US20130219170A1 - Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle - Google Patents
- Publication number
- US20130219170A1, US13/771,696
- Authority
- US
- United States
- Prior art keywords
- authentication
- data
- vehicular
- control device
- ecu
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0471—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Definitions
- the present disclosure relates to a vehicular data communication authentication system in which an external tool is connectable to an electronic control unit (ECU).
- the present disclosure also relates to a vehicular gateway apparatus connected with the vehicular data communication authentication system to partition the external tool from the ECU.
- the present disclosure also relates to a vehicular data communication system including a vehicular data communication apparatus connected with multiple nodes through a bus.
- the present disclosure also relates to such a vehicular data communication apparatus.
- CAN: controller area network
- the CAN provides a data field for storing data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing a CRC check, etc.
- a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.
- a vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device.
- the authentication device performs authentication of the external tool connected to the bus.
- the authentication control device determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
- When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
- After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- a vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device.
- the authentication device performs authentication of a vehicle state.
- the authentication control device determines whether or not a result of the authentication of the vehicle state performed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
- When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
- After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- a vehicular gateway apparatus in a vehicular data authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device.
- the authentication device performs authentication of the external tool connected to the bus.
- the authentication control device determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
- When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
- After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device ( 102 e ); a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- a vehicular gateway apparatus in a vehicular data authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device.
- the authentication device performs authentication of a vehicle state.
- the authentication control device determines whether or not a result of the authentication of the vehicle state performed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
- When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
- After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device ( 102 e ); a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
- the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
- the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data.
- the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
- Each node includes a decryption information storage device and a decryption control device. For each bus connected with the data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
- a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
- the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
- the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data.
- the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
- Each node includes a decryption information storage device and a decryption control device. For each data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
- the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
- the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
- the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted.
- an encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
- Each node includes a decryption information storage device and a decryption control device. For each identifier indicative of the type of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
- the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
- the vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each data storage area of a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted.
- the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
- Each node includes a decryption information storage device and a decryption control device. For each data storage area of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
- the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- FIG. 1 is a functional block diagram illustrating a data communication authentication system of a first example of a first embodiment
- FIG. 2 is a sequence diagram illustrating operations
- FIG. 3 is a sequence diagram illustrating operations performed after those in FIG. 2 ;
- FIG. 4 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus discards a data request command in response to a negative result of authentication
- FIG. 5 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus includes a timer for maintaining an authenticated state
- FIG. 6 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an external tool;
- FIG. 7 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an access target ECU;
- FIG. 8 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a vehicle state satisfies a predetermined condition
- FIG. 9 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a bus is in a communicating state;
- FIG. 10 is a functional block diagram illustrating a data communication authentication system of a second example of the first embodiment
- FIG. 11 is a sequence diagram illustrating operations of the second example of the first embodiment
- FIG. 12 is a functional block diagram illustrating a data communication authentication system of a third example of the first embodiment
- FIG. 13 is a sequence diagram illustrating operations of the third example of the first embodiment
- FIG. 14 is a functional block diagram illustrating a data communication authentication system of a fourth example of the first embodiment
- FIG. 15 is a sequence diagram illustrating operations of the fourth example of the first embodiment
- FIG. 16 is a functional block diagram illustrating a data communication authentication system of a fifth example of the first embodiment
- FIG. 17 is a sequence diagram illustrating operations of the fifth example of the first embodiment.
- FIG. 18 is a functional block diagram illustrating a data communication authentication system of a sixth example of the first embodiment
- FIG. 19 is a sequence diagram illustrating operations of the sixth example of the first embodiment.
- FIG. 20 is a sequence diagram illustrating operations of a seventh example of the first embodiment
- FIG. 21 is a sequence diagram illustrating operations of an eighth example of the first embodiment.
- FIG. 22 is a sequence diagram illustrating operations of a ninth example of the first embodiment
- FIG. 23 is a sequence diagram illustrating operations of a tenth example of the first embodiment
- FIG. 24 is a functional block diagram illustrating a vehicular data communication system of a first example of a second embodiment
- FIG. 25 is a sequence diagram illustrating operations in a first situation in accordance with the first example of the second embodiment
- FIG. 26 is a sequence diagram illustrating operations in a second situation in accordance with the first example of the second embodiment
- FIG. 27 is a sequence diagram illustrating operations in a third situation in accordance with the first example of the second embodiment
- FIG. 28 is a block diagram illustrating an encryption table and a decryption table in accordance with the first example of the second embodiment
- FIG. 29 is a functional block diagram illustrating a vehicular data communication system of a second example of the second embodiment
- FIG. 30 is a block diagram illustrating an encryption table and a decryption table in accordance with the second example of the second embodiment
- FIG. 31 is a functional block diagram illustrating a vehicular data communication system of a third example of the second embodiment
- FIG. 32 is a diagram illustrating a configuration of a data frame
- FIG. 33 is a functional block diagram illustrating a vehicular data communication system of a fourth example of the second embodiment.
- a first embodiment will be described with reference to FIGS. 1 to 23 .
- A first example of the first embodiment will be described with reference to FIGS. 1 to 9 .
- a vehicular gateway apparatus 102 is connected with a bus 106 so that the gateway apparatus 102 partitions (separates) multiple electronic control units (ECUs) 103 , 104 from an external tool 105 (an operating device) operable by an operator.
- ECUs: electronic control units
- In FIG. 1 , two ECUs are illustrated as the multiple ECUs 103 , 104 .
- a portion of the bus 106 on an ECU side of the gateway apparatus 102 is referred to as an ECU-side bus 106 a . That is, the ECU-side bus 106 a is a bus for transmitting data between the gateway apparatus 102 and the ECUs 103 , 104 .
- a portion of the bus 106 on an external tool side of the gateway apparatus 102 is referred to as an external-tool-side bus 106 b . That is, the external-tool-side bus 106 b is a bus for transmitting data between the gateway apparatus 102 and the external tool 105 .
- the ECUs 103 , 104 may include, for example, an engine ECU for controlling operation of the engine, a door lock ECU for controlling operation of door lock mechanism, a navigation ECU for controlling navigation operation, a meter ECU for controlling operation of a meter (indicator), or the like.
- the number of ECUs may be two, three or more, or may be one.
- the external-tool-side bus 106 b is provided with a connector 107 to which the external tool 105 is detachably connectable. By being connected to the connector 107 , the external tool 105 is connected to the external-tool-side bus 106 b and becomes able to perform the data communication with the gateway apparatus 102 .
- the bus 106 adopts a controller area network (CAN) as a data communication method.
- the CAN communication defines a data field for storing data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing a CRC check, etc.
- CRC: cyclic redundancy check
- a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
- the gateway apparatus 102 includes a control device 102 a , an ECU-side bus communication device 102 b , an external-tool-side bus communication device 102 c , an authentication device 102 d , an authentication control device 102 e , a communication control device 102 f , a filtering device 102 g , and an authentication maintain device 102 h .
- the authentication device 102 d can correspond to an example of authentication means or device, and an example of second authentication means or device.
- the authentication control device 102 e can correspond to an example of authentication control means or device, and an example of authentication control means or device.
- the communication control device 102 f can correspond to an example of communication control means or device, and an example of communication control means or device.
- the authentication maintain device 102 h can correspond to an example of authentication maintain means or device, and an example of authentication maintain means or device.
- the control device 102 a includes a microcomputer. By executing a control program with the microcomputer, the control device 102 a controls operations of the ECU-side bus communication device 102 b , the external-tool-side bus communication device 102 c , the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g , and the authentication maintain device 102 h .
- the ECU-side bus communication device 102 b is connected with the ECU-side bus 106 a , and controls communication, such as data transmission and receipt, with the ECUs 103 and 104 .
- the external-tool-side bus communication device 102 c is connected with the external-tool-side bus 106 b .
- the external-tool-side bus communication device 102 c controls communications, such as data transmission and receipt, with the external tool 105 .
- the authentication device 102 d performs authentication of the external tool 105 (a procedure of the authentication will be described later). Based on a result of the authentication of the external tool 105 by the authentication device 102 d , the authentication control device 102 e sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. Specifically, when the result of the authentication of the external tool 105 is affirmative, the authentication control device 102 e sets an authenticated state and permits the data communication between the external tool 105 and the access target ECU. When the result of the authentication of the external tool 105 is negative (not affirmative), the authentication control device 102 e does not set the authenticated state and prohibits the data communication between the external tool 105 and the access target ECU.
- the communication control device 102 f sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited.
- a reason for this exceptional permission is as follows. In a data communication for a vehicle, since it is necessary to always permit a certain part of the data communication, the communication control device 102 f exceptionally permits the data communication for a specified data (e.g., the below-described regulation message) between the external tool 105 and the access target ECU.
- the filtering device 102 g exceptionally permits only the specified data communication.
- When the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains the set authenticated state. That is, when the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains a period of permitting the data communication between the external tool 105 and the access target ECU.
- the control device 102 a has an encryption function and a decryption function. Specifically, when the external-tool-side-bus communication device 102 c receives a plaintext command from the external tool 105 , the control device 102 a encrypts and rewrites the received plaintext command into an encrypted-text command. When the ECU-side-bus communication device 102 b receives an encrypted-text command from the ECU 103 or the ECU 104 , the control device 102 a decrypts and rewrites the received encrypted-text command into a plaintext command.
- the encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public key and the decryption is performed with a private key. Alternatively, the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common key.
- the ECU 103 includes a control device 103 a , a bus communication device 103 b , and a vehicle state input device 103 c .
- the control device 103 a includes a microcomputer. By executing a control program with the microcomputer, the control device 103 a controls the bus communication device 103 b and the vehicle state input device 103 c .
- the bus communication device 103 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
- the vehicle state input device 103 c receives and inputs a vehicle state from an external device (e.g., various sensors, different ECUs, wireless communication device etc).
- the vehicle state inputted by the vehicle state input device 103 c may be, for example, an immobilizer state (locked state or unlocked state), an ignition (IG) switch state (on and off), a door state (open state or closed state), or the like.
- the ECU 104 includes a control device 104 a and a bus communication device 104 b .
- the control device 104 a includes a microcomputer. By executing a control program with the microcomputer, the control device 104 a controls the bus communication device 104 b .
- the bus communication device 104 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
- If the ECU 103 or 104 is the engine ECU, for example, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the engine in addition to the above-described functional blocks. If the ECU 103 or 104 is the door lock ECU, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the door lock mechanism in addition to the above-described functional blocks. The same is applicable to cases where the ECU 103 or 104 is an ECU other than the engine ECU and the door lock ECU. Alternatively, both of the ECU 103 and the ECU 104 receive and input the vehicle states from external devices.
- the external tool 105 includes a control device 105 a , a bus communication device 105 b and an input/output interface (IF) 105 c .
- the control device 105 a includes a microcomputer. By executing a control program with the microcomputer, the control device 105 a controls operations of the bus communication device 105 b and the input/output interface (IF) 105 c .
- the bus communication device 105 b is connected with the external-tool-side bus 106 b and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
- the input/output IF 105 c has a function to accept an input operation from the operator operating the external tool 105 , and has a function to issue a notification by, for example, displaying data.
- the operator can rewrite the control program of the access target ECU and read out data from the access target ECU.
- the external tool 105 is not limited to a dedicated apparatus for rewriting the control program of the access target ECU and reading out the data from the access target ECU.
- the external tool 105 may be a cellular phone, a personal digital assistant or the like having the above functions.
- the control device 105 a of the external tool 105 determines that the external tool 105 is connected to the connector 107 .
- the control device 105 a transmits an authentication seed request command from the bus communication device 105 b to the gateway apparatus 102 .
- When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the authentication seed request command from the external tool 105 , the control device 102 a generates an authentication seed at B 101 (see FIG. 2 ) and transmits the generated authentication seed from the external-tool-side-bus communication device 102 c to the external tool 105 .
- the authentication seed includes information used in generating the below-described authentication code, and is written as a random number.
- When the control device 105 a of the external tool 105 determines that the bus communication device 105 b receives the authentication seed from the gateway apparatus 102 , the control device 105 a generates an authentication code based on the authentication seed (while associating the authentication code with the authentication seed) at A 101 , and the control device 105 a transmits the generated authentication code from the bus communication device 105 b to the gateway apparatus 102 .
- the authentication code is expressed as a random number, like the authentication seed. In the above, it is assumed that the external tool 105 does not possess the authentication seed. However, the external tool 105 may possess the authentication seed. In this configuration, the external tool 105 may generate the authentication code based on the authentication seed possessed by the external tool 105 itself and may transmit the generated authentication code from the bus communication device 105 b to the gateway apparatus 102 .
- When the control device 102 a determines that the external-tool-side-bus communication device 102 c receives the authentication code from the external tool 105 , the control device 102 a performs B 102 . Specifically, at B 102 , the control device 102 a performs a cross-check between the authentication seed, which was transmitted to the external tool 105 , and the authentication code received from the external tool 105 , and determines whether or not the result of the authentication of the external tool 105 is affirmative.
- a proper external tool, which is connected to the connector 107 by a proper operator, is equipped with a function to (i) correctly generate an authentication code based on the authentication seed received from the gateway apparatus 102 and (ii) transmit the correctly-generated authentication code to the gateway apparatus 102 . Therefore, when the proper operator connects the proper external tool to the connector 107 , there is a match between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes affirmative.
- An improper external tool, which may be connected to the connector 107 by a third party having a bad intention, is not equipped with the function to correctly generate the authentication code based on the authentication seed received from the gateway apparatus 102 .
- the improper external tool is unable to correctly generate an authentication code or transmit the authentication code to the gateway apparatus, or may transmit an incorrect authentication code to the gateway apparatus 102 .
- When a third party having a bad intention connects an improper external tool to the connector 107 , there is a mismatch between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes not affirmative.
- When the control device 102 a determines that the result of the authentication of the external tool 105 is affirmative and the external tool 105 is a proper external tool (YES at B 103 ), the control device 102 a performs B 104 .
- the control device 102 a transmits an affirmative authentication result response command, which indicates that the result of the authentication is affirmative, from the external-tool-side-bus communication device 102 c to the external tool 105 , and additionally, the control device 102 a sets the authenticated state, which is a state where the external tool 105 is authenticated.
- Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 and permits the data communication. Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 and prohibits the data communication.
- When the control device 105 a accepts, for example, the input operation from the operator after the control device 105 a determines that the bus communication device 105 b receives the affirmative authentication response command from the gateway apparatus 102 , the control device 105 a transmits the data request command from the bus communication device 105 b to the gateway apparatus in accordance with the input operation.
- the data request command transmitted from the external tool 105 to the gateway apparatus 102 includes information for identifying the access target ECU 104 , which is a destination of the data request command.
- When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the data request command from the external tool 105 , the control device 102 a performs B 105 . Specifically, at B 105 , the control device 102 a analyzes the received data request command and determines whether or not it is necessary to perform the authentication of the external tool 105 . For example, by determining whether the data request command is a regulation message (regulation command) or a non-regulation message (non-regulation command), the control device 102 a determines whether or not it is necessary to perform the authentication of the external tool 105 .
- the law-regulation message is a message that imposes an obligation to answer in response to the request from the external tool 105 .
- the regulation message may be a message that requests data about, for example, an engine system, or the like.
- the non-regulation message is a message that does not impose an obligation to answer in response to the request from the external tool 105 . It should be noted that a determination of whether the data request command is a regulation message or a non-regulation message may correspond to a determination of whether the access target ECU 104 , which is a transmission destination of the data request command, is a regulation ECU or a non-regulation ECU.
- When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to perform the authentication of the external tool 105 (YES at B 105 ), the control device 102 a performs B 106 .
- the control device 102 a determines whether the result of the previously-performed authentication is affirmative or negative.
- When the control device 102 a determines that the result of the previously-performed authentication is affirmative (YES at B 106 ), the process proceeds to B 107 .
- the control device 102 a determines whether or not it is necessary to encrypt the data request command. Specifically, the control device 102 a determines whether the data request command is the regulation message or the non-regulation message, thereby determining whether or not it is necessary to encrypt the data request command.
- When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to encrypt the data request command (YES at B 107 ), the control device 102 a encrypts the data request command (B 108 ) and transmits the encrypted data request command from the ECU-side-bus communication device 102 b to the access target ECU 104 .
- When the control device 102 a determines that the data request command is the regulation message and determines that it is unnecessary to encrypt the data request command (NO at B 107 ), the control device 102 a transmits, without encrypting the data request command, the data request command from the ECU-side-bus communication device 102 b to the access target ECU 104 .
- the control device 104 a determines whether or not it is necessary to decrypt the received data request command (C 101 ). Specifically, when the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is the encrypted data request command, the control device 104 a determines that it is necessary to decrypt the data request command (YES at C 101 ). In this case, the control device 104 a decrypts the data request command (C 102 ) and performs data processing according to content of the data request command (C 103 ).
- the data processing may include rewriting a control program, reading out data, or the like.
- When the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is not encrypted, the control device 104 a determines that it is unnecessary to decrypt the data request command (NO at C 101 ). In this case, the control device 104 a performs the data processing according to the content of the data request command (C 103 ).
- the control device 104 a determines whether or not it is necessary to encrypt a data response command indicative of the completion of the data processing (C 104 ). For example, when the data request command received from the gateway apparatus 102 is encrypted, the control device 104 a determines that it is necessary to encrypt a data response command indicative of the completion of the data processing. When the data request command received from the gateway apparatus 102 was not encrypted, the control device 104 a determines that it is unnecessary to encrypt the data response command indicative of the completion of the data processing.
- importance degrees of data response commands may be preset, and the control device 104 a may determine whether or not it is unnecessary to encrypt the data response command indicative of the completion of the data processing, regardless of whether or not the data request command received from the gateway apparatus 102 was encrypted.
- When the control device 104 a determines that it is necessary to encrypt the data response command (YES at C 104 ), the control device 104 a encrypts the data response command (C 105 ) and transmits the encrypted data response command from the bus communication device 104 b to the vehicular gateway apparatus 102 .
- When the control device 104 a determines that it is unnecessary to encrypt the data response command (NO at C 104 ), the control device 104 a transmits, without encrypting the data response command, the data response command from the bus communication device 104 b to the vehicular gateway apparatus 102 .
- When the control device 102 a determines that the ECU-side-bus communication device 102 b receives the data response command from the access target ECU 104 , the control device 102 a determines whether or not it is necessary to decrypt the received data response command (B 109 ). Specifically, when the control device 102 a determines that the data response command received from the access target ECU 104 is encrypted, the control device 102 a determines that it is necessary to decrypt the received data response command (YES at B 109 ).
- the control device 102 a decrypts the encrypted data response command (B 110 ) and transmits the decrypted data response command from the external-tool-side communication device 102 c to the external tool 105 .
- When the control device 102 a determines that the data response command received from the access target ECU 104 is not encrypted, the control device 102 a determines that it is unnecessary to decrypt the received data response command (NO at B 109 ). In this case, the control device 102 a transmits, without decrypting, the data response command from the external-tool-side communication device 102 c to the external tool 105 .
- the control device 102 a of vehicular gateway apparatus 102 performs the authentication of the external tool 105 .
- the control device 102 a specifies the external tool 105 connected to the connector 107 as a proper external tool 105 , and sets the authenticated state (step B 104 ), as illustrated in FIG. 2 .
- the control device 102 a permits receipt of a data request command regardless of whether the data request command is a regulation message or a non-regulation message.
- When the control device 102 a determines that the result of the authentication of the external tool 105 is negative (NO at B 103 ), the control device 102 a specifies the external tool 105 connected to the connector 107 as an improper external tool, and does not set the authenticated state. Therefore, when the control device 102 a determines that a data request command from the external tool 105 is a non-regulation message requiring the authentication, the control device 102 a discards the data request command and rejects the receipt of the data request command to reject the data communication (B 111 ), because the result of the previously-performed authentication is negative and the authenticated state is not set. That is, at B 111 , the control device 102 a rejects the data communication. In this case, the rejection of the receipt of the data request command may include nullifying the data request command without discarding the data request command. That is, the rejection of the receipt of the data request command may include prohibiting the processing in line with the content of the data request command.
- the vehicular gateway apparatus 102 encrypts the data request command received from the external tool 105 .
- the external tool 105 may have a function to encrypt the data request command, and may encrypt the data request command on an as-needed basis.
- When the control device 102 a determines that the result of the authentication is affirmative, the control device 102 a sets the authenticated state to permit the receipt of the data request command from the external tool 105 .
- a period of maintaining the authenticated state is managed in the following ways.
- the control device 102 a manages the period of maintaining the authenticated state, based on the following first to fourth periods:
- the control device 102 a sets the authenticated state (B 104 ), starts an authentication maintain timer for counting a predetermined time (B 112 ), and monitors whether or not the authentication maintain timer reaches the predetermined time (B 113 ).
- When the control device 102 a determines that the authentication maintain timer reaches the predetermined time (YES at B 113 ), the control device 102 a ends the authenticated state.
- the period of maintaining the authenticated state is managed by the vehicular gateway apparatus 102 alone.
- the predetermined time to be counted by the authentication maintain timer may be an initial value set in production, or may be a set value which is set and inputted by the operator operating the external tool 105 .
- the Second Period (a Period During which the Authenticated State Maintain Request Signal is Inputted from an External).
- One example is illustrated in FIG. 6 .
- the control device 102 a of the vehicular gateway apparatus 102 maintains the authenticated state within a period during which the control device 102 a determines that the authenticated state maintain request command is received by the external-tool-side-bus communication device 102 c .
- the control device 102 a ends the authenticated state (B 114 ).
- the external tool 105 leads the control of the period of maintaining the authenticated state.
- Another example is illustrated in FIG. 7 .
- the control device 102 a of the vehicular gateway apparatus 102 transmits an authenticated state notice command from the ECU-side-bus communication device 102 b to the access target ECU 104 , so that the access target ECU 104 transmits the authenticated state maintain request command.
- When the control device 102 a determines that the authenticated state maintain request command from the access target ECU 104 is received by the ECU-side-bus communication device 102 b , the control device 102 a maintains the authenticated state.
- Upon determining that the authenticated state end request command from the access target ECU is received by the ECU-side-bus communication device 102 b , the control device 102 a ends the authenticated state (B 114 ). In this example, the access target ECU 104 leads the control of the period of maintaining the authenticated state. It should be noted that the predetermined period during which the external tool 105 or the access target ECU 104 periodically transmits the authenticated state maintain request command to the vehicular gateway apparatus 102 may be an initial value set in production or may be a set value which is set and inputted by the operator operating the external tool 105 .
- the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition (B 115 ), by receiving the vehicle state from the ECU 104 through the ECU-side-bus communication device 102 b .
- the predetermined condition may be one of the following: the immobilizer is in an unlocked state (released state); the ignition switch is off; and the door is in a closed state. That is, when at least one of the above three conditions is satisfied, the control device 102 a determines that the vehicle state satisfies the predetermined condition (YES at B 115 ).
- During a period of determining that the vehicle state satisfies the predetermined condition, the control device 102 a maintains the authenticated state. When the control device 102 a determines that the vehicle state no longer satisfies the predetermined condition (NO at B 115 ), the control device 102 a ends the authenticated state. In this case, the vehicular gateway apparatus 102 leads the control of the period of maintaining the authenticated state.
- the control device 102 a of the vehicular gateway apparatus 102 determines whether or not the bus 106 is in the communicating state (B 116 ). Specifically, when the control device 102 a determines that one of the ECU-side-bus communication device 102 b and the external-tool-bus communication device 102 b is in the communicating state, the control device 102 a determines that the bus 106 is in the communicating state (YES at B 116 ). Within the period during which the control device 102 a determines that the bus is in the communicating state, the control device 102 a maintains the authenticated state.
- Upon determining that the bus 106 is changed into a not-communicating state (NO at B 116 ), the control device 102 a ends the authenticated state (B 114 ). In this case, the vehicular gateway apparatus manages the period of maintaining the authenticated state, based on the communicating state of the bus 106 .
- the vehicular gateway apparatus 102 is connected with the bus 106 so as to partition (separate) the external tool 105 from the ECU 103 and the ECU 104 .
- the vehicular gateway apparatus 102 performs the authentication of the external tool 105 .
- the vehicular gateway apparatus 102 sets the authenticated state, so that the vehicular gateway apparatus 102 permits the receipt of a subsequent data request command from the external tool 105 regardless of whether or not the data request command is a non-regulation message requiring the authentication.
- When the result of the authentication of the external tool 105 is negative, the vehicular gateway apparatus 102 does not set the authenticated state, so that when the vehicular gateway apparatus 102 determines that a subsequent data request command from the external tool 105 is a non-regulation message requiring the authentication, the vehicular gateway apparatus 102 rejects the receipt of the data request command.
- Since the period of maintaining the authenticated state is managed, it is possible to avoid unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU after cutting off the connection of the external tool. As a result, it is possible to further enhance the security. Additionally, since the authenticating of the external tool 105 , the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102 , it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102 . Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
- the data communication of a specified data (e.g., regulation message) between external tool 105 and the access target ECU is exceptionally permitted. Therefore, while preventing the harms resulting from the connection of the improper external tool, it is possible to ensure the data communication of the specified data.
- A second example of the first embodiment will be described with reference to FIGS. 9 and 10 .
- the vehicular gateway apparatus 102 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated state.
- one of the ECUs has an authentication function, so that the one of the ECUs is designated as an authentication ECU.
- this authentication ECU performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets the authenticated state and maintains the authenticated state.
- the authentication ECU 103 includes an authentication device 103 d .
- the authentication device 103 d is provided as a substitute for the authentication device 103 d of the vehicular gateway apparatus 102 of the first example of the first embodiment. That is, the authentication device 103 d has substantially the same function as the authentication device 103 d.
- When the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102 , the control device 103 a performs D 101 to D 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 as illustrated in the first example.
- When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D 103 ), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102 .
- When the control device 102 a of the vehicular gateway apparatus 102 determines that the ECU-side-bus communication device 102 b has received the authentication result affirmative response command from the authentication ECU, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c . Thereafter, the control device 102 a performs B 104 and B 112 to B 114 , which have already been illustrated in the first example. Specifically, the authentication ECU 103 performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets the authenticated state. Thereafter, the vehicular gateway apparatus 102 maintains the authenticated state until the predetermined time has elapsed since the authenticated state was set.
- the authenticated state is maintained only within the predetermined period after the authenticated state is set.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the authentication ECU 103 and the vehicular gateway apparatus 102 .
- FIGS. 12 and 13 In the third example, the vehicular gateway apparatus 102 connected with the bus 106 is absent.
- the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are performed by the authentication ECU 103 .
- the authentication ECU 103 includes an authentication device 103 d , an authentication control device 103 e , a communication control device 103 f , a filtering device 103 g , and an authentication maintain device 103 h .
- the authentication device 103 d , the authentication control device 103 e , the communication control device 103 f , the filtering device 103 g and the authentication maintain device 103 h respectively, have substantially the same function as the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
- When the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102 , the control device 103 a performs D 101 to D 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 as illustrated in the first example.
- When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D 103 ), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b .
- the control device 103 a performs D 104 to D 107 , which correspond to B 104 and B 112 to B 114 performed by the vehicular gateway apparatus 102 of the first example.
- the authenticated state can be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102 .
- the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g , so that the authentication ECU 103 performs the authentication of the external tool 105 and that the access target ECU 104 sets and maintains the authenticated state. That is, the authentication of the external tool 105 , the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
- a fourth example of the first embodiment will be described with reference to FIGS. 14 and 15 .
- the vehicular gateway apparatus 102 is not connected with the bus 106 .
- the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are performed by the access target ECU 104 .
- the access target ECU 104 includes an authentication device 104 c , an authentication control device 104 d , a communication control device 104 e , a filtering device 104 f , and an authentication maintain device 104 g .
- the authentication device 104 c , the authentication control device 104 d , the communication control device 104 e , the filtering device 104 f and the authentication maintain device 104 g respectively, have substantially the same functions as the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
- When the control device 104 a of the access target ECU 104 determines that the bus communication device 104 b has received the authentication seed request command from the external tool 105 , the control device 104 a performs C 106 to C 112 , which correspond to D 101 to D 107 performed by the authentication ECU 103 of the third example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, after cutting off the connection of the external tool for example, it is possible to enhance the security. Additionally, since the access target ECU 104 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102 .
- the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h , so that the access target ECU 104 performs the authentication of the external tool 105 and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
- FIGS. 16 and 17 As shown in FIG. 16 , in the fifth example, a communication device 108 is connected with the ECU-side-bus 106 a . Additionally, a center (server) 109 communicable with the external tool 105 and the communication device 108 via a wide area communication network is present. The center 109 performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
- the center 109 includes an authentication device 109 a .
- the authentication device 109 a is provided as a substitute for the authentication device 102 d of the vehicular gateway apparatus 102 of the first example.
- the authentication device 109 a has substantially the same function as the authentication device 102 d illustrated in the first example.
- When the center 109 determines that the center 109 has received the authentication seed request command from the external tool 105 , the center 109 performs E 101 to E 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 illustrated in the first example.
- When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E 103 ), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108 .
- the control device 102 a of the vehicular gateway apparatus 102 receives the authentication result affirmative response command from the center 109 through the communication device 108 .
- the control device 102 a performs B 104 and B 112 to B 114 , which have been already illustrated in the first example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the vehicular gateway apparatus 102 .
- Since the center 109 , which is located outside of the vehicular data communication authentication system 141 , performs the authentication of the external tool 105 , it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
- FIG. 18 A sixth example of the first embodiment will be described with reference to FIGS. 18 and 19 .
- a communication device 108 is connected with the ECU-side-bus 106 a .
- a center (server) 109 communicable with the external tool 105 and the communication device 108 through a wide area communication network is present.
- the center 109 performs the authentication of the external tool 105 , and the authentication ECU 103 sets and maintains the authenticated state.
- When the center 109 determines that the center 109 has received the authentication seed request command from the external tool 105 , the center 109 performs E 101 to E 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 of the first example.
- When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E 103 ), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108 .
- the control device 103 a of the authentication ECU 103 receives the authentication result affirmative response command from the center 109 through the communication device 108 .
- the control device 103 a performs D 104 and D 107 as illustrated in the second example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the authentication ECU 103 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the authentication ECU 103 .
- Since the center 109 , which is located outside of a vehicular data communication authentication system 151 , performs the authentication of the external tool 105 , it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
- a seventh example will be described with reference to FIG. 20 .
- the system enables indirect authentication of the external tool 105 by performing the authentication of the vehicle state.
- the seventh example can be achieved by using the same functional blocks ( FIG. 1 ) as the first example.
- the control device 102 a of the vehicular gateway apparatus 102 receives the vehicle state from the ECU 103 through the ECU-side-bus communication device 102 b , thereby specifying the vehicle state (B 117 ). Then the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (B 118 ). For example, the control device 102 a determines whether or not the immobilizer is in the unlocked state, whether or not the ignition switch is off, and whether or not the door is in the closed state.
- the vehicle state is a normal state in which the immobilizer is in the released state (unlocked state), the ignition switch is off or the door is in the closed state.
- the vehicle state is an abnormal state in which the immobilizer is not in the released state; the ignition switch is not off; or the door is in the not-closed state.
- the result of the authentication of the vehicle state is not affirmative.
- When the control device 102 a determines that the result of the authentication of the vehicle state is affirmative (YES at B 119 ), the control device 102 a performs B 104 .
- the control device 102 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the external-tool-side-bus communication device 102 c .
- the control device 102 a sets the authenticated state, which is a state where the vehicle state is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 (permits the data communication). Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 (prohibits the data communication).
- When the authenticated state is set in the above way (B 104 ), the control device 102 a performs B 112 to B 114 as illustrated in the first example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authenticating of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102 , it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102 . Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
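The seventh example's gate on data request commands can be written out as a small state machine. This is an added C example, not code from the patent: the type and function names and the 30-second period are hypothetical, all three vehicle-state conditions are assumed to be required, and the maintenance conditions the text lists as alternatives are assumed to apply together, so that any one failing ends the authenticated state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vehicle state inputs named in the seventh example (B 117). */
typedef struct {
    bool immobilizer_unlocked;
    bool ignition_off;
    bool door_closed;
} vehicle_state_t;

/* Gateway session state; field names are hypothetical. */
typedef struct {
    bool     authenticated;  /* the "authenticated state" */
    uint32_t set_at_ms;      /* tick at which the state was set (B 104) */
    uint32_t period_ms;      /* constructed value for the predetermined period */
} gateway_t;

/* B 118: normal state only if every condition holds (assumption: all three). */
bool vehicle_state_ok(const vehicle_state_t *vs)
{
    return vs->immobilizer_unlocked && vs->ignition_off && vs->door_closed;
}

/* B 118, B 119, B 104: set the authenticated state, or fail closed. */
bool gw_authenticate(gateway_t *gw, const vehicle_state_t *vs, uint32_t now_ms)
{
    gw->authenticated = vehicle_state_ok(vs);
    if (gw->authenticated)
        gw->set_at_ms = now_ms;
    return gw->authenticated;
}

/* Drop the authenticated state once any maintenance condition stops holding. */
void gw_maintain(gateway_t *gw, const vehicle_state_t *vs,
                 bool bus_communicating, uint32_t now_ms)
{
    if (!gw->authenticated)
        return;
    /* Unsigned subtraction stays correct across tick-counter wraparound. */
    bool expired = (uint32_t)(now_ms - gw->set_at_ms) >= gw->period_ms;
    if (expired || !bus_communicating || !vehicle_state_ok(vs))
        gw->authenticated = false;
}

/* True if a data request command from the external tool may be received. */
bool gw_accept_data_request(gateway_t *gw, const vehicle_state_t *vs,
                            bool bus_communicating, uint32_t now_ms)
{
    gw_maintain(gw, vs, bus_communicating, now_ms);
    return gw->authenticated;
}

static unsigned bit(bool accepted, unsigned n) { return accepted ? 1u << n : 0u; }

/* Constructed scenario: bit n is set if request n was accepted. */
unsigned demo_outcomes(void)
{
    const vehicle_state_t normal      = { true, true,  true  };
    const vehicle_state_t door_open   = { true, true,  false };
    const vehicle_state_t ignition_on = { true, false, true  };
    gateway_t gw = { false, 0, 30000 };
    unsigned bits = 0;

    /* 0: request before any authentication */
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 0), 0);
    /* 1: authenticated, inside the period */
    gw_authenticate(&gw, &normal, 0);
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 1000), 1);
    /* 2: tool unplugged, bus no longer communicating */
    bits |= bit(gw_accept_data_request(&gw, &normal, false, 2000), 2);
    /* 3: reconnected without re-authentication: state must not come back */
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 3000), 3);
    /* 4: re-authenticated, then the full period elapses */
    gw_authenticate(&gw, &normal, 4000);
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 4000 + 30000), 4);
    /* 5: authentication attempted with the door open */
    gw_authenticate(&gw, &door_open, 40000);
    bits |= bit(gw_accept_data_request(&gw, &door_open, true, 40001), 5);
    /* 6: ignition switched on while authenticated */
    gw_authenticate(&gw, &normal, 50000);
    bits |= bit(gw_accept_data_request(&gw, &ignition_on, true, 50010), 6);
    /* 7: one tick before the period ends */
    gw_authenticate(&gw, &normal, 60000);
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 60000 + 29999), 7);
    /* 8: tick counter wraps between setting the state and the request */
    gw_authenticate(&gw, &normal, 0xFFFFFF00u);
    bits |= bit(gw_accept_data_request(&gw, &normal, true, 0x00000100u), 8);
    return bits;
}

int main(void)
{
    printf("accepted-request mask: 0x%03x\n", demo_outcomes());
    return 0;
}
```

Only requests 1, 7 and 8 are accepted; a request arriving after the tool was unplugged and reconnected is refused until the vehicle state is authenticated again.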
- the authentication ECU performs the authentication of the vehicle state and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
- the eighth example can be achieved by using the same functional blocks ( FIG. 10 ) as the second example.
- the control device 103 a of the authentication ECU 103 receives the vehicle state from an external, thereby specifying the vehicle state (D 108 ). Then the control device 103 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (D 109 ).
- When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D 110 ), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102 .
- When the control device 102 a of the vehicular gateway apparatus 102 determines that the authentication result affirmative response command from the authentication ECU 103 is received by the ECU-side-bus communication device 102 b , the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c . Thereafter, the control device 102 a performs B 104 , and B 112 to B 114 as illustrated in the first example. In other words, the authentication ECU 103 performs the authentication of the vehicle state, and the vehicular gateway apparatus 102 sets the authenticated state, and maintains the authenticated state only within the predetermined period after the authenticated state was set.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
- a ninth example will be described with reference to FIG. 22 .
- the authentication ECU 103 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state.
- the ninth example can be achieved by using the same functional blocks ( FIG. 12 ) as the third example.
- the control device 103 a of the authentication ECU 103 receives the vehicle state from an external and performs D 108 to D 110 as illustrated in the seventh example.
- When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D 110 ), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b .
- the control device 103 a performs D 104 to D 107 as illustrated in the third example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
- the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g , so that the authentication ECU 103 performs the authentication of the vehicle state and that the access target ECU 104 sets and maintains the authenticated state.
- the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
- a tenth example will be described with reference to FIG. 23 .
- the access target ECU 104 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state.
- the tenth example can be achieved by using the same functional blocks ( FIG. 14 ) as the fourth example.
- the control device 104 a of the access target ECU 104 receives the vehicle state from the ECU 103 through the bus communication device 104 b , thereby specifying the vehicle state (C 13 ). Then the control device 104 a determines whether or not the vehicle state satisfies the predetermined condition, thereby performing the authentication of the vehicle state and determining whether or not a result of the authentication is affirmative or negative (C 14 ). When the result of the authentication is affirmative (YES at C 14 ), the control device 104 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 104 b .
- the control device 104 a performs C 109 to C 112 as illustrated in the fourth example.
- the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
- the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h , so that the access target ECU 104 performs the authentication of the vehicle state and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
- the above-illustrated examples do not limit examples of the first embodiment.
- the first embodiment can be modified and extended in various ways.
- the authenticated state may be set.
- the vehicle state to be authenticated is not limited to the state (locked state, released state) of the immobilizer, the state (on, off) of the ignition switch, and the state of the door (open state, closed state). Any state can be adopted as long as the state enables a determination as to whether a proper operator connects a proper external tool or an improper operator connects an improper external tool.
- the determination may be made by using a single one of the states or by using a combination of the states.
- the filtering device 102 g of the vehicular gateway apparatus 102 , the filtering device 103 g of the authentication ECU 103 , and the filtering device 104 f of the access target ECU 104 may be omitted.
- a vehicular data communication apparatus 202 is connected with a bus so as to partition (separate) multiple ECUs including a first ECU 203 and a second ECU 204 from an external tool 205 .
- Each of the ECUs and the external tool 205 serves as a node.
- the external tool 205 is operable by an operator.
- a bus connecting the vehicular data communication apparatus 202 and the external tool 205 is called a bus A. That is, the bus A is a bus for data transmission between the vehicular data communication apparatus 202 and the external tool 205 .
- a bus connecting the vehicular data communication apparatus 202 and the first ECU 203 is called a bus B. That is, the bus B is a bus for data transmission between the vehicular data communication apparatus 202 and the first ECU 203 .
- a bus connecting the vehicular data communication apparatus 202 and the second ECU 204 is called a bus C. That is, the bus C is a bus for data transmission between the vehicular data communication apparatus 202 and the second ECU 204 .
- a connector 206 to which the external tool 205 is connectable, is provided on an external tool side of the bus A.
- the external tool 205 becomes able to communicate with the vehicular data communication apparatus 202 .
- the bus A, the bus B and the bus C adopt a controller area network (CAN) as a data communication method.
- the CAN communication defines a data field for storing data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing the CRC check, etc.
- a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
- the vehicular data communication apparatus 202 includes a control device 202 a (which can correspond to an example of encryption control device and means), an ECU-side-bus communication device 202 b , an external-tool-side-bus communication device 202 c , an encryption device 202 d , and an encryption table 202 e (which can correspond to an encryption information storage device or means).
- the control device 202 a includes a microcomputer. By executing a control program with the microcomputer, the control device 202 a controls operations of the ECU-side-bus communication device 202 b , the external-tool-side-bus communication device 202 c and the encryption device 202 d .
- the ECU-side bus communication device 202 b is connected with the bus B and the bus C, and controls data transmission and receipt between the first ECU 203 and the second ECU 204 .
- the external-tool-side bus communication device 202 c is connected with the bus A. In a state where the external tool 205 is connected to the connector 206 , the external-tool-side bus communication device 202 c controls communications, such as data transmission and receipt, with the external tool 205 .
- the encryption device 202 d references the encryption table 202 e to encrypt and rewrite a plaintext data into an encrypted-text data.
- the plaintext data to be encrypted may be (i) a plaintext data which the external-tool-side bus communication device 202 c receives from the external tool 205 , and (ii) a plaintext data which the ECU-side-bus communication device 202 b receives from the first ECU 203 or the second ECU 204 .
- the encryption table 202 e stores an encryption information. For example, as illustrated in FIG.
- the encryption table 202 e stores the encryption information (“encr” in FIG. 24 ) indicating that the plaintext is to be encrypted.
- the encryption table 202 e stores the encryption information (“plain” in FIG. 24 ) indicating that the plaintext is not to be encrypted.
- the first ECU 203 includes a control device 203 a (which can correspond to an example of decryption control device and means), a bus communication device 203 b , a decryption device 203 c , and a decryption table 203 d (which can correspond to an example of decryption information storage device and means).
- the control device 203 a includes a microcomputer. By executing a control program with the microcomputer, the control device 203 a controls the bus communication device 203 b and the decryption device 203 c .
- the bus communication device 203 b is connected with the bus B and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
- the decryption device 203 c decrypts an encrypted-text data received from the vehicular data communication apparatus 202 , by rewriting the encrypted-text data into a plain text data when the bus communication device 203 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
- the decryption table 203 d stores decryption information. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bus A, the decryption table 203 d stores “decry” indicating that the encrypted-text data is to be decrypted. For the case where the bus connected with the source node is the bus C, the decryption table 203 d stores “plain” indicating that the plain-text data is not to be decrypted.
- the second ECU 204 has substantially the same configuration as the first ECU 203 .
- the second ECU 204 includes a control device 204 a (which can correspond to an example of decryption control device and means), a bus communication device 204 b , a decryption device 204 c , and a decryption table 204 d (which can correspond to an example of decryption information storage device and means).
- the control device 204 a includes a microcomputer. By executing a control program with the microcomputer, the control device 204 a controls the bus communication device 204 b and the decryption device 204 c .
- the bus communication device 204 b is connected with the bus C and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
- the decryption device 204 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 204 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
- the decryption table 204 d stores decryption information. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bus A, the information “plain” indicating that the plain-text data is not encrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “decry” indicating that the encrypted-text data is to be decrypted is stored.
- the external tool 205 includes a control device 205 a (which can correspond to a decryption control device and means), a bus communication device 205 b , a decryption device 205 c , a decryption table 205 d (which can correspond to a decryption information storage device and means), an input/output interface (IF) 205 e .
- the control device 205 a includes a microcomputer. By executing a control program with the microcomputer, the control device 205 a controls operations of the bus communication device 205 b , the decryption device 205 c , and the input/output interface (IF) 205 e .
- the bus communication device 205 b is connected with the bus A and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
- the decryption device 205 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 205 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
- the decryption table 205 d stores decryption information for each data bus connected with the data source node. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bus B, the information “decry” indicating that the encrypted-text data is to be decrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “plain” indicating that the plain-text data is not decrypted is stored.
- the input/output IF 205 e has a function to accept an input operation from the operator operating the external tool 205 , and has a function to issue a notification by, for example, displaying a data. Specifically, by connecting the external tool 205 to the connector 206 and performing the input operation to the external tool 205 , the operator can rewrite the control program of an access target ECU and read out a data from the access target ECU.
- the external tool 205 is not limited to a dedicated node for rewriting the control program of the access target ECU and reading out the data from the access target ECU; the external tool 205 may be a cellular phone, a personal digital assistant or the like having the above functions.
- the encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public-key and the decryption is performed with a private-key.
- the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.
- Various ECUs may be used as the first ECU 203 and the second ECU 204 .
- the first ECU 203 or the second ECU 204 may be one of an engine ECU for controlling an engine, a door lock ECU for controlling operations of a door lock mechanism, a navigation ECU for controlling navigation operations, a meter ECU for controlling operations of a meter (indicator), and the like.
- When the first ECU 203 or the second ECU 204 is the engine ECU, the first ECU 203 or the second ECU 204 includes a functional block for controlling the engine in addition to the above-described functional blocks.
- the number of ECUs is two. However, the number of ECUs may be one, or more than two.
- the encryption table and the decryption table are set up based on, for example, the following. Let us assume that the data transmitting through the bus can be classified into a regulation message (i.e., the message that gives obligation to answer in response to the request) and a non-regulation message (i.e., the message that does not give obligation to answer in response to the request).
- the encryption table and the decryption table are set up, so that (i) the information indicating that the encryption or decryption is not to be performed is set for the bus connected with the node that transmits and receives the regulation message, and (ii) the information indicating that the encryption or decryption is to be performed is set for the bus connected with the node that transmits and receives the non-regulation message.
- a first situation is that the external tool 205 and the first ECU 203 perform the data communication.
- a second situation is that the external tool 205 and the second ECU 204 perform the data communication.
- a third situation is that the first ECU 203 and the second ECU 204 perform the data communication.
- the processes illustrated in FIG. 25 are performed by the external tool 205 , the first ECU 203 , and the vehicular data communication apparatus 202 .
- the plain-text data is transmitted from the external tool 205 to the first ECU 203 (data destination node).
- When the control device 202 a of the vehicular data communication apparatus 202 determines that the plain-text data is received by the external-tool-side-bus communication device 202 c , the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B 201 ).
- When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B 201 ), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B 202 ), and transmits the encrypted-text data to the first ECU 203 by using the ECU-side-bus communication device 202 b .
- When the control device 202 a determines that it is not necessary to encrypt the plaintext data (NO at B 201 ), the control device 202 a transmits the plaintext data to the first ECU 203 by using the ECU-side-bus communication device 202 b , without encrypting the plaintext data by using the encryption device 202 d .
- Since “encry” is stored for a combination of the bus A connected with the source and the bus B connected with the destination, the control device 202 a encrypts the plaintext data received from the external tool 205 , and transmits the encrypted-text data to the first ECU 203 .
- When the control device 203 a of the first ECU 203 determines that the bus communication device 203 b has received the data, which is addressed to the first ECU 203 , from the vehicular data communication apparatus 202 , the control device 203 a performs C 201 .
- the control device 203 a determines whether or not it is necessary to decrypt the received data.
- When the control device 203 a determines that it is necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the encrypted-text data (YES at C 201 ), the control device 203 a decrypts the encrypted-text data (C 202 ) and performs data processing based on the decrypted data.
- When the control device 203 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at C 201 ), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (C 203 ).
- Since “decry” is stored for the bus A connected with the data source node, the control device 203 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202 , and performs the data processing based on the plaintext data. Thereafter, the control device 203 a transmits a plaintext data to the vehicular data communication apparatus 202 by using the bus communication device 203 b .
- When the control device 202 a of the vehicular data communication apparatus 202 determines that the external-tool-side-bus communication device 202 c has received the plain-text data, which is addressed to the external tool 205 , from the external tool 205 , the control device 202 a performs B 203 .
- the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B 203 ).
- the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B 203 )
- the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B 204 ), and transmits the encrypted-text data to the external tool 205 by using the external-tool-side-bus communication device 202 c .
- the control device 202 a determines that it is not necessary to encrypt the received plain-text data (NO at B 203 )
- the control device 202 a transmits the plaintext data to the external tool 205 by using the external-tool-side-bus communication device 202 c , without encrypting the plaintext data by using the encryption device 202 d .
- the control device 202 a since “encry” is stored for a combination of the bus B on a source side and the bus A on a destination side, the control device 202 a encrypts the plaintext data received from the first ECU 203 , and transmits the encrypted-text data to the external tool 205 .
- the control device 205 a of the external tool 205 determines that the bus communication device 205 b has received the data, which is addressed to the external tool 205 , from the vehicular data communication apparatus 202 , the control device 205 a performs A 201 .
- the control device 205 a determines whether or not it is necessary to decrypt the received data.
- control device 205 a determines that it is necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the encrypted-text data (YES at A 201 ), the control device 205 a decrypts the encrypted-text data (A 202 ) and performs data processing based on the decrypted data (A 203 ).
- the control device 205 a determines that it is not necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the plaintext data (NO at A 201 ), the control device 205 a performs data processing based on the plaintext data without decrypting the plaintext data (A 203 ).
- the control device 205 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202 to obtain a plaintext data and performs the data processing based on the plaintext data
- the vehicular data communication apparatus 202 stores “encry” for the combination of the bus A on the data source side and the bus B on the data destination side.
- the vehicular data communication apparatus 202 encrypts the received plaintext data into an encrypted-text data and transmits the encrypted-text data to the first ECU 203 .
- the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus A on the data destination side.
- the vehicular data communication apparatus 202 encrypts the received plaintext data into an encrypted-text data and transmits the encrypted-text data to the external tool 205 .
- the vehicular data communication apparatus 202 performs step B 211 and B 212 , and then, the second ECU 204 performs D 211 to D 213 , and then the vehicular data communication apparatus 202 performs B 213 and B 214 , and then the external tool 205 performs A 211 to A 213 .
- the vehicular data communication apparatus 202 stores “plain” for the combination of the bus A on the data source side and the bus C on the data destination side.
- the vehicular data communication apparatus 202 transmits the received plaintext data to the second ECU 204 without encrypting the received plaintext data.
- the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204 , the vehicular data communication apparatus 202 transmits the received plaintext data to the external tool 205 without encrypting the received plaintext data.
- the vehicular data communication apparatus 202 performs step B 221 and B 222 , and then, the second ECU 204 performs D 221 to D 223 , and then the vehicular data communication apparatus 202 performs B 223 and B 224 , and then the first ECU 203 performs C 221 to C 223 .
- the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus C on the data destination side.
- the vehicular data communication apparatus 202 encrypts the received plaintext data into an encrypted-text data and transmits the encrypted-text data to the second ECU 204 . Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204 , the vehicular data communication apparatus 202 transmits the received plaintext data to the first ECU 203 without encrypting the received plaintext data.
- the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
- the encryption information (the encryption table) indicating whether or not the data is to be encrypted is uniformly managed by the vehicular data communication apparatus 202 .
- the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
- the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
- the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
- a processing capacity e.g., a memory capacity
- it is possible to use a processing capacity e.g., a memory capacity
- a negative influence may be exerted on, for example, vehicle control while the vehicle is traveling. Therefore, the configuration of the present example is remarkably advantageous in a system in which the ECU serves as a node.
- the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- an encryption table and/or a decryption table targeted for respective individual nodes are not required to be set up. Instead, the encryption table and/or the decryption table targeted for respective individual nodes are set up. Therefore, the work of setting up the encryption table and/or the decryption table is simple.
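The bus-pair lookup described in this first example can be sketched as follows. This is an added illustration, not code from the patent: the gateway table uses the “encry”/“plain” values stated above, while the node decryption tables, the function names, the sample payload and the XOR stand-in for the unspecified cipher are assumptions. It also counts disagreements between the gateway table and the node tables, since a mismatch makes a node process ciphertext as plaintext or the reverse.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bus A: external tool 205, bus B: first ECU 203, bus C: second ECU 204. */
enum bus { BUS_A, BUS_B, BUS_C, BUS_COUNT };
/* ACT_NONE marks a bus pair with no table entry; such traffic is dropped. */
enum action { ACT_NONE, ACT_PLAIN, ACT_CRYPT };

/* Encryption table 202e: row = source bus, column = destination bus.
 * The "encry"/"plain" values are the ones stated in the text. */
static const enum action enc_table[BUS_COUNT][BUS_COUNT] = {
    /* to:       A          B          C      */
    /* A */ { ACT_NONE,  ACT_CRYPT, ACT_PLAIN },
    /* B */ { ACT_CRYPT, ACT_NONE,  ACT_CRYPT },
    /* C */ { ACT_PLAIN, ACT_PLAIN, ACT_NONE  },
};

/* Per-node decryption table, indexed by the bus of the data source node. */
struct node {
    const char *name;
    enum bus bus;
    enum action dec[BUS_COUNT];
};

/* Assumed contents: each row mirrors the gateway column for the node's bus. */
static const struct node nodes[] = {
    { "external tool 205", BUS_A, { ACT_NONE,  ACT_CRYPT, ACT_PLAIN } },
    { "first ECU 203",     BUS_B, { ACT_CRYPT, ACT_NONE,  ACT_PLAIN } },
    { "second ECU 204",    BUS_C, { ACT_PLAIN, ACT_CRYPT, ACT_NONE  } },
};

/* Placeholder transform (XOR with a fixed pad), NOT a real cipher.
 * The text does not name an algorithm; this only makes the flow visible. */
static void toy_xor(const uint8_t *in, size_t len, uint8_t *out)
{
    static const uint8_t pad[8] = { 0x5a, 0xc3, 0x17, 0x88, 0x2e, 0xf1, 0x64, 0x9d };
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(in[i] ^ pad[i % sizeof pad]);
}

static int apply(enum action a, const uint8_t *in, size_t len, uint8_t *out)
{
    if (a == ACT_NONE || len > 8)   /* classic CAN data field: at most 8 bytes */
        return -1;
    if (a == ACT_CRYPT)
        toy_xor(in, len, out);      /* XOR is its own inverse */
    else
        memcpy(out, in, len);
    return 0;
}

/* Gateway side: encrypt or pass through according to the bus pair. */
int gateway_relay(enum bus src, enum bus dst, const uint8_t *in, size_t len, uint8_t *out)
{
    if ((unsigned)src >= BUS_COUNT || (unsigned)dst >= BUS_COUNT)
        return -1;
    return apply(enc_table[src][dst], in, len, out);
}

/* Node side: decrypt or process as-is according to the source bus. */
int node_receive(const struct node *n, enum bus src, const uint8_t *in, size_t len, uint8_t *out)
{
    if ((unsigned)src >= BUS_COUNT)
        return -1;
    return apply(n->dec[src], in, len, out);
}

/* Provisioning check: count node entries that disagree with the gateway. */
int count_mismatches(const struct node *list, size_t count)
{
    int bad = 0;
    for (size_t i = 0; i < count; i++)
        for (int s = 0; s < BUS_COUNT; s++)
            if (list[i].dec[s] != enc_table[s][list[i].bus])
                bad++;
    return bad;
}

int main(void)
{
    const uint8_t req[3] = { 0x02, 0x10, 0x03 };   /* constructed sample payload */
    uint8_t wire[8], got[8];

    if (gateway_relay(BUS_A, BUS_B, req, sizeof req, wire) != 0 ||
        node_receive(&nodes[1], BUS_A, wire, sizeof req, got) != 0)
        return 1;
    printf("A->B recovered by %s: %s\n", nodes[1].name,
           memcmp(got, req, sizeof req) == 0 ? "yes" : "no");
    printf("table mismatches: %d\n", count_mismatches(nodes, 3));
    return 0;
}
```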
- the above illustration is directed to the system in which the first ECU 203 is connected with the vehicular data communication apparatus 202 through the bus B
- ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 are connected with the vehicular data communication apparatus 202 through the bus B.
- the first ECU 203 and a third ECU 207 may be connected with the vehicular data communication apparatus 202 through the bus B.
- the third ECU 207 stores the same decryption table as the first ECU 203 stores, so that the third ECU 207 can perform substantially the same process as the first ECU 203 .
- the encryption table stored in the vehicular data communication apparatus 202 is not used, because the vehicular data communication apparatus 202 does not relay the data.
- the same is applied to cases where the second ECU 204 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
- the encryption table is uniformly managed by the vehicular data communication apparatus 202 relaying a data.
- the decryption table is uniformly managed by the external tool 205 , the first ECU 203 , and the second ECU 204 .
- the information indicating that the decryption or the encryption is not to be performed is set for a node that transmits and receives a non-regulation message.
- the information indicating that the decryption or the encryption is to be performed is set for a node that transmits and receives a regulation message.
- the vehicular data communication apparatus 202 is connected with the first ECU 203 and the second ECU 204 through the bus B.
- the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e for each combination of a data source node and a data destination node. For example, as illustrated in FIG. 29 , for the case where the data source node is the external tool 205 and the data destination node is the first ECU 203 , the stored encryption information indicates that the plaintext data is to be encrypted.
- the stored encryption information indicates that the plaintext data is not to be encrypted
- the first ECU 203 stores the decryption information as the decryption table 203 d .
- the stored decryption information indicates that the encrypted-text data is to be decrypted.
- the second ECU 204 stores the decryption information as the decryption table 204 d . For example, as illustrated in FIG. 29 , for the case where the data source node is the external tool 205 , the stored decryption information indicates that the encrypted-text data is to be decrypted.
- the second ECU 204 stores the decryption information as the decryption table 204 d . For example, as illustrated in FIG.
- the stored decryption information indicates that the plaintext data is not to be decrypted.
- the external tool 205 stores the decryption information as the decryption table 205 d .
- the stored decryption information indicates that the encrypted-text data is to be decrypted.
- the stored decryption information indicates that the plain-text data is not to be decrypted.
- the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
- For each combination of a data source node and a data destination node, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
- the second example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
- the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
- the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
- the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- the above illustration is directed to the system in which the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B.
- ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through multiple buses including the bus B.
- the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B, and additionally, the third ECU 207 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
- the vehicular data communication apparatus 202 stores the encryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node and the data destination node.
- Each of the first ECU 203 , the second ECU 204 and the external tool 205 stores the decryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node.
- the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each identifier (CAN_ID) indicative of type of a data frame storing a data.
- CAN_ID identifier indicative of type of a data frame storing a data
- the decryption table is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
- the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the regulation message.
- the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the non-regulation message.
- the CAN_ID refers to information identifying data content or the like, and has 11-bit length in standard format, as illustrated in FIG. 32 .
- the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e .
- the stored encryption information indicates that the plaintext data is to be encrypted.
- the stored encryption information indicates that the plaintext data is not to be encrypted.
- For each CAN_ID indicative of the type of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d .
- the stored decryption information indicates that the plaintext data is to be decrypted.
- the stored encryption information indicates that the plaintext data is not to be decrypted.
- the second ECU 204 stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 204 d .
- the external tool 205 also stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 205 d.
- the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
- the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted.
- the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
- the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
- the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
- the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
- the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each data storage area (data field) of a data frame storing a data.
- the decryption table is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
- the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the regulation message.
- the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the non-regulation message.
- the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e .
- the stored encryption information indicates that the plaintext data is to be encrypted.
- the stored encryption information indicates that the plaintext data is not to be encrypted.
- For each data storage area of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d .
- the stored decryption information indicates that the encrypted-text data is to be decrypted.
- the second ECU 204 stores, for each data storage area of the data frame, the decryption information as the decryption table 204 d .
- the external tool 205 also stores, for each data storage area of the data frame, the decryption information as the decryption table 205 d.
- the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
- the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted.
- the data destination node uniformly manages the decryption information (the decryption table) indicating whether or not the data is to be decrypted.
- the data destination node is, for example, the external tool 205 , the first ECU 203 and the second ECU 204 .
- the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
- the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
- the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
- the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- the second embodiment is not limited to the above-illustrated examples, and can be modified and extended in, for example, the following way. Two or more of the first to fourth examples may be combined.
- the system may employ two or more of: a configuration in which the encryption information and the decryption information are managed on a bus-by-bus basis; a configuration in which the encryption information and the decryption information are managed on a node-by-node basis; a configuration in which the encryption information and the decryption information are managed on a CAN_ID-by-CAN_ID basis; and a configuration in which the encryption information and the decryption information are managed on a data-field-by-data-field basis.
- the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting a data by determining whether or not to encrypt the data.
- an ECU having a high processing capacity may be provided in the system, so that, while fulfilling its primary function, the ECU encrypts a data by determining whether or not to encrypt the data.
Abstract
A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.
Description
- The present application is based on Japanese Patent Applications No. 2012-33945 filed on Feb. 20, 2012 and 2012-67383 filed on Mar. 23, 2012, disclosures of which are incorporated herein by reference.
- The present disclosure relates to a vehicular data communication authentication system in which an external tool is connectable to an electronic control unit (ECU). The present disclosure also relates to a vehicular gateway apparatus connected with the vehicular data communication authentication system to partition the external tool from the ECU. The present disclosure also relates to a vehicular data communication system including a vehicular data communication apparatus connected with multiple nodes through a bus. The present disclosure also relates to such a vehicular data communication apparatus.
- It is known that a data communication between electronic control units (ECUs) serving as nodes is performed through a bus, and that a data communication between an ECU and an external tool is performed through a bus. When the data communication is performed between the external tool and the ECU, it becomes possible to access the ECU by connecting the external tool to the bus, and it becomes possible to rewrite a control program of the ECU and read out a data from the ECU (see Patent Document 1 for example).
- Patent Document 1: JP 2004-192277A
- Specifications of data communication standards and connection interfaces between an external tool and a bus are open to the public. Thus, not only can a proper worker connect a proper external tool to the bus, but a third party having a bad intention can also connect an improper external tool to the bus. If the improper external tool is connected to the bus, the vehicle may be subject to attack such as the improper rewriting of the control program of the ECU, the improper reading out of the data from the ECU (so-called masquerading), or the like. The controller area network (CAN) is a data communication standard between the external tool and the ECU. In the CAN, since a data frame is broadcast, wiretapping and analysis are relatively easy. Additionally, the CAN provides a data field for storing a data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing a CRC check, etc. However, in the CAN, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.
- Because of the above, protection measures against the improper connection of the external tool to the bus are desired.
- Further, enhancement of security in data communication between ECUs and between the external tool and the ECU is desired. Although it may be possible to enhance the security by providing a node with a data encryption function, this leads to various difficulties such as configuration complication, processing load increase, and the like.
- In view of the foregoing, it is an object of the present disclosure to provide a vehicular data communication authentication system and a vehicular gateway apparatus that can prevent damages resulting from a connection of an improper external tool and can enhance security even if the improper external tool is connected to a bus connected with an ECU.
- It is also an object of the present disclosure to provide a vehicular data communication system and a vehicular data communication apparatus that can enhance security in data communication while minimizing node load even if a node does not have a data encryption function.
- According to a first example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- According to a second example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state performed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- According to a third example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- According to a fourth example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state performed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
- According to the above vehicular data communication authentication systems and the vehicular gateway apparatuses, even if an improper external tool is connected to a bus connected with an ECU, it is possible to prevent damages resulting from a connection of the improper external tool and it is possible to enhance security.
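The authenticated-state handling summarized in the first to fourth examples can be sketched as a small gate in front of the relay path. This is an added illustration, not code from the patent: all type and function names, the choice of a millisecond tick counter, and the 60-second value for the "predetermined period" are assumptions. The timer case uses unsigned subtraction so that a wrapping tick counter does not extend or cut short the first period, and once a period ends the state stays cleared until authentication succeeds again.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FIRST_PERIOD_MS 60000u  /* assumed value for the "predetermined period" */

/* Which of the four maintain periods this gateway is configured to use. */
enum maintain_mode {
    MAINTAIN_TIMER,    /* first period: time elapsed since the state was set   */
    MAINTAIN_REQUEST,  /* second period: maintain request is being inputted    */
    MAINTAIN_VEHICLE,  /* third period: vehicle state satisfies the condition  */
    MAINTAIN_BUS       /* fourth period: bus is in a communicating state       */
};

/* Inputs sampled each time a frame is about to be relayed (hypothetical). */
struct inputs {
    uint32_t now_ms;          /* free-running tick counter, may wrap */
    bool maintain_request;
    bool vehicle_cond_ok;
    bool bus_communicating;
};

struct auth_ctl {
    enum maintain_mode mode;
    bool authenticated;
    uint32_t set_at_ms;
};

/* Authentication control: set the authenticated state only on an
 * affirmative result; a non-affirmative result sets nothing. */
void auth_result(struct auth_ctl *c, bool affirmative, uint32_t now_ms)
{
    if (!affirmative)
        return;
    c->authenticated = true;
    c->set_at_ms = now_ms;
}

/* Authentication maintain + relay decision: returns true only while the
 * authenticated state is set and the configured period is still running.
 * When the period has ended the state is cleared, so re-authentication
 * is required even if the condition later becomes true again. */
bool relay_permitted(struct auth_ctl *c, const struct inputs *in)
{
    bool keep = false;

    if (!c->authenticated)
        return false;
    switch (c->mode) {
    case MAINTAIN_TIMER:
        /* unsigned difference is correct across counter wrap-around */
        keep = (uint32_t)(in->now_ms - c->set_at_ms) < FIRST_PERIOD_MS;
        break;
    case MAINTAIN_REQUEST: keep = in->maintain_request;  break;
    case MAINTAIN_VEHICLE: keep = in->vehicle_cond_ok;   break;
    case MAINTAIN_BUS:     keep = in->bus_communicating; break;
    }
    if (!keep)
        c->authenticated = false;
    return keep;
}

int main(void)
{
    struct auth_ctl c = { MAINTAIN_TIMER, false, 0 };
    struct inputs in = { 1000u, false, false, false };

    printf("before authentication: %d\n", relay_permitted(&c, &in));
    auth_result(&c, true, 1000u);
    in.now_ms = 30000u;
    printf("29 s after authentication: %d\n", relay_permitted(&c, &in));
    in.now_ms = 61000u;
    printf("60 s after authentication: %d\n", relay_permitted(&c, &in));
    return 0;
}
```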
- According to a fifth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of one bus connected with a data source node and another bus connected with a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes a decryption information storage device and a decryption control device. For each bus connected with the data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- According to a sixth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of a data source node and a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes a decryption information storage device and a decryption control device. For each data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- According to a seventh example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each identifier indicative of class a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, an encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each identifier indicative of the type of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- According to an eighth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each data storage area of a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives a data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each data storage area of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
- According to the vehicular data communication systems and the vehicular data communication apparatuses, it is possible to enhance security in data communication while minimizing node load even if a node does not have a data encryption function.
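As an added example (not code from the patent), the bus-pair tables of the fifth example, with a check that the gateway's encryption information agrees with the decryption information held by every node on the destination bus. The bus names, node names and table contents are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample topology. The patent gives no concrete table values,
# so every name and entry below is an assumption for illustration.
ENCRYPTION_TABLE = {             # gateway: (source bus, destination bus) -> encrypt?
    ("bus_A", "bus_B"): True,
    ("bus_A", "bus_C"): False,
    ("bus_B", "bus_C"): True,
}
NODE_BUS = {"ecu_1": "bus_B", "ecu_2": "bus_C", "ecu_3": "bus_C"}
DECRYPTION_TABLES = {            # per node: source bus -> decrypt?
    "ecu_1": {"bus_A": True},
    "ecu_2": {"bus_A": False, "bus_B": True},
    "ecu_3": {"bus_A": False, "bus_B": False},   # stale entry
}


def gateway_should_encrypt(table, src_bus, dst_bus):
    """Gateway lookup. An unlisted bus pair raises instead of silently
    defaulting to plaintext."""
    try:
        return table[(src_bus, dst_bus)]
    except KeyError:
        raise LookupError(
            f"no encryption information for {src_bus} -> {dst_bus}"
        ) from None


@dataclass(frozen=True)
class Finding:
    node: str
    src_bus: str
    problem: str


def audit(enc_table, node_bus, dec_tables):
    """Compare the gateway table with each destination node's table.

    A node decides from its own table alone whether to decrypt, so any
    disagreement means it either processes ciphertext as if it were
    plaintext or runs decryption over plaintext.
    """
    findings = []
    for (src, dst), encrypt in sorted(enc_table.items()):
        for node in sorted(n for n, bus in node_bus.items() if bus == dst):
            decrypt = dec_tables.get(node, {}).get(src)
            if decrypt is None:
                findings.append(Finding(node, src, "missing decryption entry"))
            elif encrypt and not decrypt:
                findings.append(
                    Finding(node, src, "ciphertext would be processed without decryption"))
            elif decrypt and not encrypt:
                findings.append(
                    Finding(node, src, "plaintext would be decrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit(ENCRYPTION_TABLE, NODE_BUS, DECRYPTION_TABLES):
        print(finding)
```

The same comparison applies to the sixth to eighth examples by changing the table key to a node pair, a frame identifier or a data storage area.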
- The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description made with reference to the accompanying drawings. In the drawings:
- FIG. 1 is a functional block diagram illustrating a data communication authentication system of a first example of a first embodiment;
- FIG. 2 is a sequence diagram illustrating operations;
- FIG. 3 is a sequence diagram illustrating operations performed after those in FIG. 2;
- FIG. 4 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus discards a data request command in response to a negative result of authentication;
- FIG. 5 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus includes a timer for maintaining an authenticated state;
- FIG. 6 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an external tool;
- FIG. 7 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an access target ECU;
- FIG. 8 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a vehicle state satisfies a predetermined condition;
- FIG. 9 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a bus is in a communicating state;
- FIG. 10 is a functional block diagram illustrating a data communication authentication system of a second example of the first embodiment;
- FIG. 11 is a sequence diagram illustrating operations of the second example of the first embodiment;
- FIG. 12 is a functional block diagram illustrating a data communication authentication system of a third example of the first embodiment;
- FIG. 13 is a sequence diagram illustrating operations of the third example of the first embodiment;
- FIG. 14 is a functional block diagram illustrating a data communication authentication system of a fourth example of the first embodiment;
- FIG. 15 is a sequence diagram illustrating operations of the fourth example of the first embodiment;
- FIG. 16 is a functional block diagram illustrating a data communication authentication system of a fifth example of the first embodiment;
- FIG. 17 is a sequence diagram illustrating operations of the fifth example of the first embodiment;
- FIG. 18 is a functional block diagram illustrating a data communication authentication system of a sixth example of the first embodiment;
- FIG. 19 is a sequence diagram illustrating operations of the sixth example of the first embodiment;
- FIG. 20 is a sequence diagram illustrating operations of a seventh example of the first embodiment;
- FIG. 21 is a sequence diagram illustrating operations of an eighth example of the first embodiment;
- FIG. 22 is a sequence diagram illustrating operations of a ninth example of the first embodiment;
- FIG. 23 is a sequence diagram illustrating operations of a tenth example of the first embodiment;
- FIG. 24 is a functional block diagram illustrating a vehicular data communication system of a first example of a second embodiment;
- FIG. 25 is a sequence diagram illustrating operations in a first situation in accordance with the first example of the second embodiment;
- FIG. 26 is a sequence diagram illustrating operations in a second situation in accordance with the first example of the second embodiment;
- FIG. 27 is a sequence diagram illustrating operations in a third situation in accordance with the first example of the second embodiment;
- FIG. 28 is a block diagram illustrating an encryption table and a decryption table in accordance with the first example of the second embodiment;
- FIG. 29 is a functional block diagram illustrating a vehicular data communication system of a second example of the second embodiment;
- FIG. 30 is a block diagram illustrating an encryption table and a decryption table in accordance with the second example of the second embodiment;
- FIG. 31 is a functional block diagram illustrating a vehicular data communication system of a third example of the second embodiment;
- FIG. 32 is a diagram illustrating a configuration of a data frame; and
- FIG. 33 is a functional block diagram illustrating a vehicular data communication system of a fourth example of the second embodiment.
- Embodiments will be described with reference to the drawings. Throughout the embodiments below, like reference numerals are used to refer to like parts.
- A first embodiment will be described with reference to FIGS. 1 to 23.
- A first example of the first embodiment will be described with reference to FIGS. 1 to 9.
- As shown in FIG. 1, in a vehicular data communication authentication system 101, a vehicular gateway apparatus 102 is connected with a bus 106 so that the gateway apparatus 102 partitions (separates) multiple electronic control units (ECUs) 103, 104 from an external tool 105 (an operating device) operable by an operator. In FIG. 1, two ECUs are illustrated as the multiple ECUs bus 106 on an ECU side of the gateway apparatus 102 is referred to as an ECU-side bus 106 a. That is, the ECU-side bus 106 a is a bus for transmitting data between the gateway apparatus 102 and the ECUs bus 106 on an external tool side of the gateway apparatus 102 is referred to as an external-tool-side bus 106 b. That is, the external-tool-side bus 106 b is a bus for transmitting data between the gateway apparatus 102 and the external tool 105.
- The ECUs side bus 106 b is provided with a connector 107 to which the external tool 105 is detachably connectable. By being connected to the connector 107, the external tool 105 is connected to the external-tool-side bus 106 b and becomes able to perform the data communication with the gateway apparatus 102.
- The bus 106 adopts a controller area network (CAN) as a data communication method. The CAN communication defines a data field for storing a data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN communication, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
- The
gateway apparatus 102 includes a control device 102 a, an ECU-side bus communication device 102 b, an external-tool-side bus communication device 102 c, an authentication device 102 d, an authentication control device 102 e, a communication control device 102 f, a filtering device 102 g, and an authentication maintain device 102 h. The authentication device 102 d can correspond to an example of authentication means or device, and an example of second authentication means or device. The authentication control device 102 e can correspond to an example of authentication control means or device, and an example of authentication control means or device. The communication control device 102 f can correspond to an example of communication control means or device, and an example of communication control means or device. The authentication maintain device 102 h can correspond to an example of authentication maintain means or device, and an example of authentication maintain means or device.
- The control device 102 a includes a microcomputer. By executing a control program with the microcomputer, the control device 102 a controls operations of the ECU-side bus communication device 102 b, the external-tool-side bus communication device 102 c, the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g, and the authentication maintain device 102 h. The ECU-side bus communication device 102 b is connected with the ECU-side bus 106 a, and controls communication, such as data transmission and receipt, with the ECUs bus communication device 102 c is connected with the external-tool-side bus 106 b. In a state where the external tool 105 is connected to the connector 107, the external-tool-side bus communication device 102 c controls communications, such as data transmission and receipt, with the external tool 105.
- In the situation where the external tool 105 is connected to the connector 107, the authentication device 102 d performs authentication of the external tool 105 (a procedure of the authentication will be described later). Based on a result of the authentication of the external tool 105 by the authentication device 102 d, the authentication control device 102 e sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. Specifically, when the result of the authentication of the external tool 105 is affirmative, the authentication control device 102 e sets an authenticated state and permits the data communication between the external tool 105 and the access target ECU. When the result of the authentication of the external tool 105 is negative (not affirmative), the authentication control device 102 e does not set the authenticated state and prohibits the data communication between the external tool 105 and the access target ECU.
- Regardless of whether the result of the authentication of the external tool 105 performed by the authentication device 102 d is affirmative or not, the communication control device 102 f sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. A reason for this exceptional permission is as follows. In a data communication for a vehicle, since it is necessary to always permit a certain part of the data communication, the communication control device 102 f exceptionally permits the data communication for a specified data (e.g., the below-described regulation message) between the external tool 105 and the access target ECU. In a situation where the authentication control device 102 e or the communication control device 102 f prohibits the data communication between the external tool 105 and the access target ECU, the filtering device 102 g exceptionally permits only specified data communication. When the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains the set authenticated state. That is, when the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains a period of permitting the data communication between the external tool 105 and the access target ECU.
- The control device 102 a has an encryption function and a decryption function. Specifically, when the external-tool-side-bus communication device 102 c receives a plaintext command from the external tool 105, the control device 102 a encrypts and rewrites the received plaintext command into an encrypted-text command. When the ECU-side-bus communication device 102 b receives an encrypted-text command from the ECU 103 or the ECU 104, the control device 102 a decrypts and rewrites the received encrypted-text command into a plaintext command. The encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public-key and the decryption is performed with a private-key. Alternatively, the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.
- The
ECU 103 includes a control device 103 a, a bus communication device 103 b, and a vehicle state input device 103 c. The control device 103 a includes a microcomputer. By executing a control program with the microcomputer, the control device 103 a controls the bus communication device 103 b and the vehicle state input device 103 c. The bus communication device 103 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The vehicle state input device 103 c receives and inputs a vehicle state from an external device (e.g., various sensors, different ECUs, wireless communication device etc.). The vehicle state inputted by the vehicle state input device 103 c may be, for example, an immobilizer state (locked state or unlocked state), an ignition (IG) switch state (on and off), a door state (open state or closed state), or the like.
- The ECU 104 includes a control device 104 a and a bus communication device 104 b. The control device 104 a includes a microcomputer. By executing a control program with the microcomputer, the control device 104 a controls the bus communication device 104 b. The bus communication device 104 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102.
- It should be noted that if the ECU ECU ECU ECU ECU ECU 103 and the ECU 104 receive and input the vehicle states from externals
- The external tool 105 includes a control device 105 a, a bus communication device 105 b and an input/output interface (IF) 105 c. The control device 105 a includes a microcomputer. By executing a control program with the microcomputer, the control device 105 a controls operations of the bus communication device 105 b and the input/output interface (IF) 105 c. The bus communication device 105 b is connected with the external-tool-side bus 106 b and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The input/output IF 105 c has a function to accept an input operation from the operator operating the external tool 105, and has a function to issue a notification by, for example, displaying a data.
- Specifically, by connecting the external tool 105 to the connector 107 and by performing the input operation to the external tool 105, the operator can rewrite the control program of the access target ECU and read out a data from the access target ECU. The external tool 105 is not limited to a dedicated apparatus for rewriting the control program of the access target ECU and reading out the data from the access target ECU. For example, the external tool 105 may be a cellular phone, a personal digital assistant or the like having the above functions.
- Operations will be described with reference to FIGS. 2 to 9. Now, it is assumed that the ECU 104 is the access target ECU and that the external tool 105 transmits a data request command to the access target ECU 104 in order to rewrite the control program of the access target ECU 104 or read out a data from the access target ECU 104.
- When the
control device 105 a of the external tool 105 determines that the external tool 105 is connected to the connector 107, the control device 105 a transmits an authentication seed request command from the bus communication device 105 b to the gateway apparatus 102. When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the authentication seed request command from the external tool 105, the control device 102 a generates an authentication seed at B101 (see FIG. 2) and transmits the generated authentication seed from the external-tool-side-bus communication device 102 c to the external tool 105. The authentication seed includes information used in generating the below-described authentication code, and is written as a random number.
- When the control device 105 a of the external tool 105 determines that the bus communication device 105 b receives the authentication seed from the gateway apparatus 102, the control device 105 a generates an authentication code based on the authentication seed (while associating the authentication code with the authentication seed) at A101, and the control device 105 a transmits the generated authentication code from the bus communication device 105 b to the gateway apparatus 102. The authentication code is expressed as a random number, like the authentication seed. In the above, it is assumed that the external tool 105 does not possess the authentication seed. However, the external tool 105 may possess the authentication seed. In this configuration, the external tool 105 may generate the authentication code based on the authentication seed possessed by the external tool 105 itself and may transmit the generated authentication code from the bus communication device 105 b to the gateway apparatus 102.
- In the gateway apparatus 102, when the control device 102 a determines that the external-tool-side-bus communication device 102 c receives the authentication code from the external tool 105, the control device 102 a performs B102. Specifically, at B102, the control device 102 a performs a cross-check between the authentication seed, which was transmitted to the external tool 105, and the authentication code received from the external tool 105, and determines whether or not the result of the authentication of the external tool 105 is affirmative.
- More specifically, a proper external tool, which is connected to the connector 107 by a proper operator, is equipped with a function to (i) correctly generate an authentication code based on the authentication seed received from the gateway apparatus 102 and (ii) transmit the correctly-generated authentication code to the gateway apparatus 102. Therefore, when the proper operator connects the proper external tool to the connector 107, there is a match between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes affirmative.
- An improper external tool, which may be connected to the connector 107 by a third party having a bad intention, is not equipped with the function to correctly generate the authentication code based on the authentication seed received from the gateway apparatus 102. Thus, the improper external tool is unable to correctly generate an authentication code or transmit the authentication code to the gateway apparatus, or may transmit an incorrect authentication code to the gateway apparatus 102. As a result, when a third party having a bad intention connects an improper external tool to the connector 107, there is a mismatch between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes not affirmative.
- In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the external tool 105 is affirmative and the external tool 105 is a proper external tool (YES at B103), the control device 102 a performs B104. At B104, the control device 102 a transmits an affirmative authentication result response command, which indicates that the result of the authentication is affirmative, from the external-tool-side-bus communication device 102 c to the external tool 105, and additionally, the control device 102 a sets the authenticated state, which is a state where the external tool 105 is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 and permits the data communication. Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 and prohibits the data communication.
- In the
external tool 105, when the control device 105 a accepts, for example, the input operation from the operator after the control device 105 a determines that the bus communication device 105 b receives the affirmative authentication response command from the gateway apparatus 102, the control device 105 a transmits the data request command from the bus communication device 105 b to the gateway apparatus in accordance with the input operation. It should be noted that the data request command transmitted from the external tool 105 to the gateway apparatus 102 includes information for identifying the access target ECU 104, which is a destination of the data request command.
- When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the data request command from the external tool 105, the control device 102 a performs B105. Specifically, at B105, the control device 102 a analyzes the received data request command and determines whether or not it is necessary to perform the authentication of the external tool 105. For example, by determining whether the data request command is a regulation message (regulation command) or a non-regulation message (non-regulation command), the control device 102 a determines whether or not it is necessary to perform the authentication of the external tool 105. The law-regulation message is a message that gives obligation to answer in response to the request from the external tool 105. For example, the regulation message may be a message that requests a data about, for example, an engine system, or the like. The non-regulation message is a message that does not give obligation to answer in response to the request from the external tool 105. It should be noted that a determination of whether the data request command is a regulation message or a non-regulation message may correspond to a determination of whether the access target ECU 104, which is a transmission destination of the data request command, is a regulation ECU or a non-regulation ECU.
- When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to perform the authentication of the external tool 105 (YES at B105), the control device performs B106. At B106, the control device 102 a determines whether the result of the previously-performed authentication is affirmative or negative. When the control device 102 a determines that the result of the previously-performed authentication is affirmative (YES at B106), the process proceeds to B107. At B107, the control device 102 a determines whether or not it is necessary to encrypt the data request command. Specifically, the control device 102 a determines whether the data request command is the regulation message or the non-regulation message, thereby determining whether or not it is necessary to encrypt the data request command.
- When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to encrypt the data request command (YES at B107), the control device 102 a encrypts the data request command (B108) and transmits the encrypted data request command from the ECU-side-bus communication device 102 b to the access target ECU 104. When the control device 102 a determines that the data request command is the regulation message and determines that it is unnecessary to encrypt the data request command (NO at B107), the control device 102 a transmits, without encrypting the data request command, the data request command from the ECU-side-bus communication device 102 b to the access target ECU 104.
- As shown in FIG. 3, in the access target ECU 104, when the control device 104 a determines that the bus communication device 104 b receives the data request command from the vehicular gateway apparatus 102, the control device 104 a determines whether or not it is necessary to decrypt the received data request command (C101). Specifically, when the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is the encrypted data request command, the control device 104 a determines that it is necessary to decrypt the data request command (YES at C101). In this case, the control device 104 a decrypts the data request command (C102) and performs data processing according to content of the data request command (C103). The data processing may include rewriting a control program, reading out a data, or the like. When the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is not encrypted, the control device 104 a determines that it is unnecessary to decrypt the data request command (NO at C101). In this case, the control device 104 a performs the data processing according to the content of the data request command (C103).
- Upon completion of the data processing, the control device 104 a determines whether or not it is necessary to encrypt a data response command indicative of the completion of the data processing (C104). For example, when the data request command received from the gateway apparatus 102 is encrypted, the control device 104 a determines that it is necessary to encrypt a data response command indicative of the completion of the data processing. When the data request command received from the gateway apparatus 102 was not encrypted, the control device 104 a determines that it is unnecessary to encrypt the data response command indicative of the completion of the data processing. Alternatively, importance degrees of data response commands may be preset, and the control device 104 a may determine whether or not it is necessary to encrypt the data response command indicative of the completion of the data processing, regardless of whether or not the data request command received from the gateway apparatus 102 was encrypted.
- When the control device 104 a determines that it is necessary to encrypt the data response command (YES at C104), the control device 104 a encrypts the data response command (C105) and transmits the encrypted data response command from the bus communication device 104 b to the vehicular gateway apparatus 102. When the control device 104 a determines that it is unnecessary to encrypt the data response command (NO at C104), the control device 104 a transmits, without encrypting the data response command, the data response command from the bus communication device 104 b to the vehicular gateway apparatus 102.
- In the
vehicular gateway apparatus 102, the control device 102 a determines that the ECU-side-bus communication device 102 b receives the data response command from the access target ECU 104, the control device 102 a determines whether or not it is necessary to decrypt the received data response command (B109). Specifically, when the control device 102 a determines that the data response command received from the access target ECU 104 is encrypted, the control device 102 a determines that it is necessary to decrypt the received data response command (YES at B109). In this case, the control device 102 a decrypts the encrypted data response command (B110) and transmits the decrypted data response command from the external-tool-side communication device 102 c to the external tool 105. When the control device 102 a determines that the data response command received from the access target ECU 104 is not encrypted, the control device 102 a determines that it is unnecessary to decrypt the received data response command (NO at B109). In this case, the control device 102 a transmits, without decrypting, the data response command from the external-tool-side communication device 102 c to the external tool 105.

As described above, in response to connecting the external tool 105, the control device 102 a of the vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative (YES at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 as a proper external tool 105, and sets the authenticated state (step B104), as illustrated in FIG. 2. Thereafter, the control device 102 a permits receipt of a data request command regardless of whether the data request command is a regulation message or a non-regulation message.

As illustrated in FIG. 4, when the control device 102 a determines that the result of the authentication of the external tool 105 is negative (NO at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 as an improper external tool, and does not set the authenticated state. Therefore, when the control device 102 a determines that a data request command from the external tool 105 is a non-regulation message requiring the authentication, the control device 102 a discards the data request command and rejects the receipt of the data request command to reject the data communication (B111), because the result of the previously-performed authentication is negative and the authenticated state is not set. That is, at B111, the control device 102 a rejects the data communication. In this case, the rejection of the receipt of the data request command may include nullifying the data request command without discarding the data request command. That is, the rejection of the receipt of the data request command may include prohibiting the processing in line with the content of the data request command.

The above illustration is directed to a situation where, on an as-needed basis, the vehicular gateway apparatus 102 encrypts the data request command received from the external tool 105. Alternatively, the external tool 105 may have a function to encrypt the data request command, and may encrypt the data request command on an as-needed basis.

As described above, when the control device 102 a determines that the result of the authentication is affirmative, the control device 102 a sets the authenticated state to permit the receipt of the data request command from the external tool 105. A period of maintaining the authenticated state is managed in the following ways.

Specifically, the
control device 102 a manages the period of maintaining the authenticated state, based on the following first to fourth periods:

(1) A first period from a time when the authenticated state was set to a time when a predetermined time has elapsed.
(2) A second period during which an authenticated state maintain request signal is inputted from an external source.
(3) A third period during which a vehicle state satisfies a predetermined condition.
(4) A fourth period during which the bus 106 is in a communicating state.

In the following, the first to fourth periods will be illustrated.

(1) The First Period (from a Time when the Authenticated State was Set to a Time when a Predetermined Time has Elapsed).

As shown in FIG. 5, in the vehicular gateway apparatus 102, the control device 102 a sets the authenticated state (B104), starts an authentication maintain timer for counting a predetermined time (B112), and monitors whether or not the authentication maintain timer reaches the predetermined time (B113). When the control device 102 a determines that the authentication maintain timer reaches the predetermined time (YES at B113), the control device 102 a ends the authenticated state. In this example, the period of maintaining the authenticated state is managed by the vehicular gateway apparatus 102 alone. The predetermined time to be counted by the authentication maintain timer may be an initial value set in production, or may be a set value which is set and inputted by the operator operating the external tool 105.

(2) The Second Period (a Period During which the Authenticated State Maintain Request Signal is Inputted from an External Source).

One example is illustrated in FIG. 6. In FIG. 6, after the authenticated state is set (B104), the control device 102 a of the vehicular gateway apparatus 102 maintains the authenticated state within a period during which the control device 102 a determines that the authenticated state maintain request command is received by the external-tool-side-bus communication device 102 c. Upon determining that an authenticated state end request command is received by the external-tool-side-bus communication device 102 c, the control device 102 a ends the authenticated state (B114). In this example, the external tool 105 leads the control of the period of maintaining the authenticated state.

Another example is illustrated in
FIG. 7. In FIG. 7, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 transmits an authenticated state notice command from the ECU-side-bus communication device 102 b to the access target ECU 104, so that the access target ECU 104 transmits the authenticated state maintain request command. Within the period during which the control device 102 a determines that the authenticated state maintain request command from the access target ECU 104 is received by the ECU-side-bus communication device 102 b, the control device 102 a maintains the authenticated state. Upon determining that the authenticated state end request command from the access target ECU is received by the ECU-side-bus communication device 102 b, the control device 102 a ends the authenticated state (B114). In this example, the access target ECU 104 leads the control of the period of maintaining the authenticated state. It should be noted that the predetermined period during which the external tool 105 or the access target ECU 104 periodically transmits the authenticated state maintain request command to the vehicular gateway apparatus 102 may be an initial value set in production or may be a set value which is set and inputted by the operator operating the external tool 105.

(3) The Third Period (a Period During which the Vehicle State Satisfies the Predetermined Condition)

As shown in FIG. 8, in the vehicular gateway apparatus 102, after setting the authenticated state (B104), the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition (B115), by receiving the vehicle state from the ECU 104 through the ECU-side-bus communication device 102 b. For example, the predetermined condition may be one of the following: the immobilizer is in an unlocked state (released state); the ignition switch is off; and the door is in a closed state. That is, when at least one of the above three conditions is satisfied, the control device 102 a determines that the vehicle state satisfies the predetermined condition (YES at B115). During a period of determining that the vehicle state satisfies the predetermined condition, the control device 102 a maintains the authenticated state. When the control device 102 a determines that the vehicle state no longer satisfies the predetermined condition (NO at B115), the control device 102 a ends the authenticated state. In this case, the vehicular gateway apparatus 102 leads the control of the period of maintaining the authenticated state.

(4) The Fourth Period (the Period During which the Bus 106 is in the Communicating State)

As shown in FIG. 9, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 determines whether or not the bus 106 is in the communicating state (B116). Specifically, when the control device 102 a determines that one of the ECU-side-bus communication device 102 b and the external-tool-bus communication device 102 b is in the communicating state, the control device 102 a determines that the bus 106 is in the communicating state (YES at B116). Within the period during which the control device 102 a determines that the bus is in the communicating state, the control device 102 a maintains the authenticated state. Upon determining that the bus 106 is changed into a not-communicating state (NO at B116), the control device 102 a ends the authenticated state (B114). In this case, the vehicular gateway apparatus manages the period of maintaining the authenticated state, based on the communicating state of the bus 106.

As described above, in the present example of the first embodiment, the
vehicular gateway apparatus 102 is connected with the bus 106 so as to partition (separate) the external tool 105 from the ECU 103 and the ECU 104. When the external tool 105 is connected, the vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative, the vehicular gateway apparatus 102 sets the authenticated state, so that the vehicular gateway apparatus 102 permits the receipt of a subsequent data request command from the external tool 105 regardless of whether or not the data request command is a non-regulation message requiring the authentication. When the result of the authentication of the external tool 105 is negative, the vehicular gateway apparatus 102 does not set the authenticated state, so that when the vehicular gateway apparatus 102 determines that a subsequent data request command from the external tool 105 is a non-regulation message requiring the authentication, the vehicular gateway apparatus 102 rejects the receipt of the data request command.

According to the above configuration, even in cases where an improper external tool is connected to the bus 106, the harms resulting from the connection of the improper external tool can be prevented. As a result, it is possible to enhance security. To achieve this advantage, it is unnecessary to change specifications of data communication between the external tool 105 and the ECUs

Additionally, since the period of maintaining the authenticated state is managed, it is possible to avoid unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU after cutting off the connection of the external tool. As a result, it is possible to further enhance the security. Additionally, since the authenticating of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.

Additionally, during the period of prohibiting the data communication between the external tool 105 and the access target ECU, the data communication of specified data (e.g., regulation message) between the external tool 105 and the access target ECU is exceptionally permitted. Therefore, while preventing the harms resulting from the connection of the improper external tool, it is possible to ensure the data communication of the specified data.

A second example of the first embodiment will be described with reference to
FIGS. 9 and 10.

In the first example of the first embodiment, the vehicular gateway apparatus 102 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state. In a vehicular data communication authentication system 121 of the second example, one of the ECUs has an authentication function, so that the one of the ECUs is designated as an authentication ECU.

Additionally, this authentication ECU performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state and maintains the authenticated state.

As shown in FIG. 9, in a vehicular data communication authentication system 111, the authentication ECU 103 includes an authentication device 103 d. The authentication device 103 d is provided as a substitute for the authentication device 103 d of the vehicular gateway apparatus 102 of the first example of the first embodiment. That is, the authentication device 103 d has substantially the same function as the authentication device 103 d.

As shown in FIG. 10, in the authentication ECU 103, when the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.

When the control device 102 a of the vehicular gateway apparatus 102 determines that the ECU-side-bus communication device 102 b has received the authentication result affirmative response command from the authentication ECU, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs B104 and B112 to B114, which have already been illustrated in the first example. Specifically, the authentication ECU 103 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state. Thereafter, the vehicular gateway apparatus 102 maintains the authenticated state until the predetermined time has elapsed since the authenticated state was set. In the above illustration, the authenticated state is maintained only within the predetermined period after the authenticated state is set. However, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the second example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the authentication ECU 103 and the vehicular gateway apparatus 102.

A third example of the first embodiment will be described with reference to
FIGS. 12 and 13. In the third example, the vehicular gateway apparatus 102 connected with the bus 106 is absent. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are performed by the authentication ECU 103.

Specifically, as shown in FIG. 12, in a vehicular data communication authentication system 131, the authentication ECU 103 includes an authentication device 103 d, an authentication control device 103 e, a communication control device 103 f, a filtering device 103 g, and an authentication maintain device 103 h. The authentication device 103 d, the authentication control device 103 e, the communication control device 103 f, the filtering device 103 g and the authentication maintain device 103 h, respectively, have substantially the same function as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.

As shown in FIG. 13, in the authentication ECU 103, when the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Additionally, the control device 103 a performs D104 to D107, which correspond to B104 and B112 to B114 performed by the vehicular gateway apparatus 102 of the first example. In the present example also, as is the case in the first example, the authenticated state can be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the third example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102. In the present example, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the external tool 105 and that the access target ECU 104 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.

A fourth example of the first embodiment will be described with reference to
FIGS. 14 and 15. In the fourth example of the first embodiment, the vehicular gateway apparatus 102 is not connected with the bus 106. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are performed by the access target ECU 104.

Specifically, as shown in FIG. 14, in a vehicular data communication authentication system 131, the access target ECU 104 includes an authentication device 104 c, an authentication control device 104 d, a communication control device 104 e, a filtering device 104 f, and an authentication maintain device 104 g. The authentication device 104 c, the authentication control device 104 d, the communication control device 104 e, the filtering device 104 f and the authentication maintain device 104 g, respectively, have substantially the same functions as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.

As shown in FIG. 15, when the control device 104 a of the access target ECU 104 determines that the bus communication device 104 b has received the authentication seed request command from the external tool 105, the control device 104 a performs C106 to C112, which correspond to D101 to D107 performed by the authentication ECU 103 of the third example. In the present example also, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state. In the fourth example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, after cutting off the connection of the external tool for example, it is possible to enhance the security. Additionally, since the access target ECU 104 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102. In the present example, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the external tool 105 and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
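
The authenticated-state handling that the examples above share (reject non-regulation messages until authentication succeeds, then end the state according to one of the first to fourth periods), written in C as an added example; it is not code from the patent. All identifiers, the millisecond tick counter, and the timeout applied when maintain requests stop arriving are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The four ways the text bounds the authenticated state (first to fourth periods). */
typedef enum {
    MAINTAIN_TIMER,         /* (1) fixed time after the state was set            */
    MAINTAIN_REQUEST,       /* (2) while maintain requests keep arriving         */
    MAINTAIN_VEHICLE_STATE, /* (3) while the vehicle state satisfies a condition */
    MAINTAIN_BUS_ACTIVE     /* (4) while the bus is in the communicating state   */
} maintain_mode_t;

typedef struct {
    bool immobilizer_unlocked, ignition_off, door_closed;
} vehicle_state_t;

typedef struct {
    maintain_mode_t mode;
    bool authenticated;
    uint32_t ref_ms;   /* when the state was set, or when the last maintain request arrived */
    uint32_t limit_ms; /* predetermined time (mode 1); assumed request timeout (mode 2) */
} gw_session_t;

typedef enum { GW_FORWARD, GW_REJECT } gw_verdict_t;

void gw_init(gw_session_t *s, maintain_mode_t mode, uint32_t limit_ms) {
    s->mode = mode;
    s->authenticated = false;
    s->ref_ms = 0;
    s->limit_ms = limit_ms;
}

/* B103/B104: only an affirmative result sets the authenticated state;
 * a negative result leaves (or puts) the session unauthenticated. */
void gw_on_auth_result(gw_session_t *s, bool affirmative, uint32_t now_ms) {
    s->authenticated = affirmative;
    s->ref_ms = now_ms;
}

/* Second period: a maintain request refreshes the reference time. */
void gw_on_maintain_request(gw_session_t *s, uint32_t now_ms) {
    if (s->authenticated && s->mode == MAINTAIN_REQUEST) s->ref_ms = now_ms;
}

/* Second period: an end request ends the authenticated state (B114). */
void gw_on_end_request(gw_session_t *s) { s->authenticated = false; }

/* B115: the text treats the condition as met when at least one of the three holds. */
static bool vehicle_condition_met(const vehicle_state_t *v) {
    return v->immobilizer_unlocked || v->ignition_off || v->door_closed;
}

/* Periodic check (B113, B115, B116). Returns the authenticated state after the check. */
bool gw_tick(gw_session_t *s, uint32_t now_ms, const vehicle_state_t *v, bool bus_active) {
    if (!s->authenticated) return false;
    switch (s->mode) {
    case MAINTAIN_TIMER:
    case MAINTAIN_REQUEST:
        /* unsigned subtraction stays correct across a tick-counter wrap */
        if ((uint32_t)(now_ms - s->ref_ms) >= s->limit_ms) s->authenticated = false;
        break;
    case MAINTAIN_VEHICLE_STATE:
        if (!vehicle_condition_met(v)) s->authenticated = false;
        break;
    case MAINTAIN_BUS_ACTIVE:
        if (!bus_active) s->authenticated = false;
        break;
    }
    return s->authenticated;
}

/* B111: regulation messages always pass; non-regulation messages need the authenticated state. */
gw_verdict_t gw_filter(const gw_session_t *s, bool is_regulation_msg) {
    return (is_regulation_msg || s->authenticated) ? GW_FORWARD : GW_REJECT;
}

static const char *verdict_name(gw_verdict_t v) { return v == GW_FORWARD ? "forward" : "reject"; }

int main(void) {
    /* Constructed sample input: ignition off, 5 s authentication maintain timer. */
    vehicle_state_t v = { false, true, false };
    gw_session_t s;
    gw_init(&s, MAINTAIN_TIMER, 5000);
    printf("before auth, non-regulation: %s\n", verdict_name(gw_filter(&s, false)));
    printf("before auth, regulation:     %s\n", verdict_name(gw_filter(&s, true)));
    gw_on_auth_result(&s, true, 1000);
    gw_tick(&s, 3000, &v, true);
    printf("t=3000, non-regulation:      %s\n", verdict_name(gw_filter(&s, false)));
    gw_tick(&s, 6000, &v, true);
    printf("t=6000, non-regulation:      %s\n", verdict_name(gw_filter(&s, false)));
    return 0;
}
```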

A fifth example of the first embodiment will be described with reference to FIGS. 16 and 17. As shown in FIG. 16, in the fifth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (server) 109 communicable with the external tool 105 and the communication device 108 via a wide area communication network is present. The center 109 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets and maintains the authenticated state.

Specifically, in a vehicular data communication authentication system 141, the center 109 includes an authentication device 109 a. The authentication device 109 a is provided as a substitute for the authentication device 102 d of the vehicular gateway apparatus 102 of the first example. The authentication device 109 a has substantially the same function as the authentication device 102 d illustrated in the first example.

As shown in FIG. 17, when the center 109 determines that the center 109 has received the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 illustrated in the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.

The control device 102 a of the vehicular gateway apparatus 102 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 102 a receives the authentication result affirmative response command from the communication device 108, the control device 102 a performs B104 and B112 to B114, which have been already illustrated in the first example. In the present example also, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the vehicular gateway apparatus 102. Additionally, since the center 109, which is located outside of the vehicular data communication authentication system 141, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.

A sixth example of the first embodiment will be described with reference to
FIGS. 18 and 19. As shown in FIG. 18, in the sixth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (server) 109 communicable with the external tool 105 and the communication device 108 through a wide area communication network is present. The center 109 performs the authentication of the external tool 105, and the authentication ECU 103 sets and maintains the authenticated state.

As shown in FIG. 19, when the center 109 determines that the center 109 has received the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 of the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.

The control device 103 a of the authentication ECU 103 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 103 a receives the authentication result affirmative response command from the communication device 108, the control device 103 a performs D104 and D107 as illustrated in the second example. In the present example also, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the authentication ECU 103 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the authentication ECU 103. Additionally, since the center 109, which is located outside of a vehicular data communication authentication system 151, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.

A seventh example will be described with reference to
FIG. 20. In the seventh example, even in cases where it is impossible to directly perform the authentication of the external tool 105, the system enables indirect authentication of the external tool 105 by performing the authentication of the vehicle state. The seventh example can be achieved by using the same functional blocks (FIG. 1) as the first example.

As shown in FIG. 20, the control device 102 a of the vehicular gateway apparatus 102 receives the vehicle state from the ECU 103 through the ECU-side-bus communication device 102 b, thereby specifying the vehicle state (B117). Then the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (B118). For example, the control device 102 a determines whether or not the immobilizer is in the unlocked state, whether or not the ignition switch is off, and whether or not the door is in the closed state.

Specifically, when a proper worker connects a proper external tool to the connector 107, the vehicle state is a normal state in which the immobilizer is in the released state (unlocked state), the ignition switch is off or the door is in the closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is affirmative. However, when a third party having a bad intention connects an improper external tool to the connector 107, the vehicle state is an abnormal state in which the immobilizer is not in the released state; the ignition switch is not off; or the door is not the not-closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is not affirmative.

In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the vehicle state is affirmative (YES at B119), the control device 102 a performs B104. At B104, the control device 102 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the external-tool-side-bus communication device 102 c. Additionally, the control device 102 a sets the authenticated state, which is a state where the vehicle state is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 (permits the data communication). Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 (prohibits the data communication).

When the authenticated state is set in the above way (B104), the control device 102 a performs B112 to B114 as illustrated in the first example. In the present example also, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authenticating of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.

An eighth example will be described with reference to
FIG. 21. In the eighth example, the authentication ECU performs the authentication of the vehicle state and the vehicular gateway apparatus 102 sets and maintains the authenticated state.

The eighth example can be achieved by using the same functional blocks (FIG. 10) as the second example.

As shown in FIG. 21, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external source, thereby specifying the vehicle state (D108). Then the control device 103 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (D109). When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.

When the control device 102 a of the vehicular gateway apparatus 102 determines that the authentication result affirmative response command from the authentication ECU 103 is received by the ECU-side-bus communication device 102 b, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs B104, and B112 to B114 as illustrated in the first example. In other words, the authentication ECU 103 performs the authentication of the vehicle state, and the vehicular gateway apparatus 102 sets the authenticated state, and maintains the authenticated state only within the predetermined period after the authenticated state was set. In the present example also, as is the case in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.

In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.

A ninth example will be described with reference to
FIG. 22. In the ninth example, the authentication ECU 103 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The ninth example can be achieved by using the same functional blocks (FIG. 12) as the third example.
- As shown in FIG. 22, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external source and performs D108 to D110 as illustrated in the seventh example. When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Thereafter, the control device 103 a performs D104 to D107 as illustrated in the third example. In the present example also, as in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is input from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state. In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after the connection of the external tool is cut off, for example, it is possible to avoid unnecessarily extending the period during which data communication between the external tool 105 and the access target ECU is permitted. As a result, it is possible to enhance the security. Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are performed by the authentication ECU 103, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the vehicle state and the access target ECU 104 sets and maintains the authenticated state. In other words, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be performed in a decentralized manner by multiple ECUs.
- A tenth example will be described with reference to
FIG. 23. In the tenth example, the access target ECU 104 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The tenth example can be achieved by using the same functional blocks (FIG. 14) as the fourth example.
- As shown in FIG. 23, the control device 104 a of the access target ECU 104 receives the vehicle state from the ECU 103 through the bus communication device 104 b, thereby specifying the vehicle state (C13). Then the control device 104 a determines whether or not the vehicle state satisfies the predetermined condition, thereby performing the authentication of the vehicle state and determining whether a result of the authentication is affirmative or negative (C14). When the result of the authentication is affirmative (YES at C14), the control device 104 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 104 b. Then the control device 104 a performs C109 to C112 as illustrated in the fourth example. In the present example also, as in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is input from an external source such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
- In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after the connection of the external tool is cut off, for example, it is possible to avoid unnecessarily extending the period during which data communication between the external tool 105 and the access target ECU is permitted. As a result, it is possible to enhance the security.
- Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are performed by the access target ECU 104, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the vehicle state and the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be performed in a decentralized manner by multiple ECUs.
- The above-illustrated examples do not limit examples of the first embodiment. The first embodiment can be modified and extended in various ways. For example, the authenticated state may be set when (i) the result of the authentication of the external tool 105 is affirmative and (ii) the result of the authentication of the vehicle state is affirmative. The vehicle state to be authenticated is not limited to the state (locked state, released state) of the immobilizer, the state (on, off) of the initiation switch, and the state of the door (open state, closed state). Any state can be adopted as long as the state enables a determination as to whether a proper operator connects a proper external tool or an improper operator connects an improper external tool. Further, the determination may be made by using a single one of the states or by using a combination of the states. The filtering device 102 g of the vehicular gateway apparatus 102, the filtering device 103 g of the authentication ECU 103, and the filtering device 104 f of the access target ECU 104 may be omitted.
- A first example of the embodiment will be described with reference to
FIGS. 24 to 27. As shown in FIG. 24, in a vehicular data communication system 201, a vehicular data communication apparatus 202 is connected with a bus so as to partition (separate) multiple ECUs including a first ECU 203 and a second ECU 204 from an external tool 205. Each of the ECUs and the external tool 205 serves as a node.
- The external tool 205 is operable by an operator. A bus connecting the vehicular data communication apparatus 202 and the external tool 205 is called a bus A. That is, the bus A is a bus for data transmission between the vehicular data communication apparatus 202 and the external tool 205. A bus connecting the vehicular data communication apparatus 202 and the first ECU 203 is called a bus B. That is, the bus B is a bus for data transmission between the vehicular data communication apparatus 202 and the first ECU 203. A bus connecting the vehicular data communication apparatus 202 and the second ECU 204 is called a bus C. That is, the bus C is a bus for data transmission between the vehicular data communication apparatus 202 and the second ECU 204. A connector 206, to which the external tool 205 is connectable, is provided on an external tool side of the bus A. When the external tool 205 is connected to the connector 206, the external tool 205 becomes able to communicate with the vehicular data communication apparatus 202.
- The bus A, the bus B and the bus C adopt a controller area network (CAN) as a data communication method. The CAN communication defines a data field for storing data, an identifier field for identifying the type of a data frame, a cyclic redundancy check (CRC) field for storing the CRC check, etc. However, the CAN communication does not define a source field for identifying a source (source address) of a data frame or an authentication field for authenticating a data frame.
- The vehicular
data communication apparatus 202 includes a control device 202 a (which can correspond to an example of encryption control device and means), an ECU-side-bus communication device 202 b, an external-tool-side-bus communication device 202 c, an encryption device 202 d, and an encryption table 202 e (which can correspond to an encryption information storage device or means). The control device 202 a includes a microcomputer. By executing a control program with the microcomputer, the control device 202 a controls operations of the ECU-side-bus communication device 202 b, the external-tool-side-bus communication device 202 c and the encryption device 202 d. The ECU-side-bus communication device 202 b is connected with the bus B and the bus C, and controls data transmission and receipt between the first ECU 203 and the second ECU 204. The external-tool-side-bus communication device 202 c is connected with the bus A. In a state where the external tool 205 is connected to the connector 206, the external-tool-side-bus communication device 202 c controls communications, such as data transmission and receipt, with the external tool 205.
- By referencing the encryption table 202 e, the encryption device 202 d encrypts and rewrites plaintext data into encrypted-text data. In the above, the plaintext data to be encrypted may be (i) plaintext data which the external-tool-side-bus communication device 202 c receives from the external tool 205, and (ii) plaintext data which the ECU-side-bus communication device 202 b receives from the first ECU 203 or the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption table 202 e stores encryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus B, the encryption table 202 e stores the encryption information (“encr” in FIG. 24) indicating that the plaintext is to be encrypted. For the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus C, the encryption table 202 e stores the encryption information (“plain” in FIG. 24) indicating that the plaintext is not to be encrypted.
- The first ECU 203 includes a control device 203 a (which can correspond to an example of decryption control device and means), a bus communication device 203 b, a decryption device 203 c, and a decryption table 203 d (which can correspond to an example of decryption information storage device and means). The control device 203 a includes a microcomputer. By executing a control program with the microcomputer, the control device 203 a controls the bus communication device 203 b and the decryption device 203 c. The bus communication device 203 b is connected with the bus B and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
- When the bus communication device 203 b receives encrypted-text data from the vehicular data communication apparatus 202, the decryption device 203 c decrypts it by rewriting the encrypted-text data into plaintext data. For each bus connected with a data source node, the decryption table 203 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A, the decryption table 203 d stores “decry” indicating that the encrypted-text data is to be decrypted. For the case where the bus connected with the source node is the bus C, the decryption table 203 d stores “plain” indicating that the plain-text data is not to be decrypted.
- The second ECU 204 has substantially the same configuration as the first ECU 203. The second ECU 204 includes a control device 204 a (which can correspond to an example of decryption control device and means), a bus communication device 204 b, a decryption device 204 c, and a decryption table 204 d (which can correspond to an example of decryption information storage device and means). The control device 204 a includes a microcomputer. By executing a control program with the microcomputer, the control device 204 a controls the bus communication device 204 b and the decryption device 204 c. The bus communication device 204 b is connected with the bus C and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
- When the bus communication device 204 b receives encrypted-text data from the vehicular data communication apparatus 202, the decryption device 204 c decrypts it by rewriting the encrypted-text data into plaintext data. For each bus connected with the data source node, the decryption table 204 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A, the information “plain” indicating that the plain-text data is not encrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “decry” indicating that the encrypted-text data is to be decrypted is stored.
- The
external tool 205 includes a control device 205 a (which can correspond to a decryption control device and means), a bus communication device 205 b, a decryption device 205 c, a decryption table 205 d (which can correspond to a decryption information storage device and means), and an input/output interface (IF) 205 e. The control device 205 a includes a microcomputer. By executing a control program with the microcomputer, the control device 205 a controls operations of the bus communication device 205 b, the decryption device 205 c, and the input/output interface (IF) 205 e. The bus communication device 205 b is connected with the bus A and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
- When the bus communication device 205 b receives encrypted-text data from the vehicular data communication apparatus 202, the decryption device 205 c decrypts it by rewriting the encrypted-text data into plaintext data. The decryption table 205 d stores decryption information for each data bus connected with the data source node. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus B, the information “decry” indicating that the encrypted-text data is to be decrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “plain” indicating that the plain-text data is not decrypted is stored.
- The input/output IF 205 e has a function to accept an input operation from the operator operating the external tool 205, and has a function to issue a notification by, for example, displaying data. Specifically, by connecting the external tool 205 to the connector 206 and performing the input operation on the external tool 205, the operator can rewrite the control program of an access target ECU and read out data from the access target ECU. The external tool 205 is not limited to a dedicated node for rewriting the control program of the access target ECU and reading out the data from the access target ECU; the external tool 205 may be a cellular phone, a personal digital assistant or the like having the above functions.
- The encryption and decryption may use public-key cryptography, in which the encryption is performed with a public key and the decryption is performed with a private key. Alternatively, the encryption and decryption may use common-key cryptography, in which the encryption and decryption are performed with a common key. Various ECUs may be used as the first ECU 203 and the second ECU 204. For example, the first ECU 203 or the second ECU 204 may be one of an engine ECU for controlling an engine, a door lock ECU for controlling operations of a door lock mechanism, a navigation ECU for controlling navigation operations, a meter ECU for controlling operations of a meter (indicator), and the like. For example, when the first ECU 203 or the second ECU 204 is the engine ECU, the first ECU 203 or the second ECU 204 includes a functional block for controlling the engine in addition to the above-described functional blocks. In the example shown in FIG. 24, the number of ECUs is two. However, the number of ECUs may be one, or more than two.
- The encryption table and the decryption table are set up based on, for example, the following. Let us assume that the data transmitted through the bus can be classified into a regulation message (i.e., a message that gives an obligation to answer in response to the request) and a non-regulation message (i.e., a message that does not give an obligation to answer in response to the request). In this case, the encryption table and the decryption table are set up so that (i) the information indicating that the encryption or decryption is not to be performed is set for the bus connected with the node that transmits and receives the regulation message, and (ii) the information indicating that the encryption or decryption is to be performed is set for the bus connected with the node that transmits and receives the non-regulation message.
- Operations will be described with reference to
FIGS. 25 to 28. In the following, three situations are illustrated. A first situation is that the external tool 205 and the first ECU 203 perform the data communication. A second situation is that the external tool 205 and the second ECU 204 perform the data communication. A third situation is that the first ECU 203 and the second ECU 204 perform the data communication.
- (1) The First Situation (the External Tool 205 and the First ECU 203 Perform the Data Communication)
- In this situation, the processes illustrated in FIG. 25 are performed by the external tool 205, the first ECU 203, and the vehicular data communication apparatus 202. As illustrated in FIG. 25, when the external tool 205 is connected to the connector 206, the plain-text data is transmitted from the external tool 205 to the first ECU 203 (data destination node). In this case, when the control device 202 a of the vehicular data communication apparatus 202 determines that the plain-text data is received by the external-tool-side-bus communication device 202 c, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B201). When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B201), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B202), and transmits the encrypted-text data to the first ECU 203 by using the ECU-side-bus communication device 202 b. When the control device 202 a determines that it is not necessary to encrypt the plaintext data (NO at B201), the control device 202 a transmits the plaintext data to the first ECU 203 by using the ECU-side-bus communication device 202 b, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus A connected with the source and the bus B connected with the destination, the control device 202 a encrypts the plaintext data received from the external tool 205, and transmits the encrypted-text data to the first ECU 203.
- When the control device 203 a of the first ECU 203 determines that the bus communication device 203 b has received the data, which is addressed to the first ECU 203, from the vehicular data communication apparatus 202, the control device 203 a performs C201. At C201, by referencing the decryption table 203 d, the control device 203 a determines whether or not it is necessary to decrypt the received data. When the control device 203 a determines that it is necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the encrypted-text data (YES at C201), the control device 203 a decrypts the encrypted-text data (C202) and performs data processing based on the decrypted data. When the control device 203 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at C201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (C203). In the present example, since “decry” is stored for the bus A connected with the data source node, the control device 203 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202, and performs the data processing based on the plaintext data. Thereafter, the control device 203 a transmits plaintext data to the vehicular data communication apparatus 202 by using the bus communication device 203 b.
- When the
control device 202 a of the vehicular data communication apparatus 202 determines that the external-tool-side-bus communication device 202 c has received the plain-text data, which is addressed to the external tool 205, from the external tool 205, the control device 202 a performs B203. At B203, by referencing the encryption table 202 e, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data. When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B203), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B204), and transmits the encrypted-text data to the external tool 205 by using the external-tool-side-bus communication device 202 c. When the control device 202 a determines that it is not necessary to encrypt the received plain-text data (NO at B203), the control device 202 a transmits the plaintext data to the external tool 205 by using the external-tool-side-bus communication device 202 c, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus B on a source side and the bus A on a destination side, the control device 202 a encrypts the plaintext data received from the first ECU 203, and transmits the encrypted-text data to the external tool 205.
- When the control device 205 a of the external tool 205 determines that the bus communication device 205 b has received the data, which is addressed to the external tool 205, from the vehicular data communication apparatus 202, the control device 205 a performs A201. At A201, by referencing the decryption table 205 d, the control device 205 a determines whether or not it is necessary to decrypt the received data. When the control device 205 a determines that it is necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the encrypted-text data (YES at A201), the control device 205 a decrypts the encrypted-text data (A202) and performs data processing based on the decrypted data (A203). When the control device 205 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at A201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (A203). In the present example, since “decry” is stored for the bus B on the source side, the control device 205 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202 to obtain plaintext data and performs the data processing based on the plaintext data.
- As described above, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus A on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 encrypts the received plaintext data into encrypted-text data and transmits the encrypted-text data to the first ECU 203. Moreover, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into encrypted-text data and transmits the encrypted-text data to the external tool 205.
- (2) The Second Situation (the External Tool 205 and the Second ECU 204 Perform the Data Communication)
- As shown in
FIG. 26, the vehicular data communication apparatus 202 performs steps B211 and B212, then the second ECU 204 performs D211 to D213, then the vehicular data communication apparatus 202 performs B213 and B214, and then the external tool 205 performs A211 to A213. In the present example, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus A on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 transmits the received plaintext data to the second ECU 204 without encrypting the received plaintext data. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the external tool 205 without encrypting the received plaintext data.
- (3) The Third Situation (the First ECU 203 and the Second ECU 204 Perform the Data Communication)
- As shown in FIG. 27, the vehicular data communication apparatus 202 performs steps B221 and B222, then the second ECU 204 performs D221 to D223, then the vehicular data communication apparatus 202 performs B223 and B224, and then the first ECU 203 performs C221 to C223. In the present example, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into encrypted-text data and transmits the encrypted-text data to the second ECU 204. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the first ECU 203 without encrypting the received plaintext data.
- In the first example, the vehicular
data communication apparatus 202 relays data among the external tool 205, the first ECU 203 and the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption information (the encryption table) indicating whether or not the data is to be encrypted is uniformly managed by the vehicular data communication apparatus 202. Additionally, for each bus connected with the data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
- Accordingly, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to that node. Therefore, complication of the configuration and an increase in processing resulting from the encryption and the decryption can be prevented. For example, it is possible to use a processing capacity (e.g., a memory capacity), which is not unlimited, for a primary function, and it is possible to ensure that the primary function is fulfilled. It should be noted that if the encryption or the decryption causes a failure to fulfill the primary function (e.g., processing delay), a negative influence may be exerted on, for example, vehicle control while the vehicle is traveling. Therefore, the configuration of the present example is remarkably advantageous in a system in which the ECU serves as a node. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication. Specifically, even if an improper external tool is connected to the bus, data transmitted from the improper external tool is not supported by the encryption of the vehicular data communication apparatus 202, and thus, it becomes possible to prevent the improper rewriting of the control programs of the first ECU 203 and the second ECU 204 and the improper reading out of the first ECU 203 and the second ECU 204.
- Moreover, even when multiple nodes transmitting data that needs to be encrypted are connected with the same bus and/or even when multiple nodes transmitting data that does not need to be encrypted are connected with the same bus, an encryption table and/or a decryption table targeted for respective individual nodes are not required to be set up. Instead, the encryption table and/or the decryption table targeted for respective individual nodes are set up. Therefore, the work of setting up the encryption table and/or the decryption table is simple.
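The table-driven relay of the first example can be exercised end to end. The following Python sketch is an added example, not code from the patent: it models the encryption table of the vehicular data communication apparatus 202 and the decryption table of each node with the values given in the text, and adds an audit that reports any route on which the two disagree. The cipher (a SHA-256 keystream XOR standing in for the unspecified common-key scheme), the key, the frame counter, the way a receiver learns the source bus, and the second ECU's entry for bus B are assumptions.

```python
import hashlib

# Bus each node sits on (FIG. 24 topology as described in the text).
NODE_BUS = {"external_tool": "A", "first_ecu": "B", "second_ecu": "C"}

# Gateway encryption table: (source bus, destination bus) -> policy,
# using the values the text gives for the three situations.
ENCRYPTION_TABLE = {
    ("A", "B"): "encry", ("B", "A"): "encry",
    ("A", "C"): "plain", ("C", "A"): "plain",
    ("B", "C"): "encry", ("C", "B"): "plain",
}

# Per-node decryption tables: source bus -> policy.
DECRYPTION_TABLES = {
    "external_tool": {"B": "decry", "C": "plain"},
    "first_ecu": {"A": "decry", "C": "plain"},
    # Assumption: the bus B entry is inferred from the third situation.
    "second_ecu": {"A": "plain", "B": "decry"},
}

# The second ECU's table exactly as the text words it (bus A and bus C only).
SECOND_ECU_AS_WORDED = {"A": "plain", "C": "decry"}

SHARED_KEY = b"constructed-demo-key"              # constructed sample key
SAMPLE_FRAME = bytes.fromhex("1003000000000000")  # constructed 8-byte payload


def stream_cipher(key, counter, data):
    """Stand-in common-key cipher (assumption): XOR with a SHA-256 keystream.
    Applying it twice with the same key and counter restores the input."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def gateway_relay(src_node, dst_node, payload, counter):
    """Return (policy, bytes the gateway places on the destination bus)."""
    route = (NODE_BUS[src_node], NODE_BUS[dst_node])
    policy = ENCRYPTION_TABLE[route]  # KeyError means the route is not provisioned
    if policy == "encry":
        return policy, stream_cipher(SHARED_KEY, counter, payload)
    return policy, payload


def node_receive(node, src_bus, wire, counter, tables=DECRYPTION_TABLES):
    """Bytes the receiving node processes, or None when its table has no
    entry for the source bus (failing closed is an assumption of this sketch)."""
    policy = tables[node].get(src_bus)
    if policy is None:
        return None
    if policy == "decry":
        return stream_cipher(SHARED_KEY, counter, wire)
    return wire


def audit_tables(enc_table, dec_tables, node_bus):
    """List (src bus, dst bus, node, expected, actual) for every route where
    a receiver's decryption table disagrees with the gateway's encryption table."""
    findings = []
    for (src_bus, dst_bus), enc_policy in sorted(enc_table.items()):
        expected = "decry" if enc_policy == "encry" else "plain"
        for node, bus in sorted(node_bus.items()):
            if bus != dst_bus:
                continue
            actual = dec_tables.get(node, {}).get(src_bus)
            if actual != expected:
                findings.append((src_bus, dst_bus, node, expected, actual))
    return findings


if __name__ == "__main__":
    routes = [("external_tool", "first_ecu"),
              ("external_tool", "second_ecu"),
              ("first_ecu", "second_ecu")]
    for src, dst in routes:
        policy, wire = gateway_relay(src, dst, SAMPLE_FRAME, counter=1)
        got = node_receive(dst, NODE_BUS[src], wire, counter=1)
        print(f"{src} -> {dst}: {policy} wire={wire.hex()} processed={got.hex()}")
    worded = dict(DECRYPTION_TABLES, second_ecu=SECOND_ECU_AS_WORDED)
    print("audit, assumed tables:", audit_tables(ENCRYPTION_TABLE, DECRYPTION_TABLES, NODE_BUS))
    print("audit, tables as worded:", audit_tables(ENCRYPTION_TABLE, worded, NODE_BUS))
```

The audit is the part worth keeping in a provisioning pipeline: a route the gateway encrypts but the receiver treats as plaintext (or has no entry for) means the node would process ciphertext as if it were a command, or drop legitimate traffic.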
- Although the above illustration is directed to the system in which the
first ECU 203 is connected with the vehicular data communication apparatus 202 through the bus B, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 are connected with the vehicular data communication apparatus 202 through the bus B. Specifically, as shown in FIG. 28, in the vehicular data communication system 211, the first ECU 203 and a third ECU 207 may be connected with the vehicular data communication apparatus 202 through the bus B. In this configuration, the third ECU 207 stores the same decryption table as the first ECU 203 stores, so that the third ECU 207 can perform substantially the same process as the first ECU 203. It should be noted that when the first ECU 203 and the third ECU 207 perform the data communication, the encryption table stored in the vehicular data communication apparatus 202 is not used, because the vehicular data communication apparatus 202 does not relay the data. The same applies to cases where the second ECU 204 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
- A second example of the second embodiment will be described with reference to
FIGS. 29 and 30. In the second example, for each combination of a data source node and a data destination node, the encryption table is uniformly managed by the vehicular data communication apparatus 202 relaying the data. For each data source node, the decryption table is uniformly managed by the external tool 205, the first ECU 203, and the second ECU 204. In the second example, for example, the information indicating that the decryption or the encryption is not to be performed is set for a node that transmits and receives a non-regulation message. The information indicating that the decryption or the encryption is to be performed is set for a node that transmits and receives a regulation message.
- In a vehicular
data communication system 221, the vehicular data communication apparatus 202 is connected with the first ECU 203 and the second ECU 204 through the bus B. The vehicular data communication apparatus 202 stores the encryption information as the encryption table 202e for each combination of a data source node and a data destination node. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205 and the data destination node is the first ECU 203, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data source node is the external tool 205 and the data destination node is the second ECU 204, the stored encryption information indicates that the plaintext data is not to be encrypted. For each data source node, the first ECU 203 stores the decryption information as the decryption table 203d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the encrypted-text data is to be decrypted. Likewise, for each data source node, the second ECU 204 stores the decryption information as the decryption table 204d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, for each data source node, the external tool 205 stores the decryption information as the decryption table 205d. For example, as illustrated in FIG. 29, for the case where the data source node is the first ECU 203, the stored decryption information indicates that the encrypted-text data is to be decrypted. For the case where the data source node is the second ECU 204, the stored decryption information indicates that the plaintext data is not to be decrypted.
- In the second example, the vehicular
data communication apparatus 202 relays data among the external tool 205, the first ECU 203 and the second ECU 204.
- For each combination of a data source node and a data destination node, the vehicular
data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
- Accordingly, the second example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the
external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting it. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted to it from the vehicular data communication apparatus 202. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- Moreover, even when multiple nodes transmitting data that needs to be encrypted are connected with the same bus and/or even when multiple nodes transmitting data that does not need to be encrypted are connected with the same bus, it is possible to appropriately encrypt only the data that needs to be encrypted, by setting the encryption tables and/or the decryption tables for respective individual nodes. Additionally, it is possible to flexibly deal with node addition and node deletion.
- The above illustration is directed to the system in which the
first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B. However, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through multiple buses including the bus B. For example, as illustrated in FIG. 30, in a vehicular data communication system 231, the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B, and additionally, the third ECU 207 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C. In this case, the vehicular data communication apparatus 202 stores the encryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node and the data destination node. Each of the first ECU 203, the second ECU 204 and the external tool 205 stores the decryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node.
- A third example of the second embodiment will be described with reference to
FIGS. 31 and 32. In the third example, the vehicular data communication apparatus 202 for relaying data uniformly manages the encryption table for each identifier (CAN_ID) indicative of the type of a data frame storing the data. For each identifier (CAN_ID) indicative of the type of a data frame storing the data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the third example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the non-regulation message. The CAN_ID refers to information identifying data content or the like, and has an 11-bit length in standard format, as illustrated in FIG. 32.
- In a vehicular
data communication system 241, for each CAN_ID indicative of the type of the data frame, the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202e. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be encrypted.
- For each CAN_ID indicative of the type of the data frame, the
first ECU 203 stores the decryption information as the decryption table 203d. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored decryption information indicates that the plaintext data is to be decrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 204d. The external tool 205 also stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 205d.
- In the third example, the vehicular
data communication apparatus 202 relays data among the external tool 205, the first ECU 203 and the second ECU 204. For each CAN_ID, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each CAN_ID, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
- Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the
external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting it. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted to it from the vehicular data communication apparatus 202. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- Moreover, by setting the encryption tables and the decryption tables for respective individual data frames, it is possible to appropriately encrypt only the data that needs to be encrypted, even when the same single node transmits both the data frame storing the data that needs to be encrypted and the data frame storing the data that does not need to be encrypted.
- A fourth example of the second embodiment will be described with reference to
FIG. 33. In the fourth example, the vehicular data communication apparatus 202 for relaying data uniformly manages the encryption table for each data storage area (data field) of a data frame storing the data. For each data storage area (data field) of a data frame storing the data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the fourth example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the non-regulation message.
- In a vehicular
data communication system 251, for each data storage area of the data frame, the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202e. For example, as illustrated in FIG. 33, for a plaintext data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored encryption information indicates that the plaintext data is to be encrypted. For a plaintext data stored in “5 to 8 byte”, the stored encryption information indicates that the plaintext data is not to be encrypted.
- For each data storage area of the data frame, the
first ECU 203 stores the decryption information as the decryption table 203d. For example, as illustrated in FIG. 33, for an encrypted-text data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored decryption information indicates that the encrypted-text data is to be decrypted. For a plaintext data stored in “5 to 8 bytes”, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each data storage area of the data frame, the decryption information as the decryption table 204d. The external tool 205 also stores, for each data storage area of the data frame, the decryption information as the decryption table 205d.
- In the fourth example, the vehicular
data communication apparatus 202 relays data among the external tool 205, the first ECU 203 and the second ECU 204. For each data field (for each data storage area of the data frame), the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data field (for each data storage area of the data frame), the data destination node uniformly manages the decryption information (the decryption table) indicating whether or not the data is to be decrypted. The data destination node is, for example, the external tool 205, the first ECU 203 and the second ECU 204.
- Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the
external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting it. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted to it from the vehicular data communication apparatus 202. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
- Moreover, by setting the encryption tables and the decryption tables for respective individual data storage areas, it is possible to appropriately encrypt only the data that needs to be encrypted, even when the node transmits the data frame having both the data that needs to be encrypted and the data that does not need to be encrypted.
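The per-CAN_ID and per-data-field tables of the third and fourth examples, sketched in C as an added illustration that is not code from the patent. The table rows follow the FIG. 31 and FIG. 33 values quoted above, read as decimal identifiers with zero-based byte indices (“5 to 8 byte” taken as bytes 5 to 7); the struct and function names, and the XOR pad standing in for the cipher the page does not name, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative frame layout (hypothetical names, not from the patent). */
struct frame { uint16_t can_id; uint8_t dlc; uint8_t data[8]; };

/* One table row: bytes first..last (inclusive) of frames carrying can_id
 * are transformed (protect = 1) or passed through unchanged (protect = 0). */
struct field_rule { uint16_t can_id; uint8_t first, last, protect; };

/* Constructed contents: CAN_ID 700 encrypted, 701 plaintext (third example);
 * CAN_ID 800 bytes 0-4 encrypted, remaining bytes plaintext (fourth example).
 * Identifiers are read as decimal and byte indices as zero-based. */
#define RULES { {700, 0, 7, 1}, {701, 0, 7, 0}, {800, 0, 4, 1}, {800, 5, 7, 0} }
static const struct field_rule ENC_TABLE_202E[] = RULES; /* held by the relay */
static const struct field_rule DEC_TABLE_203D[] = RULES; /* held by the node  */
#define N_RULES (sizeof ENC_TABLE_202E / sizeof ENC_TABLE_202E[0])

/* Placeholder keystream: the page names no cipher, so a fixed XOR pad stands
 * in for it here. XOR is its own inverse, so one routine serves both sides. */
static uint8_t pad(uint16_t can_id, uint8_t idx)
{
    static const uint8_t key[8] = {0x3c, 0xa5, 0x17, 0xe9, 0x52, 0x8b, 0xd4, 0x6e};
    return (uint8_t)(key[idx & 7] ^ (can_id & 0xff) ^ (can_id >> 8));
}

/* Does the table mark byte idx of this CAN_ID as protected?
 * Bytes with no matching row pass through (an assumption of this example). */
static int is_protected(const struct field_rule *t, size_t n, uint16_t id, uint8_t idx)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].can_id == id && idx >= t[i].first && idx <= t[i].last)
            return t[i].protect;
    return 0;
}

/* Apply a table to a frame in place. Returns the number of bytes
 * transformed, or -1 for a frame outside classic CAN limits. */
static int apply_table(const struct field_rule *t, size_t n, struct frame *f)
{
    int changed = 0;
    if (f->can_id > 0x7FF || f->dlc > 8)
        return -1;
    for (uint8_t i = 0; i < f->dlc; i++) {
        if (is_protected(t, n, f->can_id, i)) {
            f->data[i] ^= pad(f->can_id, i);
            changed++;
        }
    }
    return changed;
}

/* Relay side: encryption control using table 202e. */
static int gateway_relay(struct frame *f) { return apply_table(ENC_TABLE_202E, N_RULES, f); }
/* Destination side: decryption control using table 203d. */
static int node_receive(struct frame *f) { return apply_table(DEC_TABLE_203D, N_RULES, f); }

/* Constructed payload for the demonstrations below. */
static struct frame sample(uint16_t can_id, uint8_t dlc)
{
    struct frame f = { can_id, dlc, {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17} };
    return f;
}

/* How many bytes the relay encrypts for a given identifier and length. */
int bytes_encrypted(uint16_t can_id, uint8_t dlc)
{
    struct frame f = sample(can_id, dlc);
    return gateway_relay(&f);
}

/* Relayed frame: bytes 0-4 differ on the destination bus, bytes 5-7 do not,
 * and the node recovers the original. Returns 1 when all three hold. */
int relayed_frame_roundtrips(void)
{
    struct frame sent = sample(800, 8), f = sent;
    gateway_relay(&f);
    for (int i = 0; i < 5; i++)
        if (f.data[i] == sent.data[i]) return 0;
    if (memcmp(f.data + 5, sent.data + 5, 3) != 0) return 0;
    node_receive(&f);
    return memcmp(f.data, sent.data, 8) == 0;
}

/* Frame that never passed through the relay: the node still applies its
 * decryption table, so the protected bytes it processes are not the bytes
 * that were put on the bus. Returns 1 when bytes 0-4 all differ. */
int unrelayed_frame_is_garbled(void)
{
    struct frame on_bus = sample(800, 8), f = on_bus;
    node_receive(&f);
    for (int i = 0; i < 5; i++)
        if (f.data[i] == on_bus.data[i]) return 0;
    return 1;
}

int main(void)
{
    printf("CAN_ID 800, 8 bytes: %d encrypted\n", bytes_encrypted(800, 8));
    printf("CAN_ID 701, 8 bytes: %d encrypted\n", bytes_encrypted(701, 8));
    printf("relayed round trip ok: %d\n", relayed_frame_roundtrips());
    printf("unrelayed frame garbled: %d\n", unrelayed_frame_is_garbled());
    return 0;
}
```

The sending node does no cryptographic work in this sketch; only the relay and the destination consult a table, which is the division of labour the description argues for.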
- The second embodiment is not limited to the above-illustrated examples, and can be modified and extended in, for example, the following way. Two or more of the first to fourth examples may be combined. Specifically, the system may employ two or more of: a configuration in which the encryption information and the decryption information are managed on a bus-by-bus basis; a configuration in which the encryption information and the decryption information are managed on a node-by-node basis; a configuration in which the encryption information and the decryption information are managed on a CAN_ID-by-CAN_ID basis; and a configuration in which the encryption information and the decryption information are managed on a data-field-by-data-field basis. Some of the multiple ECUs may have some of the functions of the vehicular
data communication apparatus 202. Specifically, the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting data by determining whether or not to encrypt the data. For example, an ECU having a high processing capacity may be provided in the system, so that, while fulfilling its primary function, the ECU encrypts data by determining whether or not to encrypt the data.
- The present disclosure is not limited to the above embodiments and modifications thereof. That is, the above embodiments and modifications thereof may be modified in various ways without departing from the spirit and scope of the present disclosure.
Claims (26)
1. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising:
an authentication device that performs authentication of the external tool connected to the bus;
an authentication control device that:
determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative;
when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
2. The vehicular data communication authentication system according to claim 1, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
3. The vehicular data communication authentication system according to claim 1, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the vehicular gateway apparatus; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
4. The vehicular data communication authentication system according to claim 1, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the authentication ECU; and
the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
5. The vehicular data communication authentication system according to claim 1, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU; and
the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
6. The vehicular data communication authentication system according to claim 1, further comprising:
a center that is communicable with the external tool; and
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device is provided in the center; and
the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
7. The vehicular data communication authentication system according to claim 1, further comprising:
a center that is communicable with the external tool,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the center; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
8. The vehicular data communication authentication system according to claim 1, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
9. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising:
an authentication device that performs authentication of a vehicle state;
an authentication control device that:
determines whether or not a result of the authentication of the vehicle state performed by the authentication device is affirmative;
when determining that the result of the authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of the authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
10. The vehicular data communication authentication system according to claim 9, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
11. The vehicular data communication authentication system according to claim 9, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the vehicular gateway apparatus; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
12. The vehicular data communication authentication system according to claim 9, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the authentication ECU; and
the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
13. The vehicular data communication authentication system according to claim 9, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU; and
the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
14. The vehicular data communication authentication system according to claim 9, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
15. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising:
an authentication device that performs authentication of the external tool connected to the bus;
an authentication control device that:
determines whether or not a result of the authentication of the external tool performed by the authentication device is affirmative;
when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU, and
when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
16. The vehicular gateway apparatus according to claim 15, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
17. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising:
an authentication device that performs authentication of a vehicle state;
an authentication control device that:
determines whether or not a result of authentication of the vehicle state performed by the authentication device is affirmative;
when determining that the result of authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
18. The vehicular gateway apparatus according to claim 17, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU for only a specified data.
19. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses;
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each combination of one bus connected with a data source node and another bus connected with a data destination node, stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
a decryption information storage device that, for each bus connected with the data source node, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
20. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each combination of a data source node and a data destination node, stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
a decryption information storage device that, for each data source node, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
21. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each identifier indicative of a class of a data frame storing a data, stores an encryption information indicating whether or not the data is to be encrypted; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
a decryption information storage device that, for each identifier indicative of the type of the data frame storing the data, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
22. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each data storage area of a data frame storing a data, stores an encryption information indicating whether or not the data is to be encrypted; and
an encryption control device that, in cases where the vehicular data communication apparatus receives a data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
a decryption information storage device that, for each data storage area of the data frame storing the data, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
23. The vehicular data communication system according to claim 19, wherein:
in cases where the vehicular data communication apparatus receives the data from the first node through the first bus and transmits the received data to the second node through the first bus, the encryption control device transmits the received data, which is the data received from the first node through the first bus, to the second node through the first bus without encrypting the received data.
24. The vehicular data communication system according to claim 19, wherein:
the plurality of nodes includes an external tool and at least one electronic control unit mounted in a vehicle.
25. The vehicular data communication system according to claim 19, wherein:
the plurality of nodes includes a plurality of electronic control units mounted in a vehicle.
26. The vehicular data communication in the vehicular data communication system recited in claim 19 .
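The following added example (not part of the patent text) models the decisions recited in claims 20 to 23 in Python: the gateway's encrypt-or-pass decision per node pair, per frame identifier or per data storage area, the same-bus exception, the node's decrypt-or-pass decision, and an audit that flags frames for which the two tables disagree. Node names, bus names, frame IDs, payloads and the XOR stand-in for the cipher are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str       # data source node
    dst: str       # data destination node
    frame_id: int  # identifier of the frame class (constructed values below)
    data: bytes


@dataclass
class Table:
    granularity: str  # "pair" (claim 20), "id" (claim 21) or "area" (claim 22)
    entries: dict     # key -> True (encrypt/decrypt) or False (leave as is)


def standin_cipher(chunk):
    """Placeholder for the system's cipher: XOR, its own inverse. NOT encryption."""
    return bytes(b ^ 0x5A for b in chunk)


def marked_areas(table, key, length):
    """Byte ranges of the payload that the table marks for transformation."""
    if table.granularity == "area":  # keys are (start, end) data storage areas
        return sorted(area for area, on in table.entries.items() if on)
    return [(0, length)] if table.entries.get(key, False) else []


def transform(data, areas):
    """Apply the stand-in cipher to the given byte ranges only."""
    out = bytearray(data)
    for start, end in areas:
        out[start:end] = standin_cipher(bytes(out[start:end]))
    return bytes(out)


def gateway_areas(enc, bus_of, f):
    """Encryption control device: what the gateway encrypts when relaying f."""
    if bus_of[f.src] == bus_of[f.dst]:  # claim 23: same-bus relay stays plaintext
        return []
    key = (f.src, f.dst) if enc.granularity == "pair" else f.frame_id
    return marked_areas(enc, key, len(f.data))


def node_areas(dec, f):
    """Decryption control device: what the destination node decrypts."""
    key = f.src if dec.granularity == "pair" else f.frame_id
    return marked_areas(dec, key, len(f.data))


def relay(enc, bus_of, f):
    """Frame as the gateway puts it on the destination bus."""
    return Frame(f.src, f.dst, f.frame_id,
                 transform(f.data, gateway_areas(enc, bus_of, f)))


def receive(dec, f):
    """Payload as the destination node processes it."""
    return transform(f.data, node_areas(dec, f))


def audit(enc, dec_by_node, bus_of, frames):
    """Frames for which gateway and destination node disagree on what is encrypted."""
    return [f for f in frames
            if gateway_areas(enc, bus_of, f) != node_areas(dec_by_node[f.dst], f)]


# Constructed topology and tables (assumptions, not taken from the patent).
BUS_OF = {"tool": "diag", "engine_ecu": "powertrain",
          "brake_ecu": "powertrain", "meter_ecu": "body"}
ENC_PAIR = Table("pair", {("tool", "engine_ecu"): True,
                          ("engine_ecu", "meter_ecu"): False,
                          ("engine_ecu", "brake_ecu"): True})
DEC_PAIR = {"engine_ecu": Table("pair", {"tool": True}),
            "meter_ecu": Table("pair", {"engine_ecu": False}),
            # Misconfigured: engine_ecu shares a bus with brake_ecu, so the
            # gateway never encrypts this path, yet the node expects ciphertext.
            "brake_ecu": Table("pair", {"engine_ecu": True})}
FRAMES = [Frame("tool", "engine_ecu", 0x700, b"\x01\x02\x03\x04"),
          Frame("engine_ecu", "meter_ecu", 0x100, b"\x10\x20\x30\x40"),
          Frame("engine_ecu", "brake_ecu", 0x120, b"\xAA\xBB\xCC\xDD")]
# Claim 22 style: only bytes 2..5 of the payload are protected.
ENC_AREA = Table("area", {(0, 2): False, (2, 6): True})

if __name__ == "__main__":
    for f in FRAMES:
        on_wire = relay(ENC_PAIR, BUS_OF, f)
        seen = receive(DEC_PAIR[f.dst], on_wire)
        print(f.src, "->", f.dst, on_wire.data.hex(),
              "ok" if seen == f.data else "MISMATCH")
    print("audit:", [(f.src, f.dst) for f in audit(ENC_PAIR, DEC_PAIR, BUS_OF, FRAMES)])
```

The audit reports the `engine_ecu` to `brake_ecu` frame: a per-source decryption table on a node has to mark same-bus sources as "do not decrypt", because the gateway relays those frames unencrypted.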
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/318,723 US9489544B2 (en) | 2012-02-20 | 2014-06-30 | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012-33945 | 2012-02-20 | ||
JP2012033945A JP5900007B2 (en) | 2012-02-20 | 2012-02-20 | VEHICLE DATA COMMUNICATION AUTHENTICATION SYSTEM AND VEHICLE GATEWAY DEVICE |
JP2012067383A JP5783103B2 (en) | 2012-03-23 | 2012-03-23 | VEHICLE DATA COMMUNICATION SYSTEM AND VEHICLE DATA COMMUNICATION DEVICE |
JP2012-67383 | 2012-03-23 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/318,723 Division US9489544B2 (en) | 2012-02-20 | 2014-06-30 | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
Publications (1)
Publication Number | Publication Date |
---|---|
US20130219170A1 true US20130219170A1 (en) | 2013-08-22 |
Family
ID=48915333
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/771,696 Abandoned US20130219170A1 (en) | 2012-02-20 | 2013-02-20 | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
US14/318,723 Active US9489544B2 (en) | 2012-02-20 | 2014-06-30 | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/318,723 Active US9489544B2 (en) | 2012-02-20 | 2014-06-30 | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
Country Status (2)
Country | Link |
---|---|
US (2) | US20130219170A1 (en) |
DE (1) | DE102013101508A1 (en) |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150020152A1 (en) * | 2012-03-29 | 2015-01-15 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
WO2015056089A1 (en) * | 2013-10-18 | 2015-04-23 | Toyota Jidosha Kabushiki Kaisha | Communication system and communication method |
US20150135271A1 (en) * | 2013-11-11 | 2015-05-14 | GM Global Technology Operations LLC | Device and method to enforce security tagging of embedded network communications |
US9038132B2 (en) * | 2011-09-28 | 2015-05-19 | Denso Corporation | Bus monitoring security device and bus monitoring security system |
CN104717202A (en) * | 2013-12-13 | 2015-06-17 | 现代自动车株式会社 | Method and apparatus for enhancing security in an in-vehicle communication network |
WO2015139799A1 (en) * | 2014-03-20 | 2015-09-24 | Audi Ag | Control device in a motor vehicle, a motor vehicle, and a method for operating a control device |
US20150326529A1 (en) * | 2013-03-11 | 2015-11-12 | Hitachi Automotive Systems, Ltd. | Gateway device, and service providing system |
US20160053696A1 (en) * | 2013-04-01 | 2016-02-25 | Thermo King Corporation | System and method for preventing unauthorized modification to engine control software or an engine control system |
WO2016096307A1 (en) * | 2014-12-17 | 2016-06-23 | Bayerische Motoren Werke Aktiengesellschaft | Secure and user-specific data use in motor vehicles |
US9489544B2 (en) | 2012-02-20 | 2016-11-08 | Denso Corporation | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
CN106452866A (en) * | 2016-10-10 | 2017-02-22 | 上海畅星软件有限公司 | Vehicle-mounted electronic equipment interconnecting gateway device based on IoT (Internet of Things) technology and communication method |
CN106464566A (en) * | 2014-06-16 | 2017-02-22 | 株式会社理光 | Network system, communication control method, and storage medium |
US20170070488A1 (en) * | 2015-09-09 | 2017-03-09 | Hyundai Motor Company | Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition |
US20180026963A1 (en) * | 2016-07-22 | 2018-01-25 | Samsung Electronics Co., Ltd | Authorized control of an embedded system using end-to-end secure element communication |
JP2018026669A (en) * | 2016-08-09 | 2018-02-15 | Kddi株式会社 | Management system, key generation device, on-vehicle computer, management method, and computer program |
US10095859B2 (en) * | 2014-02-28 | 2018-10-09 | Hitachi Automotive Systems, Ltd. | Authentication system and car onboard control device |
EP3386163A1 (en) * | 2017-04-05 | 2018-10-10 | STMicroelectronics (Grenoble 2) SAS | Apparatus for use in a can system |
US20190152411A1 (en) * | 2017-11-20 | 2019-05-23 | Ford Global Technologies, Llc | Systems and methods for vehicle diagnostic tester coordination |
US10353692B2 (en) * | 2015-06-01 | 2019-07-16 | Opensynergy Gmbh | Method for updating a control unit for an automotive vehicle, control unit for an automotive vehicle, and computer program product |
US10389549B2 (en) * | 2014-10-28 | 2019-08-20 | Chery Automobile Co., Ltd. | Method and apparatus for message transmission |
US10445139B2 (en) * | 2014-04-09 | 2019-10-15 | Hitachi, Ltd. | Control system in which communication between devices is controlled based on execution condition being satisfied, gateway device used in the control system, and control method for the control system |
US20190349394A1 (en) * | 2017-12-01 | 2019-11-14 | Panasonic Intellectual Property Corporation Of America | Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method |
US10599854B2 (en) | 2014-08-26 | 2020-03-24 | Denso Corporation | Vehicular data conversion apparatus and vehicular data output method |
CN111460477A (en) * | 2020-03-30 | 2020-07-28 | 北京经纬恒润科技有限公司 | ECU security authentication method and device |
US10970398B2 (en) | 2016-08-10 | 2021-04-06 | Kddi Corporation | Data provision system, data security device, data provision method, and computer program |
US10977875B2 (en) | 2017-11-20 | 2021-04-13 | Ford Global Technologies, Llc | Systems and methods for vehicle diagnostic tester coordination |
US20210157573A1 (en) * | 2018-08-10 | 2021-05-27 | Denso Corporation | Vehicle electronic control system, progress screen display control method and computer program product |
US20210224188A1 (en) * | 2020-01-20 | 2021-07-22 | Continental Automotive Gmbh | Communication gateway for communicating data frames for a motor vehicle |
US11088997B2 (en) * | 2016-03-31 | 2021-08-10 | Byd Company Limited | Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle |
US11212109B2 (en) | 2016-08-10 | 2021-12-28 | Kddi Corporation | Data provision system, data security device, data provision method, and computer program |
US11218309B2 (en) * | 2018-03-27 | 2022-01-04 | Toyota Jidosha Kabushiki Kaisha | Vehicle communication system and vehicle communication method |
US20220161828A1 (en) * | 2019-03-19 | 2022-05-26 | Autovisor Pte. Ltd | System and method for protecting electronic vehicle control systems against hacking |
US20220224519A1 (en) * | 2019-03-25 | 2022-07-14 | Micron Technology, Inc. | Secure communication for a key replacement |
US11467821B2 (en) | 2018-08-10 | 2022-10-11 | Denso Corporation | Vehicle master device, installation instruction determination method and computer program product |
US11604637B2 (en) | 2018-08-10 | 2023-03-14 | Denso Corporation | Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product |
US11656771B2 (en) | 2018-08-10 | 2023-05-23 | Denso Corporation | Electronic control unit, vehicle electronic control system, activation execution control method and computer program product |
US11669323B2 (en) | 2018-08-10 | 2023-06-06 | Denso Corporation | Vehicle electronic control system, program update notification control method and computer program product |
US11671498B2 (en) | 2018-08-10 | 2023-06-06 | Denso Corporation | Vehicle master device, update data verification method and computer program product |
US11683197B2 (en) | 2018-08-10 | 2023-06-20 | Denso Corporation | Vehicle master device, update data distribution control method, computer program product and data structure of specification data |
US11709666B2 (en) | 2018-07-25 | 2023-07-25 | Denso Corporation | Electronic control system for vehicle, program update approval determination method and program update approval determination program |
US11783302B2 (en) * | 2020-05-07 | 2023-10-10 | Blackberry Limited | Authorization of vehicle repairs |
US11822366B2 (en) | 2018-08-10 | 2023-11-21 | Denso Corporation | Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data |
US11876898B2 (en) | 2018-08-10 | 2024-01-16 | Denso Corporation | Vehicle master device, security access key management method, security access key management program and data structure of specification data |
US11907697B2 (en) | 2018-08-10 | 2024-02-20 | Denso Corporation | Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program |
US11928459B2 (en) | 2018-08-10 | 2024-03-12 | Denso Corporation | Electronic control unit, retry point specifying method and computer program product for specifying retry point |
US11926270B2 (en) | 2018-08-10 | 2024-03-12 | Denso Corporation | Display control device, rewrite progress display control method and computer program product |
US11934823B2 (en) | 2018-07-25 | 2024-03-19 | Denso Corporation | Electronic control system for vehicle, program update approval determination method and program update approval determination program |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8918251B2 (en) * | 2013-02-14 | 2014-12-23 | Stephan A Tarnutzer | CAN based vehicle immobilizer |
ES2952400T3 (en) | 2014-07-28 | 2023-10-31 | Mylaps B V | Transponder module and access module to activate and configure said transponder module |
EP2981028B1 (en) * | 2014-07-28 | 2020-05-06 | MyLaps B.V. | Transponder module and access module for activating and configuring such transponder module over a CAN bus |
US9351025B1 (en) * | 2015-04-17 | 2016-05-24 | Rovi Guides, Inc. | Systems and methods for providing automatic content recognition to verify affiliate programming |
CN105083169A (en) * | 2015-07-25 | 2015-11-25 | 上海修源网络科技有限公司 | Communication frame of electric automobile controller and electric automobile controller |
US11210871B2 (en) | 2015-08-05 | 2021-12-28 | EZ Lynk SEZC | System and method for remote emissions control unit monitoring and reprogramming |
US11430273B2 (en) | 2015-08-05 | 2022-08-30 | EZ Lynk SEZC | Apparatus and method for remote ELD monitoring and ECU reprogramming |
US10621796B2 (en) | 2015-08-05 | 2020-04-14 | EZ Lynk SEZC | System and method for real time wireless ECU monitoring and reprogramming |
US10614640B2 (en) | 2015-08-05 | 2020-04-07 | EZ Lynk SEZC | System and method for real time wireless ECU monitoring and reprogramming |
JP6502832B2 (en) * | 2015-11-13 | 2019-04-17 | 株式会社東芝 | Inspection apparatus, communication system, mobile unit and inspection method |
US10285051B2 (en) * | 2016-09-20 | 2019-05-07 | 2236008 Ontario Inc. | In-vehicle networking |
TWI638561B (en) * | 2016-12-23 | 2018-10-11 | 財團法人工業技術研究院 | Control system and control method |
US10180682B2 (en) | 2017-02-23 | 2019-01-15 | The Directv Group, Inc. | Shared control of vehicle functions |
US10491392B2 (en) * | 2017-03-01 | 2019-11-26 | Ford Global Technologies, Llc | End-to-end vehicle secure ECU unlock in a semi-offline environment |
GB201806465D0 (en) | 2018-04-20 | 2018-06-06 | Nordic Semiconductor Asa | Memory-access controll |
IT201800005466A1 (en) * | 2018-05-17 | 2019-11-17 | METHOD AND DEVICE FOR WRITING SOFTWARE OBJECTS IN AN ELECTRONIC CONTROL UNIT OF AN INTERNAL COMBUSTION ENGINE | |
GB201810653D0 (en) * | 2018-06-28 | 2018-08-15 | Nordic Semiconductor Asa | Secure peripheral interconnect |
GB201810659D0 (en) | 2018-06-28 | 2018-08-15 | Nordic Semiconductor Asa | Secure-Aware Bus System |
GB201810662D0 (en) | 2018-06-28 | 2018-08-15 | Nordic Semiconductor Asa | Peripheral Access On A Secure-Aware Bus System |
JP2020167607A (en) * | 2019-03-29 | 2020-10-08 | マツダ株式会社 | Automobile arithmetic system and reception data processing method |
KR20220000537A (en) * | 2020-06-26 | 2022-01-04 | 현대자동차주식회사 | System and method for transmitting and receiving data based on vehicle network |
US20220398149A1 (en) * | 2021-06-15 | 2022-12-15 | Toyota Motor North America, Inc. | Minimizing transport fuzzing reactions |
CN117413303A (en) * | 2022-03-01 | 2024-01-16 | 时代电服科技有限公司 | Vehicle authentication method, device, control equipment and power exchange station |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4980913A (en) * | 1988-04-19 | 1990-12-25 | Vindicator Corporation | Security system network |
US6484082B1 (en) * | 2000-05-24 | 2002-11-19 | General Motors Corporation | In-vehicle network management using virtual networks |
US20040128673A1 (en) * | 2002-12-17 | 2004-07-01 | Systemauto, Inc. | System, method and computer program product for sharing information in distributed framework |
US6801942B1 (en) * | 2000-09-15 | 2004-10-05 | Robert Bosch Gmbh | Apparatus, method and system for remotely accessing and/or controlling can node arrangements, including vehicle electronic control units, during vehicle operation |
US20050251604A1 (en) * | 2004-04-01 | 2005-11-10 | Gerig Michael L | Method and protocol for diagnostics of arbitrarily complex networks of devices |
US20060106508A1 (en) * | 2004-11-12 | 2006-05-18 | Spx Corporation | Remote display of diagnostic data apparatus and method |
US20070083303A1 (en) * | 2005-10-11 | 2007-04-12 | Snap-On Incorporated | Marketplace for vehicle original equipment manufacturer information |
US20070217614A1 (en) * | 2002-11-15 | 2007-09-20 | Matsushita Electric Industrial Co., Ltd | Program update method and server |
US20070244611A1 (en) * | 2006-04-14 | 2007-10-18 | Brozovich Roy S | Vehicle diagnostic tool with packet and voice over packet communications and systems incorporating such a tool |
US7941253B1 (en) * | 2007-11-27 | 2011-05-10 | Brunswick Corporation | Marine propulsion drive-by-wire control system with shared isolated bus |
US20120140861A1 (en) * | 2010-12-01 | 2012-06-07 | GM Global Technology Operations LLC | Data Sensor Coordination Using Time Synchronization in a Multi-Bus Controller Area Network System |
US8705527B1 (en) * | 2011-01-14 | 2014-04-22 | Cisco Technology, Inc. | System and method for internal networking, data optimization and dynamic frequency selection in a vehicular environment |
Family Cites Families (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7484008B1 (en) * | 1999-10-06 | 2009-01-27 | Borgia/Cummins, Llc | Apparatus for vehicle internetworks |
AU784850B2 (en) * | 2000-01-14 | 2006-07-06 | Panasonic Corporation | Authentication communication device and authentication communication system |
DE10008974B4 (en) * | 2000-02-25 | 2005-12-29 | Bayerische Motoren Werke Ag | signature methods |
JP2002232438A (en) * | 2001-01-30 | 2002-08-16 | Sumitomo Electric Ind Ltd | Gateway and network system |
US7149206B2 (en) * | 2001-02-08 | 2006-12-12 | Electronic Data Systems Corporation | System and method for managing wireless vehicular communications |
US6694235B2 (en) * | 2001-07-06 | 2004-02-17 | Denso Corporation | Vehicular relay device, in-vehicle communication system, failure diagnostic system, vehicle management device, server device and detection and diagnostic program |
GB2385951A (en) | 2001-09-21 | 2003-09-03 | Sun Microsystems Inc | Data encryption and decryption |
US20030147534A1 (en) * | 2002-02-06 | 2003-08-07 | Ablay Sewim F. | Method and apparatus for in-vehicle device authentication and secure data delivery in a distributed vehicle network |
US8226473B2 (en) * | 2002-04-10 | 2012-07-24 | Wms Gaming Inc. | Gaming software authentication |
JP2003324459A (en) | 2002-04-26 | 2003-11-14 | Sumitomo Electric Ind Ltd | Communication system |
DE10250195A1 (en) * | 2002-10-28 | 2004-05-13 | OCé PRINTING SYSTEMS GMBH | Method and arrangement for authenticating an operating unit and transmitting authentication information to the operating unit |
JP2004179772A (en) | 2002-11-25 | 2004-06-24 | Sumitomo Electric Ind Ltd | On-vehicle gateway apparatus and on-vehicle communication system |
JP2004192277A (en) | 2002-12-10 | 2004-07-08 | Sumitomo Electric Ind Ltd | Vehicle diagnostic system and vehicle |
US7962954B2 (en) * | 2003-01-15 | 2011-06-14 | Cisco Technology, Inc. | Authenticating multiple network elements that access a network through a single network switch port |
JP2004224284A (en) | 2003-01-27 | 2004-08-12 | Mitsubishi Motors Corp | Web server |
ATE492085T1 (en) * | 2003-01-28 | 2011-01-15 | Cellport Systems Inc | A SYSTEM AND METHOD FOR CONTROLLING APPLICATIONS' ACCESS TO PROTECTED RESOURCES WITHIN A SECURE VEHICLE TELEMATICS SYSTEM |
JP4576997B2 (en) | 2004-04-28 | 2010-11-10 | 株式会社デンソー | Communication system, key distribution device, cryptographic processing device |
EP1741019A1 (en) | 2004-04-29 | 2007-01-10 | Bayerische Motoren Werke Aktiengesellschaft | Authentication of control units in a vehicle |
JP2006053620A (en) | 2004-08-10 | 2006-02-23 | Hitachi Omron Terminal Solutions Corp | Download system for on-vehicle terminal |
JP4428207B2 (en) * | 2004-11-10 | 2010-03-10 | トヨタ自動車株式会社 | Vehicle control device |
JP4541118B2 (en) | 2004-12-08 | 2010-09-08 | 株式会社日本自動車部品総合研究所 | Vehicle information collection system, terminal, and vehicle side device |
US8065498B2 (en) * | 2005-01-07 | 2011-11-22 | Panasonic Corporation | Backup system, recording/reproduction device, backup device, backup method, program, and integrated circuit |
JP4692318B2 (en) * | 2005-04-20 | 2011-06-01 | 株式会社デンソー | Electronic control unit |
US8800042B2 (en) * | 2005-05-16 | 2014-08-05 | Hewlett-Packard Development Company, L.P. | Secure web application development and execution environment |
US20070121641A1 (en) * | 2005-10-21 | 2007-05-31 | Hovey Matthew N | Method and system for network services with a mobile vehicle |
JP2007145200A (en) * | 2005-11-28 | 2007-06-14 | Fujitsu Ten Ltd | Authentication device for vehicle and authentication method for vehicle |
US7711118B2 (en) * | 2005-12-28 | 2010-05-04 | Industrial Technology Research Institute | Security system |
JP4529931B2 (en) * | 2006-03-29 | 2010-08-25 | 株式会社デンソー | Engine start control device |
US7623875B2 (en) * | 2006-04-24 | 2009-11-24 | Gm Global Technology Operations, Inc. | System and method for preventing unauthorized wireless communications which attempt to provide input to or elicit output from a mobile device |
JP2008059450A (en) * | 2006-09-01 | 2008-03-13 | Denso Corp | Vehicle information rewriting system |
DE102007022100B4 (en) * | 2007-05-11 | 2009-12-03 | Agco Gmbh | Motor vehicle control unit data transmission system and method |
US20090007250A1 (en) * | 2007-06-27 | 2009-01-01 | Microsoft Corporation | Client authentication distributor |
US8181031B2 (en) * | 2007-08-01 | 2012-05-15 | International Business Machines Corporation | Biometric authentication device and system |
JP2009043168A (en) * | 2007-08-10 | 2009-02-26 | Yamaha Marine Co Ltd | Equipment authentication control method, equipment authentication controller and ship |
US9613467B2 (en) * | 2007-10-30 | 2017-04-04 | Bosch Automotive Service Solutions Inc. | Method of updating and configuring a scan tool |
JP4909875B2 (en) * | 2007-11-27 | 2012-04-04 | アラクサラネットワークス株式会社 | Packet relay device |
US20090300365A1 (en) * | 2008-05-30 | 2009-12-03 | Robert Karmes | Vehicle Diagnostic System Security with Memory Card |
US20110083161A1 (en) * | 2008-06-04 | 2011-04-07 | Takayuki Ishida | Vehicle, maintenance device, maintenance service system, and maintenance service method |
US20090319287A1 (en) * | 2008-06-24 | 2009-12-24 | Ayman Hammad | Authentication segmentation |
JP4618344B2 (en) * | 2008-07-29 | 2011-01-26 | コニカミノルタビジネステクノロジーズ株式会社 | Authentication device, authentication system, authentication method, authentication program, and recording medium |
JP5081102B2 (en) * | 2008-08-22 | 2012-11-21 | ヤマハ発動機株式会社 | Ship theft deterrent device and ship equipped with the same |
JP2010062883A (en) | 2008-09-04 | 2010-03-18 | Hitachi Automotive Systems Ltd | Vehicle operation verification system and onboard gateway device |
JP5173891B2 (en) * | 2009-03-02 | 2013-04-03 | 株式会社東海理化電機製作所 | Secret key registration system and secret key registration method |
JP2010231650A (en) * | 2009-03-27 | 2010-10-14 | Fujitsu Ltd | Terminal apparatus, data providing system, data providing method and computer program |
JP5326897B2 (en) * | 2009-07-17 | 2013-10-30 | 株式会社デンソー | Communications system |
JP4957785B2 (en) * | 2009-12-24 | 2012-06-20 | 株式会社デンソー | Abnormality notification system and abnormality notification device |
US8392698B2 (en) * | 2010-04-16 | 2013-03-05 | Cisco Technology, Inc. | System and method for providing prefixes indicative of mobility properties in a network environment |
JP5170177B2 (en) * | 2010-06-30 | 2013-03-27 | トヨタ自動車株式会社 | Vehicle anti-theft device |
WO2012167343A1 (en) * | 2010-10-28 | 2012-12-13 | Gestion André & Paquerette Ltée | Device and method for managing an electronic control unit of a vehicle |
JP5395036B2 (en) * | 2010-11-12 | 2014-01-22 | 日立オートモティブシステムズ株式会社 | In-vehicle network system |
DE102012212962A1 (en) * | 2011-07-28 | 2013-01-31 | Denso Corporation | Gateway and in-vehicle network system |
US9280653B2 (en) * | 2011-10-28 | 2016-03-08 | GM Global Technology Operations LLC | Security access method for automotive electronic control units |
US20130204513A1 (en) * | 2012-02-08 | 2013-08-08 | Bendix Commercial Vehicle Systems Llc | Protect information stored in ecu from unintentional writing and overwriting |
DE102013101508A1 (en) | 2012-02-20 | 2013-08-22 | Denso Corporation | A data communication authentication system for a vehicle, a network coupling device for a vehicle, a data communication system for a vehicle, and a data communication device for a vehicle |
2013
- 2013-02-15 DE DE102013101508A patent/DE102013101508A1/en active Pending
- 2013-02-20 US US13/771,696 patent/US20130219170A1/en not_active Abandoned
2014
- 2014-06-30 US US14/318,723 patent/US9489544B2/en active Active
Non-Patent Citations (1)
Title |
---|
Chung, "Isolating System Faults on Vehicular Network Gateways Using Virtualization", 2010 IEEE/IFIP 8th International Conference on Embedded and Ubiquitous Computing, 11-13 December 2010, pp. 791-796. * |
Cited By (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9038132B2 (en) * | 2011-09-28 | 2015-05-19 | Denso Corporation | Bus monitoring security device and bus monitoring security system |
US9489544B2 (en) | 2012-02-20 | 2016-11-08 | Denso Corporation | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
US10002258B2 (en) | 2012-03-29 | 2018-06-19 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US11651088B2 (en) | 2012-03-29 | 2023-05-16 | Sheelds Cyber Ltd. | Protecting a vehicle bus using timing-based rules |
US9881165B2 (en) * | 2012-03-29 | 2018-01-30 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US20150020152A1 (en) * | 2012-03-29 | 2015-01-15 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US10534922B2 (en) | 2012-03-29 | 2020-01-14 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US11120149B2 (en) | 2012-03-29 | 2021-09-14 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US9965636B2 (en) | 2012-03-29 | 2018-05-08 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US11709950B2 (en) | 2012-03-29 | 2023-07-25 | Sheelds Cyber Ltd. | Security system and method for protecting a vehicle electronic system |
US9906492B2 (en) * | 2013-03-11 | 2018-02-27 | Hitachi Automotive Systems, Ltd. | Gateway device, and service providing system |
US20150326529A1 (en) * | 2013-03-11 | 2015-11-12 | Hitachi Automotive Systems, Ltd. | Gateway device, and service providing system |
US9803610B2 (en) * | 2013-04-01 | 2017-10-31 | Thermo King Corporation | System and method for preventing unauthorized modification to engine control software or an engine control system |
US9920733B2 (en) | 2013-04-01 | 2018-03-20 | Thermo King Corporation | System and method for preventing unauthorized modification to engine control software or an engine control system |
US20160053696A1 (en) * | 2013-04-01 | 2016-02-25 | Thermo King Corporation | System and method for preventing unauthorized modification to engine control software or an engine control system |
WO2015056089A1 (en) * | 2013-10-18 | 2015-04-23 | Toyota Jidosha Kabushiki Kaisha | Communication system and communication method |
US20150135271A1 (en) * | 2013-11-11 | 2015-05-14 | GM Global Technology Operations LLC | Device and method to enforce security tagging of embedded network communications |
US20150172306A1 (en) * | 2013-12-13 | 2015-06-18 | Hyundai Motor Company | Method and apparatus for enhancing security in an in-vehicle communication network |
CN104717202A (en) * | 2013-12-13 | 2015-06-17 | 现代自动车株式会社 | Method and apparatus for enhancing security in an in-vehicle communication network |
US10095859B2 (en) * | 2014-02-28 | 2018-10-09 | Hitachi Automotive Systems, Ltd. | Authentication system and car onboard control device |
US9852093B2 (en) | 2014-03-20 | 2017-12-26 | Audi Ag | Control device in a motor vehicle, a motor vehicle, and a method for operating a control device |
WO2015139799A1 (en) * | 2014-03-20 | 2015-09-24 | Audi Ag | Control device in a motor vehicle, a motor vehicle, and a method for operating a control device |
US10445139B2 (en) * | 2014-04-09 | 2019-10-15 | Hitachi, Ltd. | Control system in which communication between devices is controlled based on execution condition being satisfied, gateway device used in the control system, and control method for the control system |
EP3157203A4 (en) * | 2014-06-16 | 2017-07-26 | Ricoh Company, Ltd. | Network system, communication control method, and storage medium |
CN106464566A (en) * | 2014-06-16 | 2017-02-22 | 株式会社理光 | Network system, communication control method, and storage medium |
RU2659489C1 (en) * | 2014-06-16 | 2018-07-02 | Рикох Компани, Лтд. | Network system, communication control method and data storage medium |
US10599854B2 (en) | 2014-08-26 | 2020-03-24 | Denso Corporation | Vehicular data conversion apparatus and vehicular data output method |
US10389549B2 (en) * | 2014-10-28 | 2019-08-20 | Chery Automobile Co., Ltd. | Method and apparatus for message transmission |
WO2016096307A1 (en) * | 2014-12-17 | 2016-06-23 | Bayerische Motoren Werke Aktiengesellschaft | Secure and user-specific data use in motor vehicles |
US10353692B2 (en) * | 2015-06-01 | 2019-07-16 | Opensynergy Gmbh | Method for updating a control unit for an automotive vehicle, control unit for an automotive vehicle, and computer program product |
US20170070488A1 (en) * | 2015-09-09 | 2017-03-09 | Hyundai Motor Company | Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition |
US9992178B2 (en) * | 2015-09-09 | 2018-06-05 | Hyundai Motor Company | Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition |
US11088997B2 (en) * | 2016-03-31 | 2021-08-10 | Byd Company Limited | Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle |
US20180026963A1 (en) * | 2016-07-22 | 2018-01-25 | Samsung Electronics Co., Ltd | Authorized control of an embedded system using end-to-end secure element communication |
US10686776B2 (en) * | 2016-07-22 | 2020-06-16 | Samsung Electronics Co., Ltd. | Authorized control of an embedded system using end-to-end secure element communication |
WO2018029891A1 (en) * | 2016-08-09 | 2018-02-15 | Kddi株式会社 | Management system, key-generating device, on-board computer, management method, and computer program |
US11212087B2 (en) | 2016-08-09 | 2021-12-28 | Kddi Corporation | Management system, key generation device, in-vehicle computer, management method, and computer program |
JP2018026669A (en) * | 2016-08-09 | 2018-02-15 | Kddi株式会社 | Management system, key generation device, on-vehicle computer, management method, and computer program |
US10970398B2 (en) | 2016-08-10 | 2021-04-06 | Kddi Corporation | Data provision system, data security device, data provision method, and computer program |
US11212109B2 (en) | 2016-08-10 | 2021-12-28 | Kddi Corporation | Data provision system, data security device, data provision method, and computer program |
CN106452866A (en) * | 2016-10-10 | 2017-02-22 | 上海畅星软件有限公司 | Vehicle-mounted electronic equipment interconnecting gateway device based on IoT (Internet of Things) technology and communication method |
US10862874B2 (en) | 2017-04-05 | 2020-12-08 | Stmicroelectronics (Grenoble 2) Sas | Apparatus for use in a can system |
EP3386163A1 (en) * | 2017-04-05 | 2018-10-10 | STMicroelectronics (Grenoble 2) SAS | Apparatus for use in a can system |
CN108696411A (en) * | 2017-04-05 | 2018-10-23 | 意法半导体(格勒诺布尔2)公司 | Device for being used in CAN system |
US11606341B2 (en) | 2017-04-05 | 2023-03-14 | Stmicroelectronics (Grenoble 2) Sas | Apparatus for use in a can system |
US10977875B2 (en) | 2017-11-20 | 2021-04-13 | Ford Global Technologies, Llc | Systems and methods for vehicle diagnostic tester coordination |
US20190152411A1 (en) * | 2017-11-20 | 2019-05-23 | Ford Global Technologies, Llc | Systems and methods for vehicle diagnostic tester coordination |
US10486626B2 (en) * | 2017-11-20 | 2019-11-26 | Ford Global Technologies, Llc | Systems and methods for vehicle diagnostic tester coordination |
US20190349394A1 (en) * | 2017-12-01 | 2019-11-14 | Panasonic Intellectual Property Corporation Of America | Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method |
US11128657B2 (en) * | 2017-12-01 | 2021-09-21 | Panasonic Intellectual Property Corporation Of America | Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method |
US11838314B2 (en) | 2017-12-01 | 2023-12-05 | Panasonic Intellectual Property Corporation Of America | Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method |
US11218309B2 (en) * | 2018-03-27 | 2022-01-04 | Toyota Jidosha Kabushiki Kaisha | Vehicle communication system and vehicle communication method |
US11934823B2 (en) | 2018-07-25 | 2024-03-19 | Denso Corporation | Electronic control system for vehicle, program update approval determination method and program update approval determination program |
US11709666B2 (en) | 2018-07-25 | 2023-07-25 | Denso Corporation | Electronic control system for vehicle, program update approval determination method and program update approval determination program |
US11671498B2 (en) | 2018-08-10 | 2023-06-06 | Denso Corporation | Vehicle master device, update data verification method and computer program product |
US20210157573A1 (en) * | 2018-08-10 | 2021-05-27 | Denso Corporation | Vehicle electronic control system, progress screen display control method and computer program product |
US11604637B2 (en) | 2018-08-10 | 2023-03-14 | Denso Corporation | Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product |
US11926270B2 (en) | 2018-08-10 | 2024-03-12 | Denso Corporation | Display control device, rewrite progress display control method and computer program product |
US11467821B2 (en) | 2018-08-10 | 2022-10-11 | Denso Corporation | Vehicle master device, installation instruction determination method and computer program product |
US11656771B2 (en) | 2018-08-10 | 2023-05-23 | Denso Corporation | Electronic control unit, vehicle electronic control system, activation execution control method and computer program product |
US11669323B2 (en) | 2018-08-10 | 2023-06-06 | Denso Corporation | Vehicle electronic control system, program update notification control method and computer program product |
US11928459B2 (en) | 2018-08-10 | 2024-03-12 | Denso Corporation | Electronic control unit, retry point specifying method and computer program product for specifying retry point |
US11683197B2 (en) | 2018-08-10 | 2023-06-20 | Denso Corporation | Vehicle master device, update data distribution control method, computer program product and data structure of specification data |
US11907697B2 (en) | 2018-08-10 | 2024-02-20 | Denso Corporation | Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program |
US11876898B2 (en) | 2018-08-10 | 2024-01-16 | Denso Corporation | Vehicle master device, security access key management method, security access key management program and data structure of specification data |
US11822366B2 (en) | 2018-08-10 | 2023-11-21 | Denso Corporation | Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data |
US20220161828A1 (en) * | 2019-03-19 | 2022-05-26 | Autovisor Pte. Ltd | System and method for protecting electronic vehicle control systems against hacking |
US20220224519A1 (en) * | 2019-03-25 | 2022-07-14 | Micron Technology, Inc. | Secure communication for a key replacement |
US11646873B2 (en) * | 2019-03-25 | 2023-05-09 | Micron Technology, Inc. | Secure communication for a key replacement |
US11599459B2 (en) * | 2020-01-20 | 2023-03-07 | Continental Automotive Gmbh | Communication gateway for communicating data frames for a motor vehicle |
US20210224188A1 (en) * | 2020-01-20 | 2021-07-22 | Continental Automotive Gmbh | Communication gateway for communicating data frames for a motor vehicle |
CN111460477A (en) * | 2020-03-30 | 2020-07-28 | 北京经纬恒润科技有限公司 | ECU security authentication method and device |
US11783302B2 (en) * | 2020-05-07 | 2023-10-10 | Blackberry Limited | Authorization of vehicle repairs |
Also Published As
Publication number | Publication date |
---|---|
US9489544B2 (en) | 2016-11-08 |
DE102013101508A1 (en) | 2013-08-22 |
US20140317729A1 (en) | 2014-10-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9489544B2 (en) | | Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle |
US11529914B2 (en) | | Gateway device, vehicle network system, and transfer method |
JP5783103B2 (en) | | VEHICLE DATA COMMUNICATION SYSTEM AND VEHICLE DATA COMMUNICATION DEVICE |
JP5900007B2 (en) | | VEHICLE DATA COMMUNICATION AUTHENTICATION SYSTEM AND VEHICLE GATEWAY DEVICE |
JP6525824B2 (en) | | Relay device |
WO2016204081A1 (en) | | Vehicle-mounted relay device, vehicle-mounted communication system and relay program |
US20180124180A1 (en) | | Communication system and communication method |
US11386201B2 (en) | | Data bus protection device and method |
US10321492B2 (en) | | Wireless communication apparatus and wireless communication system |
JP6704458B2 (en) | | In-vehicle processor |
JP7412506B2 (en) | | Fraud detection rule update method, fraud detection electronic control unit and in-vehicle network system |
CN111699706A (en) | | Master-slave system for communication over bluetooth low energy connections |
JP2016163265A (en) | | Key management system, key management method, and computer program |
CN113632419A (en) | | Device and method for generating and authenticating at least one data packet to be transmitted in a BUs system (BU), in particular of a motor vehicle |
CN110312232B (en) | | Vehicle communication system and vehicle communication method |
EP3713190B1 (en) | | Secure bridging of controller area network buses |
JP6203798B2 (en) | | In-vehicle control system, vehicle, management device, in-vehicle computer, data sharing method, and computer program |
CN111294771A (en) | | In-vehicle device, system for implementing in-vehicle communication and related method |
US11526461B2 (en) | | Enhanced secure onboard communication for CAN |
US20200210168A1 (en) | | Systems and methods for utilizing encryption in microcontrollers for fota |
JP2023513295A (en) | | Communication device and method for cryptographically securing communications |
JP2018019218A (en) | | Electronic control device |
JP6681755B2 (en) | | Vehicle communication network device and communication method |
US11934338B2 (en) | | Enhanced secure onboard communication for CAN |
CN107104868B (en) | | Vehicle-mounted network encrypted communication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: DENSO CORPORATION, JAPAN; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: NAITOU, HIDETO; NATSUME, MITSUYOSHI; HARATA, YUZO; AND OTHERS; REEL/FRAME: 029958/0291; Effective date: 20130220 |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |