WO2015129352A1 - Authentication system, in-vehicle control device - Google Patents
Authentication system, in-vehicle control device
- Publication number
- WO2015129352A1 (PCT/JP2015/051755)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- code
- control device
- vehicle control
- authentication code
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0846—Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/84—Vehicles
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Definitions
- the present invention relates to a technique for authenticating an operation terminal used for maintaining and managing an in-vehicle control device that controls the operation of a vehicle.
- Data read from the storage device of the in-vehicle control device by the maintenance management tool includes data for troubleshooting, such as a self-diagnosis history and operation log.
- the data that the maintenance management tool writes to the storage device of the in-vehicle control device is, for example, a device adjustment value that differs for each vehicle and is set by the manufacturer before product shipment, or update data used when the control software is updated (firmware rewrite) at a dealer designated by the manufacturer after product shipment.
- the operation of updating the control software may be performed as a recall or a service campaign.
- In-vehicle control devices are responsible for controlling the automobile, and if their software or data can be changed easily, a failure or accident may result. Moreover, from the viewpoint of information security, an easy change may threaten personal property present in the vehicle. For example, invalidating the electronic key may facilitate vehicle theft. Personal information such as home address data stored in the navigation system could be collected. An individual's credit card number could be stolen from an ETC (Electronic Toll Collection System) device. Therefore, the maintenance tool should not be released to general users, and it should not be something that anyone other than qualified personnel can easily operate.
- ETC Electronic Toll Collection System
- the maintenance tool has a function of measuring position information, and the authentication server authenticates the maintenance tool only when the tool is located within a predetermined latitude/longitude range. By checking the location of the maintenance management tool, the intention is to prevent it from being used by a malicious third party even if it is stolen.
- Patent Document 1 stores, in the maintenance management tool, a secret key for a message authentication code (MAC) that is used for communication with the center responsible for issuing the authentication code. Therefore, if the maintenance tool is stolen, the secret key may be extracted by reverse engineering.
- MAC message authentication code
- the GPS receiver inside the maintenance tool is assumed to be a general-purpose (commercially available) GPS receiver module, in order to limit cost increases.
- a GPS receiver module has a standardized interface to the CPU (Central Processing Unit) of the tool, compliant with the NMEA (National Marine Electronics Association) 0183 standard.
- NMEA 0183 is a character-based communication standard established by that association. Therefore, the position information can easily be falsified by forging the signal that the GPS receiver module sends to the CPU of the maintenance management tool in this standard format. This undermines the reliability of the positioning result.
- a challenge generated by the target device can be captured and monitored at an interface that transmits a signal from the target device to the maintenance management tool.
- the response corresponding to this challenge can be captured and monitored at the interface that transmits a signal from the center to the maintenance management tool. Therefore, a third party who has illegally obtained the maintenance tool can record a set of challenge and response pairs. This gives a clue to the internal hash function and can weaken the security of the system.
- the target device generates a pseudo-random number when it generates a challenge. However, since a pseudo-random number sequence is periodic (unlike a cryptographically true random number), the challenge and response pairs of one full cycle can be generated and, if all of them are recorded, a response could be forged. Furthermore, if the pseudo-random number generation mechanism is shared with other vehicles or other in-vehicle control devices, the brute-force attack described above can be applied to those vehicles as well.
- the present invention has been made in view of the above-described problems, and an object thereof is to prevent a third party from misusing a maintenance management tool for performing maintenance management work on an in-vehicle control device.
- the authentication device authenticates the operator of the operation terminal (corresponding to the maintenance management tool), and the operation terminal transfers the authentication code generated by the authentication device to the in-vehicle control device.
- the in-vehicle control device uses the authentication code to determine whether or not to allow the operation terminal to perform the maintenance operation.
- the authentication system of the present invention does not require authentication information or an authentication mechanism to be stored in the operation terminal, so that even if the operation terminal is lost or stolen, the risk of misuse by a third party can be suppressed.
- FIG. 10 is a sequence diagram for explaining an operation of authenticating the maintenance management tool 103 by the authentication system according to the first embodiment.
- the sequence of FIG. 2 is shown as an SDL flowchart.
- FIG. 10 is a sequence diagram for explaining an operation in which the authentication system according to the second embodiment authenticates the maintenance management tool 103.
- FIG. 10 is a sequence diagram for explaining an operation of authenticating a maintenance management tool 103 by an authentication system according to a third embodiment.
- the sequence of FIG. 5 is shown as an SDL flowchart.
- FIG. 1 is a diagram showing a configuration of an authentication system according to Embodiment 1 of the present invention.
- the in-vehicle control device 100 is a so-called ECU (Electronic Control Unit), an embedded electronic control device, and is connected to an in-vehicle network 105 such as a CAN (Controller Area Network) bus, transmitting and receiving data to and from other in-vehicle control devices while controlling the vehicle.
- ECU Electronic Control Unit
- CAN Controller Area Network
- the maintenance management tool 103 can be connected to the in-vehicle network 105 via the connector 104 for connection.
- the connection connector 104 may be directly branched out from the in-vehicle network 105, or may be provided through an in-vehicle communication gateway (not shown) for security reasons.
- the in-vehicle control device 100 and the maintenance management tool 103 generally authenticate one-on-one.
- the maintenance management tool 103 stores the information necessary for authentication, so if the maintenance management tool 103 is stolen or lost, a malicious third party may use that authentication information to gain illegal access to the in-vehicle network 105.
- the in-vehicle control device 100 does not authenticate the maintenance management tool 103 but authenticates the operator 107 who operates the maintenance management tool 103. This eliminates the need for the maintenance management tool 103 to hold its own authentication information. Therefore, even if the maintenance management tool 103 is stolen or lost, it is considered that the authentication information does not leak and the security strength can be further increased.
- the authentication system includes an authentication server 101 connected to the maintenance management tool 103 via a communication line, and the authentication server 101 includes a first authentication unit 111 that authenticates the operator 107.
- the first authentication unit 111 receives a signal s110, which will be described later, and uses the signal to check whether or not the operator 107 has the authority to operate the maintenance management tool 103.
- a signal s110 which will be described later
- the authentication method may be, for example, a user ID and password, or authentication using LDAP (Lightweight Directory Access Protocol) linked to the work management of the operator 107. Other suitable authentication methods may also be used.
- a man-machine interface used when the operator 107 provides authentication information
- a business personal computer 106 connected to the authentication server 101 may be used, or the maintenance management tool 103 may be connected directly to the authentication server 101
- a man-machine interface such as a software keyboard on the maintenance management tool 103 may then be used. In any case, since the maintenance management tool 103 itself does not hold authentication information, the authentication information for authenticating the operator 107 must be provided separately.
- the authentication server 101 collects a signal s121 describing a vehicle ID that identifies the vehicle to be worked on and a signal s130 describing a tool ID that identifies the maintenance management tool 103. These pieces of information may be entered by the operator 107 via the business personal computer 106, or they may be stored in advance in the maintenance management tool 103 and transmitted by connecting the tool directly to the authentication server 101, without manual operation.
- the authentication server 101 generates a signal s140 describing the one-time password for authentication, using, in addition to these pieces of information, information that varies in synchronization with the in-vehicle control device 100 (details are described later), and issues the one-time password. It may be issued to the business personal computer 106 and transferred by the operator 107 to the maintenance management tool 103 via a medium such as a memory card (not shown), or the maintenance management tool 103 may obtain it by connecting directly to the authentication server 101.
- the operator 107 connects the maintenance management tool 103, which has obtained the one-time password for authentication (s140), to the in-vehicle control device 100 via the connection connector 104 and the in-vehicle network 105.
- the maintenance management tool 103 transmits a signal s131 describing the one-time password for authentication (s140) and the tool ID for specifying the maintenance management tool 103 to the in-vehicle control device 100.
- the in-vehicle control device 100 includes a second authentication unit 112 that authenticates the maintenance management tool 103. After the authentication server 101 authenticates the operator 107 (that is, using the one-time password issued by the authentication server 101), the second authentication unit 112 authenticates the maintenance management tool 103 according to a procedure described later. By this procedure, it is verified whether or not the operator 107 has the authority to perform maintenance work on the in-vehicle control device 100. If the verification result is OK, the in-vehicle control device 100 permits the maintenance management tool 103 to perform the maintenance management operation.
- the one-time password for authentication (s140) issued from the first authentication unit 111 to the second authentication unit 112 is, being a one-time password, valid only around the time it is issued, or only at the timing at which it is issued. Therefore, even if this one-time password is copied, it cannot be used in another authentication, so a so-called replay attack is not effective.
- the first authentication unit 111 can be configured, for example, by software executed by the CPU of the authentication server 101, or can be configured by hardware such as a circuit device having the same function.
- the second authentication unit 112 corresponds to an authentication code generator 220 described later.
- FIG. 2 is a sequence diagram for explaining an operation of authenticating the maintenance management tool 103 by the authentication system according to the first embodiment.
- the operation of the maintenance management tool 103 and the operation of the operator 107 are integrated and represented as an activity 102.
- each step of FIG. 2 will be described.
- the activity 102 transmits the authentication information of the operator 107: s110 to the authentication server 101.
- the authentication server 101 requests the activity 102 to transmit the vehicle ID: s121 and the tool ID: s130.
- the activity 102 transmits these pieces of information to the authentication server 101.
- Vehicle ID: s121 may be information that uniquely identifies the work target vehicle, or may be information that uniquely identifies the work target vehicle-mounted control device 100.
- the operator 107 may obtain the vehicle ID by reading the chassis number stamped on the chassis, or may acquire it by connecting the maintenance management tool 103 to the in-vehicle control device 100, as identification information (shown as vehicle ID: s120 in FIG. 2) that can be collected without authentication. That is, as described later, any information can be used as long as it allows the passcode unique to the vehicle to be looked up in the database 201 of the authentication server 101.
- the authentication server 101 includes a database 201 in which a set of a vehicle ID of each vehicle and a passcode corresponding to the vehicle ID is stored for each vehicle.
- the database 201 can be configured using a storage device such as a hard disk device.
- the authentication server 101 searches the database 201 using the vehicle ID: s121 and finds the passcode seed.x.
- the same passcode as this passcode is also stored in the storage device 200 in the in-vehicle control device 100, and the CPU of the in-vehicle control device 100 can refer to this.
- the passcode seed.x serves as a secret key that is held only by the authentication server 101 and the in-vehicle control device 100 and is not disclosed elsewhere.
- the authentication server 101 and the in-vehicle control device 100 include clocks 211 and 210 that are synchronized with each other as a variable code generation source that generates a variable code that is synchronized with each other.
- the authentication server 101 and the in-vehicle control device 100 also include authentication code generators 221 and 220 that generate an authentication code using the same hash function, respectively.
- the authentication server 101 takes the time of the clock 211: time, the passcode seed.x and the tool ID: s130, calculates the hash value hash(time, seed.x, tool ID), and issues it as the one-time password: s140.
- the above three values are bit-concatenated and fed into the hash function hash() as a single bit string.
- the authentication code generators 221 and 220 secretly share the same hash function hash ().
- the hash function hash() can be updated on the authentication server 101 and the in-vehicle control device 100 as a pair, which makes it possible to increase the cryptographic strength and to cope with compromise.
- the maintenance management tool 103 only transfers the one-time password: s140, so the activity 102 is not affected even if the hash function hash() is changed. That is, the maintenance management tool 103 does not need to be replaced or repaired.
- cryptographic compromise refers to a situation in which the security level of a cryptographic algorithm has decreased, or in which the security of a system incorporating the cryptographic algorithm is threatened.
- the authentication code generator 220 substitutes the tool ID: s131 transmitted by the maintenance management tool 103, the passcode seed.x and the time of the clock 210: time into the same hash function hash() as the authentication server 101, and calculates the hash value hash(time, seed.x, tool ID) (p240).
- the authentication code generator 220 compares the calculated hash value with the one-time password s140 acquired from the maintenance management tool 103; if they match, it determines that the authenticity of the activity 102 has been verified and permits the maintenance work.
- the clocks 211 and 210 must indicate the same time. For example, the clocks 211 and 210 generate time values that change periodically, in units such as minutes or hours, so that the time value of each clock does not change during that period.
- the sequence for authenticating the maintenance management tool 103 may be performed while the time value of each clock does not change. If the time value changes between the moment the authentication server 101 issues the one-time password: s140 and the moment the in-vehicle control device 100 generates the hash value, the authentication sequence must be performed again, starting from the step in which the authentication server 101 issues the one-time password: s140.
- the authentication server 101 can collect the log 230 based on the information acquired from the activity 102.
- the log 230 can record information such as the identity of the operator 107, the one-time password issuance time, the vehicle ID, and the tool ID. These pieces of information serve as data for identifying the operator 107 and the affected vehicle when some sort of fraud is detected.
- the clock 210 on the in-vehicle control device 100 does not necessarily have to be mounted on the in-vehicle control device 100. For example, if the time can be obtained from another ECU through the in-vehicle network 105, that time may be used. As means for synchronizing the time with the clock 211 on the authentication server 101 side, reception of a GPS signal or access to an NTP (Network Time Protocol) server on the Internet can be considered, for example.
- NTP Network Time Protocol
- FIG. 3 shows the sequence of FIG. 2 as an SDL (Specification and Description Language) flowchart.
- SDL Specification and Description Language
- the flow t100 of the in-vehicle control device 100, the flow t102 of the activity 102, the flow t101 of the authentication server 101, event transmission and information exchange between them are indicated by arrows.
- the operation of each apparatus will be described in chronological order based on FIG. 3.
- the lowercase t means a flow tree
- the lowercase p means a process
- the lowercase s means a signal
- the lowercase e means the end of processing (end process).
- FIG. 3 Process p300-p302
- the activity 102 issues the personal authentication information s110 of the operator 107 to the authentication server 101 (p300).
- the authentication server 101 performs personal authentication using the personal authentication information: s110 (p301). If the personal authentication is successful, the process proceeds to the next process. If the authentication is unsuccessful, the process proceeds to the end process e101 to end the present flow (p302).
- FIG. 3 Processes p303 to p304
- the authentication server 101 requests the activity 102 to transmit the vehicle ID: s121 and the tool ID: s130 (p303).
- the activity 102 transmits these signals to the authentication server 101 (p304).
- the authentication code generator 221 searches for the passcode (seed.x) using the vehicle ID acquired from the activity 102 (p305).
- the authentication code generator 221 samples the time time of the clock 211 (p306).
- the authentication code generator 221 generates a one-time password: s140 and transmits it to the activity 102 (p307).
- the authentication code generator 221 outputs the log 230 (p308).
- the maintenance management tool 103 receives the hash value transmitted from the authentication server 101 and stores it as a server hash value (p309).
- the maintenance management tool 103 transmits tool ID: s131 to the in-vehicle control device 100 (p310).
- FIG. 3 Processes p311 to p312
- when the in-vehicle control device 100 receives the tool ID transmitted from the maintenance management tool 103, it regards this as an authentication request from the maintenance management tool 103 and starts the subsequent authentication process (p311).
- the authentication code generator 220 confirms whether or not the tool ID received from the maintenance management tool 103 matches the tool ID stored in advance in the storage device 200 (p312). If they do not match, it is considered that the maintenance management tool 103 is erroneously connected, and the process proceeds to the end process e100 to end this flowchart (reject authentication). If they match, the process proceeds to process p313.
- the authentication code generator 220 samples the time: time of the clock 210 (p313).
- the authentication code generator 220 calculates a hash value by substituting the passcode (seed.x), time: time, and the tool ID stored in advance in the storage device 200 into the hash function hash() (p314).
- the authentication code generator 220 waits for the one-time password: s140 to be transmitted from the maintenance management tool 103 (p315).
- the maintenance management tool 103 transfers the one-time password: s140 received from the authentication server 101 to the in-vehicle control device 100 (p316).
- the authentication code generator 220 determines whether or not the one-time password: s140 received from the maintenance management tool 103 matches the hash value calculated in the process p314. If they match, the process proceeds to process p318, and if they do not match, the process proceeds to end process e100 to end this flowchart (authentication rejection).
- the authentication code generator 220 transmits a signal s300 indicating that the authentication is permitted to the maintenance management tool 103 (p318).
- the maintenance management tool 103 waits for the signal s300 after the process p316.
- the maintenance management tool 103 determines that authentication is permitted and starts a maintenance operation (p319). If the hash value generated by the authentication code generator 220 does not match the one-time password: s140, the authentication code generator 220 notifies the fact using the signal s300 in the process p318.
- the maintenance management tool 103 does not hold authentication information, a secret key, or the like, so it is not necessary to disclose them to the tool vendor (the manufacturer that produces the maintenance management tool 103). Reducing the information secretly shared between the manufacturer of the in-vehicle control device 100 and the tool vendor can be said to be a preferable form of business relationship from the viewpoint of preventing the spread of secret information.
- the authentication server 101 does not authenticate the maintenance management tool 103 itself using authentication information held by the tool, but authenticates the operator 107. Therefore, even when several operators 107 use the same maintenance management tool 103, authentication authority can be controlled for each operator 107. In addition, since the operator 107 is authenticated, the authentication server 101 can keep an access record (a record of operations on the in-vehicle control device 100) for each operator 107, which provides a deterrent effect against unauthorized access.
- the authentication code generators 220 and 221 generate the hash value using the tool ID of the maintenance management tool 103, but the tool ID is not strictly necessary. That is, the process of transmitting the tool ID from the maintenance management tool 103 to the in-vehicle control device 100 (p310 to p312) may be omitted, and the hash value may be generated by substituting only the time of the clocks 210 and 211 and the passcode into the hash function. The same applies to the following embodiments.
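The FIG. 2 sequence (processes p300 to p319 of FIG. 3) as an added worked example; this is not code from the patent. SHA-256 stands in for the undisclosed shared hash(), the clocks 210 and 211 are modelled as a minute index of a common Unix time, and the operator check of p301 is a constructed set of authorized operator names (the page leaves the method open: ID and password, LDAP, and so on). The seed, vehicle ID, tool ID and timestamps are constructed values. The scenario runs the normal flow and then the cases the text describes: an unknown operator (e101), a wrong tool ID (p312), a one-time password replayed after the clock value has changed, and a tampered code.

```python
import hashlib
import hmac
import struct

# Assumption: clocks 210 and 211 advance in whole minutes, so the "time" value
# fed to hash() is the minute index of the synchronised clock.
WINDOW_SECONDS = 60


def time_window(unix_time: int) -> int:
    """Variable code taken from the synchronised clock: the current minute index."""
    return unix_time // WINDOW_SECONDS


def hash_code(variable_code: int, seed: bytes, tool_id: str) -> bytes:
    """hash(time, seed.x, tool ID): the three values are concatenated into one bit
    string and hashed. SHA-256 stands in for the page's unspecified hash(); each
    field is length-framed so the concatenation cannot be re-split ambiguously."""
    tid = tool_id.encode("utf-8")
    data = (struct.pack(">Q", variable_code)
            + struct.pack(">H", len(seed)) + seed
            + struct.pack(">H", len(tid)) + tid)
    return hashlib.sha256(data).digest()


class AuthenticationServer:
    """Authentication server 101: first authentication unit 111, database 201,
    clock 211, authentication code generator 221 and log 230."""

    def __init__(self, operators: set, database: dict):
        self.operators = operators   # constructed stand-in for p301 (ID/password, LDAP, ...)
        self.database = database     # vehicle ID -> seed.x
        self.log = []                # log 230

    def issue_otp(self, operator: str, vehicle_id: str, tool_id: str, now: int):
        if operator not in self.operators:               # p301/p302: failure -> e101
            return None
        seed = self.database[vehicle_id]                 # p305: look up seed.x by vehicle ID
        window = time_window(now)                        # p306: sample clock 211
        otp = hash_code(window, seed, tool_id)           # p307: one-time password s140
        self.log.append((operator, now, vehicle_id, tool_id))  # p308: who, when, which vehicle/tool
        return otp


class VehicleControlDevice:
    """In-vehicle control device 100: storage 200, clock 210, generator 220."""

    def __init__(self, seed: bytes, tool_id: str):
        self.seed = seed          # seed.x, shared only with the server
        self.tool_id = tool_id    # tool ID stored in advance in storage 200

    def authenticate(self, presented_tool_id: str, otp: bytes, now: int) -> bool:
        if presented_tool_id != self.tool_id:            # p312: wrong tool -> e100
            return False
        expected = hash_code(time_window(now), self.seed, self.tool_id)  # p313, p314
        return hmac.compare_digest(expected, otp)        # match check against s140, constant time


def run_scenario() -> dict:
    """Constructed walk-through of the FIG. 2 sequence plus the failure cases."""
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed seed.x
    server = AuthenticationServer({"operator-107"}, {"VIN-EXAMPLE": seed})
    ecu = VehicleControlDevice(seed, "TOOL-103")
    t0 = 1_700_000_000   # constructed time; both clocks agree (second 20 of a minute)

    otp = server.issue_otp("operator-107", "VIN-EXAMPLE", "TOOL-103", t0)
    tampered = bytes([otp[0] ^ 1]) + otp[1:]
    return {
        "unknown_operator": server.issue_otp("unknown-user", "VIN-EXAMPLE", "TOOL-103", t0) is None,
        "same_window": ecu.authenticate("TOOL-103", otp, t0 + 20),
        "next_window_replay": ecu.authenticate("TOOL-103", otp, t0 + WINDOW_SECONDS),
        "wrong_tool_id": ecu.authenticate("TOOL-999", otp, t0 + 20),
        "tampered_otp": ecu.authenticate("TOOL-103", tampered, t0 + 20),
        "log_entries": len(server.log),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The tool object never appears in the code because, as the text stresses, it only forwards s140 and the tool ID; everything secret lives in the server's database and the ECU's storage. `hmac.compare_digest` is used for the match check so that the comparison time does not depend on how many leading bytes agree. The page does not say what hash() is; in practice a keyed MAC such as HMAC with seed.x as the key would be the conventional way to realise "a secret shared hash with a secret seed", and the only change needed here would be inside `hash_code`.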
- clocks 210 and 211 synchronized with each other are used as a variable code generation source that generates a variable code that changes synchronously between the in-vehicle control device 100 and the authentication server 101.
- reception data that can be received by the in-vehicle control device 100 and the authentication server 101 in synchronization with each other is used.
- data that is regularly distributed in road-to-vehicle communication such as ITS (Intelligent Transport Systems) can be used as common knowledge.
- FIG. 4 is a sequence diagram for explaining the operation of authenticating the maintenance management tool 103 by the authentication system according to the second embodiment.
- authentication code generators 220 and 221 use received data 410 and 411 instead of the times of clocks 210 and 211. Therefore, both the authentication code generator 221 and the authentication code generator 220 generate a hash value by hash (reception data, seed.x, tool ID). This hash value is valid until the received data is updated.
- the SDL flowchart corresponding to FIG. 4 is substantially the same as that in FIG. 3, but the processes p306 and p313 are replaced with processes that refer to the received data 410 and 411. Other configurations and processes are the same as those in the first embodiment.
- the means by which the in-vehicle control device 100 acquires the received data 410 does not necessarily have to be mounted on the in-vehicle control device 100; data received by another ECU, such as a navigation ECU or a road-to-vehicle communication ECU, may be used.
- the means by which the authentication server 101 acquires the reception data 411 is not necessarily the same as the means by which the in-vehicle control device 100 acquires the reception data 410, as long as it can ensure that the reception data 410 and 411 are synchronized.
- Embodiment 3. In Embodiment 3 of the present invention, instead of clocks 210 and 211, the number of times authentication processing has been performed is used as the variable code that changes synchronously between the in-vehicle control device 100 and the authentication server 101. That is, the authentication code generators 220 and 221 apply the hash function hash() to the initial passcode value init.x repeatedly, once for each authentication performed, and use the resulting value in place of the time `time` and the passcode seed.x of Embodiment 1.
- Specifically, in place of the time `time` and the passcode seed.x, the authentication code generators 220 and 221 use {hash(init.x)}^n. With init.x the initial passcode value and n the number of authentications, this is equivalent to the following value: {hash(init.x)}^n ≡ hash(hash(...hash(init.x)...)) (7). This value corresponds to applying the hash n times to init.x.
- FIG. 5 is a sequence diagram explaining the operation in which the authentication system according to Embodiment 3 authenticates the maintenance management tool 103. The following mainly describes the configuration that differs from Embodiment 1.
- Database 201 stores, for each vehicle, the set of its vehicle ID, the initial passcode value corresponding to that vehicle ID, and the number of times the operator 107 has been authenticated. If the authentication of the operator 107 succeeds, the authentication server 101 acquires the vehicle ID s121 from activity 102 and increments ((n-1) → n) the authentication count corresponding to that vehicle ID (p605).
- The authentication code generator 221 reads the initial passcode init.x corresponding to the vehicle ID and applies the hash function n times in superimposition to compute {hash(init.x)}^n (p606, described later). It uses this value in place of the passcode and time of Embodiment 1. The one-time password s140 generated by the authentication server 101 is therefore hash({hash(init.x)}^n, tool ID).
- Storage device 200 holds the same initial passcode init.x. However, since the in-vehicle control device 100 generally does not have computing power comparable to the authentication server 101, computing {hash(init.x)}^n from scratch every time is difficult. Therefore, each time the authentication code generator 220 applies the hash function to init.x in superimposition, it stores the result in storage device 200 as previous value 510 (p613), and when it next generates an authentication code it applies the hash function hash() only once, to previous value 510. As a result, the passcode sequence can be produced with less computation than on the authentication server 101.
- After obtaining the value by applying the hash function to init.x in superimposition, the authentication code generator 220 generates an authentication code from that value and the tool ID in the same manner as the authentication code generator 221 (p530 to p531), and compares this authentication code with the one-time password s140.
- FIG. 6 shows the sequence of FIG. 5 as an SDL flowchart.
- Processes p605 to p606 replace processes p305 to p306 of FIG. 3, and process p613 replaces process p313.
- Processes p606 and p613 both obtain the same value by applying the hash function to init.x in superimposition, but p606 applies it n times whereas p613 applies it only once, to previous value 510.
- When the in-vehicle control device 100 rejects the authentication, the maintenance management tool 103 may forward signal s300 to the authentication server 101.
- On receiving this signal, the authentication server 101 performs appropriate processing so that, the next time the operator 107 is authenticated, the one-time password s140 is generated using the authentication count as it was before the increment.
- For example, the authentication count stored in database 201 may be decremented directly, or a plurality of one-time passwords s140 may be generated by increasing or decreasing the count value when generating s140, and authentication attempted a plurality of times using those values.
- As described above, in the authentication system according to Embodiment 3, the authentication code generators 220 and 221 keep the number of times authentication processing has been performed synchronized and generate the authentication code from it.
- This removes the need for time-varying information such as clocks 210 and 211 of Embodiment 1 or reception data 410 and 411 of Embodiment 2, and the means for achieving synchronization can be simplified.
- The present invention is not limited to the embodiments described above and includes various modifications.
- The above embodiments have been described in detail for ease of understanding, and the invention is not necessarily limited to one having all of the configurations described.
- Part of the configuration of one embodiment can be replaced with the configuration of another embodiment.
- The configuration of another embodiment can be added to the configuration of a given embodiment. Further, for part of the configuration of each embodiment, other configurations can be added, deleted, or substituted.
- Some or all of the above components, functions, processing units, processing means, etc. may be realized in hardware, for example by designing them as an integrated circuit.
- Each of the above configurations, functions, etc. may be realized in software by a processor interpreting and executing a program that realizes the function.
- Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
- The authentication code generators 220 and 221, the clocks 210 and 211, and the means for acquiring reception data 410 and 411 can be configured as hardware such as a circuit device in which these functions are mounted, or as software implementing the same functions, executed by the CPU of the authentication server 101 or of the in-vehicle control device 100.
- SYMBOLS: 100: In-vehicle control device, 101: Authentication server, 103: Maintenance management tool, 104: Connector, 105: In-vehicle network, 107: Operator, 200: Storage device, 201: Database, 210 and 211: Clocks, 220 and 221: Authentication code generators, 410 and 411: Reception data.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Description
In Patent Document 1 above, as in the conventional art, part of the components of the authentication system is stored inside the maintenance tool. That is, upgrading the authentication system requires adding hardware functions (for example, a position-measurement function), so the cost of the maintenance tool is expected to rise. Also, because the maintenance tool has to be positioned, the lead time before the operator can begin maintenance work may increase.
In Patent Document 1, the secret key for the message authentication code (MAC) used to communicate with the center that issues authentication codes is stored inside the maintenance tool. Therefore, if the maintenance tool is stolen, that secret key may be leaked through reverse engineering.
In recent years, with the development of indoor positioning technology based on GPS (Global Positioning System), namely IMES (Indoor Messaging System), commercially available GPS signal generators that can be abused to forge position information have become generally known. A further attack method follows from the following fact. The GPS receiver inside the maintenance tool is expected to be a general-purpose (commercially available) GPS receiver module, so as to hold down cost. Such modules have a standardized interface to the tool's CPU (Central Processing Unit), using a communication protocol compliant with the NMEA 0183 standard of the National Marine Electronics Association. NMEA 0183 is a character-based communication standard defined by that association. Therefore, by forging the signal sent from the GPS receiver module to the tool's CPU in accordance with that standard, position information can easily be spoofed. This undermines the reliability of the positioning result.
In Patent Document 1, the challenge generated by the target device can be captured and monitored at the interface that conveys signals from the target device to the maintenance tool, and the corresponding response can be captured and monitored at the interface that conveys signals from the center to the maintenance tool. A third party who illegitimately obtains a maintenance tool can therefore record challenge-response pairs. This provides a foothold for inferring the internal hash function and may thus become a vulnerability of the security system. Also, in Patent Document 1 the target device generates a pseudo-random number when generating a challenge; since pseudo-random numbers (unlike cryptographically true random numbers) are periodic, recording all challenge-response pairs of one period could allow responses to be forged. Furthermore, if the pseudo-random number generation mechanism is common to other vehicles and other in-vehicle control devices, such a brute-force attack can be reused against other vehicles.
FIG. 1 shows the configuration of the authentication system according to Embodiment 1 of the present invention. The in-vehicle control device 100 is an embedded electronic control device, a so-called ECU (Electronic Control Unit); it connects to an in-vehicle network 105 such as CAN (Controller Area Network) and controls the vehicle while exchanging data with other in-vehicle control devices.
FIG. 2 is a sequence diagram explaining the operation in which the authentication system according to Embodiment 1 authenticates the maintenance management tool 103. In FIG. 2, for convenience of description, the operation of the maintenance management tool 103 and that of the operator 107 (or of the terminal the operator 107 uses, such as the business computer 106) are combined and denoted as activity 102. Each step of FIG. 2 is explained below.
(1) One-wayness (preimage resistance): it is hard to find an input from an output value. That is, given a hash value h, it must be hard to find any m satisfying h = hash(m);
(2) Second-preimage resistance: it is hard to find another input that hashes to the same value as a given input. That is, for a given m, it must be hard to find m' (with m ≠ m') such that hash(m) = hash(m');
(3) Collision resistance: it is hard to find two inputs that produce the same output. That is, it must be hard to find any m and m' (with m ≠ m') satisfying hash(m) = hash(m').
Activity 102 issues the operator 107's identity credentials s110 to the authentication server 101 (p300). The authentication server 101 authenticates the operator using s110 (p301). If the operator authentication succeeds, the flow proceeds to the next process; if it fails, it proceeds to end process e101 and terminates (p302).
The authentication server 101 requests activity 102 to send the vehicle ID s121 and the tool ID s130 (p303). Activity 102 sends these signals to the authentication server 101 (p304).
The authentication code generator 221 looks up the passcode (seed.x) using the vehicle ID obtained from activity 102 (p305). It samples the time `time` of clock 211 (p306). It generates the one-time password s140 and sends it to activity 102 (p307). It outputs log 230 (p308).
The maintenance management tool 103 receives the hash value sent by the authentication server 101 and stores it as the server hash value (p309). The maintenance management tool 103 sends the tool ID s131 to the in-vehicle control device 100 (p310).
When the in-vehicle control device 100 receives the tool ID sent by the maintenance management tool 103, it regards this as an authentication request from the maintenance management tool 103 and begins the subsequent authentication process (p311). The authentication code generator 220 checks whether the tool ID received from the maintenance management tool 103 matches the tool ID stored in advance in storage device 200 (p312). If they do not match, it regards the maintenance management tool 103 as misconnected, proceeds to end process e100 and terminates the flowchart (authentication rejected). If they match, it proceeds to process p313.
The authentication code generator 220 samples the time `time` of clock 210 (p313). It substitutes the passcode (seed.x) stored in advance in storage device 200, the time `time`, and the tool ID into the hash function hash() and computes the hash value (p314).
The authentication code generator 220 waits for the one-time password s140 to be sent from the maintenance management tool 103 (p315). The maintenance management tool 103 forwards the one-time password s140 received from the authentication server 101 to the in-vehicle control device 100 (p316).
The authentication code generator 220 determines whether the one-time password s140 received from the maintenance management tool 103 matches the hash value computed in process p314. If they match, it proceeds to process p318; if not, it proceeds to end process e100 and terminates the flowchart (authentication rejected).
The authentication code generator 220 sends signal s300, indicating that authentication is permitted, to the maintenance management tool 103 (p318). The maintenance management tool 103 has been waiting for signal s300 since process p316; on receiving it, it judges that authentication has been permitted and begins maintenance operations (p319). If the hash value generated by the authentication code generator 220 does not match the one-time password s140, the authentication code generator 220 uses signal s300 in process p318 to notify the tool of that fact.
As described above, in the authentication system according to Embodiment 1, the common key and common hash function needed for authentication processing are held only by the in-vehicle control device 100 and the authentication server 101; the maintenance management tool 103 does not hold them. This eliminates the cost of managing the maintenance management tool 103, the cost of hardening its security, and the cost of disposing of tools that are no longer needed without leaking information. In addition, by changing the cryptographic strength per vehicle model and model year, compromise of the cryptography can be addressed immediately.
In Embodiment 1, clocks 210 and 211, synchronized with each other, were used as the variable code generation source that generates a variable code changing synchronously between the in-vehicle control device 100 and the authentication server 101. In Embodiment 2 of the present invention, reception data that the in-vehicle control device 100 and the authentication server 101 can receive in synchrony with each other is used in place of clocks 210 and 211. As one example of such reception data in Embodiment 2, data distributed at fixed times in road-to-vehicle communication such as ITS (Intelligent Transport Systems) can be used as common knowledge.
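The p300 to p319 exchange described above, together with the Embodiment 2 variant that swaps the clock for reception data, as an added Python example (this is not code from the patent or its applicant): the authentication server issues s140 = hash(variable code, seed.x, tool ID) only after authenticating the operator, the maintenance management tool merely relays s131 and s140, and the ECU recomputes the value and compares. Everything the text leaves open is an assumption here: hash() is SHA-256 over length-prefixed fields, the clock is quantised to a 30-second step so clocks 210 and 211 need only agree within one step, and the seed, IDs and credentials are constructed sample data.

```python
"""Added example, not code from the patent: the one-time-password exchange of
Embodiment 1 (clock as variable code) and Embodiment 2 (reception data as
variable code), with the maintenance management tool acting only as a relay.

Assumptions (not fixed by the text): hash() is SHA-256 over length-prefixed
fields; the clock is quantised to TIME_STEP seconds; all IDs, seeds and
credentials are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TIME_STEP = 30  # seconds per clock tick (assumed tolerance between clocks 210 and 211)


def h(*fields: bytes) -> bytes:
    """hash(a, b, c) of the text: SHA-256 over length-prefixed fields, so that
    (time, seed.x, tool ID) cannot be re-split into a different tuple."""
    d = hashlib.sha256()
    for f in fields:
        d.update(struct.pack(">I", len(f)))
        d.update(f)
    return d.digest()


def clock_code(now: float) -> bytes:
    """Variable code of Embodiment 1: the current time step of clock 210/211 (p306, p313)."""
    return struct.pack(">Q", int(now) // TIME_STEP)


@dataclass
class AuthServer:
    """Authentication server 101. database 201 maps vehicle ID -> passcode seed.x."""
    database: dict
    operators: dict                      # operator -> credential s110 (constructed)
    log: list = field(default_factory=list)

    def issue_otp(self, operator: str, credential: str, vehicle_id: str,
                  tool_id: str, variable_code: bytes):
        # p301/p302: operator authentication comes first; e101 on failure
        if not hmac.compare_digest(self.operators.get(operator, "").encode(),
                                   credential.encode()):
            return None
        seed = self.database[vehicle_id]                  # p305: look up seed.x by vehicle ID
        otp = h(variable_code, seed, tool_id.encode())    # p307: s140 = hash(time, seed.x, tool ID)
        self.log.append((operator, vehicle_id, tool_id))  # p308: log 230
        return otp


@dataclass
class Ecu:
    """In-vehicle control device 100. storage 200 holds seed.x and the expected tool ID."""
    seed: bytes
    tool_id: str

    def verify(self, presented_tool_id: str, otp: bytes, variable_code: bytes) -> bool:
        if presented_tool_id != self.tool_id:             # p312: misconnected tool -> e100
            return False
        expected = h(variable_code, self.seed, presented_tool_id.encode())  # p314
        return hmac.compare_digest(expected, otp)         # mismatch -> e100 (authentication rejected)


def run_session(server: AuthServer, ecu: Ecu, operator: str, credential: str,
                vehicle_id: str, tool_id: str,
                server_code: bytes, ecu_code: bytes) -> bool:
    """One authentication: p300-p308 at the server, then p309-p319 via the tool to the ECU."""
    otp = server.issue_otp(operator, credential, vehicle_id, tool_id, server_code)
    if otp is None:
        return False                                      # e101
    # Activity 102 / tool 103 only forwards tool ID s131 and the OTP s140 (p310, p316);
    # it never holds seed.x or the hash function.
    return ecu.verify(tool_id, otp, ecu_code)


def demo() -> dict:
    seed = b"seed.x for VIN-0001 (constructed)"
    server = AuthServer(database={"VIN-0001": seed}, operators={"alice": "s110-alice"})
    ecu = Ecu(seed=seed, tool_id="TOOL-42")
    t0 = 1_700_000_000.0
    ok = ("alice", "s110-alice", "VIN-0001", "TOOL-42")
    r = {}
    # Embodiment 1: clocks within one step -> accepted; a full step apart -> rejected
    r["clock_ok"] = run_session(server, ecu, *ok, clock_code(t0), clock_code(t0 + 5))
    r["clock_skew"] = run_session(server, ecu, *ok, clock_code(t0), clock_code(t0 + TIME_STEP))
    # a tool whose ID is not the one stored in the ECU is treated as misconnected (p312)
    r["wrong_tool"] = run_session(server, ecu, "alice", "s110-alice", "VIN-0001", "TOOL-99",
                                  clock_code(t0), clock_code(t0))
    # operator authentication fails -> no OTP is ever issued (e101)
    r["bad_credential"] = run_session(server, ecu, "alice", "wrong", "VIN-0001", "TOOL-42",
                                      clock_code(t0), clock_code(t0))
    # Embodiment 2: the variable code is a frame both sides received (constructed ITS data)
    frame, next_frame = b"ITS frame #1001 (constructed)", b"ITS frame #1002 (constructed)"
    r["reception_ok"] = run_session(server, ecu, *ok, frame, frame)
    r["reception_stale"] = run_session(server, ecu, *ok, frame, next_frame)
    r["log_entries"] = len(server.log)
    return r
```

The length-prefixed encoding in `h()` is the detail the text leaves open: concatenating time, seed.x and tool ID directly would let differently split tuples produce the same input. The time step is likewise a choice; the smaller it is, the tighter the clock synchronization the two sides must maintain, and a stale OTP in the next step is rejected just as a stale reception frame is.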
In Embodiment 3 of the present invention, instead of clocks 210 and 211, the number of times authentication processing has been performed is used as the variable code that changes synchronously between the in-vehicle control device 100 and the authentication server 101. That is, the authentication code generators 220 and 221 apply the hash function hash() to the initial passcode value init.x repeatedly, once for each authentication performed, and use the resulting value in place of the time `time` and the passcode seed.x of Embodiment 1.
{hash(init.x)}^n ≡ hash(hash(...hash(init.x)...))
This value corresponds to the value obtained by applying the hash n times to init.x.
As described above, in the authentication system according to Embodiment 3, the authentication code generators 220 and 221 keep the number of times authentication processing has been performed synchronized with each other and generate the authentication code from it. This removes the need to use time-varying information such as clocks 210 and 211 of Embodiment 1 or reception data 410 and 411 of Embodiment 2, and the means for achieving synchronization can be simplified.
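The count-based variable code of Embodiment 3 described just above and in the English fragments earlier on this page (p605, p606, p613 and the resynchronization after a rejection), as an added Python example that is not code from the patent: the authentication server recomputes {hash(init.x)}^n from init.x each time, the ECU keeps previous value 510 and applies hash() once, and when the tool forwards the ECU's rejection the server retries with a window of counts around the stored one. Assumptions not fixed by the text: SHA-256 over length-prefixed fields, a window of two counts either side, the server adopting the count the ECU accepted, and the ECU committing its new previous value only after a successful comparison; init.x and the tool ID are constructed.

```python
"""Added example, not code from the patent: Embodiment 3, where the variable
code is the number of authentications performed, realised as the hash chain
{hash(init.x)}^n. Assumptions (not fixed by the text): SHA-256 over
length-prefixed fields, a resynchronisation window of 2, the server adopting
the count the ECU accepted, the ECU committing previous value 510 only after a
successful comparison. init.x and the tool ID below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import struct


def h(*fields: bytes) -> bytes:
    """hash() of the text: SHA-256 over length-prefixed fields (assumed encoding)."""
    d = hashlib.sha256()
    for f in fields:
        d.update(struct.pack(">I", len(f)))
        d.update(f)
    return d.digest()


def chain(init_x: bytes, n: int) -> bytes:
    """{hash(init.x)}^n = hash(hash(...hash(init.x)...)), n applications in superimposition."""
    v = init_x
    for _ in range(n):
        v = h(v)
    return v


class AuthServer:
    """Authentication server 101; database 201 holds init.x and the authentication count n."""

    def __init__(self, init_x: bytes, window: int = 2) -> None:
        self.init_x = init_x
        self.count = 0          # authentications performed so far for this vehicle ID
        self.window = window    # how far to search when resynchronising (assumed)

    def otp_for(self, n: int, tool_id: str) -> bytes:
        # s140 = hash({hash(init.x)}^n, tool ID), recomputed from init.x each time (p606)
        return h(chain(self.init_x, n), tool_id.encode())

    def issue_otp(self, tool_id: str) -> bytes:
        self.count += 1         # p605: (n-1) -> n once the operator is authenticated
        return self.otp_for(self.count, tool_id)

    def resync(self, ecu: "Ecu", tool_id: str) -> bool:
        """After the tool forwards the ECU's rejection (s300), try counts around the
        stored one and adopt the count the ECU accepts (the text's 'plurality of
        one-time passwords' alternative to decrementing the stored count)."""
        for n in range(max(1, self.count - self.window), self.count + self.window + 1):
            if ecu.verify(tool_id, self.otp_for(n, tool_id)):
                self.count = n
                return True
        return False


class Ecu:
    """In-vehicle control device 100; storage 200 holds previous value 510 and the tool ID."""

    def __init__(self, init_x: bytes, tool_id: str) -> None:
        self.prev = init_x      # previous value 510, initially init.x
        self.position = 0       # how many hashes prev is from init.x (bookkeeping for the demo)
        self.tool_id = tool_id

    def verify(self, presented_tool_id: str, otp: bytes) -> bool:
        if presented_tool_id != self.tool_id:                   # p312: misconnected tool -> e100
            return False
        nxt = h(self.prev)                                      # p613: one hash on previous value 510
        if hmac.compare_digest(h(nxt, presented_tool_id.encode()), otp):  # p530-p531 vs s140
            self.prev, self.position = nxt, self.position + 1   # commit the step only on success
            return True
        return False


def demo() -> dict:
    init_x = b"init.x for VIN-0001 (constructed)"
    server, ecu = AuthServer(init_x), Ecu(init_x, tool_id="TOOL-42")
    r = {}
    # 1. normal session: both sides arrive at {hash(init.x)}^1 by different routes
    r["first_ok"] = ecu.verify("TOOL-42", server.issue_otp("TOOL-42"))
    r["same_value"] = ecu.prev == chain(init_x, server.count)
    # 2. wrong tool connected: the server has already incremented, the ECU rejects at p312
    r["wrong_tool"] = ecu.verify("TOOL-99", server.issue_otp("TOOL-99"))
    r["after_wrong_tool"] = (server.count, ecu.position)          # (2, 1): out of step
    # 3. the next correct session fails: server is at n=3, the ECU expects n=2
    r["desynced"] = ecu.verify("TOOL-42", server.issue_otp("TOOL-42"))
    # 4. the tool forwards s300 to the server, which searches its window and realigns
    r["resync"] = server.resync(ecu, "TOOL-42")
    r["after_resync"] = (server.count, ecu.position)              # (2, 2)
    # 5. normal operation resumes
    r["resumed_ok"] = ecu.verify("TOOL-42", server.issue_otp("TOOL-42"))
    return r
```

The demo shows why the page offers the rejection feedback path: the server advances its count at p605 before it knows whether the ECU will accept, so a misconnected tool leaves the two counters one step apart and every later attempt fails until the server either decrements or searches a window. Because the ECU only ever hashes previous value 510 once, that value has to survive in storage device 200 across power cycles; the in-memory `prev` here stands in for that non-volatile store.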
Claims (15)
1. An authentication system for authenticating an operation terminal used to maintain an in-vehicle control device that controls the operation of a vehicle, wherein: the authentication system comprises an authentication device, connected to the operation terminal via a communication line and authenticating an operator who operates the operation terminal, and the in-vehicle control device; the in-vehicle control device is configured to determine whether to permit the operation terminal to perform operations that maintain the in-vehicle control device; the authentication device and the in-vehicle control device each comprise a variable code generation source that generates variable codes changing in synchrony with each other, a storage unit storing a common key unique to the vehicle and shared between the authentication device and the in-vehicle control device, and an authentication code generator that generates an authentication code using the variable code and the common key; the authentication device, on receiving an authentication request from the operation terminal, authenticates the operator and, when the operator authentication succeeds, acquires from the operation terminal information identifying the common key, generates the authentication code using the variable code and the common key, and sends it to the operation terminal; the operation terminal sends the authentication code received from the authentication device to the in-vehicle control device; and the in-vehicle control device generates the authentication code using the variable code and the common key and, when the generated authentication code matches the authentication code received from the operation terminal, permits the operation terminal to perform operations that maintain the in-vehicle control device.
2. The authentication system according to claim 1, wherein the variable code generation source generates, as the variable code, a time synchronized between the authentication device and the in-vehicle control device, and the authentication code generator generates a one-time password as the authentication code by applying a hash function shared between the authentication device and the in-vehicle control device to the variable code and the common key.
3. The authentication system according to claim 1, wherein the variable code generation source uses, as the variable code, information that the authentication device and the in-vehicle control device can receive in synchrony, and the authentication code generator generates a one-time password as the authentication code by applying a hash function shared between the authentication device and the in-vehicle control device to the variable code and the common key.
4. The authentication system according to claim 1, wherein the variable code generation source uses, as the variable code, information identifying the number of times the authentication code generator has generated the authentication code, and the authentication code generator uses, in place of the variable code and the common key, a superimposed code obtained by applying a hash function shared between the authentication device and the in-vehicle control device to the common key that number of times in superimposition, and generates a one-time password as the authentication code.
5. The authentication system according to claim 4, wherein the authentication code generator stores in the storage unit the number of times it has generated the authentication code and, when next generating the authentication code, uses, in place of the variable code and the common key, a superimposed code obtained by applying the hash function shared between the authentication device and the in-vehicle control device to the common key the stored number of times in superimposition.
6. The authentication system according to claim 4, wherein the authentication code generator stores the superimposed code in the storage unit and, when next generating the authentication code, applies the hash function shared between the authentication device and the in-vehicle control device only once to the stored superimposed code, re-stores the result, and uses it in place of the variable code and the common key.
7. The authentication system according to claim 4, wherein the authentication code generator of the in-vehicle control device, when the generated authentication code does not match the authentication code received from the operation terminal, sends authentication error data describing this to the operation terminal, and the operation terminal forwards the authentication error data to the authentication device.
8. The authentication system according to claim 1, wherein the authentication code generators of the authentication device and of the in-vehicle control device each generate the authentication code using, in addition to the variable code and the common key, a terminal ID unique to the operation terminal.
9. An in-vehicle control device that controls the operation of a vehicle, comprising: a variable code generation source that generates a variable code changing in synchrony with a variable code generated by an authentication device that authenticates an operator operating an operation terminal used to maintain the in-vehicle control device; a storage unit storing a common key unique to the vehicle and shared between the authentication device and the in-vehicle control device; and an authentication code generator that generates an authentication code using the variable code and the common key; wherein the authentication code generator receives the authentication code from the operation terminal, generates the authentication code using the variable code and the common key, and, when the generated authentication code matches the authentication code received from the operation terminal, permits the operation terminal to perform operations that maintain the in-vehicle control device.
10. The in-vehicle control device according to claim 9, wherein the variable code generation source generates, as the variable code, a time synchronized between the authentication device and the in-vehicle control device, and the authentication code generator generates a one-time password as the authentication code by applying a hash function shared between the authentication device and the in-vehicle control device to the variable code and the common key.
11. The in-vehicle control device according to claim 9, wherein the variable code generation source uses, as the variable code, information that the authentication device and the in-vehicle control device can receive in synchrony, and the authentication code generator generates a one-time password as the authentication code by applying a hash function shared between the authentication device and the in-vehicle control device to the variable code and the common key.
12. The in-vehicle control device according to claim 9, wherein the variable code generation source uses, as the variable code, information identifying the number of times the authentication code generator has generated the authentication code, and the authentication code generator uses, in place of the variable code and the common key, a superimposed code obtained by applying a hash function shared between the authentication device and the in-vehicle control device to the common key that number of times in superimposition, and generates a one-time password as the authentication code.
13. The in-vehicle control device according to claim 12, wherein the authentication code generator stores the superimposed code in the storage unit and, when next generating the authentication code, applies the hash function shared between the authentication device and the in-vehicle control device only once to the stored superimposed code, re-stores the result, and uses it in place of the variable code and the common key.
14. The in-vehicle control device according to claim 12, wherein the authentication code generator, when the generated authentication code does not match the authentication code received from the operation terminal, sends authentication error data describing this to the operation terminal.
15. The in-vehicle control device according to claim 9, wherein the authentication code generator generates the authentication code using, in addition to the variable code and the common key, a terminal ID unique to the operation terminal.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2016505107A JP6078686B2 (ja) | 2014-02-28 | 2015-01-23 | 認証システム、車載制御装置 |
US15/120,782 US10095859B2 (en) | 2014-02-28 | 2015-01-23 | Authentication system and car onboard control device |
EP15754771.2A EP3113057B1 (en) | 2014-02-28 | 2015-01-23 | Authentication system and car onboard control device |
CN201580010328.4A CN106030600B (zh) | 2014-02-28 | 2015-01-23 | 认证***、车载控制装置 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014-038125 | 2014-02-28 | ||
JP2014038125 | 2014-02-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015129352A1 true WO2015129352A1 (ja) | 2015-09-03 |
Family
ID=54008681
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/051755 WO2015129352A1 (ja) | 2014-02-28 | 2015-01-23 | 認証システム、車載制御装置 |
Country Status (5)
Country | Link |
---|---|
US (1) | US10095859B2 (ja) |
EP (1) | EP3113057B1 (ja) |
JP (1) | JP6078686B2 (ja) |
CN (1) | CN106030600B (ja) |
WO (1) | WO2015129352A1 (ja) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107729757A (zh) * | 2016-08-10 | 2018-02-23 | 福特全球技术公司 | 软件更新之前的软件认证 |
WO2019004097A1 (ja) * | 2017-06-27 | 2019-01-03 | Kddi株式会社 | 保守システム及び保守方法 |
WO2019012888A1 (ja) * | 2017-07-12 | 2019-01-17 | 住友電気工業株式会社 | 車載装置、管理方法および管理プログラム |
JP2019508763A (ja) * | 2016-01-29 | 2019-03-28 | グーグル エルエルシー | ローカルデバイス認証 |
JP2020088836A (ja) * | 2018-11-15 | 2020-06-04 | Kddi株式会社 | 車両メンテナンスシステム、メンテナンスサーバ装置、管理サーバ装置、車載装置、メンテナンスツール、コンピュータプログラム及び車両メンテナンス方法 |
JP2020086540A (ja) * | 2018-11-15 | 2020-06-04 | Kddi株式会社 | メンテナンスサーバ装置、車両メンテナンスシステム、コンピュータプログラム及び車両メンテナンス方法 |
JP2020092289A (ja) * | 2018-12-03 | 2020-06-11 | 大日本印刷株式会社 | 機器統合システム及び更新管理システム |
US11914748B2 (en) | 2020-06-22 | 2024-02-27 | Toyota Jidosha Kabushiki Kaisha | Apparatus and method for collecting data |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6079768B2 (ja) * | 2014-12-15 | 2017-02-15 | トヨタ自動車株式会社 | 車載通信システム |
US10277597B2 (en) | 2015-11-09 | 2019-04-30 | Silvercar, Inc. | Vehicle access systems and methods |
US10098027B2 (en) * | 2016-06-01 | 2018-10-09 | Anatrope, Inc. | Methods and apparatus for intercepting and analyzing signals emitted from vehicles |
US10399706B1 (en) * | 2016-06-22 | 2019-09-03 | Amazon Technologies, Inc. | Unmanned aerial vehicle maintenance troubleshooting decision tree |
US10783724B2 (en) * | 2016-11-07 | 2020-09-22 | Raytheon Technologies Corporation | Vehicle data collection system and method |
JP6683588B2 (ja) * | 2016-11-10 | 2020-04-22 | Kddi株式会社 | 再利用システム、サーバ装置、再利用方法、及びコンピュータプログラム |
US10504373B2 (en) * | 2016-12-29 | 2019-12-10 | Bosch Automotive Service Solutions Inc. | Vehicular zone locating system |
US10491392B2 (en) * | 2017-03-01 | 2019-11-26 | Ford Global Technologies, Llc | End-to-end vehicle secure ECU unlock in a semi-offline environment |
JP6956624B2 (ja) * | 2017-03-13 | 2021-11-02 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | 情報処理方法、情報処理システム、及びプログラム |
US11539518B2 (en) * | 2017-05-17 | 2022-12-27 | Apple Inc. | Time-based encryption key derivation |
JP6696942B2 (ja) * | 2017-08-14 | 2020-05-20 | Kddi株式会社 | 車両保安システム及び車両保安方法 |
US10464529B1 (en) * | 2018-11-15 | 2019-11-05 | Didi Research America, Llc | Method and system for managing access of vehicle compartment |
US20230108551A1 (en) * | 2020-03-18 | 2023-04-06 | Hitachi Astemo, Ltd. | Cross-referencing device |
CN111709538B (zh) * | 2020-05-25 | 2023-11-24 | 中国商用飞机有限责任公司 | 用于认证飞行器的地面维护设备的***和方法 |
JPWO2022091544A1 (ja) | 2020-10-28 | 2022-05-05 | ||
JP2023049593A (ja) | 2021-09-29 | 2023-04-10 | 株式会社デンソー | 車両用デジタルキーシステム、車両用デジタルキー管理方法、車両用装置、携帯端末 |
JP2023049594A (ja) | 2021-09-29 | 2023-04-10 | 株式会社デンソー | 車両用デジタルキーシステム、車両用デジタルキー管理方法、車両用装置、携帯端末 |
JP2023049595A (ja) | 2021-09-29 | 2023-04-10 | 株式会社デンソー | 車両用デジタルキーシステム、車両用デジタルキー管理方法、車両用装置、携帯端末 |
US11741217B1 (en) * | 2022-11-09 | 2023-08-29 | Ten Root Cyber Security Ltd. | Systems and methods for managing multiple valid one time password (OTP) for a single identity |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001225706A (ja) * | 1999-12-07 | 2001-08-21 | Denso Corp | 電子制御装置の制御情報書換システム、当該システムに用いられるセンタ、電子制御装置、及び書換装置 |
US20060041337A1 (en) * | 2004-08-19 | 2006-02-23 | Augsburger Brett N | Web-enabled engine reprogramming |
JP2013192091A (ja) * | 2012-03-14 | 2013-09-26 | Denso Corp | 通信システム、中継装置、車外装置及び通信方法 |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7068147B2 (en) * | 1999-12-07 | 2006-06-27 | Denso Corporation | Control information rewriting system |
US6694235B2 (en) * | 2001-07-06 | 2004-02-17 | Denso Corporation | Vehicular relay device, in-vehicle communication system, failure diagnostic system, vehicle management device, server device and detection and diagnostic program |
JP4576997B2 (ja) * | 2004-04-28 | 2010-11-10 | 株式会社デンソー | 通信システム、鍵配信装置、暗号処理装置 |
US7721107B2 (en) * | 2006-02-10 | 2010-05-18 | Palo Alto Research Center Incorporated | Physical token for supporting verification of human presence in an online environment |
JP2008059450A (ja) | 2006-09-01 | 2008-03-13 | Denso Corp | 車両情報書換えシステム |
US20110047630A1 (en) * | 2007-02-09 | 2011-02-24 | Agency For Science, Technology And Research | Method and system for tamper proofing a system of interconnected electronic devices |
WO2009147734A1 (ja) * | 2008-06-04 | 2009-12-10 | 株式会社ルネサステクノロジ | 車両、メンテナンス装置、メンテナンスサービスシステム及びメンテナンスサービス方法 |
KR101532587B1 (ko) * | 2009-05-13 | 2015-07-01 | 삼성전자주식회사 | 차량과 이동 단말기간의 데이터 전송 방법 및 인터페이스 장치 |
US9069940B2 (en) * | 2010-09-23 | 2015-06-30 | Seagate Technology Llc | Secure host authentication using symmetric key cryptography |
CN102183945B (zh) * | 2011-01-17 | 2012-11-14 | 武汉理工大学 | 一种多功能电控汽车远程故障诊断*** |
JP2013015884A (ja) | 2011-06-30 | 2013-01-24 | Toyota Infotechnology Center Co Ltd | 認証システムおよび認証方法 |
JP5479408B2 (ja) * | 2011-07-06 | 2014-04-23 | 日立オートモティブシステムズ株式会社 | 車載ネットワークシステム |
US9280653B2 (en) | 2011-10-28 | 2016-03-08 | GM Global Technology Operations LLC | Security access method for automotive electronic control units |
US8856536B2 (en) * | 2011-12-15 | 2014-10-07 | GM Global Technology Operations LLC | Method and apparatus for secure firmware download using diagnostic link connector (DLC) and OnStar system |
US8862888B2 (en) * | 2012-01-11 | 2014-10-14 | King Saud University | Systems and methods for three-factor authentication |
EP2808204B1 (en) * | 2012-01-25 | 2017-12-13 | Toyota Jidosha Kabushiki Kaisha | Vehicle remote operation information provision device, vehicle-mounted remote operation information acquisition device, and vehicle remote operation system comprising these devices |
CN102638562A (zh) * | 2012-02-01 | 2012-08-15 | 浙江大学 | 工程机械车辆联网应用的车载终端通信方法 |
DE102013101508A1 (de) * | 2012-02-20 | 2013-08-22 | Denso Corporation | Datenkommunikationsauthentifizierungssystem für ein Fahrzeug, Netzkopplungsvorrichtung für ein Fahrzeug, Datenkommunikationssystem für ein Fahrzeug und Datenkommunikationsvorrichtung für ein Fahrzeug |
CN104349947B (zh) * | 2012-05-29 | 2016-11-02 | 丰田自动车株式会社 | 认证***和认证方法 |
US8799657B2 (en) * | 2012-08-02 | 2014-08-05 | Gm Global Technology Operations, Llc | Method and system of reconstructing a secret code in a vehicle for performing secure operations |
US20140075517A1 (en) * | 2012-09-12 | 2014-03-13 | GM Global Technology Operations LLC | Authorization scheme to enable special privilege mode in a secure electronic control unit |
JP6036845B2 (ja) * | 2012-12-05 | 2016-11-30 | トヨタ自動車株式会社 | 車両用ネットワークの認証システム及び車両用ネットワークの認証方法 |
US20180063098A1 (en) * | 2016-08-29 | 2018-03-01 | David Robins | Vehicle Network Interface Tool |
2015
- 2015-01-23 WO PCT/JP2015/051755 patent/WO2015129352A1/ja active Application Filing
- 2015-01-23 CN CN201580010328.4A patent/CN106030600B/zh active Active
- 2015-01-23 EP EP15754771.2A patent/EP3113057B1/en active Active
- 2015-01-23 JP JP2016505107A patent/JP6078686B2/ja active Active
- 2015-01-23 US US15/120,782 patent/US10095859B2/en active Active
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2019508763A (ja) * | 2016-01-29 | 2019-03-28 | グーグル エルエルシー | ローカルデバイス認証 |
CN107729757A (zh) * | 2016-08-10 | 2018-02-23 | 福特全球技术公司 | 软件更新之前的软件认证 |
CN107729757B (zh) * | 2016-08-10 | 2024-05-17 | 福特全球技术公司 | 软件更新之前的软件认证 |
WO2019004097A1 (ja) * | 2017-06-27 | 2019-01-03 | Kddi株式会社 | 保守システム及び保守方法 |
JP2019009688A (ja) * | 2017-06-27 | 2019-01-17 | Kddi株式会社 | 保守システム及び保守方法 |
US11330432B2 (en) | 2017-06-27 | 2022-05-10 | Kddi Corporation | Maintenance system and maintenance method |
CN110892683A (zh) * | 2017-07-12 | 2020-03-17 | 住友电气工业株式会社 | 车载装置、管理方法和管理程序 |
JP2019021973A (ja) * | 2017-07-12 | 2019-02-07 | 住友電気工業株式会社 | 車載装置、管理方法および管理プログラム |
US11938897B2 (en) | 2017-07-12 | 2024-03-26 | Sumitomo Electric Industries, Ltd. | On-vehicle device, management method, and management program |
WO2019012888A1 (ja) * | 2017-07-12 | 2019-01-17 | 住友電気工業株式会社 | 車載装置、管理方法および管理プログラム |
JP2020088836A (ja) * | 2018-11-15 | 2020-06-04 | Kddi株式会社 | 車両メンテナンスシステム、メンテナンスサーバ装置、管理サーバ装置、車載装置、メンテナンスツール、コンピュータプログラム及び車両メンテナンス方法 |
JP2020086540A (ja) * | 2018-11-15 | 2020-06-04 | Kddi株式会社 | メンテナンスサーバ装置、車両メンテナンスシステム、コンピュータプログラム及び車両メンテナンス方法 |
JP2020092289A (ja) * | 2018-12-03 | 2020-06-11 | 大日本印刷株式会社 | 機器統合システム及び更新管理システム |
JP7143744B2 (ja) | 2018-12-03 | 2022-09-29 | 大日本印刷株式会社 | 機器統合システム及び更新管理システム |
US11914748B2 (en) | 2020-06-22 | 2024-02-27 | Toyota Jidosha Kabushiki Kaisha | Apparatus and method for collecting data |
Also Published As
Publication number | Publication date |
---|---|
EP3113057B1 (en) | 2020-07-01 |
EP3113057A1 (en) | 2017-01-04 |
CN106030600A (zh) | 2016-10-12 |
CN106030600B (zh) | 2018-10-16 |
US10095859B2 (en) | 2018-10-09 |
EP3113057A4 (en) | 2017-10-11 |
JP6078686B2 (ja) | 2017-02-08 |
JPWO2015129352A1 (ja) | 2017-03-30 |
US20160371481A1 (en) | 2016-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6078686B2 (ja) | 認証システム、車載制御装置 | |
US10021113B2 (en) | System and method for an integrity focused authentication service | |
CN110785961B (zh) | 车载认证***、通信装置、车载认证装置、记录介质、通信装置的认证方法及制造方法 | |
US11330432B2 (en) | Maintenance system and maintenance method | |
JP5189073B2 (ja) | 動産、特に自動車を未許可の使用から保護する方法、コンピュータプログラム、および動産 | |
EP3704610A1 (en) | Systems and methods of providing and validating digital tickets | |
KR102639075B1 (ko) | 차량용 진단기 및 그 인증서 관리 방법 | |
JP2005050308A (ja) | 個人認証デバイスとこのシステムおよび方法 | |
JP6609788B1 (ja) | 情報通信機器、情報通信機器用認証プログラム及び認証方法 | |
KR20150052261A (ko) | 액세스 요청을 검증하기 위한 방법 및 시스템 | |
US20170041150A1 (en) | Device certificate providing apparatus, device certificate providing system, and non-transitory computer readable recording medium which stores device certificate providing program | |
JP5183517B2 (ja) | 情報処理装置及びプログラム | |
WO2001082035A2 (en) | Method and apparatus verifying parts and parts lists in an assembly | |
CN112887099A (zh) | 数据签名方法、电子设备及计算机可读存储介质 | |
KR101611099B1 (ko) | 본인 실명 확인을 위한 인증 토큰 발급 방법, 인증 토큰을 이용하는 사용자 인증 방법 및 이를 수행하는 장치 | |
CN102474498B (zh) | 用户识别设备认证方法 | |
KR20230029952A (ko) | 차량에 개별 인증서의 보안 탑재를 위한 방법 | |
Mansor | Security and privacy aspects of automotive systems | |
US20220269770A1 (en) | Information processing system, server apparatus, information processing method, and computer program product | |
CN110972141B (zh) | 信息验证方法、装置、电子设备及可读存储介质 | |
KR102378989B1 (ko) | 산업제어시스템 운영 환경을 고려한 취약점 시험 결과 확인 시스템 및 방법 | |
JP5386860B2 (ja) | 決済システム、決済処理装置、正当性検証装置、正当性検証要求処理プログラム、正当性検証処理プログラム、及び正当性検証方法 | |
TWI633231B (zh) | Smart lock and smart lock control method | |
JP6023689B2 (ja) | 電子デバイス、認証方法、プログラム | |
KR20190133652A (ko) | 모바일 어플리케이션을 이용한 결제방법 및 이를 위한 장치 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15754771; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2016505107; Country of ref document: JP; Kind code of ref document: A |
| REEP | Request for entry into the european phase | Ref document number: 2015754771; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 15120782; Country of ref document: US; Ref document number: 2015754771; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |