US20130219170A1 - Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle - Google Patents

Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle Download PDF

Info

Publication number
US20130219170A1
US20130219170A1 US13/771,696 US201313771696A US2013219170A1 US 20130219170 A1 US20130219170 A1 US 20130219170A1 US 201313771696 A US201313771696 A US 201313771696A US 2013219170 A1 US2013219170 A1 US 2013219170A1
Authority
US
United States
Prior art keywords
authentication
data
vehicular
control device
ecu
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/771,696
Inventor
Hideto NAITOU
Mitsuyoshi Natsume
Yuzo Harata
Shouichirou Hanai
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Denso Corp
Original Assignee
Denso Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2012033945A external-priority patent/JP5900007B2/en
Priority claimed from JP2012067383A external-priority patent/JP5783103B2/en
Application filed by Denso Corp filed Critical Denso Corp
Assigned to DENSO CORPORATION reassignment DENSO CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HANAI, SHOUICHIROU, HARATA, YUZO, NAITOU, HIDETO, NATSUME, MITSUYOSHI
Publication of US20130219170A1 publication Critical patent/US20130219170A1/en
Priority to US14/318,723 priority Critical patent/US9489544B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/64Hybrid switching systems
    • H04L12/6418Hybrid transport
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0471Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • the present disclosure relates to a vehicular data communication authentication system in which an external tool is connectable to an electronic control unit (ECU).
  • the present disclosure also relates to a vehicular gateway apparatus connected with the vehicular data communication authentication system to partition the external tool from the ECU.
  • the present disclosure also relates to a vehicular data communication system including a vehicular data communication apparatus connected with multiple nodes through a bus.
  • the present disclosure also relates to such a vehicular data communication apparatus.
  • CAN controller area network
  • the CAN provides a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc.
  • a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.
  • a vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device.
  • the authentication device performs authentication of the external tool connected to the bus.
  • the authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
  • the authentication control device When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
  • the authentication maintain device After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • a vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device.
  • the authentication device performs authentication of a vehicle state.
  • the authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
  • the authentication control device When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
  • the authentication maintain device After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • a vehicular gateway apparatus in a vehicular data authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device.
  • the authentication device performs authentication of the external tool connected to the bus.
  • the authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
  • the authentication control device When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
  • the authentication maintain device After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device ( 102 e ); a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • a vehicular gateway apparatus in a vehicular data authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device.
  • the authentication device performs authentication of a vehicle state.
  • the authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU.
  • the authentication control device When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU.
  • the authentication maintain device After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device ( 102 e ); a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
  • the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
  • the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data.
  • the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
  • Each node includes an decryption information storage device and a decryption control device. For each bus connected with the data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
  • a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
  • the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
  • the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data.
  • the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
  • Each node includes an decryption information storage device and a decryption control device. For each data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
  • the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
  • the vehicular data communication apparatus includes an encryption information storage device and an encryption control device.
  • the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted.
  • an encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
  • Each node includes an decryption information storage device and a decryption control device. For each identifier indicative of the type of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
  • the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses.
  • the vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each data storage area of a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted.
  • the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device.
  • Each node includes an decryption information storage device and a decryption control device. For each data storage area of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted.
  • the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • FIG. 1 is a functional block diagram illustrating a data communication authentication system of a first example of a first embodiment
  • FIG. 2 is a sequence diagram illustrating operations
  • FIG. 3 is a sequence diagram illustrating operations performed after those in FIG. 2 ;
  • FIG. 4 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus discards a data request command in response to a negative result of authentication
  • FIG. 5 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus includes a timer for maintaining an authenticated state
  • FIG. 6 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an external tool;
  • FIG. 7 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an access target ECU;
  • FIG. 8 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a vehicle state satisfies a predetermined condition
  • FIG. 9 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a bus is in a communicating state;
  • FIG. 10 is a functional block diagram illustrating a data communication authentication system of a second example of the first embodiment
  • FIG. 11 is a sequence diagram illustrating operations of the second example of the first embodiment
  • FIG. 12 is a functional block diagram illustrating a data communication authentication system of a third example of the first embodiment
  • FIG. 13 is a sequence diagram illustrating operations of the third example of the first embodiment
  • FIG. 14 is a functional block diagram illustrating a data communication authentication system of a fourth example of the first embodiment
  • FIG. 15 is a sequence diagram illustrating operations of the fourth example of the first embodiment
  • FIG. 16 is a functional block diagram illustrating a data communication authentication system of a fifth example of the first embodiment
  • FIG. 17 is a sequence diagram illustrating operations of the fifth example of the first embodiment.
  • FIG. 18 is a functional block diagram illustrating a data communication authentication system of a sixth example of the first embodiment
  • FIG. 19 is a sequence diagram illustrating operations of the sixth example of the first embodiment.
  • FIG. 20 is a sequence diagram illustrating operations of a seventh example of the first embodiment
  • FIG. 21 is a sequence diagram illustrating operations of an eighth example of the first embodiment.
  • FIG. 22 is a sequence diagram illustrating operations of a ninth example of the first embodiment
  • FIG. 23 is a sequence diagram illustrating operations of a tenth example of the first embodiment
  • FIG. 24 is a functional block diagram illustrating a vehicular data communication system of a first example of a second embodiment
  • FIG. 25 is a sequence diagram illustrating operations in a first situation in accordance with the first example of the second embodiment
  • FIG. 26 is a sequence diagram illustrating operations in a second situation in accordance with the first example of the second embodiment
  • FIG. 27 is a sequence diagram illustrating operations in a third situation in accordance with the first example of the second embodiment
  • FIG. 28 is a block diagram illustrating a encryption table and a decryption table in accordance with the first example of the second embodiment
  • FIG. 29 is a functional block diagram illustrating a vehicular data communication system of a second example of the second embodiment
  • FIG. 30 is a block diagram illustrating a encryption table and a decryption table in accordance with the second example of the second embodiment
  • FIG. 31 is a functional block diagram illustrating a vehicular data communication system of a third example of the second embodiment
  • FIG. 32 is a diagram illustrating a configuration of a data frame
  • FIG. 33 is a functional block diagram illustrating a vehicular data communication system of a fourth example of the second embodiment.
  • a first embodiment will be described with reference to FIGS. 1 to 23 .
  • FIGS. 1 to 9 A first example of the first embodiment will be described with reference to FIGS. 1 to 9 .
  • a vehicular gateway apparatus 102 is connected with a bus 106 so that the gateway apparatus 102 partitions (separates) multiple electronic control units (ECUs) 103 , 104 from an external tool 105 (an operating device) operable by an operator.
  • ECUs electronice control units
  • FIG. 1 two ECUs are illustrated as the multiple ECUs 103 , 104 .
  • a portion of the bus 106 on an ECU side of the gateway apparatus 102 is referred to as an ECU-side bus 106 a . That is, the ECU-side bus 106 a is a bus for transmitting data between the gateway apparatus 102 and the ECUs 103 , 104 .
  • a portion of the bus 106 on an external tool side of the gateway apparatus 102 is referred to as an external-tool-side bus 106 b . That is, the external-tool-side bus 106 b is a bus for transmitting data between the gateway apparatus 102 and the external tool 105 .
  • the ECUs 103 , 104 may include, for example, an engine ECU for controlling operation of the engine, a door lock ECU for controlling operation of door lock mechanism, a navigation ECU for controlling navigation operation, a meter ECU for controlling operation of a meter (indicator), or the like.
  • the number of ECUs may be two, three or more, or may be one.
  • the external-tool-side bus 106 b is provided with a connector 107 to which the external tool 105 is detachably connectable. By being connected to the connector 107 , the external tool 105 is connected to the external-tool-side bus 106 b and becomes able to perform the data communication with the gateway apparatus 102 .
  • the bus 106 adopts a controller area network (CAN) as a data communication method.
  • the CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc.
  • CRC cyclic redundancy check
  • a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
  • the gateway apparatus 102 includes a control device 102 a , an ECU-side bus communication device 102 b , an external-tool-side bus communication device 102 c , an authentication device 102 d , an authentication control device 102 e , a communication control device 102 f , a filtering device 102 g , and an authentication maintain device 102 h .
  • the authentication device 102 d can correspond to an example of authentication means or device, and an example of second authentication means or device.
  • the authentication control device 102 e can correspond to an example of authentication control means or device, and an example of authentication control means or device.
  • the communication control device 102 f can correspond to an example of communication control means or device, and an example of communication control means or device.
  • the authentication maintain device 102 h can correspond to an example of authentication maintain means or device, and an example of authentication maintain means or device.
  • the control device 102 a includes a microcomputer. By executing a control program with the microcomputer, the control device 102 a controls operations of the ECU-side bus communication device 102 b , the external-tool-side bus communication device 102 c , the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g , and the authentication maintain device 102 h .
  • the ECU-side bus communication device 102 b is connected with the ECU-side bus 106 a , and controls communication, such as data transmission and receipt, with the ECUs 103 and 104 .
  • the external-tool-side bus communication device 102 c is connected with the external-tool-side bus 106 b .
  • the external-tool-side bus communication device 102 c controls communications, such as data transmission and receipt, with the external tool 105 .
  • the authentication device 102 d performs authentication of the external tool 105 (a procedure of the authentication will be described later). Based on a result of the authentication of the external tool 105 by the authentication device 102 d , the authentication control device 102 e sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. Specifically, when the result of the authentication of the external tool 105 is affirmative, the authentication control device 102 e sets an authenticated state and permits the data communication between the external tool 105 and the access target ECU. When the result of the authentication of the external tool 105 is negative (not affirmative), the authentication control device 102 e does not set the authenticated stat and prohibits the data communication between the external tool 105 and the access target ECU
  • the communication control device 102 f sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited.
  • a reason for this exceptional permission is as follows. In a data communication for a vehicle, since it is necessary to always permit a certain part of the data communication, the communication control device 102 f exceptionally permits the data communication for a specified data e.g., the below-described regulation message) between the external tool 105 and the access target ECU.
  • the filtering device 102 g exceptionally permits only for specified data communication.
  • the authentication control device 102 e sets the authenticated state
  • the authentication maintain device 102 h maintains the set authenticated state. That is, when the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains a period of permitting the data communication between the external tool 105 and the access target ECU.
  • the control device 102 a has an encryption function and a decryption function. Specifically, when the external-tool-side-bus communication device 102 c receives a plaintext command from the external tool 105 , the control device 102 a encrypts and rewrites the received plaintext command into an encrypted-text command. When the ECU-side-bus communication device 102 b receives an encrypted-text command from the ECU 103 or the ECU 104 , the control device 102 a decrypts and rewrites the received encrypted-text command into a plaintext command.
  • the encryption and description may use a public-key cryptography, in which the encryption is performed with a public-key and the description is performed with a private-key. Alternatively, the encryption and description may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.
  • the ECU 103 includes a control device 103 a , a bus communication device 103 b , and a vehicle state input device 103 c .
  • the control device 103 a includes a microcomputer. By executing a control program with the microcomputer, the control device 103 a controls the bus communication device 103 b and the vehicle state input device 103 c .
  • the bus communication device 103 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
  • the vehicle state input device 103 c receives and inputs a vehicle state from an external device (e.g., various sensors, different ECUs, wireless communication device etc).
  • the vehicle state inputted by the vehicle state input device 103 c may be, for example, a immobilizer state (locked state or unlocked state), an ignition (IG) switch state (on and off), a door state (open state or closed state), or the like.
  • the ECU 104 includes a control device 104 a and a bus communication device 104 b .
  • the control device 104 a includes a microcomputer. By executing a control program with the microcomputer, the control device 104 a controls the bus communication device 104 b .
  • the bus communication device 104 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
  • the ECU 103 or 104 is the engine ECU for example, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the engine in addition to the above-described functional blocks. If the ECU 103 or 104 is the door lock ECU, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the door lock mechanism in addition to the above-described functional blocks. The same is applicable to cases where the ECU 103 or 104 is an ECU other than the engine ECU and the door lock ECU. Alternatively, both of the ECU 103 and the ECU 104 receive and input the vehicle states from externals
  • the external tool 105 includes a control device 105 a , a bus communication device 105 b and an input/output interface (IF) 105 c .
  • the control device 105 a includes a microcomputer. By executing a control program with the microcomputer, the control device 105 a controls operations of the bus communication device 105 b and the input/output interface (IF) 105 c .
  • the bus communication device 105 b is connected with the external-tool-side bus 106 b and controls communications, such as data transmission and receipt, with the gateway apparatus 102 .
  • the input/output IF 105 c has a function to accept an input operation from the operator operating the external tool 105 , and has a function to issue a notification by, for example, displaying a data.
  • the operator can rewrite the control program of the access target ECU and read out a data from the access target ECU.
  • the external tool 105 is not limited to a dedicated apparatus for rewriting the control program of the access target ECU and reading out the data from the access target ECU.
  • the external tool 105 may be a cellular phone, a personal digital assistance or the like having the above functions.
  • the control device 105 a of the external tool 105 determines that the external tool 105 is connected to the connector 107 .
  • the control device 105 a transmits an authentication seed request command from the bus communication device 105 b to the gateway apparatus 102 .
  • the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the authentication seed request command from the external tool 105
  • the control device 102 a generates an authentication seed at B 101 (see FIG. 2 ) and transmits the generated authentication seed from the external-tool-side-bus communication device 102 c to the external tool 105 .
  • the authentication seed includes information used in generating the below-described authentication code, and is written in random number.
  • the control device 105 a of the external tool 105 determines that the bus communication device 105 b receives the authentication seed from the gateway apparatus 102 , the control device 105 a generates an authentication code based on the authentication seed (while associating the authentication code with the authentication seed) at A 101 , and the control device 105 a transmits the generated authentication code from the bus communication device 105 b to the gateway apparatus 102 .
  • the authentication code is expressed in random number, like the authentication seed. In the above, it is assumed that the external tool 105 does not possess the authentication seed. However, the external tool 105 may possess the authentication seed. In this configuration, the external tool 105 may generate the authentication code based on the authentication seed possessed by the external tool 105 itself and may transmit the generated authentication code from the bus communication device 105 b to the gateway apparatus 102 .
  • the control device 102 a determines that the external-tool-side-bus communication device 102 c receives the authentication code from the external tool 105 , the control device 102 a performs B 102 . Specifically, at B 102 , the control device 102 a performs cross-check between the authentication seed, which was transmitted to the external tool 105 , and the authentication code received from the external tool 105 , and determines whether or not the result of the authentication of the external tool 105 is affirmative.
  • a proper external tool which is connected to the connector 107 by a proper operator, is equipped with a function to (i) correctly generate an authentication based on the authentication seed received from the gateway apparatus 102 and (ii) transmit the correctly-generated authentication code to the gateway apparatus 102 . Therefore, when the proper operator connects the proper external tool to the connector 107 , there is match between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes affirmative.
  • An improper external tool which may be connected to the connector 107 by a third party having a bad intention, is not equipped with the function to correctly generate the authentication based on the authentication seed received from the gateway apparatus 102 .
  • the improper external tool is unable to correctly generate an authentication code or transmit the authentication code to the gateway apparatus, or may transmit an incorrect authentication code to the gateway apparatus 102 .
  • a third party having a bad intention connects an improper external tool to the connector 107 , there is mismatch between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes not affirmative.
  • the control device 102 a determines that the result of the authentication of the external tool 105 is affirmative and the external tool 105 is a proper external tool (YES at B 103 ), the control device 102 a performs B 104 .
  • the control device 102 a transmits am affirmative authentication result response command, which indicates that the result of the authentication is affirmative, from the external-tool-side-bus communication device 102 c to the external tool 105 , and additionally, the control device 102 a sets the authenticated state, which is a state where the external tool 105 is authenticated.
  • the control device 102 a permits receipt of a data request command from the external tool 105 and permits the data communication. Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 and prohibits the data communication.
  • the control device 105 a when the control device 105 a accepts, for example, the input operation from the operator after the control device 105 a determines that the bus communication device 105 b receives the affirmative authentication response command from the gateway apparatus 102 , the control device 105 a transmits the data request command from the bus communication device 105 b to the gateway apparatus in accordance with the input operation.
  • the data request command transmitted from the external tool 105 to the gateway apparatus 102 includes information for identifying the access target ECU 104 , which is a destination of the data request command.
  • the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the data request command from the external tool 105 , the control device 102 a performs B 105 . Specifically, at B 105 , the control device 102 a analyzes the received data request command and determines whether or not it is necessary to perform the authentication of the external tool 105 . For example, by determining whether the data request command is a regulation message (regulation command) or a non-regulation message (non-regulation command), the control device 102 a determines whether or not it is necessary to perform the authentication of the external tool 105 .
  • the law-regulation message is a message that gives obligation to answer in response to the request from the external tool 105 .
  • the regulation message may be a massage that requests a data about, for example, an engine system, or the like.
  • the non-regulation message is a message that does not give obligation to answer in response to the request from the external tool 105 . It should be noted that a determination of whether the data request command is a regulation message or a non-regulation message may correspond to a determination of whether the access target ECU 104 , which is a transmission destination of the data request command, is a regulation ECU or a non-regulation ECU.
  • the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary perform the authentication of the external tool 105 (YES at B 105 ).
  • the control device performs B 106 .
  • the control device 102 a determines whether the result of the previously-preformed authentication is affirmative or negative.
  • the control device 102 a determines that the result of the previously-preformed authentication is affirmative (YES at B 106 )
  • the process proceeds to B 107 .
  • the control device 102 a determines whether or not it is necessary to encrypt the data request command. Specifically, the control device 102 a determines whether the data request command is the regulation message or the non-regulation message, thereby determining whether or not it is necessary to encrypt the data request command.
  • the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to encrypt the data request command (YES at B 107 )
  • the control device 102 a encrypts the data request command (B 108 ) and transmits the encrypted data request command from the ECU-side-bus communication device 102 b to the access target ECU 104 .
  • the control device 102 a determines that the data request command is the regulation message and determines that it is unnecessary to encrypt the data request command (NO at B 107 )
  • the control device 102 a transmits, without encrypting the data request command, the data request command from the ECU-side-bus communication device 102 b to the access target ECU 104 .
  • the control device 104 a determines whether or not it is necessary to decrypt the received data request command (C 101 ). Specifically, when the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is the encrypted data request command, the control device 104 a determines that it is necessary to decrypt the data request command (YES at C 101 ). In this case, the control device 104 a decrypts the data request command (C 102 ) and performs data processing according to content of the data request command (C 103 ).
  • the data processing may include rewriting a control program, reading out a data, or the like.
  • the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is not encrypted, the control device 104 a determines that it is unnecessary to decrypt the data request command (NO at C 101 ). In this case, the control device 104 a performs the data processing according to the content of the data request command (C 103 ).
  • the control device 104 a determines whether or not it is necessary to encrypt a data response command indicative of the completion of the data processing (C 104 ). For example, when the data request command received from the gateway apparatus 102 is encrypted, the control device 104 a determines that it is necessary to encrypt a data response command indicative of the completion of the data processing. When the data request command received from the gateway apparatus 102 was not encrypted, the control device 104 a determines that it is unnecessary to encrypt the data response command indicative of the completion of the data processing.
  • importance degrees of data response commands may be preset, and the control device 104 a may determines whether or not it is unnecessary to encrypt the data response command indicative of the completion of the data processing, regardless of whether or not the data request command received from the gateway apparatus 102 was encrypted.
  • control device 104 a determines that it is necessary to encrypt the data response command (YES at C 104 )
  • the control device 104 a encrypts the data response command (C 105 ) and transmits the encrypted data response command from the bus communication device 104 b to the vehicular gateway apparatus 102 .
  • the control device 104 a determines that it is unnecessary to encrypt the data response command (NO at C 104 )
  • the control device 104 a transmits, without encrypting the data response command, the data response command from the bus communication device 104 b to the vehicular gateway apparatus 102 .
  • the control device 102 a determines that the ECU-side-bus communication device 102 b receives the data response command from the access target ECU 104 , the control device 102 a determines whether or not it is necessary to decrypt the received data response command (B 109 ). Specifically, when the control device 102 a determines that the data response command received from the access target ECU 104 is encrypted, the control device 102 a determines that it is necessary to decrypt the received data response command (YES at B 109 ).
  • the control device 102 a decrypt the encrypted data response command (B 110 ) and transmits the decrypted data response command from the external-tool-side communication device 102 c to the external tool 105 .
  • the control device 102 a determines that the data response command received from the access target ECU 104 is not encrypted, the control device 102 a determines that it is unnecessary to decrypt the received data response command (NO at B 109 ). In this case, the control device 102 a transmits, without decrypting, the data response command from the external-tool-side communication device 102 c to the external tool 105 .
  • the control device 102 a of vehicular gateway apparatus 102 performs the authentication of the external tool 105 .
  • the control device 102 a specifies the external tool 105 connected to the connector 107 as a proper external tool 105 , and sets the authenticated state (step B 104 ), as illustrated in FIG. 2 .
  • the control device 102 a permits receipt of a data request command regardless of whether the data request command is a regulation message or a non-regulation message.
  • the control device 102 a determines that the result of the authentication of the external tool 105 is negative (NO at B 103 ), the control device 102 a specifies the external tool 105 connected to the connector 107 an improper external tool, and does not set the authenticated state. Therefore, when the control device 102 a determines that an data request command from the external tool 105 is a non-regulation message requiring the authentication, the control device 102 a discards the data request command and rejects the receipt of the data request command to reject the data communication (B 111 ), because the result of the previously-performed authentication is negative and the authenticated state is not set. That is, at B 111 , the control device 102 a rejects the data communication. In this case, the rejection of the receipt of the data request command may include nullifying the data request command without discarding data request command. That is, the rejection of the receipt of the data request command may include prohibiting the processing in line with the content of the data request command.
  • the vehicular gateway apparatus 102 encrypts the data request command received from the external tool 105 .
  • the external tool 105 may have a function to encrypt the data request command, and may encrypt the data request command on an as-needed basis.
  • control device 102 a determines that the result of the authentication is affirmative, the control device 102 a sets the authenticated state to permit the receipt of the data request command from the external tool 105 .
  • a period of maintaining the authenticated state is managed in the following ways.
  • control device 102 a manages the period of maintaining the authenticated state, based on the following first to fourth periods:
  • the control device 102 a sets the authenticated state (B 104 ), starts an authentication maintain timer for counting a predetermined time (B 112 ), and monitors whether or not the authentication maintain timer reaches the predetermined time (B 113 ).
  • the control device 102 a determines that the authentication maintain timer reaches the predetermined time (YES at B 113 )
  • the control device 102 a ends the authenticated state.
  • the period of maintaining the authenticated state is managed by the vehicular gateway apparatus 102 alone.
  • the predetermined time to be counted by the authentication maintain timer may be an initial value set in production, or may be a set value which is set and inputted by the operator operating the external tool 105 .
  • the Second Period (a Period During which the Authenticated State Maintain Request Signal is Inputted from an External).
  • FIG. 6 One example is illustrated in FIG. 6 .
  • the control device 102 a of the vehicular gateway apparatus 102 maintains the authenticated state within a period during which the control device 102 a determines that the authenticated state maintain request command is received by the external-tool-side-bus communication device 102 c .
  • the control device 102 a ends the authenticated state (B 114 ).
  • the external tool 105 leads the control of the period of maintaining the authenticated state.
  • FIG. 7 Another example is illustrated in FIG. 7 .
  • the control device 102 a of the vehicular gateway apparatus 102 transmits an authenticated state notice command from the ECU-side-bus communication device 102 b to the access target ECU 104 , so that the access target ECU 104 transmits the authenticated state maintain request command.
  • the control device 102 a determines that the authenticated state maintain request command from the access target ECU 104 is received by the ECU-side-bus communication device 102 b , the control device 102 a maintains the authenticated state.
  • the control device 102 a Upon determining that the authenticated state end request command from the access target ECU is received by the ECU-side-bus communication device 102 b , the control device 102 a ends the authenticated state (B 114 ). In this example, the access target ECU 104 leads the control of the period of maintaining the authenticated state. It should be noted that the predetermined period during which the external tool 105 or the access target ECU 104 periodically transmits the authenticated state maintain request command to the vehicular gateway apparatus 102 may be an initial value set in production or may be a set value which is set and inputted by the operator operating the external tool 105 .
  • the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition (B 115 ), by receiving the vehicle state from the ECU 104 through the ECU-side-bus communication device 102 b .
  • the predetermined condition may be one of the followings: the immobilizer is in an unlocked state (released state); the ignition switch is off; and the door is in a closed state. That is, when at least one of the above three conditions is satisfied, the control device 102 a determines that the vehicle state satisfies the predetermined condition (YES at B 115 ).
  • the control device 102 a During a period of determining that the vehicle state satisfies the predetermined condition, the control device 102 a maintains the authenticated state. When the control device 102 a determines that the vehicle state becomes failing to satisfy the predetermined condition (NO at B 115 ), the control device 102 a ends the authenticated state. In this case, the vehicular gateway apparatus 102 leads the control of the period of maintaining the authenticated state.
  • the control device 102 a of the vehicular gateway apparatus 102 determines whether or not the bus 106 is in the communicating state (B 116 ). Specifically, when the control device 102 a determines that one of the ECU-side-bus communication device 102 b and the external-tool-bus communication device 102 b is in the communicating state, the control device 102 a determines that the bus 106 is in the communicating state (YES at B 116 ). Within the period during which the control device 102 a determines that the bus is in the communicating state, the control device 102 a maintains the authenticated state.
  • the control device 102 a Upon determining that the bus 106 is changed into a not-communicating state (NO at B 116 ), the control device 102 a ends the authenticated state (B 114 ). In this case, the vehicular gateway apparatus manages the period of maintaining the authenticated state, based on the communicating state of the bus 106 .
  • the vehicular gateway apparatus 102 is connected with the bus 106 so as to partition (separate) the external tool 105 from the ECU 103 and the ECU 104 .
  • the vehicular gateway apparatus 102 performs the authentication of the external tool 105 .
  • the vehicular gateway apparatus 102 sets the authenticated state, so that the vehicular gateway apparatus 102 permits the receipt of a subsequent data request command from the external tool 105 regardless of whether or not the data request command is a non-regulation message requiring the authentication.
  • the vehicular gateway apparatus 102 When the result of the authentication of the external tool 105 is negative, the vehicular gateway apparatus 102 does not set the authenticated state, so that when the vehicular gateway apparatus 102 determines that a subsequent data request command from the external tool 105 is a non-regulation message requiring the authentication, the vehicular gateway apparatus 102 rejects the receipt of the data request command.
  • the period of maintaining the authenticated state is managed, it is possible to avoid unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU after cutting off the connection of the external tool. As a result, it is possible to further enhance the security. Additionally, since the authenticating of the external tool 105 , the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102 , it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102 . Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
  • the data communication of a specified data (e.g., regulation message) between external tool 105 and the access target ECU is exceptionally permitted. Therefore, while preventing the harms resulting from the connection of the improper external tool, it is possible to ensure the data communication of the specified data.
  • a specified data e.g., regulation message
  • FIGS. 9 and 10 A second example of the first embodiment will be described with reference to FIGS. 9 and 10 .
  • the vehicular gateway apparatus 102 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated state.
  • one of ECUs has an authentication function, so that the one of ECUs is designated as an authentication ECU.
  • this authentication ECU performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets the authenticated state and maintains the authenticated state.
  • the authentication ECU 103 includes an authentication device 103 d .
  • the authentication device 103 d is provided as a substitute for the authentication device 103 d of the vehicular gateway apparatus 102 of the first example of the first embodiment. That is, the authentication device 103 d has substantially the same function as the authentication device 103 d.
  • the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102 , the control device 103 a performs D 101 to D 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 as illustrated in the first example.
  • the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D 103 )
  • the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102 .
  • the control device 102 a of the vehicular gateway apparatus 102 determines that the ECU-side-bus communication device 102 b has received the authentication result affirmative response command from the authentication ECU, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c . Thereafter, the control device 102 a performs B 104 and B 112 to B 114 , which have already illustrated in the first example. Specifically, the authentication ECU 103 performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets the authenticated state. Thereafter, the vehicular gateway apparatus 102 maintains the authenticated state until the predetermined time has elapsed since the authenticated state was set.
  • the authenticated state is maintained only within the predetermined period after the authenticated state is set.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the authentication ECU 103 and the vehicular gateway apparatus 102 .
  • FIGS. 12 and 13 In the third example, the vehicular gateway apparatus 102 connected with the bus 106 is absent.
  • the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are preformed by authentication ECU 103 .
  • the authentication ECU 103 includes an authentication device 103 d , an authentication control device 103 e , a communication control device 103 f , a filtering device 103 g , and an authentication maintain device 103 h .
