they are received, proceeds to step 222. If they are not received, it continues to wait.
  • step 222 the server-via-operation authentication unit 132 extracts the token information attached to the operation request received in step 221, transmits a token authentication request from the exterior vehicle communication device 20 to the server 300, and proceeds to step 223. In step 223, it waits for a response to the token authentication request from the server 300, and proceeds to step 225 if the authentication is successful, or proceeds to step 224 if the authentication is unsuccessful.
  • step 224 the authentication unit 130 sends a negative response to the external terminal 200 and proceeds to step 200.
  • step 225 the authentication unit 130 sends a positive response to the external terminal 200 and proceeds to step 226.
  • step 226 the authentication unit 130 performs the operation requested by the external terminal 200 and proceeds to step 200.
  • FIG. 6 is a flowchart of the process executed by the server 300 according to the first embodiment.
  • step 300 the server 300 determines the type of request it has received. If the request is a token issuance request received from the external terminal 200, it proceeds to step 301. If the request is a token authentication request received from the vehicle 10, it proceeds to step 307.
  • step 301 the terminal information authentication unit 310 performs a comparison authentication between the terminal information received from the external terminal 200 and the terminal information stored in the terminal information storage unit 360, and then proceeds to step 302.
  • step 302 if the terminal information authentication unit 310 compares the terminal information performed in step 301 and the results show a match, it proceeds to step 304, and if the results show a match, it proceeds to step 303.
  • step 303 the terminal information authentication unit 310 sends a negative response from the server communication unit 340 to the external terminal 200, and proceeds to step 300.
  • step 304 the terminal information authentication unit 310 sends a positive response from the server communication unit 340 to the external terminal 200, and proceeds to step 305.
  • step 305 the token generation unit 330 issues a new token, stores the token information in the server token storage unit 370, and proceeds to step 306.
  • step 306 the token generation unit 330 transmits the token from the server communication unit 340 to the external terminal 200, and the process proceeds to step 300.
  • step 307 the token authentication unit 320 performs authentication using the token information received from the vehicle 10 and the token information stored in the server token storage unit 370, and proceeds to step 308.
  • step 308 the token authentication unit 320 checks the result of the authentication performed in step 307, and if the authentication is successful, the process proceeds to step 310, and if the authentication is unsuccessful, the process proceeds to step 309.
  • step 309 the token authentication unit 320 sends a negative response from the server communication unit 340 to the vehicle 10, and proceeds to step 300.
  • step 310 the token authentication unit 320 sends a positive response from the server communication unit 340 to the vehicle 10, and proceeds to step 311.
  • step 311 the token generation unit 330 issues an update token and proceeds to step 312.
  • step 312 the token generation unit 330 transmits the token issued in step 311 to the external terminal 200 from the server communication unit 340, and then proceeds to step 300.
  • the authentication method for the operation request sent from the external terminal 200 to the vehicle 10 is switched depending on the communication status between the external terminal 200 and the server. Specifically, when communication between the external terminal 200 and the server 300 is interrupted, authentication is performed using an encryption key generated by the external terminal 200 for the operation request sent from the external terminal 200 to the vehicle 10. This makes it possible to avoid the risk of the vehicle becoming inoperable even in a situation where communication between the external terminal 200 and the server 300 is interrupted.
  • the system configuration is the same as in the first embodiment, but it differs from the first embodiment in that the user's operation is performed directly on the vehicle 10, not through the external terminal 200.
  • An operation performed directly on the vehicle 10 refers to, for example, a case where the door control ECU 30 is requested to open or close the door using a physical button on the door, or a case where the engine control ECU 40 is requested to start the engine using a smart push key.
  • FIG. 7 is a flowchart showing the processing executed by the external terminal 200 according to the second embodiment. Note that the same processes as those executed in the first embodiment, explained in FIG. 4, are given the same reference numerals, and the explanation is omitted. Also, the processing executed by the server 300 is the same as that in FIG. 6 according to the first embodiment, and therefore the explanation is omitted.
  • step 106 If, in step 106, the token stored in the token storage unit 280 is within its expiration date, in step 407, the data generation unit 250 receives information about the operation performed directly by the user on the vehicle 10, and the process proceeds to step 108.
  • the subsequent processing is the same as that described using FIG. 4.
  • the data generation unit 250 receives information about the operation performed directly by the user on the vehicle 10 in step 421, and the process proceeds to step 123.
  • the subsequent processing is the same as the processing described with reference to FIG. 4.
  • FIG. 8 is a flowchart showing the process performed by the in-vehicle device 100 according to the second embodiment. Note that the same processes as those performed in the second embodiment described in FIG. 5 are denoted by the same reference numerals, and the description thereof will be omitted.
  • step 500 the authentication unit 130 checks whether the other ECUs connected to the in-vehicle device 100 have been directly operated by the user, and if so, proceeds to step 501. If no direct operation has been performed by the user, the process waits.
  • step 501 the authentication unit 130 transmits the operation information requested by the user from the other ECU to the external terminal 200, and then proceeds to step 200.
  • Steps 500 and 501 are performed when the user directly operates the vehicle 10, and transition to step 200 occurs as an interrupt.
  • the operational information is sent from the vehicle to the external terminal and authenticated, so it is possible to prevent the vehicle from becoming inoperable even if communication between the external terminal and the server is cut off.
  • the external terminal 200 reissues the token by sending the terminal information to the server 300 again, but it is not limited to using the terminal information to reissue the token.
  • a refresh token may be issued at the same time, and when requesting token reissue, the external terminal 200 may make the reissue request using the refresh token rather than the terminal information.
  • token authentication is used for authentication of operations via the server
  • encryption key cryptography is used for authentication of terminal operations
  • the present invention is not limited to this authentication method, and it is sufficient that the authentication method is different depending on whether or not authentication is performed by the server.
  • an electronic signature using an encryption key by the server may be applied.
  • token authentication is performed between the vehicle 10 and the server 300
  • the token authentication method is not limited to this, and it is sufficient that a server is involved in authenticating operations between the external terminal 200 and the vehicle 10.
  • a server is involved in authenticating operations between the external terminal 200 and the vehicle 10.
  • the server 300 signs the token with an encryption key and returns it.
  • a method in which the external terminal attaches the returned signed token to an operation request, and the vehicle 10 verifies the signature with an encryption key to confirm that the operation has been authenticated by the server 300 may also be used.
  • each embodiment does not need to stand alone, and the functions of each embodiment may be implemented simultaneously.
  • each of the above configurations, functions, etc. may be realized by software that causes a processor to realize each function.
  • Information such as programs, tables, files, etc. that realize each function can be stored in a recording device such as memory, a hard disk, or an SSD (Solid State Drive), or in recording media such as IC cards, SD cards, DVDs, or various recording media installed in the microcomputer.
  • a recording device such as memory, a hard disk, or an SSD (Solid State Drive)
  • recording media such as IC cards, SD cards, DVDs, or various recording media installed in the microcomputer.
  • An example of an in-vehicle device includes an authentication unit that executes authentication processing in response to a request from an external terminal, and a communication unit that transmits and receives information between the external terminal and a server.
  • the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server.
  • the above configuration makes it possible to prevent the vehicle from becoming inoperable even if communication between the external terminal and the server is interrupted.
  • the device further includes a generation unit that generates information to be used in the authentication process, the communication unit transmits the information to the external terminal and receives cryptographic information in which the information is encrypted by the external terminal, and the authentication unit executes the authentication process using a token issued by the server when the external terminal and the server are able to communicate with each other, and executes the authentication process using the cryptographic information when communication between the external terminal and the server is interrupted. Specifically, the process of (1) is executed in this manner.
  • the authentication unit switches from authentication processing using cryptographic information to authentication processing using a token. Because cryptographic authentication processing involves the risk of being subject to cyber attacks from third parties, it is preferable to switch to token authentication in this manner as soon as the token becomes available.
  • the authentication unit stops the authentication process when the vehicle's external communication function is capable of communication and communication between the external terminal and the server remains interrupted. If the vehicle's external communication function is capable of communication, a third party may use the communication function to launch a cyber attack, so the authentication process is stopped to prevent the internal program from being tampered with, etc.
  • the vehicle further includes an operation monitoring unit that monitors the communication status with the server, and when a communication interruption between the external terminal and the server continues and the communication interruption between the server and the vehicle is resolved, the operation monitoring unit stops the authentication process using the encryption information and transmits information on the communicating external terminal and current location information to the server.
  • the communication interruption between the server and the vehicle is resolved, token authentication becomes possible again, so it is preferable to stop the high-risk encryption authentication process and further transmit various information to the server for use in log analysis.
  • the operation monitoring unit further monitors the distance traveled since the start of the vehicle's engine, and stops the authentication process using the encryption information when the distance traveled during the authentication process using the encryption information exceeds a certain distance. If the authentication process using the encryption information continues for too long, it increases the possibility of being subjected to a cyber attack from the outside, so this restriction is imposed on the authentication process using the encryption information to eliminate that risk.
  • a vehicle authentication system that includes a server, an external terminal, and an in-vehicle device, and switches between authentication processing methods between the external terminal and the in-vehicle device depending on the communication state between the server and the external terminal.
  • the in-vehicle device includes an authentication unit that executes authentication processing in response to a request from the external terminal, and a communication unit that transmits and receives information between the external terminal and the server.
  • the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server.
  • Such a system can be expected to achieve the same effects as the in-vehicle device according to (1).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Lock And Its Accessories (AREA)

Abstract

An in-vehicle device 100 according to the present invention comprises: an authentication unit 130 for executing authentication processing in response to a request from an external terminal 200; and a communication unit 110 for transmitting and receiving information to/from the external terminal 200 and a server 300. The authentication unit 130 executes authentication processing via the server 300 when the external terminal 200 and the server 300 can communicate with each other, and executes authentication processing without going via the server 300 when communication between the external terminal 200 and the server 300 is interrupted.

Description

車載装置及び車両認証システムIn-vehicle device and vehicle authentication system

 本発明は、車両に搭載された車載装置及び車両認証システムに関する。 The present invention relates to an in-vehicle device and a vehicle authentication system.

 近年、コネクテッドカーの普及により、車載ECU(Electrical Control Unit)の数が増加している。これに伴い車両操作に物理鍵を用いないスマートキーシステムの普及が進んでいる。このようなシステムでは、スマートフォン等の携帯端末と、ゲートウェイ等の車載制御装置、ディーラー等の管理者の擁するサーバー装置間で相互通信を行い、操作情報の認証処理を実施している。こうした認証は通信傍受に対する安全性や、認証情報のメンテナンス性からトークンを用いた認証が用いられる傾向にある。 In recent years, the popularity of connected cars has led to an increase in the number of in-vehicle ECUs (Electrical Control Units). This has led to the widespread use of smart key systems that do not use physical keys to operate the vehicle. In such systems, mutual communication is carried out between mobile devices such as smartphones, in-vehicle control devices such as gateways, and server devices operated by administrators such as dealers, and authentication processing of operation information is carried out. There is a trend towards using tokens for this type of authentication due to security against wiretapping and the ease of maintaining authentication information.

 しかし、こうした遠方のサーバーとの相互通信により認証を実施するシステムでは、例えば地下駐車場といったサーバーとの通信が実施できない領域では操作の実施が不可能になる危険性がある。このような場合を想定した先行技術として特許文献1のような外部端末-サーバー間通信が途絶した場合の認証実施方法がある。 However, in a system that performs authentication through mutual communication with a distant server, there is a risk that operations will not be possible in areas where communication with the server is not possible, such as underground parking lots. Prior art that anticipates such cases includes a method of performing authentication when communication between an external terminal and a server is interrupted, as described in Patent Document 1.

特開2021―37889号公報JP 2021-37889 A

 特許文献1では、外部端末-サーバー間通信が途絶した際の認証方法として、あらかじめ外部端末-サーバー間で認証用の暗号トークンを複数取得しておき、「所定の操作がされる場合にトークンを用いずに車両側システムと認証を行う」とある。この所定の操作とは、あらかじめ外部端末から車両に対して実施される各操作にセキュリティレベルを割り振り、「低セキュリティレベルの操作が実施された場合」を意味する。これにより、暗号トークンの消費を軽減し、サーバーとの通信が途絶している際に車両に対して操作不能になることを抑制するための技術となっている。しかし、あくまで危険性の抑制方法であり、高セキュリティレベルの操作を複数回実施された場合、通信不能領域で車両操作不能に陥る危険性は残存したままである。 Patent Document 1 describes an authentication method for when communication between an external terminal and a server is interrupted, in which multiple cryptographic tokens for authentication are acquired in advance between the external terminal and the server, and "authentication with the vehicle-side system is performed without using tokens when a specified operation is performed." The specified operation refers to "when a low-security level operation is performed" by assigning a security level to each operation performed on the vehicle from the external terminal in advance. This reduces the consumption of cryptographic tokens and prevents the vehicle from becoming inoperable when communication with the server is interrupted. However, this is merely a method of reducing risk, and if a high-security level operation is performed multiple times, the risk of the vehicle becoming inoperable in an area where communication is unavailable remains.

 本発明は、上記課題を鑑みてなされたものであり、外部端末-サーバー間の通信が途絶している状態でも車両の操作が不能な状態に陥らない車載装置及び車両認証システムを提供することを目的とする。 The present invention was made in consideration of the above problems, and aims to provide an in-vehicle device and a vehicle authentication system that prevents the vehicle from becoming inoperable even when communication between an external terminal and a server is interrupted.

 上記の課題を解決するため、本発明に係る車載装置は、外部端末からの要求に対して認証処理を実行する認証部と、外部端末及びサーバーとの間で情報を送受信する通信部とを備え、認証部は、外部端末とサーバーとが通信可能であるとき、サーバーを経由して認証処理を実行し、外部端末とサーバーとが通信途絶であるとき、サーバーを経由せず認証処理を実行する。 In order to solve the above problems, the in-vehicle device according to the present invention includes an authentication unit that executes authentication processing in response to a request from an external terminal, and a communication unit that transmits and receives information between the external terminal and a server. When the external terminal and the server are able to communicate, the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server.

 本発明によれば、外部端末-サーバー間の通信が途絶している状態でも車両の操作が不能な状態に陥ることを防止することが可能になる。
 本発明に関連する更なる特徴は、本明細書の記述、添付図面から明らかになるものである。また、上記した以外の課題、構成及び効果は、以下の実施例の説明により明らかにされる。 According to the present invention, it is possible to prevent the vehicle from falling into a state in which it is impossible to operate even when communication between the external terminal and the server is interrupted.
Further features related to the present invention will become apparent from the description of the present specification and the accompanying drawings. Furthermore, the objects, configurations and effects other than those described above will become apparent from the following description of the embodiments.

本発明の一実施例に係る車両認証システム全体の構成を示すブロック図。1 is a block diagram showing the overall configuration of a vehicle authentication system according to an embodiment of the present invention. 外部端末に表示される操作画面の例。An example of the operation screen displayed on an external terminal. ユーザー情報の入力を求める操作画面の例。An example of an action screen prompting for user information. 本発明の実施例1に係る外部端末の処理を示すフローチャート。6 is a flowchart showing a process of an external terminal according to the first embodiment of the present invention. 本発明の実施例1に係る車載装置の処理を示すフローチャート。4 is a flowchart showing a process of the in-vehicle device according to the first embodiment of the present invention. 本発明の実施例1に係るサーバーの処理を示すフローチャート。6 is a flowchart showing a process of a server according to the first embodiment of the present invention. 本発明の実施例2に係る外部端末の処理を示すフローチャート。10 is a flowchart showing a process of an external terminal according to the second embodiment of the present invention. 本発明の実施例2に係る車載装置の処理を示すフローチャート。10 is a flowchart showing a process of an in-vehicle device according to a second embodiment of the present invention.

 以下、実施例を図面を用いて説明する。 The following describes the embodiment with reference to the drawings.

[実施例1]
 図1は、本発明の実施例1に係る、車載制御装置100(以下、単に車載装置100と呼称する)と外部端末200とサーバー装置300(以下、単にサーバー300と呼称する)とを有する、車両認証システム1の構成を示す機能ブロック図である。 [Example 1]
FIG. 1 is a functional block diagram showing the configuration of a vehicle authentication system 1 according to a first embodiment of the present invention, which has an in-vehicle control device 100 (hereinafter simply referred to as the in-vehicle device 100), an external terminal 200, and a server device 300 (hereinafter simply referred to as the server 300).

 車両認証システム1において、ユーザーは外部端末200から車両10に対して様々な操作を指示できる。外部端末200からの操作を受け取った車両10に搭載された車載装置100はその操作が正規の操作であるか認証を実施し、認証が成功であれば車両10内の他制御ECUに対して操作実施を指示する。本実施例では、外部端末200がサーバー300と通信可能時はトークンを用いた認証を実施し、前記通信が途絶時には暗号鍵を用いた暗号鍵認証により車載装置100と外部端末200との認証を実施する。 In the vehicle authentication system 1, the user can instruct the vehicle 10 to perform various operations from the external terminal 200. When the in-vehicle device 100 installed in the vehicle 10 receives an operation from the external terminal 200, it authenticates whether the operation is a legitimate operation, and if the authentication is successful, it instructs other control ECUs in the vehicle 10 to perform the operation. In this embodiment, when the external terminal 200 can communicate with the server 300, authentication is performed using a token, and when the communication is interrupted, authentication between the in-vehicle device 100 and the external terminal 200 is performed by encryption key authentication using an encryption key.

 車載装置100は車両10に搭載され、CAN(Control Area Network)等の車内通信路により車外通信装置20、ドア制御ECU30、エンジン制御ECU40、GPS(Grobal Positioning System)受信機50に接続し、通信を行っている。車外通信装置20は、5G等の長距離無線通信規格に対応し、サーバー300との間で無線通信を実施する。 The in-vehicle device 100 is mounted on the vehicle 10, and is connected to the external communication device 20, the door control ECU 30, the engine control ECU 40, and the GPS (Global Positioning System) receiver 50 via an in-vehicle communication path such as a CAN (Control Area Network), and performs communication. The external communication device 20 supports long-distance wireless communication standards such as 5G, and performs wireless communication with the server 300.

 車載装置100は、メモリ及びCPUを備えた周知のマイクロコンピューターからなり、車載通信部110、乱数生成部120、認証部130、動作監視部140、及び記憶部150を備える。記憶部150はさらに鍵情報記憶部160、端末情報記憶部170、機能切替情報記憶部180、及びログ記憶部190を備える。なお、前記鍵情報記憶部160、端末情報記憶部170、機能切替情報記憶部180、及びログ記憶部190は別々のブロックで表現しているが、単一の記憶媒体の記憶領域に個々に割り振る、あるいは複数の記憶媒体の記憶領域に任意に配置されていてもよい。 The in-vehicle device 100 is made up of a well-known microcomputer equipped with a memory and a CPU, and includes an in-vehicle communication unit 110, a random number generation unit 120, an authentication unit 130, an operation monitoring unit 140, and a storage unit 150. The storage unit 150 further includes a key information storage unit 160, a terminal information storage unit 170, a function switching information storage unit 180, and a log storage unit 190. Note that although the key information storage unit 160, the terminal information storage unit 170, the function switching information storage unit 180, and the log storage unit 190 are represented as separate blocks, they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.

 車載通信部110は、外部端末200とWi-Fi(登録商標)やBluetooth(登録商標)といった無線通信により通信を行う機能を有する周知の通信モジュールである。また、車外通信装置20を介してサーバー300とも通信を行う。なお、本実施例では車載通信部110は、外部端末200と短距離通信規格で通信を実施するとしているが、5Gのような長距離通信規格に対応している場合、車外通信装置20を介さず直接サーバー300と通信を実施する機能を有していてもよい。 The in-vehicle communication unit 110 is a well-known communication module that has the function of communicating with the external terminal 200 via wireless communication such as Wi-Fi (registered trademark) or Bluetooth (registered trademark). It also communicates with the server 300 via the external communication device 20. Note that in this embodiment, the in-vehicle communication unit 110 communicates with the external terminal 200 using a short-range communication standard, but if it supports a long-range communication standard such as 5G, it may have the function of communicating directly with the server 300 without going through the external communication device 20.

 乱数生成部120は、外部端末200とサーバー300との間が通信途絶時に暗号鍵認証に用いる乱数を生成する周知のモジュールである。 The random number generation unit 120 is a well-known module that generates random numbers to be used for encryption key authentication when communication between the external terminal 200 and the server 300 is interrupted.

 認証部130は、サーバー経由操作認証部132、端末操作認証部134、機能切替認証部136を備え、外部端末200から車両10への操作指示の認証を実施するモジュールである。 The authentication unit 130 is a module that includes a server-via-server operation authentication unit 132, a terminal operation authentication unit 134, and a function switching authentication unit 136, and performs authentication of operation instructions from the external terminal 200 to the vehicle 10.

 サーバー経由操作認証部132は、外部端末200とサーバー300との間が通信可能状態の時アクティブ状態となり、外部端末200から受け付けた操作の認証を実施する。具体的にはサーバー経由操作認証部132では、外部端末200から受け付けた操作指示の認証をサーバーを経由して実施する。本実施例では、サーバー経由操作認証部132はトークンを用いて認証を実施する。サーバー経由操作認証部132では、外部端末200から受け付けた操作指示に付与されたトークンを、車外通信装置20を介してサーバー300に送信しトークンの正否確認を実施する。トークンがサーバー300により認証された場合、外部端末200から要求された操作を実行する。なお、トークンの認証方法は前記方法に限定されるものではなく、例えばサーバー300の所持する暗号鍵によってトークン情報を暗号化し、トークンに対して電子署名することで直接車両10とサーバー300が通信していなくても認証方法にサーバーが介在していればよい。 The server-mediated operation authentication unit 132 is in an active state when communication is possible between the external terminal 200 and the server 300, and performs authentication of the operation received from the external terminal 200. Specifically, the server-mediated operation authentication unit 132 performs authentication of the operation instruction received from the external terminal 200 via the server. In this embodiment, the server-mediated operation authentication unit 132 performs authentication using a token. The server-mediated operation authentication unit 132 transmits the token attached to the operation instruction received from the external terminal 200 to the server 300 via the external communication device 20 and performs verification of the validity of the token. If the token is authenticated by the server 300, the operation requested from the external terminal 200 is executed. Note that the token authentication method is not limited to the above method, and for example, the server 300 may encrypt the token information with an encryption key held by the server 300 and digitally sign the token, so that the server may be involved in the authentication method even if the vehicle 10 and the server 300 do not directly communicate with each other.

 端末操作認証部134は、外部端末200とサーバー300との間が通信途絶状態のとき、外部端末200からの機能切替要求を受けアクティブ状態となり、外部端末200と車両10間で操作指示の認証を実施する。本実施例では、端末操作認証部134は暗号鍵による暗号認証により操作指示の認証を実施する。具体的には外部端末200からの操作情報に付与された暗号鍵暗号を、あらかじめ外部端末200と車両10間で共有した対の暗号鍵により復号し認証を実施する。操作が認証された場合、要求された操作を実行する。 When communication between the external terminal 200 and the server 300 is interrupted, the terminal operation authentication unit 134 becomes active upon receiving a function switching request from the external terminal 200, and performs authentication of operation instructions between the external terminal 200 and the vehicle 10. In this embodiment, the terminal operation authentication unit 134 performs authentication of operation instructions by encryption authentication using an encryption key. Specifically, the encryption key encryption given to the operation information from the external terminal 200 is decrypted by a pair of encryption keys shared in advance between the external terminal 200 and the vehicle 10, and authentication is performed. If the operation is authenticated, the requested operation is executed.

 機能切替認証部136は、外部端末200から受け付けた機能切替要求によりサーバー経由操作認証部132と端末操作認証部134のアクティブ状態の切替を実施する。具体的には機能切替要求に付与されたユーザーのパスワードや、顔、指紋等の生体情報を含む機能切替情報と、あらかじめ登録しておいた正規の機能切替情報とを比較し機能切替の認証を実施する。機能切替要求が認証された場合、サーバー経由操作認証部132を非アクティブ状態に、端末操作認証部134をアクティブ状態に設定し、外部端末200からの操作要求に対する認証を、トークンを用いた認証(トークン認証)から暗号鍵を用いた認証(暗号鍵認証)に切り替える。なお、この切替に用いられるユーザー情報は外部端末200から入力されるのではなく、例えば車両に備え付けられたカメラやナビにより入力されてもよい。 The function switching authentication unit 136 switches between the active states of the server-via-operation authentication unit 132 and the terminal operation authentication unit 134 in response to a function switching request received from the external terminal 200. Specifically, it compares function switching information, including the user's password and biometric information such as face and fingerprint, attached to the function switching request with pre-registered regular function switching information to authenticate the function switching. If the function switching request is authenticated, it sets the server-via-operation authentication unit 132 to an inactive state and the terminal operation authentication unit 134 to an active state, and switches the authentication for the operation request from the external terminal 200 from authentication using a token (token authentication) to authentication using an encryption key (encryption key authentication). Note that the user information used for this switching may not be input from the external terminal 200, but may be input, for example, from a camera or navigation system installed in the vehicle.

 動作監視部140は、認証部130の認証方法がトークン認証から暗号鍵認証へ切り替わった際に、車載通信部110と車外通信装置20とエンジン制御ECU40の監視を開始する。車載通信部110あるいは車外通信装置20の監視は、車両とサーバー間の通信状態を監視し、サーバーとの通信状態が可能であるにもかかわらず、外部端末から暗号鍵認証による操作要求が継続している場合、外部端末へ通知を送信したのち、認証方法をトークン認証へ切り替える。また、エンジン制御ECU40の監視は、暗号鍵認証への切り替え後のエンジン起動後からの移動距離を監視し、暗号鍵認証への切り替え後に一定以上の距離を走行しても外部端末から暗号鍵認証による操作要求が継続していた場合、認証方法をトークン認証へ切り替える。このようにトークン認証へと切り替えるのは、車両の外部通信機能が有効である場合や暗号認証が一定時間以上継続している場合には第三者によるサイバー攻撃を受ける可能性が高いためである。本機能により強制的な認証方法の切り替えを実施した場合、現在通信を行っている外部端末200の端末情報及び通信ログと、GPS受信機50による現在地情報と、切り替えを実施したタイムスタンプとをログ記憶部190に保存する。車両10とサーバー300の通信が可能であればログ記憶部190へ保存した情報をサーバー300へ送信し、不正利用(サイバー攻撃)された可能性があることを通知する。また、不正利用が発覚した場合、以後通信を実施した外部端末が正規の端末であるとサーバー300から再設定されない限り、今回使用した暗号鍵を用いた暗号鍵認証を実施できないようにする。本監視は、サーバーを経由しない認証方法を不正に連続使用されることを抑止するために実施する。 The operation monitoring unit 140 starts monitoring the in-vehicle communication unit 110, the external communication device 20, and the engine control ECU 40 when the authentication method of the authentication unit 130 is switched from token authentication to encryption key authentication. The monitoring of the in-vehicle communication unit 110 or the external communication device 20 monitors the communication state between the vehicle and the server, and if the communication state with the server is possible but an operation request by encryption key authentication from an external terminal continues, a notification is sent to the external terminal and the authentication method is switched to token authentication. The monitoring of the engine control ECU 40 monitors the travel distance from the engine start after switching to encryption key authentication, and if an operation request by encryption key authentication from an external terminal continues even after driving a certain distance or more after switching to encryption key authentication, the authentication method is switched to token authentication. The reason for switching to token authentication in this way is that there is a high possibility of being subjected to a cyber attack by a third party when the external communication function of the vehicle is active or when encryption authentication has continued for a certain period of time or more. When this function is used to forcibly switch the authentication method, the terminal information and communication log of the external terminal 200 currently communicating, current location information from the GPS receiver 50, and the timestamp of the switch are stored in the log storage unit 190. If communication between the vehicle 10 and the server 300 is possible, the information stored in the log storage unit 190 is sent to the server 300 to notify the server 300 of the possibility of unauthorized use (cyber attack). In addition, if unauthorized use is discovered, encryption key authentication using the encryption key used this time will not be possible unless the external terminal that performed the communication is reconfigured by the server 300 as a legitimate terminal. This monitoring is performed to prevent unauthorized and continuous use of authentication methods that do not go through the server.

 鍵情報記憶部160は、あらかじめ外部端末200と車両10との間で共有した暗号鍵情報を保存する。 The key information storage unit 160 stores encryption key information that has been shared in advance between the external terminal 200 and the vehicle 10.

 端末情報記憶部170は、車載装置100と通信を実施する外部端末200を登録する際に取得する外部端末の識別情報を保存する。 The terminal information storage unit 170 stores the identification information of the external terminal acquired when registering the external terminal 200 that communicates with the in-vehicle device 100.

 機能切替情報記憶部180は、機能切替認証部136で使用するユーザー情報を保存する。 The function switching information storage unit 180 stores user information used by the function switching authentication unit 136.

 ログ記憶部190は、動作監視部140による強制的な認証方法切替が実施された際の情報を保存する。 The log storage unit 190 stores information when the operation monitoring unit 140 forcibly switches the authentication method.

 続いて外部端末200の機能構成について説明する。外部端末200はメモリ及びCPUを備えた周知のマイクロコンピューターからなり、端末通信部A210、端末通信部B220、表示部230、操作部240、データ生成部250、及び記憶部260を備える。記憶部260はさらに端末鍵情報記憶部270、トークン記憶部280、及び端末機能切替情報記憶部290を備える。なお、端末鍵情報記憶部270、トークン記憶部280、及び端末機能切替情報記憶部290は別々のブロックで表現しているが、単一の記憶媒体の記憶領域に個々に割り振る、あるいは複数の記憶媒体の記憶領域に任意に配置されていてもよい。 Next, the functional configuration of the external terminal 200 will be described. The external terminal 200 is made up of a well-known microcomputer equipped with a memory and a CPU, and includes a terminal communication unit A210, a terminal communication unit B220, a display unit 230, an operation unit 240, a data generation unit 250, and a storage unit 260. The storage unit 260 further includes a terminal key information storage unit 270, a token storage unit 280, and a terminal function switching information storage unit 290. Note that although the terminal key information storage unit 270, the token storage unit 280, and the terminal function switching information storage unit 290 are represented as separate blocks, they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.

 端末通信部A210は、5G(第5世代移動通信システム)のような長距離通信規格により、サーバー300との通信を実施する。 The terminal communication unit A210 communicates with the server 300 using a long-distance communication standard such as 5G (fifth generation mobile communication system).

 端末通信部B220は、車載装置100とWi-Fi(登録商標)やBluetooth(登録商標)といった無線通信により通信を行う機能を有する周知の通信モジュールである。なお、本実施例ではサーバー300との通信を端末通信部A210、車載装置100との通信を端末通信部B220で実施しているが、通信規格を統一できる場合、または一つのモジュールで複数の通信規格に対応するモジュールを使用する場合端末通信部を一つのモジュールにまとめてもよい。 The terminal communication unit B220 is a well-known communication module that has the function of communicating with the in-vehicle device 100 via wireless communication such as Wi-Fi (registered trademark) or Bluetooth (registered trademark). Note that in this embodiment, communication with the server 300 is performed by the terminal communication unit A210, and communication with the in-vehicle device 100 is performed by the terminal communication unit B220, but if the communication standards can be unified or if one module is used that supports multiple communication standards, the terminal communication units may be combined into one module.

 表示部230は、液晶画面にユーザーが車両10に対して、図2のような現在ユーザーが実施できる操作の表示を行う。 The display unit 230 displays on the LCD screen the operations that the user can currently perform on the vehicle 10, as shown in FIG. 2.

 操作部240は、表示部230の表示に伴いユーザーが実施した操作の入力を取得する。 The operation unit 240 acquires input of operations performed by the user in response to the display on the display unit 230.

 データ生成部250は、端末機能切替認証部252、暗号生成部254を備え、車両10に対して送信するデータの生成を行う。通常時は操作部240から得た操作情報に対してトークンを付与して車載装置100に対して送信し、認証方法が暗号鍵認証に切り替わった際は操作情報に対して暗号鍵暗号を付与して車載装置100へ送信する。 The data generation unit 250 includes a terminal function switching authentication unit 252 and a cryptography generation unit 254, and generates data to be sent to the vehicle 10. Normally, a token is attached to the operation information obtained from the operation unit 240 and the data is sent to the in-vehicle device 100. When the authentication method is switched to encryption key authentication, an encryption key cipher is attached to the operation information and the data is sent to the in-vehicle device 100.

 データ生成部250の端末機能切替認証部252は、外部端末200とサーバー300との間の通信が途絶したとき、表示部230へユーザーに対して認証方法の切り替えを実施するか確認する画面を表示させる。ユーザーにより認証方法の切り替えが要求された場合、表示部230へ図3のようなパスワードや生体情報等の機能切替情報の入力を求める画面を表示させ、入力された情報があらかじめ登録していた機能切替情報と一致するか確認する。情報が一致していた場合、取得したユーザー情報を付与した認証方法切替要求のデータを生成し、車載装置100に対して送信する。 When communication between the external terminal 200 and the server 300 is interrupted, the terminal function switching authentication unit 252 of the data generation unit 250 causes the display unit 230 to display a screen that asks the user whether to switch the authentication method. If the user requests to switch the authentication method, the data generation unit 250 causes the display unit 230 to display a screen that asks the user to enter function switching information such as a password or biometric information as shown in FIG. 3, and checks whether the entered information matches the function switching information that was registered in advance. If the information matches, data for an authentication method switching request is generated with the acquired user information attached, and is sent to the in-vehicle device 100.

 データ生成部250の暗号生成部254は、認証方法が暗号鍵認証に切り替わった際に、暗号鍵を用いて操作情報に付与する暗号の生成を実施する。 When the authentication method is switched to encryption key authentication, the encryption code generation unit 254 of the data generation unit 250 uses the encryption key to generate an encryption code to be assigned to the operation information.

 端末鍵情報記憶部270は、認証方法が暗号鍵認証に切り替わった際に用いる暗号鍵を保存する。 The terminal key information storage unit 270 stores the encryption key used when the authentication method is switched to encryption key authentication.

 トークン記憶部280は、認証方法がトークン認証の際に操作情報に付与する、サーバー300から発行されたトークンを保存する。なお、保存されるトークンの数は1つに限定されることはなく、特許文献1のように複数のトークンを保存していてもよい。 The token storage unit 280 stores a token issued by the server 300, which is added to the operation information during token authentication by the authentication method. Note that the number of tokens stored is not limited to one, and multiple tokens may be stored as in Patent Document 1.

 端末機能切替情報記憶部290は、認証方法切替に必要なパスワードや生体情報等のユーザー情報を保存する。 The terminal function switching information storage unit 290 stores user information such as passwords and biometric information required for switching authentication methods.

 続いてサーバー300の機能構成について説明する。サーバー300は、端末情報認証部310、トークン認証部320、トークン生成部330、サーバー通信部340、及び記憶部350を備える。記憶部350はさらに端末情報記憶部360及びサーバートークン記憶部370を備える。 Next, the functional configuration of the server 300 will be described. The server 300 includes a terminal information authentication unit 310, a token authentication unit 320, a token generation unit 330, a server communication unit 340, and a storage unit 350. The storage unit 350 further includes a terminal information storage unit 360 and a server token storage unit 370.

 サーバー300は外部端末200へトークンを発行し、車両10に対してトークンの認証を実施する。なお、端末情報記憶部360、サーバートークン記憶部370は別々のブロックで表現しているが、単一の記憶媒体の記憶領域に個々に割り振る、あるいは複数の記憶媒体の記憶領域に任意に配置されていてもよい。 The server 300 issues a token to the external terminal 200 and authenticates the token with the vehicle 10. Note that the terminal information storage unit 360 and the server token storage unit 370 are represented as separate blocks, but they may be individually allocated to the storage area of a single storage medium, or may be arbitrarily arranged in the storage areas of multiple storage media.

 端末情報認証部310は、外部端末200と最初に通信を実施した際に、外部端末200の端末情報と、対になる車両10の情報をリンクさせて端末情報記憶部360へ保存する。次回以降ある外部端末からアクセスがあったとき、アクセスしてきたその外部端末の情報が端末情報記憶部360に保存している情報と合致しているか確認し、合致していればトークン生成部330によるトークン発行を許可する。 When the terminal information authentication unit 310 first communicates with the external terminal 200, it links the terminal information of the external terminal 200 with the information of the paired vehicle 10 and stores them in the terminal information storage unit 360. From the next time an external terminal accesses the unit, it checks whether the information of the external terminal that accessed the unit matches the information stored in the terminal information storage unit 360, and if they match, it allows the token generation unit 330 to issue a token.

 トークン認証部320は、車両10から送られたトークンが正規の物であるか認証を行い、正規の物であった場合、車両10に対して肯定応答を返信する。 The token authentication unit 320 authenticates whether the token sent from the vehicle 10 is genuine, and if it is genuine, returns a positive response to the vehicle 10.

 トークン生成部330は、外部端末200に対してトークンを発行し、現在発行しているトークン情報と発行した端末情報をセットにしてサーバートークン記憶部370へ保存する。トークン生成は、外部端末200からの発行依頼が端末情報認証部310に許可された場合、または車両10から送付されたトークン認証が認証成功した場合、新規のトークンを外部端末200に対して発行する。また、発行するトークンには使用期限を設定し、トークンの使用期限が切れている場合、または車両10からのトークン認証が失敗した場合、サーバートークン記憶部370に保存している現在のトークン情報を破棄し、同トークンで認証処理が実施できないようにする。 The token generation unit 330 issues a token to the external terminal 200, and stores the currently issued token information and the issued terminal information as a set in the server token storage unit 370. A new token is issued to the external terminal 200 when an issuance request from the external terminal 200 is permitted by the terminal information authentication unit 310, or when the token authentication sent from the vehicle 10 is successful. In addition, an expiration date is set for the issued token, and if the token expiration date has expired or if the token authentication from the vehicle 10 has failed, the current token information stored in the server token storage unit 370 is discarded, and authentication processing cannot be performed with that token.

 サーバー通信部340は、5Gのような長距離通信規格を用いて、外部端末200と車両10、または車載装置100と通信を実施する既存の無線通信モジュールである。 The server communication unit 340 is an existing wireless communication module that communicates between the external terminal 200 and the vehicle 10 or the in-vehicle device 100 using a long-distance communication standard such as 5G.

 端末情報記憶部360は、端末情報認証部310からアクセスを許可された外部端末200の端末情報を保存する。 The terminal information storage unit 360 stores the terminal information of the external terminal 200 that has been permitted to access by the terminal information authentication unit 310.

 サーバートークン記憶部370は、前記トークン生成部330が発行した現在有効であるトークンと、そのトークンが発行されている端末情報を保存する。 The server token storage unit 370 stores the currently valid tokens issued by the token generation unit 330 and the terminal information for which the tokens were issued.

 続いて、本実施例において各処理部が実行する処理についてフローチャートを用いて説明する。図4は、実施例1に係る外部端末200が実行する処理のフローチャートである。 Next, the processing executed by each processing unit in this embodiment will be described using a flowchart. FIG. 4 is a flowchart of the processing executed by the external terminal 200 according to the first embodiment.

 まずステップ100において、外部端末200はサーバー300に対して自身の端末情報を送信し、トークンの発行を依頼してステップ101へ移行する。ステップ101において、外部端末200はサーバー300からの応答を待ち、端末認証が成功であればステップ102へ、失敗であればステップ100へ移行する。 First, in step 100, the external terminal 200 sends its own terminal information to the server 300, requests the issuance of a token, and proceeds to step 101. In step 101, the external terminal 200 waits for a response from the server 300, and if the terminal authentication is successful, it proceeds to step 102, and if it is unsuccessful, it proceeds to step 100.

 ステップ102において、外部端末200はサーバー300から発行されたトークンを、トークン記憶部280へ保存し、ステップ103へ移行する。 In step 102, the external terminal 200 stores the token issued by the server 300 in the token storage unit 280 and proceeds to step 103.

 ステップ103において、外部端末200はサーバー300との通信状態の確認を実施し、ステップ104へ移行する。ステップ104において、外部端末200とサーバー300の通信状態が通信可能であった場合ステップ105へ、通信途絶状態であった場合ステップ111へ移行する。以降、ステップ105~110はトークンを用いた認証処理、ステップ111~125は暗号鍵暗号を用いた認証処理の処理フローを表す。 In step 103, the external terminal 200 checks the communication status with the server 300 and proceeds to step 104. In step 104, if the communication status between the external terminal 200 and the server 300 is available, the process proceeds to step 105, and if the communication status is interrupted, the process proceeds to step 111. From here on, steps 105 to 110 represent the authentication process using a token, and steps 111 to 125 represent the process flow for authentication process using encryption key cryptography.

 ステップ105において、データ生成部250はトークン記憶部280に保存されているトークンの使用期限を確認し、ステップ106へ移行する。ステップ106において、トークン記憶部280に保存されているトークンの使用期限が期限内であった場合ステップ107へ、期限切れであった場合現在保存されているトークンを破棄してステップ100へ遷移する。 In step 105, the data generation unit 250 checks the expiration date of the token stored in the token storage unit 280 and proceeds to step 106. In step 106, if the expiration date of the token stored in the token storage unit 280 is within the expiration date, the process proceeds to step 107; if the expiration date has expired, the currently stored token is discarded and the process proceeds to step 100.

 ステップ107において、データ生成部250は操作部240よりユーザーの入力した操作情報を読み取り、ステップ108へ移行する。 In step 107, the data generation unit 250 reads the operation information input by the user from the operation unit 240, and proceeds to step 108.

 ステップ108において、データ生成部250は操作部240から読み取った操作情報に、トークン記憶部280に保存されているトークンを付与して送信データを生成し、端末通信部B220から車両10に対して送信してステップ109へ移行する。ステップ109において、外部端末200は車両10からの操作情報に対する応答を待ち、肯定応答であった場合ステップ110へ、否定応答であった場合現在保存されているトークンを破棄してステップ100へ移行する。 In step 108, the data generation unit 250 generates transmission data by adding the token stored in the token storage unit 280 to the operation information read from the operation unit 240, and transmits the data from the terminal communication unit B220 to the vehicle 10, and proceeds to step 109. In step 109, the external terminal 200 waits for a response to the operation information from the vehicle 10, and if the response is positive, proceeds to step 110, and if the response is negative, discards the currently stored token and proceeds to step 100.

 ステップ110において、外部端末200は車両10へ送信したトークンを破棄し、サーバー300から新たに発行されたトークンをトークン記憶部280へ保存してステップ103へ移行する。 In step 110, the external terminal 200 discards the token sent to the vehicle 10, stores the newly issued token from the server 300 in the token storage unit 280, and proceeds to step 103.

 ステップ104において、外部端末200とサーバー300の通信状態が通信途絶状態であった場合はステップ111において、端末機能切替認証部252はユーザーに対して認証方法の切り替えを実施するか確認する画面を表示させてステップ112へ移行する。ステップ112において、端末機能切替認証部252はユーザーからの入力を待ち、操作部240から読み取った入力が認証機能の切り替えが必要であればステップ113へ、不要であればステップ103へ移行する。 If the communication state between the external terminal 200 and the server 300 is interrupted in step 104, then in step 111 the terminal function switching authentication unit 252 displays a screen for the user to confirm whether or not to switch the authentication method, and proceeds to step 112. In step 112, the terminal function switching authentication unit 252 waits for input from the user, and if the input read from the operation unit 240 indicates that switching of the authentication function is necessary, it proceeds to step 113, and if not, it proceeds to step 103.

 ステップ113において、端末機能切替認証部252はユーザーに対して図3のようなパスワードや生体情報等の機能切替情報の入力を求める画面を表示部230に表示させてステップ114へ移行する。 In step 113, the terminal function switching authentication unit 252 displays a screen on the display unit 230 requesting the user to input function switching information such as a password and biometric information as shown in FIG. 3, and then proceeds to step 114.

 ステップ114において、端末機能切替認証部252はユーザーからの入力を待ち、操作部240から読み取った機能切替情報と、端末機能切替情報記憶部290に保存されている機能切替情報とを比較認証を実施し、ステップ115へ移行する。ステップ115において、機能切替情報の認証が成功した場合ステップ116へ、失敗した場合ステップ103へ移行する。 In step 114, the terminal function switching authentication unit 252 waits for input from the user, compares and authenticates the function switching information read from the operation unit 240 with the function switching information stored in the terminal function switching information storage unit 290, and proceeds to step 115. In step 115, if the authentication of the function switching information is successful, the process proceeds to step 116; if it is unsuccessful, the process proceeds to step 103.

 ステップ116において、データ生成部250はステップ114で認証された機能切替情報を認証方法切替要求に付与して端末通信部B220から車両10に送信してステップ117へ移行する。ステップ117において、端末機能切替認証部252は車両10からの認証方法切替要求に対する応答を待ち、肯定応答であればステップ118へ、否定応答であればステップ103へ移行する。 In step 116, the data generation unit 250 adds the function switching information authenticated in step 114 to the authentication method switching request, transmits it from the terminal communication unit B220 to the vehicle 10, and proceeds to step 117. In step 117, the terminal function switching authentication unit 252 waits for a response to the authentication method switching request from the vehicle 10, and proceeds to step 118 if the response is positive, or to step 103 if the response is negative.

 ステップ118において、端末機能切替認証部252は端末通信部A210とサーバー300との通信状態を確認してステップ119へ移行する。ステップ119において、サーバー300との通信状態が通信不可であった場合ステップ121へ、通信可能であった場合ステップ120へ移行する。 In step 118, the terminal function switching authentication unit 252 checks the communication state between the terminal communication unit A210 and the server 300, and proceeds to step 119. In step 119, if the communication state with the server 300 is not available, the process proceeds to step 121; if the communication state is available, the process proceeds to step 120.

 ステップ120において、端末機能切替認証部252は認証方法を暗号鍵認証からトークン認証へと切り替え、ステップ103へ移行する。 In step 120, the terminal function switching authentication unit 252 switches the authentication method from encryption key authentication to token authentication, and proceeds to step 103.

 ステップ121において、端末機能切替認証部252は車両10により認証方法の強制切替が実施されていないか確認する。強制切替が実施されていない場合ステップ122へ、強制切替が実施されている場合外部端末200による車両10に対する操作を停止し処理を終了する。 In step 121, the terminal function switching authentication unit 252 checks whether forced switching of the authentication method has been performed by the vehicle 10. If forced switching has not been performed, the process proceeds to step 122. If forced switching has been performed, the process stops operation of the vehicle 10 by the external terminal 200 and ends the process.

 ステップ122において、データ生成部250は操作部240からユーザーの操作の読み取りを実施し、ステップ123へ移行する。この操作とはユーザーから車両10に指令される任意の操作のことである。 In step 122, the data generation unit 250 reads the user's operation from the operation unit 240, and proceeds to step 123. This operation is any operation commanded by the user to the vehicle 10.

 ステップ123において、データ生成部250は操作部240から読み取った操作情報により送信データを生成し、端末通信部B220から車両10に対して操作要求を送信し、ステップ124へ移行する。 In step 123, the data generation unit 250 generates transmission data based on the operation information read from the operation unit 240, transmits an operation request from the terminal communication unit B220 to the vehicle 10, and proceeds to step 124.

 ステップ124において、暗号生成部254は車両10からの乱数情報を含む暗号鍵暗号要求を受信し、受信した乱数と端末鍵情報記憶部270に保存された暗号鍵から暗号鍵暗号を生成し、ステップ125へ移行する。 In step 124, the encryption key encryption generator 254 receives an encryption key encryption request including random number information from the vehicle 10, generates an encryption key encryption from the received random number and the encryption key stored in the terminal key information storage unit 270, and proceeds to step 125.

 ステップ125において、データ生成部250はステップ124で暗号生成部254が生成した暗号鍵暗号から送信データを生成し、端末通信部B220から車両10へ送信し、車両10からの応答受信後ステップ118へ移行する。 In step 125, the data generation unit 250 generates transmission data from the encryption key encryption generated by the encryption generation unit 254 in step 124, transmits the data from the terminal communication unit B220 to the vehicle 10, and proceeds to step 118 after receiving a response from the vehicle 10.

 図5は、実施例1に係る車載装置100が実行する処理のフローチャートである。 FIG. 5 is a flowchart of the process executed by the in-vehicle device 100 according to the first embodiment.

 まずステップ200において、車載装置100は外部端末200から認証方法の切替要求が来ているか確認し、切替要求がある場合はステップ201へ、切替要求がない場合はステップ221へ移行する。以降、ステップ201~220は暗号鍵暗号を用いた認証処理、ステップ221~226はトークンを用いた認証処理の処理フローを表す。 First, in step 200, the in-vehicle device 100 checks whether a request to switch the authentication method has been received from the external terminal 200. If there is a request to switch, the process proceeds to step 201. If there is no request to switch, the process proceeds to step 221. From here on, steps 201 to 220 represent the process flow of authentication processing using encryption key encryption, and steps 221 to 226 represent the process flow of authentication processing using a token.

 ステップ201において、機能切替認証部136は外部端末200から受信した認証方法切替要求に含まれる、ユーザーのパスワードや顔画像等の生体情報を含む機能切替情報と、機能切替情報記憶部180に保存されている機能切替情報の比較認証を実施し、ステップ202へ移行する。ステップ202において、ステップ201の機能切替情報の認証が成功であればステップ204へ、失敗であればステップ203へ移行する。 In step 201, the function switching authentication unit 136 performs a comparison and authentication between the function switching information, including the user's password and biometric information such as a facial image, contained in the authentication method switching request received from the external terminal 200, and the function switching information stored in the function switching information storage unit 180, and then proceeds to step 202. In step 202, if the authentication of the function switching information in step 201 is successful, the process proceeds to step 204, and if it is unsuccessful, the process proceeds to step 203.

 ステップ203において、認証部130は認証方法切替要求に対する否定応答を車載通信部110から車外端末200へ送信し、ステップ200へ移行する。ステップ204において、認証部130は認証方法切替要求に対する肯定応答を車載通信部110から車外端末200へ送信し、ステップ205へ移行する。 In step 203, the authentication unit 130 transmits a negative response to the authentication method switching request from the in-vehicle communication unit 110 to the external terminal 200, and proceeds to step 200. In step 204, the authentication unit 130 transmits a positive response to the authentication method switching request from the in-vehicle communication unit 110 to the external terminal 200, and proceeds to step 205.

 ステップ205において、機能切替認証部136は外部端末200からの操作要求に対する車載装置100の認証方法を、トークン認証から暗号鍵暗号認証へ切り替える。また、同時に動作監視部140は車載装置100と外部端末200の、認証方法切替以降の通信内容及びタイムスタンプ、外部端末200の情報のログ記憶部190への保存を開始し、ステップ206へ移行する。 In step 205, the function switching authentication unit 136 switches the authentication method of the in-vehicle device 100 in response to an operation request from the external terminal 200 from token authentication to encryption key encryption authentication. At the same time, the operation monitoring unit 140 starts saving the communication contents and timestamps between the in-vehicle device 100 and the external terminal 200 after the authentication method switching, and the information of the external terminal 200 in the log storage unit 190, and proceeds to step 206.

 ステップ206において、動作監視部140による動作監視が実施中であるか確認し、実施中である場合ステップ208へ、実施されていない場合ステップ207へ移行する。ステップ207において、動作監視部140は車外通信装置20による車両10とサーバー300との通信状態、及びエンジン制御ECU40より以降の車両10の走行距離の監視を開始し、ステップ208へ移行する。なお車両10とサーバー300との間の通信状態が通信可能に復帰したのにもかかわらず一定時間以上外部端末200からの操作情報の認証方法が暗号鍵認証であった場合、または暗号鍵認証に切り替わってからの車両10の走行距離が一定距離を超過した場合、動作監視部140は車両の動作状態がNGであると判定する。 In step 206, it is confirmed whether operation monitoring by the operation monitoring unit 140 is being performed. If it is being performed, the process proceeds to step 208. If it is not being performed, the process proceeds to step 207. In step 207, the operation monitoring unit 140 starts monitoring the communication state between the vehicle 10 and the server 300 by the external communication device 20, and the distance traveled by the vehicle 10 after the engine control ECU 40, and proceeds to step 208. Note that if the authentication method for operation information from the external terminal 200 is encryption key authentication for a certain period of time or more even though the communication state between the vehicle 10 and the server 300 has returned to communication-enabled, or if the distance traveled by the vehicle 10 since switching to encryption key authentication exceeds a certain distance, the operation monitoring unit 140 determines that the operation state of the vehicle is NG.

 ステップ208において、認証部130は外部端末200からの操作要求受信を待ち、操作要求を受信した場合、ステップ209へ移行する。操作要求を受信しない場合はそのまま待機する。 In step 208, the authentication unit 130 waits to receive an operation request from the external terminal 200, and if an operation request is received, the process proceeds to step 209. If no operation request is received, the process continues to wait.

 ステップ209において、乱数生成部120は暗号鍵暗号用の乱数を生成し、ステップ210へ移行する。 In step 209, the random number generation unit 120 generates a random number for the encryption key encryption and proceeds to step 210.

 ステップ210において、乱数生成部120はステップ209で生成した乱数情報を車載通信部110から外部端末200へ送信し、ステップ211へ移行する。 In step 210, the random number generation unit 120 transmits the random number information generated in step 209 from the in-vehicle communication unit 110 to the external terminal 200, and then proceeds to step 211.

 ステップ211において、認証部130は外部端末200からの暗号鍵暗号受信を待ち、暗号鍵暗号を受信した場合、ステップ212へ移行する。 In step 211, the authentication unit 130 waits to receive the encryption key cipher from the external terminal 200, and if an encryption key cipher is received, the process proceeds to step 212.

 ステップ212において、端末操作認証部134は外部端末200から受信した暗号鍵暗号と鍵情報記憶部160に保存されている暗号鍵から暗号鍵暗号の復号を行い、ステップ213へ移行する。 In step 212, the terminal operation authentication unit 134 decrypts the encryption key encryption received from the external terminal 200 using the encryption key stored in the key information storage unit 160, and then proceeds to step 213.

 ステップ213において、端末操作認証部134はステップ212で復号した暗号鍵暗号とステップ209で乱数生成部120が生成した乱数が一致しているか確認し、一致している場合ステップ214へ、一致していなければステップ200へ移行する。 In step 213, the terminal operation authentication unit 134 checks whether the encryption key encryption decrypted in step 212 matches the random number generated by the random number generation unit 120 in step 209. If they match, the process proceeds to step 214; if they do not match, the process proceeds to step 200.

 ステップ214において、認証部130は外部端末200に対して否定応答を送信しステップ200へ移行する。 In step 214, the authentication unit 130 sends a negative response to the external terminal 200 and proceeds to step 200.

 ステップ215において、認証部130は外部端末200に対して肯定応答を送信しステップ216へ移行する。 In step 215, the authentication unit 130 sends a positive response to the external terminal 200 and proceeds to step 216.

 ステップ216において、認証部130は外部端末200から要求された操作を実施し、ステップ217へ移行する。 In step 216, the authentication unit 130 performs the operation requested by the external terminal 200 and proceeds to step 217.

 ステップ217において、動作監視部140は現在の車両10の動作状態が動作NG状態であるか確認し、動作NGであればステップ218へ、動作NGでない場合はステップ206へ移行する。 In step 217, the operation monitoring unit 140 checks whether the current operation status of the vehicle 10 is in an operation NG state, and if it is, proceeds to step 218, and if it is not, proceeds to step 206.

 ステップ218において、動作監視部140は認証方法を暗号鍵暗号認証からトークン認証へ強制的に切り替えを実施し、現在の暗号鍵を認証で使用できないようにロックをかけてステップ219へ移行する。 In step 218, the operation monitoring unit 140 forcibly switches the authentication method from encryption key encryption authentication to token authentication, locks the current encryption key so that it cannot be used for authentication, and proceeds to step 219.

 ステップ219において、動作監視部140は車両10とサーバー300との通信状態を監視し、通信可能であればステップ220へ移行する。通信不可であればそのまま待機する。 In step 219, the operation monitoring unit 140 monitors the communication state between the vehicle 10 and the server 300, and if communication is possible, the process proceeds to step 220. If communication is not possible, the process waits.