  • the authentication device 103 d , the authentication control device 103 e , the communication control device 103 f , the filtering device 103 g and the authentication maintain device 103 h respectively, have substantially the same function as the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
  • the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102 , the control device 103 a performs D 101 to D 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 as illustrated in the first example.
  • the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D 103 )
  • the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b .
  • the control device 103 a performs D 104 to D 107 , which correspond to B 104 and B 112 to B 114 performed by the vehicular gateway apparatus 102 of the first example.
  • the authenticated state can be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102 .
  • the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g , so that the authentication ECU 103 performs the authentication of the external tool 105 and that the access target ECU 104 sets and maintains the authenticated state. That is, the authentication of the external tool 105 , the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • a fourth example of the first embodiment will be described with reference to FIGS. 14 and 15 .
  • the vehicular gateway apparatus 102 is not connected with the bus 106 .
  • the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are preformed by the access target ECU 104 .
  • the access target ECU 104 includes an authentication device 104 c , an authentication control device 104 d , a communication control device 104 e , a filtering device 104 f , and an authentication maintain device 104 g .
  • the authentication device 104 c , the authentication control device 104 d , the communication control device 104 e , the filtering device 104 f and the authentication maintain device 104 g respectively, have substantially the same functions as the authentication device 102 d , the authentication control device 102 e , the communication control device 102 f , the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
  • the control device 104 a of the access target ECU 104 determines that the bus communication device 104 b has received the authentication seed request command from the external tool 105 , the control device 104 a performs C 106 to C 112 , which correspond to D 101 to D 107 performed by the authentication ECU 103 of the third example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, after cutting off the connection of the external tool for example, it is possible to enhance the security. Additionally, since the access target ECU 104 performs the authentication of the external tool 105 , sets the authenticated state and maintains the authenticated stat, it is possible to omit the vehicular gateway apparatus 102 .
  • the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h , so that the access target ECU 104 performs the authentication of the external tool 105 and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • FIGS. 16 and 17 As shown in FIG. 16 , in the fifth example, a communication device 108 is connected with the ECU-side-bus 106 a . Additionally, a center (sever) 109 communicable with the external tool 105 and the communication device 108 via a wide area communication network are present. The center 109 performs the authentication of the external tool 105 , and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
  • the center 109 includes an authentication device 109 a .
  • the authentication device 109 a is provided as a substitute for the authentication device 102 d of the vehicular gateway apparatus 102 of the first example.
  • the authentication device 109 a has substantially the same function as the authentication device 102 d illustrated in the first example.
  • the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105 , the center 109 performs E 101 to E 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 illustrated in the first example.
  • the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E 103 )
  • the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108 .
  • the control device 102 a of the vehicular gateway apparatus 102 receives the authentication result affirmative response command from the center 109 through the communication device 108 .
  • the control device 102 a performs B 104 and B 112 to B 114 , which have been already illustrated in the first example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the vehicular gateway apparatus 102 .
  • the center 109 which is located outside of the vehicular data communication authentication system 141 , performs the authentication of the external tool 105 , it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
  • FIG. 18 A sixth example of the first embodiment will be described with reference to FIGS. 18 and 19 .
  • a communication device 108 is connected with the ECU-side-bus 106 a .
  • a center (sever) 109 communicable with the external tool 105 and the communication device 108 through a wide area communication network is present.
  • the center 109 performs the authentication of the external tool 105 , and the authentication ECU 103 sets and maintains the authenticated state.
  • the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105 , the center 109 performs E 101 to E 103 , which correspond to B 101 to B 103 performed by the vehicular gateway apparatus 102 of the first example.
  • the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E 103 )
  • the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108 .
  • the control device 103 a of the authentication ECU 103 receives the authentication result affirmative response command from the center 109 through the communication device 108 .
  • the control device 103 a performs D 104 and D 107 as illustrated in the second example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the authentication ECU 103 sets and maintains the authenticated state, the authentication of the external tool 105 , the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the authentication ECU 103 .
  • the center 109 which is located outside of a vehicular data communication authentication system 151 , performs the authentication of the external tool 105 , it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
  • a seventh example will be described with reference to FIG. 20 .
  • the system enables indirect authentication of the external tool 105 by performing the authentication of the vehicle state.
  • the seventh example can be achieved by using the same functional blocks ( FIG. 1 ) as the first example.
  • the control device 102 a of the vehicular gateway apparatus 102 receives the vehicle state from the ECU 103 through the ECU-side-bus communication device 102 b , thereby specifying the vehicle state (B 117 ). Then the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (B 118 ). For example, the control device 102 a determines whether or not the immobilizer is in the unlocked state, whether or not the ignition switch is off, and whether or not the door is in the closed state.
  • the vehicle state is a normal state in which the immobilizer is in the released state (unlocked state), the ignition switch is off or the door is in the closed state.
  • the vehicle state is a abnormal state in which the immobilizer is not in the released state; the ignition switch is not off; or the door is not the not-closed state.
  • the result of the authentication of the vehicle state is not affirmative.
  • the control device 102 a determines that the result of the authentication of the vehicle state is affirmative (YES at B 119 )
  • the control device 102 a performs B 104 .
  • the control device 102 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the external-tool-side-bus communication device 102 c .
  • the control device 102 a sets the authenticated state, which is a state where the vehicle state is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 (permits the data communalization). Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 (prohibits the data communalization).
  • the control device 102 a When the authenticated state is set in the above way (B 104 ), the control device 102 a performs B 112 to B 114 as illustrated in the first example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authenticating of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102 , it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102 . Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
  • the authentication ECU performs the authentication of the vehicle state and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
  • the eighth example can be achieved by using the same functional blocks ( FIG. 10 ) as the second example.
  • the control device 103 a of the authentication ECU 103 receives the vehicle state from an external, thereby specifying the vehicle state (D 108 ). Then the control device 103 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (D 109 ).
  • the control device 103 a determines that the result of the he authentication of the vehicle state is affirmative (YES at D 110 ), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102 .
  • the control device 102 a of the vehicular gateway apparatus 102 determines that the authentication result affirmative response command from the authentication ECU 103 is received by the ECU-side-bus communication device 102 b , the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c . Thereafter, the control device 102 a performs B 104 , and B 112 to B 114 as illustrated in the first example. In other words, the authentication ECU 103 performs the authentication of the vehicle state, and the vehicular gateway apparatus 102 sets the authenticated state, and maintains the authenticated state only within the predetermined period after the authenticated state was set.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
  • a ninth example will be described with reference to FIG. 22 .
  • the authentication ECU 103 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state.
  • the ninth example can be achieved by using the same functional blocks ( FIG. 12 ) as the third example.
  • the control device 103 a of the authentication ECU 103 receives the vehicle state from an external and performs D 108 to D 110 as illustrated in the seventh example.
  • the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D 110 )
  • the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b .
  • the control device 103 a performs D 104 to D 107 as illustrated in the third example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
  • the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g , so that the authentication ECU 103 performs the authentication of the vehicle state and that the access target ECU 104 sets and maintains the authenticated state.
  • the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • a tenth example will be described with reference to FIG. 23 .
  • the access target ECU 104 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state.
  • the tenth example can be achieved by using the same functional blocks ( FIG. 14 ) as the fourth example.
  • the control device 104 a of the access target ECU 104 receives the vehicle state from the ECU 103 through the bus communication device 104 b , thereby specifying the vehicle state (C 13 ). Then the control device 104 a determines whether or not the vehicle state satisfies the predetermined condition, thereby performing the authentication of the vehicle state and determining whether or not a result of the authentication is affirmative or negative (C 14 ). When the result of the authentication is affirmative (YES at C 14 ), the control device 104 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 104 b .
  • the control device 104 a performs C 109 to C 112 as illustrated in the fourth example.
  • the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105 , the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
  • the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h , so that the access target ECU 104 performs the authentication of the vehicle state and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • the above-illustrated examples do not limit examples of the first embodiment.
  • the first embodiment can be modified and extended in various ways.
  • the authenticated state may be set.
  • the vehicle state to be authenticate is not limited to the state (locked state, released stated) of the immobilizer, the state (on, off) of the initiation switch, and the state of the door (open state, closed state). Any state can be adopted as long as the state enable a determination as to whether or not a proper operator connects a proper external tool or an improper operator connects an improper external tool.
  • the determination may be used by using a single one of the states or by using a combination of the states.
  • the filtering device 102 g of the vehicular gateway apparatus 102 , the filtering device 103 g of the authentication ECU 103 , and the filtering device 104 f of the access target ECU 104 may be omissible.
  • a vehicular data communication apparatus 202 is connected with a bus so as to partition (separate) multiple ECUs including a first ECU 203 and a second ECU 204 from an external tool 205 .
  • Each of the ECUs and the external tool 205 serves as a node.
  • the external tool 205 is operable by an operator.
  • a bus connecting the vehicular data communication apparatus 202 and the external tool 205 is called a bus A. That is, the bus A is a bus for data transmission between the vehicular data communication apparatus 202 and the external tool 205 .
  • a bus connecting the vehicular data communication apparatus 202 and the first ECU 203 is called a bus B. That is, the bus B is a bus for data transmission between the vehicular data communication apparatus 202 and the first ECU 203 .
  • a bus connecting the vehicular data communication apparatus 202 and the second ECU 204 is called a bus C. That is, the bus C is a bus for data transmission between the vehicular data communication apparatus 202 and the second ECU 204 .
  • a connector 206 to which the external tool 205 is connectable, is provided on an external tool side of the bus A.
  • the external tool 205 becomes able to communicate with the vehicular data communication apparatus 202 .
  • the bus A, the bust B and the bus C adopt a control device area network (CAN) as a data communication method.
  • the CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc.