 ステップ220において、動作監視部140はログ記憶部190における最新ログとGPS受信機50による現在地情報をまとめて、車外通信装置20からサーバー300に対して不正利用通知として送信し認証処理の操作を終了する。 In step 220, the operation monitoring unit 140 combines the latest log in the log storage unit 190 and the current location information from the GPS receiver 50, and transmits this as an unauthorized use notification from the external vehicle communication device 20 to the server 300, and ends the authentication process.

 ステップ200において認証方法の切替要求がない場合、ステップ221において、認証部130は外部端末200からの操作要求及びトークンの受信を待ち、それらを受信した場合、ステップ222へ移行する。受信がない場合にはそのまま待機する。 If there is no request to switch the authentication method in step 200, in step 221, the authentication unit 130 waits for an operation request and token from the external terminal 200, and if they are received, proceeds to step 222. If they are not received, it continues to wait.

 ステップ222において、サーバー経由操作認証部132はステップ221にて受信した操作要求に付与されたトークン情報を抽出し、車外通信装置20からサーバー300へトークン認証要求を送信してステップ223へ移行する。ステップ223においてサーバー300からのトークン認証要求に対する応答を待ち、認証が成功であればステップ225へ移行し、認証失敗であればステップ224へ移行する。 In step 222, the server-via-operation authentication unit 132 extracts the token information attached to the operation request received in step 221, transmits a token authentication request from the exterior vehicle communication device 20 to the server 300, and proceeds to step 223. In step 223, it waits for a response to the token authentication request from the server 300, and proceeds to step 225 if the authentication is successful, or proceeds to step 224 if the authentication is unsuccessful.

 ステップ224において、認証部130は外部端末200に対して否定応答を送信しステップ200へ移行する。 In step 224, the authentication unit 130 sends a negative response to the external terminal 200 and proceeds to step 200.

 ステップ225において、認証部130は外部端末200に対して肯定応答を送信しステップ226へ移行する。 In step 225, the authentication unit 130 sends a positive response to the external terminal 200 and proceeds to step 226.

 ステップ226において、認証部130は外部端末200から要求された操作を実施し、ステップ200へ移行する。 In step 226, the authentication unit 130 performs the operation requested by the external terminal 200 and proceeds to step 200.

 図6は、実施例1に係るサーバー300が実行する処理のフローチャートである。 FIG. 6 is a flowchart of the process executed by the server 300 according to the first embodiment.

 まずステップ300において、サーバー300は自身が受信した要求の種類を判別する。要求が外部端末200から受信したトークン発行要求である場合ステップ301へ、要求が車両10から受信したトークン認証要求である場合ステップ307へ移行する。 First, in step 300, the server 300 determines the type of request it has received. If the request is a token issuance request received from the external terminal 200, it proceeds to step 301. If the request is a token authentication request received from the vehicle 10, it proceeds to step 307.

 受信した要求がトークン発行である場合、ステップ301において、端末情報認証部310は外部端末200から受信した端末情報と、端末情報記憶部360に保存された端末情報と、により比較認証を実施し、ステップ302へ移行する。 If the received request is for token issuance, in step 301, the terminal information authentication unit 310 performs a comparison authentication between the terminal information received from the external terminal 200 and the terminal information stored in the terminal information storage unit 360, and then proceeds to step 302.

 ステップ302において、端末情報認証部310はステップ301で実施した端末情報の比較結果が一致していた場合はステップ304へ、一致していなかった場合ステップ303へ移行する。 In step 302, if the terminal information authentication unit 310 compares the terminal information performed in step 301 and the results show a match, it proceeds to step 304, and if the results show a match, it proceeds to step 303.

 ステップ303において、端末情報認証部310はサーバー通信部340から外部端末200に対して否定応答を送信し、ステップ300へ移行する。 In step 303, the terminal information authentication unit 310 sends a negative response from the server communication unit 340 to the external terminal 200, and proceeds to step 300.

 ステップ304において、端末情報認証部310はサーバー通信部340から外部端末200に対して肯定応答を送信し、ステップ305へ移行する。 In step 304, the terminal information authentication unit 310 sends a positive response from the server communication unit 340 to the external terminal 200, and proceeds to step 305.

 ステップ305において、トークン生成部330は新規のトークンを発行し、サーバートークン記憶部370へトークン情報を保存してステップ306へ移行する。 In step 305, the token generation unit 330 issues a new token, stores the token information in the server token storage unit 370, and proceeds to step 306.

 ステップ306において、トークン生成部330はサーバー通信部340から外部端末200に対してトークンを送信し、ステップ300へ移行する。 In step 306, the token generation unit 330 transmits the token from the server communication unit 340 to the external terminal 200, and the process proceeds to step 300.

 ステップ300において受信した要求がトークン認証である場合、ステップ307において、トークン認証部320は車両10から受信したトークン情報とサーバートークン記憶部370に保存しているトークン情報により認証を実施し、ステップ308へ移行する。  If the request received in step 300 is for token authentication, in step 307, the token authentication unit 320 performs authentication using the token information received from the vehicle 10 and the token information stored in the server token storage unit 370, and proceeds to step 308.

 ステップ308において、トークン認証部320はステップ307で実施した認証結果を確認し、認証成功であればステップ310へ、認証失敗であればステップ309へ移行する。 In step 308, the token authentication unit 320 checks the result of the authentication performed in step 307, and if the authentication is successful, the process proceeds to step 310, and if the authentication is unsuccessful, the process proceeds to step 309.

 ステップ309において、トークン認証部320はサーバー通信部340から車両10に対して否定応答を送信し、ステップ300へ移行する。 In step 309, the token authentication unit 320 sends a negative response from the server communication unit 340 to the vehicle 10, and proceeds to step 300.

 ステップ310において、トークン認証部320はサーバー通信部340から車両10に対して肯定応答を送信し、ステップ311へ移行する。 In step 310, the token authentication unit 320 sends a positive response from the server communication unit 340 to the vehicle 10, and proceeds to step 311.

 ステップ311において、トークン生成部330は更新用のトークンを発行し、ステップ312へ移行する。 In step 311, the token generation unit 330 issues an update token and proceeds to step 312.

 ステップ312において、トークン生成部330はサーバー通信部340から外部端末200に対してステップ311で発行したトークンを送信し、ステップ300へ移行する。 In step 312, the token generation unit 330 transmits the token issued in step 311 to the external terminal 200 from the server communication unit 340, and then proceeds to step 300.

 以上、本実施例によれば、外部端末200とサーバーとの間の通信状況によって外部端末200から車両10に対して送信される操作要求の認証方法を切り替えている。具体的には、外部端末200とサーバー300との間が通信途絶状態にある場合には、外部端末200から車両10に対して送信される操作要求に対して、外部端末200が生成した暗号鍵による認証を実行している。これにより、外部端末200とサーバー300とが通信途絶にある状況であっても、車両が操作不可になってしまう危険性を回避することが可能になっている。 As described above, according to this embodiment, the authentication method for the operation request sent from the external terminal 200 to the vehicle 10 is switched depending on the communication status between the external terminal 200 and the server. Specifically, when communication between the external terminal 200 and the server 300 is interrupted, authentication is performed using an encryption key generated by the external terminal 200 for the operation request sent from the external terminal 200 to the vehicle 10. This makes it possible to avoid the risk of the vehicle becoming inoperable even in a situation where communication between the external terminal 200 and the server 300 is interrupted.

[実施例2]
 続いて本発明の実施例2について図7-8を用いて説明する。本実施例においては、システム構成は実施例1と同様であるが、ユーザーからの操作が外部端末200からではなく車両10に対して直接実施される点が実施例1と異なる。車両10に対して直接実施される操作とは、例えばドアの物理的なボタンからドア制御ECU30が鍵の開閉操作を要求された場合や、スマートプッシュキーによりエンジン制御ECU40がエンジンの始動を要求された場合を指す。 [Example 2]
Next, a second embodiment of the present invention will be described with reference to Figures 7 and 8. In this embodiment, the system configuration is the same as in the first embodiment, but it differs from the first embodiment in that the user's operation is performed directly on the vehicle 10, not through the external terminal 200. An operation performed directly on the vehicle 10 refers to, for example, a case where the door control ECU 30 is requested to open or close the door using a physical button on the door, or a case where the engine control ECU 40 is requested to start the engine using a smart push key.

 図7は実施例2に係る外部端末200が実行する処理を示すフローチャートである。なお、図4にて説明した、実施例1において実施される処理と同一の処理については同じ符号を付し、説明を省略する。また、サーバー300が実行する処理は実施例1に係る図6と同一のため説明は省略する。 FIG. 7 is a flowchart showing the processing executed by the external terminal 200 according to the second embodiment. Note that the same processes as those executed in the first embodiment, explained in FIG. 4, are given the same reference numerals, and the explanation is omitted. Also, the processing executed by the server 300 is the same as that in FIG. 6 according to the first embodiment, and therefore the explanation is omitted.

 ステップ106において、トークン記憶部280に保存されているトークンの使用期限が期限内であった場合、ステップ407において、データ生成部250はユーザーが車両10に対して直接実施した操作情報を受信し、ステップ108へ移行する。その後の処理は図4を用いて説明した処理内容と同一である。  If, in step 106, the token stored in the token storage unit 280 is within its expiration date, in step 407, the data generation unit 250 receives information about the operation performed directly by the user on the vehicle 10, and the process proceeds to step 108. The subsequent processing is the same as that described using FIG. 4.

 ステップ121において、車両10から認証方法の強制的な切り替えがされなかった場合、ステップ421において、データ生成部250はユーザーが車両10に対して直接実施した操作情報を受信し、ステップ123へ移行する。その後の処理は図4を用いて説明した処理内容と同一である。 If the vehicle 10 does not forcibly switch the authentication method in step 121, the data generation unit 250 receives information about the operation performed directly by the user on the vehicle 10 in step 421, and the process proceeds to step 123. The subsequent processing is the same as the processing described with reference to FIG. 4.

 図8は実施例2に係る車載装置100が実施する処理を示すフローチャートである。なお、図5にて説明した、実施例2において実施される処理と同一の処理については同じ符号を付し、説明を省略する。 FIG. 8 is a flowchart showing the process performed by the in-vehicle device 100 according to the second embodiment. Note that the same processes as those performed in the second embodiment described in FIG. 5 are denoted by the same reference numerals, and the description thereof will be omitted.

 ステップ500において、認証部130は車載装置100に接続されている他ECUに対して、ユーザーから直接操作が実施されていないか確認し、されている場合はステップ501へ移行する。ユーザーから直接操作されていない場合にはそのまま待機する。 In step 500, the authentication unit 130 checks whether the other ECUs connected to the in-vehicle device 100 have been directly operated by the user, and if so, proceeds to step 501. If no direct operation has been performed by the user, the process waits.

 ステップ501において、認証部130は他ECUがユーザーから要求された操作情報を外部端末200へ送信し、ステップ200へ移行する。 In step 501, the authentication unit 130 transmits the operation information requested by the user from the other ECU to the external terminal 200, and then proceeds to step 200.

 なお、ステップ500、ステップ501はユーザーから車両10への直接操作があった際に動作し、割り込みでステップ200へ移行する。  Steps 500 and 501 are performed when the user directly operates the vehicle 10, and transition to step 200 occurs as an interrupt.