  • CRC cyclic redundancy check
  • a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
  • the vehicular data communication apparatus 202 includes a control device 202 a (which can correspond to an example of encryption control device and means), an ECU-side-bus communication device 202 b , an external-tool-side-bus communication device 202 c , an encryption device 202 d , and an encryption table 202 e (which can correspond to an encryption information storage device or means).
  • the control device 202 a includes a microcomputer. By executing a control program with the microcomputer, the control device 202 a controls operations of the ECU-side-bus communication device 202 b , the external-tool-side-bus communication device 202 c and the encryption device 202 d .
  • the ECU-side bus communication device 202 b is connected with the bus B and the bus C, and controls data transmission and receipt between the first ECU 203 and the second ECU 204 .
  • the external-tool-side bus communication device 202 c is connected with the bus A. In a state where the external tool 205 is connected to the connector 206 , the external-tool-side bus communication device 202 c controls communications, such as data transmission and receipt, with the external tool 205 .
  • the encryption device 202 d references the encryption table 202 e to encrypt and rewrite a plaintext data into an encrypted-text data.
  • the plaintext data to be encrypted may be (i) a plaintext data which the external-tool-side bus communication device 202 c receives from the external tool 205 , and (ii) a plaintext data which the ECU-side-bus communication device 202 b receives from the first ECU 203 or the second ECU 204 .
  • the encryption table 202 e stores an encryption information. For example, as illustrated in FIG.
  • the encryption table 202 e stores the encryption information (“encr” in FIG. 24 ) indicating that the plaintext is to be encrypted.
  • the encryption table 202 e stores the encryption information (“plain” in FIG. 24 ) indicating that the plaintext is not to be encrypted.
  • the first ECU 203 includes a control device 203 a (which can correspond to an example of decryption control device and means), a bus communication device 203 b , a decryption device 203 c , and a decryption table 203 d (which can correspond to an example of decryption information storage device and means).
  • the control device 203 a includes a microcomputer. By executing a control program with the microcomputer, the control device 203 a controls the bus communication device 203 b and the decryption device 203 c .
  • the bus communication device 203 b is connected with the bus B and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
  • the decryption device 203 c decrypts an encrypted-text data received from the vehicular data communication apparatus 202 , by rewriting the encrypted-text data into a plain text data when the bus communication device 203 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
  • the decryption table 203 d stores decryption information. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bus A, the decryption table 203 d stores “decry” indicating that the encrypted-text data is to be decrypted. For the case where the bus connected with the source node is the bus C, the decryption table 203 d stores “plain” indicating that the plain-text data is not to be decrypted.
  • the second ECU 204 has substantially the same configuration as the first ECU 203 .
  • the second ECU 204 includes a control device 204 a (which can correspond to an example of decryption control device and means), a bus communication device 204 b , a decryption device 204 c , and a decryption table 204 d (which can correspond to an example of decryption information storage device and means).
  • the control device 204 a includes a microcomputer. By executing a control program with the microcomputer, the control device 204 a controls the bus communication device 204 b and the decryption device 204 c .
  • the bus communication device 204 b is connected with the bus C and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
  • the decryption device 204 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 204 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
  • the decryption table 204 d stores decryption information. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bust A, the information “plain” indicating that the plain-text data is not encrypted is stored. For the case where the bus connected with the data source node is the bus C, “the information decry” indicating that the encrypted-text data is to be decrypted is stored.
  • the external tool 205 includes a control device 205 a (which can correspond to a decryption control device and means), a bus communication device 205 b , a decryption device 205 c , a decryption table 205 d (which can correspond to a decryption information storage device and means), an input/output interface (IF) 205 e .
  • the control device 205 a includes a microcomputer. By executing a control program with the microcomputer, the control device 205 a controls operations of the bus communication device 205 b , the decryption device 205 c , and the input/output interface (IF) 205 e .
  • the bus communication device 205 b is connected with the bus A and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202 .
  • the decryption device 205 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 205 b receives the encrypted-text data from the vehicular data communication apparatus 202 .
  • the decryption table 205 d stores decryption information for each data bus connected with the data source node. For example, as illustrated in FIG. 24 , for the case where the bus connected with the data source node is the bus B, the information “decry” indicating that the encrypted-text data is to be decrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “plain” indicating that the plain-text data is not decrypted is stored.
  • the input/output IF 205 e has a function to accept an input operation from the operator operating the external tool 205 , and has a function to issue a notification by, for example, displaying a data. Specifically, by connecting the external tool 205 to the connector 206 and performing the input operation to the external tool 205 , the operator can rewrite the control program of an access target ECU and read out a data from the access target ECU.
  • the external tool 205 is not limited to a dedicated node for rewriting the control program of the access target ECU and reading out the data from the access target ECU but the external tool 205 may be a cellular phone, a personal digital assistance or the like having the above functions.
  • the encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public-key and the decryption is performed with a private-key.
  • the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.
  • Various ECUs may be used as the first ECU 203 and the second ECU 204 .
  • the first ECU 203 or the second ECU 204 may be one of an engine ECU for controlling an engine, a door lock ECU for controlling operations of a door lock mechanism, a navigation ECU for controlling navigation operations, a meter ECU for controlling operations of a meter (indicator), and the like.
  • the first ECU 203 or the second ECU 204 when the first ECU 203 or the second ECU 204 is the engine ECU, the first ECU 203 or the second ECU 204 includes a functional block for controlling the engine in addition to the above-described functional blocks.
  • the number of ECUs is two. However, the number of ECUs may be one, or more than two.
  • the encryption table and the decryption table are set up based on, for example, the following. Let us assume that the data transmitting through the bus can be classified into a regulation message (i.e., the message that gives obligation to answer in response to the request) and a non-regulation message (i.e., the message that does not give obligation to answer in response to the request).
  • the encryption table and the decryption table are set up, so that (i) the information indicating that the encryption or decryption is not to be performed is set for the bus connected with the node that transmits and receives the regulation message, and (ii) the information indicating that the encryption or decryption is to be performed is set for the bus connected with the node that transmits and receives the non-regulation message.
  • a first situation is that the external tool 205 and the first ECU 203 perform the data communication.
  • a second situation is that the external tool 205 and the second ECU 204 perform the data communication.
  • a third situation is that the first ECU 203 and the second ECU 204 perform the data communication.
  • the processes illustrated in FIG. 25 are performed by the external tool 205 , the first ECU 203 , and the vehicular data communication apparatus 202 .
  • the plain-text data is transmitted from the external tool 205 to the first ECU 203 (data destination node).
  • the control device 202 a of the vehicular data communication apparatus 202 determines that the plain-text data is received by the external-tool-side-bus communication device 202 c , the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B 201 ).
  • the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B 201 )
  • the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B 202 ), and transmits the encrypted-text data to the first ECU 203 by using the ECU-side-bus communication device 202 b .
  • the control device 202 a determines that it is not necessary to encrypt the plaintext data (NO at B 201 )
  • the control device 202 a transmits the plaintext data to the first ECU 203 by using the ECU-side-bus communication device 202 b , without encrypting the plaintext data by using the encryption device 202 d .
  • the control device 202 a since “encry” is stored for a combination of the bus A connected with the source and the bus B connected with the destination, the control device 202 a encrypts the plaintext data received from the external tool 205 , and transmits the encrypted-text data to the first ECU 203 .
  • the control device 203 a of the first ECU 203 determines that the bus communication device 203 b has received the data, which is addressed to the first ECU 203 , from the vehicular data communication apparatus 202 , the control device 203 a performs C 201 .
  • the control device 203 a determines whether or not it is necessary to decrypt the received data.
  • control device 203 a determines that it is necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the encrypted-text data (YES at C 201 ), the control device 203 a decrypts the encrypted-text data (C 202 ) and performs data processing based on the decrypted data.
  • the control device 203 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at C 201 ), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (C 203 ).
  • the control device 203 a since “decry” is stored for the bus A connected with the data source node, the control device 203 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202 , and performs the data processing based on the plaintext data. Thereafter, the control device 203 a transmits a plaintext data to the vehicular data communication apparatus 202 by using the bus communication device 203 b.
  • the control device 202 a of the vehicular data communication apparatus 202 determines that the external-tool-side-bus communication device 202 c has received the plain-text data, which is addressed to the external tool 205 , from the external tool 205 , the control device 202 a performs B 203 .
  • the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B 203 ).
  • the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B 203 )
  • the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B 204 ), and transmits the encrypted-text data to the external tool 205 by using the external-tool-side-bus communication device 202 c .
  • the control device 202 a determines that it is not necessary to encrypt the received plain-text data (NO at B 203 )
  • the control device 202 a transmits the plaintext data to the external tool 205 by using the external-tool-side-bus communication device 202 c , without encrypting the plaintext data by using the encryption device 202 d .
  • the control device 202 a since “encry” is stored for a combination of the bus B on a source side and the bus A on a destination side, the control device 202 a encrypts the plaintext data received from the first ECU 203 , and transmits the encrypted-text data to the external tool 205 .
  • the control device 205 a of the external tool 205 determines that the bus communication device 205 b has received the data, which is addressed to the external tool 205 , from the vehicular data communication apparatus 202 , the control device 205 a performs A 201 .
  • the control device 205 a determines whether or not it is necessary to decrypt the received data.
  • control device 205 a determines that it is necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the encrypted-text data (YES at A 201 ), the control device 205 a decrypts the encrypted-text data (A 202 ) and performs data processing based on the decrypted data (A 203 ).
  • the control device 205 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at A 201 ), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (A 203 ).
  • the control device 205 a decrypts the decrypted-text data received from the vehicular data communication apparatus 202 to obtain a plaintext data and performs the data processing based on the plaintext data
  • the vehicular data communication apparatus 202 stores “encry” for the combination of the bus A on the data source side and the bus B on the data destination side.
  • the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the first ECU 203 .
  • the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus A on the data destination side.
  • the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the external tool 205 .
  • the vehicular data communication apparatus 202 performs step B 211 and B 212 , and then, the second ECU 204 performs D 211 to D 213 , and then the vehicular data communication apparatus 202 performs B 213 and B 214 , and then the external tool 205 performs A 211 to A 213 .
  • the vehicular data communication apparatus 202 stores “plain” for the combination of the bus A on the data source side and the bus C on the data destination side.
  • the vehicular data communication apparatus 202 transmits the received plaintext data to the second ECU 204 without encrypting the received plaintext data.
  • the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204 , the vehicular data communication apparatus 202 transmits the received plaintext data to the external tool 205 without encrypting the received plaintext data.
  • the vehicular data communication apparatus 202 performs step B 221 and B 222 , and then, the second ECU 204 performs D 221 to D 223 , and then the vehicular data communication apparatus 202 performs B 223 and B 224 , and then the first ECU 203 performs C 221 to C 223 .
  • the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus C on the data destination side.
  • the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the second ECU 204 . Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204 , the vehicular data communication apparatus 202 transmits the received plaintext data to the first ECU 203 without encrypting the received plaintext data.
  • the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the encryption information (the encryption table) indicating whether or not the data is to be encrypted is uniformly managed by the vehicular data communication apparatus 202 .
  • the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
  • the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
  • a processing capacity e.g., a memory capacity
  • it is possible to use a processing capacity e.g., a memory capacity
  • a negative influence may be give on, for example, vehicle control during the vehicle traveling. Therefore, the configuration of the present example is remarkably advantageous in a system in which the ECU serves as a node.
  • the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • an encryption table and/or an decryption table targeted for respective individual nodes are not required to be set up. Instead, the encryption table and/or the decryption table targeted for respective individual nodes are set up. Therefore, a work for setting up the encryption table and/or the decryption table is simple.
  • the above illustration is directed to the system in which the first ECU 203 is connected with the vehicular data communication apparatus 202 through the bus B
  • ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 are connected with the vehicular data communication apparatus 202 through the bus B.
  • the first ECU 203 and a third ECU 207 may be connected with the vehicular data communication apparatus 202 through the bus B.
  • the third ECU 207 stores the same decryption table as the first ECU 203 stores, so that the third ECU 207 can performs substantially the same process as the first ECU 203 .
  • the encryption table stored in the vehicular data communication apparatus 202 is not used, because the vehicular data communication apparatus 202 does not relay the data.
  • the same is applied to cases where the second ECU 204 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
  • the encryption table is uniformly managed by the vehicular data communication apparatus 202 relaying a data.
  • the decryption table is uniformly managed by the external tool 205 , the first ECU 203 , and the second ECU 204 .
  • the information indicating that the decryption or the encryption is not to be performed is set for a node that transmits and receives a non-regulation message.
  • the information indicating that the decryption or the encryption is to be performed is set for a node that transmits and receives a regulation message.
  • the vehicular data communication apparatus 202 is connected with the first ECU 203 and the second ECU 204 through the bus B.
  • the vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e for each combination of a data source node and a data destination node. For example, as illustrated in FIG. 29 , for the case where the data source node is the external tool 205 and the data destination node is the first ECU 203 , the stored encryption information indicates that the plaintext data is to be encrypted.
  • the stored encryption information indicates that the plaintext data is not to be encrypted
  • the first ECU 203 stores the decryption information as the decryption table 203 d .
  • the stored decryption information indicates that the encrypted-text data is to be decrypted.
  • the second ECU 204 stores the decryption information as the decryption table 204 d . For example, as illustrated in FIG. 29 , for the case where the data source node is the external tool 205 , the stored decryption information indicates that the encrypted-text data is to be decrypted.
  • the second ECU 204 stores the decryption information as the decryption table 204 d . For example, as illustrated in FIG.
  • the stored decryption information indicates that the plaintext data is not to be decrypted.
  • the external tool 205 stores the decryption information as the decryption table 205 d .
  • the stored decryption information indicates that the encrypted-text data is to be decrypted.
  • the stored decryption information indicates that the plain-text data is not to be decrypted.
  • the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the vehicular data communication apparatus 202 For each combination of a data source node and a data destination node, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the second example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
  • the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
  • the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
  • the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • the above illustration is directed to the system in which the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B.
  • ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through multiple buses including the bus B.
  • the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B, and additionally, the third ECU 207 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
  • the vehicular data communication apparatus 202 stores the encryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node and the data destination node.
  • Each of the first ECU 203 , the second ECU 204 and the external tool 205 stores the decryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node.
  • the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each identifier (CAN_ID) indicative of type of a data frame storing a data.
  • CAN_ID identifier indicative of type of a data frame storing a data
  • the decryption table is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the regulation message.
  • the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the non-regulation message.
  • the CAN_ID refers to information identifying data content or the like, and has 11-bit length in standard format, as illustrated in FIG. 32 .
  • the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e .
  • the stored encryption information indicates that the plaintext data is to be encrypted.
  • the stored encryption information indicates that the plaintext data is not to be encrypted.
  • the first ECU 203 For each CAN_ID indicative of the type of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d .
  • the stored decryption information indicates that the plaintext data is to be decrypted.
  • the stored encryption information indicates that the plaintext data is not to be decrypted.
  • the second ECU 204 stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 204 d .
  • the external tool 205 also stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 205 d.
  • the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted.
  • the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
  • the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
  • the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
  • the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each data storage area (data field) of a data frame storing a data.
  • the decryption table is uniformly managed by the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the regulation message.
  • the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the non-regulation message.
  • the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e .
  • the stored encryption information indicates that the plaintext data is to be encrypted.
  • the stored encryption information indicates that the plaintext data is not to be encrypted.
  • the first ECU 203 For each data storage area of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d .
  • the stored decryption information indicates that the encrypted-text data is to be decrypted.
  • the second ECU 204 stores, for each data storage area of the data frame, the decryption information as the decryption table 204 d .
  • the external tool 205 also stores, for each data storage area of the data frame, the decryption information as the decryption table 205 d.
  • the vehicular data communication apparatus 202 relays a data among the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted.
  • the data destination node uniformly manages the decryption information (the decryption table) indicating whether or not the data is to be decrypted.
  • the data destination node is, for example, the external tool 205 , the first ECU 203 and the second ECU 204 .
  • the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment.
  • the external tool 205 , the first ECU 203 and the second ECU 204 are not required to encrypt the data.
  • the external tool 205 , the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data.
  • the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • the second embodiment is not limited to the above-illustrated examples, and can be modified and extended in, for example, the following way. Two or more of the first to fourth examples may be combined.
  • the system may employ the tow or more of: a configuration in which the encryption information and the decryption information are managed on a bus-by-bus basis; a configuration in which the encryption information and the decryption information are managed on a node-by-node basis; a configuration in which the encryption information and the decryption information are managed on a CAN_ID-by-CAN_ID basis; and a configuration in which the encryption information and the decryption information are managed on a data-field-by-data-field basis.
  • the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting a data by determining whether or not to encrypt the data.
  • the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting a data by determining whether or not to encrypt the data.
  • an ECU having a high processing capacity may be provided in the system, so that, while fulfilling its primary function, the ECU encrypts a data by determining whether or not to encrypt the data.

Abstract

A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • The present application is based on Japanese Patent Applications No. 2012-33945 filed on Feb. 20, 2012 and 2012-67383 filed on Mar. 23, 2012, disclosures of which are incorporated herein by reference.
  • TECHNICAL FIELD
  • The present disclosure relates to a vehicular data communication authentication system in which an external tool is connectable to an electronic control unit (ECU). The present disclosure also relates to a vehicular gateway apparatus connected with the vehicular data communication authentication system to partition the external tool from the ECU. The present disclosure also relates to a vehicular data communication system including a vehicular data communication apparatus connected with multiple nodes through a bus. The present disclosure also relates to such a vehicular data communication apparatus.
  • BACKGROUND
  • It is known that a data communication between electronic control units (ECUs) serving as nodes is performed through a bus, and that a data communication between an ECU and an external tool is performed through a bus. When the data communication is performed between the external tool and the ECU, it becomes possible to access to the ECU by connecting the external tool to the bus, and it becomes possible to rewrite a control program of the ECU and read out a data from the ECU (see Patent Document 1 for example).
    • Patent Document 1: JP 2004-192277A
  • Specifications of data communication standards and connection interfaces between an external tool and a bus are open to the public. Thus, not only a proper worker can connect a proper external tool to the bus but also a third party having a bad intention can connect an improper external tool to the bus. If the improper external tool is connected to the bus, the vehicle may be subject to attack such as the improper rewriting of the control program of the ECU, the improper reading out of the data from the ECU (so called a masquerading), or the like. The controller area network (CAN) is a data communication standard between the external tool and the ECU. In the CAN, since a data frame is broadcasted, wiretapping and analysis are relatively easy. Additionally, the CAN provides a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.
  • Because of the above, protection measures against the improper connection of the external tool to the bus are desired.
  • Further, enhancement of security in data communication between ECUs and between the external tool and the ECU is desired. Although it may be possible to enhance the security by providing a node with a data encryption function, this leads to various difficulties such as configuration complication, processing load increase, and the like.
  • SUMMARY
  • In view of the foregoing, it is an object of the present disclosure to provide a vehicular data communication authentication system and a vehicular gateway apparatus that can prevent damages resulting from a connection of an improper external tool and can enhance security even if the improper external tool is connected to a bus connected with an ECU.
  • It is also an object of the present disclosure to provide a vehicular data communication system and a vehicular data communication apparatus that can enhance security in data communication while minimizing node load even if a node does not have a data encryption function.