 本実施例によれば、ユーザーが車両に操作指示を直接与えた場合であっても、車両から外部端末に操作情報が送信されて認証されるため、外部端末とサーバーとが通信途絶状態にある場合であっても車両が操作不能状態に陥ることを防止することが可能になっている。 According to this embodiment, even if the user directly issues operational instructions to the vehicle, the operational information is sent from the vehicle to the external terminal and authenticated, so it is possible to prevent the vehicle from becoming inoperable even if communication between the external terminal and the server is cut off.

 なお、本発明は上記した実施例に限定されるものではなく、様々な変形例が含まれる。例えば、上記した実施例は本発明を分かりやすく説明するために詳細に説明したものであり、必ずしも説明した全ての構成を備えるものに限定されるものではない。 The present invention is not limited to the above-described embodiment, but includes various modifications. For example, the above-described embodiment has been described in detail to clearly explain the present invention, and is not necessarily limited to having all of the configurations described.

 また、本発明の図4~8における処理フローにおいて、2つ以上の装置が相手からの応答を待つ処理が存在するが、これは必ずしも相手からの応答を待ち続けることに限定されず、適宜一定時間応答がなかった場合は処理を終了等のタイムアウト処理を行ってもよい。 In addition, in the processing flows of the present invention in Figures 4 to 8, there is processing in which two or more devices wait for a response from the other party, but this is not necessarily limited to continuing to wait for a response from the other party, and if there is no response for a certain period of time, a timeout process may be performed to terminate the processing, etc.

 また、図4、8においてトークン認証が失敗した場合、外部端末200はサーバー300へ再度端末情報を送信してトークンを再発行しているが、トークン再発行に端末情報を使用することに限定されず、例えばサーバー300から外部端末200に対してトークンを発行する際にリフレッシュトークンを同時に発行し、外部端末200はトークン再発行を要求する際に端末情報ではなくリフレッシュトークンによって再発行要求を実施してもよい。 In addition, in the case where token authentication fails in Figures 4 and 8, the external terminal 200 reissues the token by sending the terminal information to the server 300 again, but it is not limited to using the terminal information to reissue the token. For example, when issuing a token from the server 300 to the external terminal 200, a refresh token may be issued at the same time, and when requesting token reissue, the external terminal 200 may make the reissue request using the refresh token rather than the terminal information.

 また、本発明ではサーバー経由操作認証にトークン認証、端末操作認証に暗号鍵暗号を使用しているが、この認証方法に限定されることはなく、あくまでサーバーによる認証の有無により認証方法が分かれていればよい。例えばトークン認証の代わりにサーバーによる暗号鍵を用いた電子署名を適用してもよい。 In addition, in the present invention, token authentication is used for authentication of operations via the server, and encryption key cryptography is used for authentication of terminal operations, but the present invention is not limited to this authentication method, and it is sufficient that the authentication method is different depending on whether or not authentication is performed by the server. For example, instead of token authentication, an electronic signature using an encryption key by the server may be applied.

 また、本発明ではトークン認証を車両10とサーバー300間で実施しているが、トークンの認証方法はこれに限定されず、外部端末200と車両10間の操作の認証にサーバーが介在していればよい。例えば外部端末200から車両10へ操作を実施する際、サーバー300に対してトークンを送信し、サーバー300はトークン認証後トークンに対して暗号鍵で署名を実施し、返信する。外部端末は返信された署名付きトークンを操作要求に付し、車両10は暗号鍵によって署名検証を実施することでサーバー300から認証された操作であることを確認する、といった手法を用いてもよい。 In addition, although in the present invention token authentication is performed between the vehicle 10 and the server 300, the token authentication method is not limited to this, and it is sufficient that a server is involved in authenticating operations between the external terminal 200 and the vehicle 10. For example, when an operation is performed from the external terminal 200 to the vehicle 10, a token is sent to the server 300, and after token authentication, the server 300 signs the token with an encryption key and returns it. A method in which the external terminal attaches the returned signed token to an operation request, and the vehicle 10 verifies the signature with an encryption key to confirm that the operation has been authenticated by the server 300 may also be used.

 また、各実施例は独立して成り立つ必要はなく、各実施例の機能を同時に実施可能であってもよい。 Furthermore, each embodiment does not need to stand alone, and the functions of each embodiment may be implemented simultaneously.

 また、上記の各構成、機能、処理部、処理手段等は、それらの一部または全部を、例えば集積回路で設計する等によりハードウェアで実現してもよい。 Furthermore, the above-mentioned configurations, functions, processing units, processing means, etc. may be realized in part or in whole in hardware, for example by designing them as integrated circuits.

 また、上記の各構成、機能等は、プロセッサがそれぞれの機能を実現するソフトウェアで実現してもよい。各機能を実現するプログラム、テーブル、ファイル等の情報は、メモリやハードディスク、SSD(Solid State Drive)等の記録装置、または、ICカード、SDカード、DVD等の記録媒体、マイクロコンピューター内に搭載されている各種記録媒体に置くことができる。 Furthermore, each of the above configurations, functions, etc. may be realized by software that causes a processor to realize each function. Information such as programs, tables, files, etc. that realize each function can be stored in a recording device such as memory, a hard disk, or an SSD (Solid State Drive), or in recording media such as IC cards, SD cards, DVDs, or various recording media installed in the microcomputer.

 以上で説明した本発明の実施例により、以下の作用効果が得られる。 The above-described embodiment of the present invention provides the following effects.

(1)本発明に係る車載装置の一例は、外部端末からの要求に対して認証処理を実行する認証部と、外部端末及びサーバーとの間で情報を送受信する通信部とを備え、認証部は、外部端末とサーバーとが通信可能であるとき、サーバーを経由して認証処理を実行し、外部端末とサーバーとが通信途絶であるとき、サーバーを経由せず認証処理を実行する。 (1) An example of an in-vehicle device according to the present invention includes an authentication unit that executes authentication processing in response to a request from an external terminal, and a communication unit that transmits and receives information between the external terminal and a server. When the external terminal and the server are able to communicate, the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server.

 上記構成により、外部端末-サーバー間の通信が途絶している状態であっても車両が操作不能状態に陥ることを防止することが可能になる。 The above configuration makes it possible to prevent the vehicle from becoming inoperable even if communication between the external terminal and the server is interrupted.

(2)認証処理に用いる情報を生成する生成部をさらに備え、通信部は、情報を外部端末へ送信し、外部端末により情報が暗号化された暗号情報を受信し、認証部は、外部端末とサーバーとが通信可能であるとき、サーバーが発行するトークンを用いて認証処理を実行し、外部端末とサーバーとが通信途絶であるとき、暗号情報を用いて認証処理を実行する。(1)の処理は具体的にこのようにして実行される。 (2) The device further includes a generation unit that generates information to be used in the authentication process, the communication unit transmits the information to the external terminal and receives cryptographic information in which the information is encrypted by the external terminal, and the authentication unit executes the authentication process using a token issued by the server when the external terminal and the server are able to communicate with each other, and executes the authentication process using the cryptographic information when communication between the external terminal and the server is interrupted. Specifically, the process of (1) is executed in this manner.

(3)認証部は、外部端末とサーバーとの間の通信途絶が解消されたとき、暗号情報を用いた認証処理からトークンを用いた認証処理に切り替える。暗号認証処理は第三者からサイバー攻撃を受けるリスクがあるため、トークンが使用可能になった段階でこのように速やかにトークン認証に切り替えることが好ましい。 (3) When the communication interruption between the external terminal and the server is resolved, the authentication unit switches from authentication processing using cryptographic information to authentication processing using a token. Because cryptographic authentication processing involves the risk of being subject to cyber attacks from third parties, it is preferable to switch to token authentication in this manner as soon as the token becomes available.

(4)認証部は、車両の外部通信機能が通信可能であり、かつ、外部端末とサーバーとの間の通信途絶が継続しているとき、認証処理を停止する。車両の外部通信機能が通信可能である場合には、第三者がその通信機能を利用してサイバー攻撃を仕掛ける可能性があるので認証処理を停止して内部プログラムが改ざん等されることを防止する。 (4) The authentication unit stops the authentication process when the vehicle's external communication function is capable of communication and communication between the external terminal and the server remains interrupted. If the vehicle's external communication function is capable of communication, a third party may use the communication function to launch a cyber attack, so the authentication process is stopped to prevent the internal program from being tampered with, etc.

(5)サーバーとの間の通信状態を監視する動作監視部をさらに備え、動作監視部は、外部端末とサーバーとの間の通信途絶が継続しており、かつ、サーバーと車両との間の通信途絶が解消されたとき、暗号情報を用いた認証処理を停止し、通信中の外部端末の情報と現在地情報をサーバーへ送信する。サーバーと車両との間の通信途絶が解消されるとトークン認証が再び可能になるためリスクの高い暗号認証処理を停止し、さらに諸情報をサーバーに送信してログ解析のために活用することが好ましい。 (5) The vehicle further includes an operation monitoring unit that monitors the communication status with the server, and when a communication interruption between the external terminal and the server continues and the communication interruption between the server and the vehicle is resolved, the operation monitoring unit stops the authentication process using the encryption information and transmits information on the communicating external terminal and current location information to the server. When the communication interruption between the server and the vehicle is resolved, token authentication becomes possible again, so it is preferable to stop the high-risk encryption authentication process and further transmit various information to the server for use in log analysis.

(6)動作監視部は、車両のエンジン起動からの走行距離をさらに監視し、暗号情報を用いた認証処理実行中の走行距離が一定距離を超過したとき、暗号情報を用いた認証処理を停止する。暗号情報を用いた認証処理があまりに長時間続くと外部からサイバー攻撃を受ける可能性が高まるため、その危険性を排除するために暗号情報を用いた認証処理にこのような制限を設けている。 (6) The operation monitoring unit further monitors the distance traveled since the start of the vehicle's engine, and stops the authentication process using the encryption information when the distance traveled during the authentication process using the encryption information exceeds a certain distance. If the authentication process using the encryption information continues for too long, it increases the possibility of being subjected to a cyber attack from the outside, so this restriction is imposed on the authentication process using the encryption information to eliminate that risk.

(7)認証処理の切り替えを実行するとき、外部端末から取得したパスワードあるいはユーザーの生体情報を用いた認証を必要とする。セキュリティ確保の観点からこのように処理することが好ましい。 (7) When switching between authentication processes, authentication using a password obtained from an external terminal or the user's biometric information is required. From the perspective of ensuring security, it is preferable to process in this manner.

(8)認証処理の切り替えを実行するとき、車載装置から取得したパスワードあるいはユーザーの生体情報を用いた認証を必要とする。(7)と同様にセキュリティ確保の観点からこのように処理することが好ましい。 (8) When switching between authentication processes, authentication using a password or the user's biometric information obtained from the in-vehicle device is required. As with (7), this type of processing is preferable from the perspective of ensuring security.

(9)また、本発明に係る車両認証システムの一例は、サーバーと、外部端末と、車載装置を備え、サーバーと外部端末との間の通信状態により、外部端末と車載装置との間の認証処理方法の切替を実施する車両認証システムであって、車載装置は、外部端末からの要求に対して認証処理を実行する認証部と、外部端末及びサーバーとの間で情報を送受信する通信部とを備え、認証部は、外部端末とサーバーとが通信可能であるとき、サーバーを経由して認証処理を実行し、外部端末とサーバーとが通信途絶であるとき、サーバーを経由せず認証処理を実行する。このようなシステムも、(1)に係る車載装置と同様の効果を期待できる。 (9) Also, one example of a vehicle authentication system according to the present invention is a vehicle authentication system that includes a server, an external terminal, and an in-vehicle device, and switches between authentication processing methods between the external terminal and the in-vehicle device depending on the communication state between the server and the external terminal. The in-vehicle device includes an authentication unit that executes authentication processing in response to a request from the external terminal, and a communication unit that transmits and receives information between the external terminal and the server. When the external terminal and the server are able to communicate, the authentication unit executes authentication processing via the server, and when communication between the external terminal and the server is interrupted, the authentication unit executes authentication processing without going through the server. Such a system can be expected to achieve the same effects as the in-vehicle device according to (1).

1…車両システム、10…車両、100…車載装置、110…車載通信部、120…乱数生成部、130…認証部、140…動作監視部、200…外部端末300…サーバー 1...vehicle system, 10...vehicle, 100...vehicle-mounted device, 110...vehicle-mounted communication unit, 120...random number generation unit, 130...authentication unit, 140...operation monitoring unit, 200...external terminal 300...server

Claims (9)

 外部端末からの要求に対して認証処理を実行する認証部と、
 前記外部端末及びサーバーとの間で情報を送受信する通信部とを備え、
 前記認証部は、前記外部端末と前記サーバーとが通信可能であるとき、前記サーバーを経由して前記認証処理を実行し、前記外部端末と前記サーバーとが通信途絶であるとき、前記サーバーを経由せず前記認証処理を実行する、
 ことを特徴とする車載装置。 an authentication unit that executes authentication processing in response to a request from an external terminal;
A communication unit that transmits and receives information between the external terminal and a server,
the authentication unit executes the authentication process via the server when the external terminal and the server are capable of communicating with each other, and executes the authentication process without going through the server when communication between the external terminal and the server is interrupted.
13. An in-vehicle device comprising:  請求項1に記載の車載装置であって、
 前記認証処理に用いる情報を生成する生成部をさらに備え、
 前記通信部は、前記情報を前記外部端末へ送信し、前記外部端末により前記情報が暗号化された暗号情報を受信し、
 前記認証部は、前記外部端末と前記サーバーとが通信可能であるとき、前記サーバーが発行するトークンを用いて前記認証処理を実行し、前記外部端末と前記サーバーとが通信途絶であるとき、前記暗号情報を用いて前記認証処理を実行する、
 ことを特徴とする車載装置。 The in-vehicle device according to claim 1 ,
A generating unit that generates information used in the authentication process,
The communication unit transmits the information to the external terminal, and receives encrypted information obtained by encrypting the information by the external terminal;
the authentication unit executes the authentication process using a token issued by the server when the external terminal and the server are able to communicate with each other, and executes the authentication process using the encryption information when communication between the external terminal and the server is interrupted.
13. An in-vehicle device comprising:  請求項2に記載の車載装置であって、
 前記認証部は、前記外部端末と前記サーバーとの間の通信途絶が解消されたとき、前記暗号情報を用いた前記認証処理から前記トークンを用いた前記認証処理に切り替える、
ことを特徴とする車載装置。 The in-vehicle device according to claim 2,
the authentication unit switches the authentication process from using the encryption information to using the token when the communication interruption between the external terminal and the server is resolved.
13. An in-vehicle device comprising:  請求項3に記載の車載装置であって、
 前記認証部は、車両の外部通信機能が通信可能であり、かつ、前記外部端末と前記サーバーとの間の通信途絶が継続しているとき、前記認証処理を停止する、
ことを特徴とする車載装置。 The in-vehicle device according to claim 3,
the authentication unit stops the authentication process when an external communication function of the vehicle is capable of communication and a communication interruption between the external terminal and the server continues.
13. An in-vehicle device comprising:  請求項4に記載の車載装置であって、
 前記サーバーとの間の通信状態を監視する動作監視部をさらに備え、
 前記動作監視部は、前記外部端末と前記サーバーとの間の通信途絶が継続しており、かつ、前記サーバーと前記車両との間の通信途絶が解消されたとき、前記暗号情報を用いた認証処理を停止し、通信中の前記外部端末の情報と現在地情報を前記サーバーへ送信する、
ことを特徴とする車載装置。 The in-vehicle device according to claim 4,
An operation monitoring unit that monitors a communication state with the server is further provided,
When the communication interruption between the external terminal and the server continues and the communication interruption between the server and the vehicle is resolved, the operation monitoring unit stops the authentication process using the encryption information and transmits information about the external terminal in communication and current location information to the server.
13. An in-vehicle device comprising:  請求項5に記載の車載装置であって、
 前記動作監視部は、前記車両のエンジン起動からの走行距離をさらに監視し、前記暗号情報を用いた認証処理実行中の前記走行距離が一定距離を超過したとき、前記暗号情報を用いた認証処理を停止する、
ことを特徴とする車載装置。 The in-vehicle device according to claim 5,
The operation monitoring unit further monitors a mileage of the vehicle from engine start, and when the mileage during the execution of the authentication process using the encryption information exceeds a certain distance, stops the authentication process using the encryption information.
13. An in-vehicle device comprising:  請求項3に記載の車載装置であって、
 前記認証処理の切り替えを実行するとき、前記外部端末から取得したパスワードあるいはユーザーの生体情報を用いた認証を必要とする、
 ことを特徴とする車載装置。 The in-vehicle device according to claim 3,
When switching the authentication process, authentication using a password or biometric information of the user acquired from the external terminal is required.
13. An in-vehicle device comprising:  請求項3に記載の車載装置であって、
 前記認証処理の切り替えを実行するとき、前記車載装置から取得したパスワードあるいはユーザーの生体情報を用いた認証を必要とする、
 ことを特徴とする車載装置。 The in-vehicle device according to claim 3,
When switching the authentication process, authentication using a password or biometric information of the user acquired from the in-vehicle device is required.
13. An in-vehicle device comprising:  サーバーと、外部端末と、車載装置を備え、前記サーバーと前記外部端末との間の通信状態により、前記外部端末と前記車載装置との間の認証処理方法の切替を実施する車両認証システムであって、
 前記車載装置は、
 前記外部端末からの要求に対して認証処理を実行する認証部と、
 前記外部端末及びサーバーとの間で情報を送受信する通信部とを備え、
 前記認証部は、前記外部端末と前記サーバーとが通信可能であるとき、前記サーバーを経由して前記認証処理を実行し、前記外部端末と前記サーバーとが通信途絶であるとき、前記サーバーを経由せず前記認証処理を実行する、
ことを特徴とする車両認証システム。 A vehicle authentication system including a server, an external terminal, and an in-vehicle device, the system switching an authentication processing method between the external terminal and the in-vehicle device depending on a communication state between the server and the external terminal,
The in-vehicle device includes:
an authentication unit that executes an authentication process in response to a request from the external terminal;
A communication unit that transmits and receives information between the external terminal and a server,
the authentication unit executes the authentication process via the server when the external terminal and the server are capable of communicating with each other, and executes the authentication process without going through the server when communication between the external terminal and the server is interrupted.
A vehicle authentication system comprising:
PCT/JP2023/023480 2023-06-26 2023-06-26 In-vehicle device and vehicle authentication system Pending WO2025004126A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/023480 WO2025004126A1 (en) 2023-06-26 2023-06-26 In-vehicle device and vehicle authentication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/023480 WO2025004126A1 (en) 2023-06-26 2023-06-26 In-vehicle device and vehicle authentication system

Publications (1)

Publication Number Publication Date
WO2025004126A1 true WO2025004126A1 (en) 2025-01-02

Family

ID=93937939

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/023480 Pending WO2025004126A1 (en) 2023-06-26 2023-06-26 In-vehicle device and vehicle authentication system

Country Status (1)

Country Link
WO (1) WO2025004126A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12403862B1 (en) * 2024-04-19 2025-09-02 Google Llc Central authority for certifying unbonded access to a vehicle via a digital key device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010143325A (en) * 2008-12-17 2010-07-01 Toyota Motor Corp Biometrics authentication system for vehicle
US20180093641A1 (en) * 2016-09-30 2018-04-05 Volkswagen Ag Method for access management of a vehicle
JP2019036091A (en) * 2017-08-14 2019-03-07 Kddi株式会社 Vehicle security system and vehicle security method
JP2020094346A (en) * 2018-12-10 2020-06-18 トヨタ自動車株式会社 Vehicle lock/unlock device, vehicle provided with the same, and lock/unlock system
JP2021037889A (en) * 2019-09-04 2021-03-11 トヨタ自動車株式会社 Terminals, vehicle operation systems, vehicle operation methods and programs

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010143325A (en) * 2008-12-17 2010-07-01 Toyota Motor Corp Biometrics authentication system for vehicle
US20180093641A1 (en) * 2016-09-30 2018-04-05 Volkswagen Ag Method for access management of a vehicle
JP2019036091A (en) * 2017-08-14 2019-03-07 Kddi株式会社 Vehicle security system and vehicle security method
JP2020094346A (en) * 2018-12-10 2020-06-18 トヨタ自動車株式会社 Vehicle lock/unlock device, vehicle provided with the same, and lock/unlock system
JP2021037889A (en) * 2019-09-04 2021-03-11 トヨタ自動車株式会社 Terminals, vehicle operation systems, vehicle operation methods and programs

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12403862B1 (en) * 2024-04-19 2025-09-02 Google Llc Central authority for certifying unbonded access to a vehicle via a digital key device

Similar Documents

Publication Publication Date Title
US11888594B2 (en) System access using a mobile device
CN111049660B (en) Certificate distribution method, system, device and equipment, and storage medium
JP7194847B2 (en) A method for authenticating the identity of digital keys, terminal devices, and media
JP5344716B2 (en) Secure remote startup, boot, and login methods, systems, and programs from a mobile device to a computer
US10382419B2 (en) Communication device, LSI, program, and communication system
US9571284B2 (en) Controlling access to personal information stored in a vehicle using a cryptographic key
CN110708388B (en) Vehicle body safety anchor node device, method and network system for providing safety service
KR101838511B1 (en) Method of providing security for controller using encryption and appratus for implementing the same
CN112396735B (en) Internet automobile digital key safety authentication method and device
WO2008070857A1 (en) Real-time checking of online digital certificates
US11424915B2 (en) Terminal registration system and terminal registration method with reduced number of communication operations
GB2516939A (en) Access authorisation system and secure data communications system
US10277404B2 (en) Communication system for the detection of a driving license
WO2025077937A1 (en) Communication method and system for smart door lock, device, and medium
CN117439740A (en) In-vehicle network identity authentication and key negotiation method, system and terminal
WO2025004126A1 (en) In-vehicle device and vehicle authentication system
KR20160093764A (en) Secure communication system of ecu utilizing otp rom
KR102081875B1 (en) Methods for secure interaction between users and mobile devices and additional instances
CN114866982B (en) Method and system for vehicle-end ECU to access public network for data interaction
Patsakis et al. Securing In-vehicle Communication and Redefining the Role of Automotive Immobilizer.
CN115296813B (en) Automotive Ethernet controller identity authentication method and system
CN120166131A (en) Remote starting method for vehicle and vehicle
JP2024055384A (en) Vehicle control device
KR20250070559A (en) Method and device for activating a usage scenario of a digital key
CN117041958A (en) Authentication method for communication content between vehicle-mounted V2X-OBU and intelligent domain controller

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23943531

Country of ref document: EP

Kind code of ref document: A1