  • According to a first example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • According to a second example of embodiments, a vehicular data communication authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device; a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • According to a third example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of the external tool connected to the bus. The authentication control device determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative. When determining that the result of the authentication of the external tool is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the external tool is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which a vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • According to a fourth example of embodiments, a vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, includes an authentication device, an authentication control device and an authentication maintain device. The authentication device performs authentication of a vehicle state. The authentication control device determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative. When determining that the result of the authentication of the vehicle state is affirmative, the authentication control device sets an authenticated state and permits a data communication between the external tool and the access target ECU. When determining that the result of the authentication of the vehicle state is not affirmative, the authentication control device does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU. After the authenticated state is set by the authentication control device, the authentication maintain device maintains the authenticated state within one of: a first period, which is a predetermined period of time elapsed since the authenticated state was set; a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device (102 e); a third period, which is a period during which the vehicle state satisfies a predetermined condition; and a fourth period, which is a period during which the bus is in a communicating state.
  • According to the above vehicular data communication authentication systems and the vehicular gateway apparatuses, even if an improper external tool is connected to a bus connected with an ECU, it is possible to prevent damages resulting from a connection of the improper external tool and it is possible to enhance security.
  • According to a fifth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of one bus connected with a data source node and another bus connected with a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each bus connected with the data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • According to a sixth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each combination of a data source node and a data destination node, the encryption information storage device stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each data source node, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • According to a seventh example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each identifier indicative of class a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, an encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each identifier indicative of the type of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • According to an eighth example of embodiments, a vehicular data communication system includes a vehicular data communication apparatus connected with nodes through buses. The vehicular data communication apparatus includes an encryption information storage device and an encryption control device. For each data storage area of a data frame storing a data, the encryption information storage device stores an encryption information indicating whether or not the data is to be encrypted. In cases where the vehicular data communication apparatus receives a data from a first node through a first bus and transmits the received data to a second node through a second bus, the encryption control device determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device. Each node includes an decryption information storage device and a decryption control device. For each data storage area of the data frame storing the data, the decryption information storage device stores a decryption information indicating whether or not the data is to be decrypted. In cases where the node receives the data from the vehicular data communication apparatus, the decryption control device determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
  • According to the vehicular data communication systems and the vehicular data communication apparatuses, it is possible to enhance security in data communication while minimizing node load even if a node does not have a data encryption function.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description made with reference to the accompanying drawings. In the drawings:
  • FIG. 1 is a functional block diagram illustrating a data communication authentication system of a first example of a first embodiment;
  • FIG. 2 is a sequence diagram illustrating operations;
  • FIG. 3 is a sequence diagram illustrating operations performed after those in FIG. 2;
  • FIG. 4 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus discards a data request command in response to a negative result of authentication;
  • FIG. 5 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus includes a timer for maintaining an authenticated state;
  • FIG. 6 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an external tool;
  • FIG. 7 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which an authenticated state maintain request is inputted from an access target ECU;
  • FIG. 8 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a vehicle state satisfies a predetermined condition;
  • FIG. 9 is a sequence diagram illustrating operations in cases where a vehicular gateway apparatus maintains an authenticated state within a period during which a bus is in a communicating state;
  • FIG. 10 is a functional block diagram illustrating a data communication authentication system of a second example of the first embodiment;
  • FIG. 11 is a sequence diagram illustrating operations of the second example of the first embodiment;
  • FIG. 12 is a functional block diagram illustrating a data communication authentication system of a third example of the first embodiment;
  • FIG. 13 is a sequence diagram illustrating operations of the third example of the first embodiment;
  • FIG. 14 is a functional block diagram illustrating a data communication authentication system of a fourth example of the first embodiment;
  • FIG. 15 is a sequence diagram illustrating operations of the fourth example of the first embodiment;
  • FIG. 16 is a functional block diagram illustrating a data communication authentication system of a fifth example of the first embodiment;
  • FIG. 17 is a sequence diagram illustrating operations of the fifth example of the first embodiment;
  • FIG. 18 is a functional block diagram illustrating a data communication authentication system of a sixth example of the first embodiment;
  • FIG. 19 is a sequence diagram illustrating operations of the sixth example of the first embodiment;
  • FIG. 20 is a sequence diagram illustrating operations of a seventh example of the first embodiment;
  • FIG. 21 is a sequence diagram illustrating operations of an eighth example of the first embodiment;
  • FIG. 22 is a sequence diagram illustrating operations of a ninth example of the first embodiment;
  • FIG. 23 is a sequence diagram illustrating operations of a tenth example of the first embodiment;
  • FIG. 24 is a functional block diagram illustrating a vehicular data communication system of a first example of a second embodiment;
  • FIG. 25 is a sequence diagram illustrating operations in a first situation in accordance with the first example of the second embodiment;
  • FIG. 26 is a sequence diagram illustrating operations in a second situation in accordance with the first example of the second embodiment;
  • FIG. 27 is a sequence diagram illustrating operations in a third situation in accordance with the first example of the second embodiment;
  • FIG. 28 is a block diagram illustrating a encryption table and a decryption table in accordance with the first example of the second embodiment;
  • FIG. 29 is a functional block diagram illustrating a vehicular data communication system of a second example of the second embodiment;
  • FIG. 30 is a block diagram illustrating a encryption table and a decryption table in accordance with the second example of the second embodiment;
  • FIG. 31 is a functional block diagram illustrating a vehicular data communication system of a third example of the second embodiment;
  • FIG. 32 is a diagram illustrating a configuration of a data frame; and
  • FIG. 33 is a functional block diagram illustrating a vehicular data communication system of a fourth example of the second embodiment.
  • DETAILED DESCRIPTION
  • Embodiments will be described with reference to the drawings. Throughout the below-embodiments, like reference numerals are used to refer to like parts.
  • First Embodiment
  • A first embodiment will be described with reference to FIGS. 1 to 23.
  • First Example of First Embodiment
  • A first example of the first embodiment will be described with reference to FIGS. 1 to 9.
  • As shown in FIG. 1, in a vehicular data communication authentication system 101, a vehicular gateway apparatus 102 is connected with a bus 106 so that the gateway apparatus 102 partitions (separates) multiple electronic control units (ECUs) 103, 104 from an external tool 105 (an operating device) operable by an operator. In FIG. 1, two ECUs are illustrated as the multiple ECUs 103, 104. In the present embodiment, a portion of the bus 106 on an ECU side of the gateway apparatus 102 is referred to as an ECU-side bus 106 a. That is, the ECU-side bus 106 a is a bus for transmitting data between the gateway apparatus 102 and the ECUs 103, 104. A portion of the bus 106 on an external tool side of the gateway apparatus 102 is referred to as an external-tool-side bus 106 b. That is, the external-tool-side bus 106 b is a bus for transmitting data between the gateway apparatus 102 and the external tool 105.
  • The ECUs 103, 104 may include, for example, an engine ECU for controlling operation of the engine, a door lock ECU for controlling operation of door lock mechanism, a navigation ECU for controlling navigation operation, a meter ECU for controlling operation of a meter (indicator), or the like. The number of ECUs may be two, three or more, or may be one. The external-tool-side bus 106 b is provided with a connector 107 to which the external tool 105 is detachably connectable. By being connected to the connector 107, the external tool 105 is connected to the external-tool-side bus 106 b and becomes able to perform the data communication with the gateway apparatus 102.
  • The bus 106 adopts a controller area network (CAN) as a data communication method. The CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN communication, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
  • The gateway apparatus 102 includes a control device 102 a, an ECU-side bus communication device 102 b, an external-tool-side bus communication device 102 c, an authentication device 102 d, an authentication control device 102 e, a communication control device 102 f, a filtering device 102 g, and an authentication maintain device 102 h. The authentication device 102 d can correspond to an example of authentication means or device, and an example of second authentication means or device. The authentication control device 102 e can correspond to an example of authentication control means or device, and an example of authentication control means or device. The communication control device 102 f can correspond to an example of communication control means or device, and an example of communication control means or device. The authentication maintain device 102 h can correspond to an example of authentication maintain means or device, and an example of authentication maintain means or device.
  • The control device 102 a includes a microcomputer. By executing a control program with the microcomputer, the control device 102 a controls operations of the ECU-side bus communication device 102 b, the external-tool-side bus communication device 102 c, the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g, and the authentication maintain device 102 h. The ECU-side bus communication device 102 b is connected with the ECU-side bus 106 a, and controls communication, such as data transmission and receipt, with the ECUs 103 and 104. The external-tool-side bus communication device 102 c is connected with the external-tool-side bus 106 b. In a state where the external tool 105 is connected to the connector 107, the external-tool-side bus communication device 102 c controls communications, such as data transmission and receipt, with the external tool 105.
  • In the situation where the external tool 105 is connected to the connector 107, the authentication device 102 d performs authentication of the external tool 105 (a procedure of the authentication will be described later). Based on a result of the authentication of the external tool 105 by the authentication device 102 d, the authentication control device 102 e sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. Specifically, when the result of the authentication of the external tool 105 is affirmative, the authentication control device 102 e sets an authenticated state and permits the data communication between the external tool 105 and the access target ECU. When the result of the authentication of the external tool 105 is negative (not affirmative), the authentication control device 102 e does not set the authenticated stat and prohibits the data communication between the external tool 105 and the access target ECU
  • Regardless of whether the result of the authentication of the external tool 105 performed by the authentication device 102 d is affirmative or not, the communication control device 102 f sets whether the data communication between the external tool 105 and an access target ECU should be permitted or prohibited. A reason for this exceptional permission is as follows. In a data communication for a vehicle, since it is necessary to always permit a certain part of the data communication, the communication control device 102 f exceptionally permits the data communication for a specified data e.g., the below-described regulation message) between the external tool 105 and the access target ECU. In a situation where the authentication control device 102 e or the communication control device 102 f prohibits the data communication between the external tool 105 and the access target ECU, the filtering device 102 g exceptionally permits only for specified data communication. When the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains the set authenticated state. That is, when the authentication control device 102 e sets the authenticated state, the authentication maintain device 102 h maintains a period of permitting the data communication between the external tool 105 and the access target ECU.
  • The control device 102 a has an encryption function and a decryption function. Specifically, when the external-tool-side-bus communication device 102 c receives a plaintext command from the external tool 105, the control device 102 a encrypts and rewrites the received plaintext command into an encrypted-text command. When the ECU-side-bus communication device 102 b receives an encrypted-text command from the ECU 103 or the ECU 104, the control device 102 a decrypts and rewrites the received encrypted-text command into a plaintext command. The encryption and description may use a public-key cryptography, in which the encryption is performed with a public-key and the description is performed with a private-key. Alternatively, the encryption and description may use a common-key cryptography, in which the encryption and decryption are performed with a common-key.
  • The ECU 103 includes a control device 103 a, a bus communication device 103 b, and a vehicle state input device 103 c. The control device 103 a includes a microcomputer. By executing a control program with the microcomputer, the control device 103 a controls the bus communication device 103 b and the vehicle state input device 103 c. The bus communication device 103 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The vehicle state input device 103 c receives and inputs a vehicle state from an external device (e.g., various sensors, different ECUs, wireless communication device etc). The vehicle state inputted by the vehicle state input device 103 c may be, for example, a immobilizer state (locked state or unlocked state), an ignition (IG) switch state (on and off), a door state (open state or closed state), or the like.
  • The ECU 104 includes a control device 104 a and a bus communication device 104 b. The control device 104 a includes a microcomputer. By executing a control program with the microcomputer, the control device 104 a controls the bus communication device 104 b. The bus communication device 104 b is connected with the ECU-side bus 106 a and controls communications, such as data transmission and receipt, with the gateway apparatus 102.
  • It should be noted that if the ECU 103 or 104 is the engine ECU for example, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the engine in addition to the above-described functional blocks. If the ECU 103 or 104 is the door lock ECU, the ECU 103 or 104 includes a functional block (not shown) for controlling the operation of the door lock mechanism in addition to the above-described functional blocks. The same is applicable to cases where the ECU 103 or 104 is an ECU other than the engine ECU and the door lock ECU. Alternatively, both of the ECU 103 and the ECU 104 receive and input the vehicle states from externals
  • The external tool 105 includes a control device 105 a, a bus communication device 105 b and an input/output interface (IF) 105 c. The control device 105 a includes a microcomputer. By executing a control program with the microcomputer, the control device 105 a controls operations of the bus communication device 105 b and the input/output interface (IF) 105 c. The bus communication device 105 b is connected with the external-tool-side bus 106 b and controls communications, such as data transmission and receipt, with the gateway apparatus 102. The input/output IF 105 c has a function to accept an input operation from the operator operating the external tool 105, and has a function to issue a notification by, for example, displaying a data.
  • Specifically, by connecting the external tool 105 to the connector 107 and by performing the input operation to the external tool 105, the operator can rewrite the control program of the access target ECU and read out a data from the access target ECU. The external tool 105 is not limited to a dedicated apparatus for rewriting the control program of the access target ECU and reading out the data from the access target ECU. For example, the external tool 105 may be a cellular phone, a personal digital assistance or the like having the above functions.
  • Operations will be described with reference to FIGS. 2 to 9. Now, it is assumed that the ECU 104 is the access target ECU and that the external tool 105 transmits a data request command to the access target ECU 104 in order to rewrite the control program of the access target ECU 104 or read out a data from the access target ECU 104.
  • When the control device 105 a of the external tool 105 determines that the external tool 105 is connected to the connector 107, the control device 105 a transmits an authentication seed request command from the bus communication device 105 b to the gateway apparatus 102. When the control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the authentication seed request command from the external tool 105, the control device 102 a generates an authentication seed at B101 (see FIG. 2) and transmits the generated authentication seed from the external-tool-side-bus communication device 102 c to the external tool 105. The authentication seed includes information used in generating the below-described authentication code, and is written in random number.
  • When the control device 105 a of the external tool 105 determines that the bus communication device 105 b receives the authentication seed from the gateway apparatus 102, the control device 105 a generates an authentication code based on the authentication seed (while associating the authentication code with the authentication seed) at A101, and the control device 105 a transmits the generated authentication code from the bus communication device 105 b to the gateway apparatus 102. The authentication code is expressed in random number, like the authentication seed. In the above, it is assumed that the external tool 105 does not possess the authentication seed. However, the external tool 105 may possess the authentication seed. In this configuration, the external tool 105 may generate the authentication code based on the authentication seed possessed by the external tool 105 itself and may transmit the generated authentication code from the bus communication device 105 b to the gateway apparatus 102.
  • In the gateway apparatus 102, when the control device 102 a determines that the external-tool-side-bus communication device 102 c receives the authentication code from the external tool 105, the control device 102 a performs B102. Specifically, at B102, the control device 102 a performs cross-check between the authentication seed, which was transmitted to the external tool 105, and the authentication code received from the external tool 105, and determines whether or not the result of the authentication of the external tool 105 is affirmative.
  • More specifically, a proper external tool, which is connected to the connector 107 by a proper operator, is equipped with a function to (i) correctly generate an authentication based on the authentication seed received from the gateway apparatus 102 and (ii) transmit the correctly-generated authentication code to the gateway apparatus 102. Therefore, when the proper operator connects the proper external tool to the connector 107, there is match between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes affirmative.
  • An improper external tool, which may be connected to the connector 107 by a third party having a bad intention, is not equipped with the function to correctly generate the authentication based on the authentication seed received from the gateway apparatus 102. Thus, the improper external tool is unable to correctly generate an authentication code or transmit the authentication code to the gateway apparatus, or may transmit an incorrect authentication code to the gateway apparatus 102. As a result, when a third party having a bad intention connects an improper external tool to the connector 107, there is mismatch between the authentication seed and the authentication code, and the result of the authentication of the external tool 105 becomes not affirmative.
  • In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the external tool 105 is affirmative and the external tool 105 is a proper external tool (YES at B103), the control device 102 a performs B104. At B104, the control device 102 a transmits am affirmative authentication result response command, which indicates that the result of the authentication is affirmative, from the external-tool-side-bus communication device 102 c to the external tool 105, and additionally, the control device 102 a sets the authenticated state, which is a state where the external tool 105 is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 and permits the data communication. Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 and prohibits the data communication.
  • In the external tool 105, when the control device 105 a accepts, for example, the input operation from the operator after the control device 105 a determines that the bus communication device 105 b receives the affirmative authentication response command from the gateway apparatus 102, the control device 105 a transmits the data request command from the bus communication device 105 b to the gateway apparatus in accordance with the input operation. It should be noted that the data request command transmitted from the external tool 105 to the gateway apparatus 102 includes information for identifying the access target ECU 104, which is a destination of the data request command.
  • The control device 102 a of the gateway apparatus 102 determines that the external-tool-side-bus communication device 102 c receives the data request command from the external tool 105, the control device 102 a performs B105. Specifically, at B105, the control device 102 a analyzes the received data request command and determines whether or not it is necessary to perform the authentication of the external tool 105. For example, by determining whether the data request command is a regulation message (regulation command) or a non-regulation message (non-regulation command), the control device 102 a determines whether or not it is necessary to perform the authentication of the external tool 105. The law-regulation message is a message that gives obligation to answer in response to the request from the external tool 105. For example, the regulation message may be a massage that requests a data about, for example, an engine system, or the like. The non-regulation message is a message that does not give obligation to answer in response to the request from the external tool 105. It should be noted that a determination of whether the data request command is a regulation message or a non-regulation message may correspond to a determination of whether the access target ECU 104, which is a transmission destination of the data request command, is a regulation ECU or a non-regulation ECU.
  • When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary perform the authentication of the external tool 105 (YES at B105), the control device performs B106. At B106, the control device 102 a determines whether the result of the previously-preformed authentication is affirmative or negative. When the control device 102 a determines that the result of the previously-preformed authentication is affirmative (YES at B106), the process proceeds to B107. At B107, the control device 102 a determines whether or not it is necessary to encrypt the data request command. Specifically, the control device 102 a determines whether the data request command is the regulation message or the non-regulation message, thereby determining whether or not it is necessary to encrypt the data request command.
  • When the control device 102 a determines that the data request command is the non-regulation message and determines that it is necessary to encrypt the data request command (YES at B107), the control device 102 a encrypts the data request command (B108) and transmits the encrypted data request command from the ECU-side-bus communication device 102 b to the access target ECU 104. When the control device 102 a determines that the data request command is the regulation message and determines that it is unnecessary to encrypt the data request command (NO at B107), the control device 102 a transmits, without encrypting the data request command, the data request command from the ECU-side-bus communication device 102 b to the access target ECU 104.
  • As shown in FIG. 3, in the access target ECU 104, when the control device 104 a determines that the bus communication device 104 b receives the data request command from the vehicular gateway apparatus 102, the control device 104 a determines whether or not it is necessary to decrypt the received data request command (C101). Specifically, when the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is the encrypted data request command, the control device 104 a determines that it is necessary to decrypt the data request command (YES at C101). In this case, the control device 104 a decrypts the data request command (C102) and performs data processing according to content of the data request command (C103). The data processing may include rewriting a control program, reading out a data, or the like. When the control device 104 a determines that the data request command received from the vehicular gateway apparatus 102 is not encrypted, the control device 104 a determines that it is unnecessary to decrypt the data request command (NO at C101). In this case, the control device 104 a performs the data processing according to the content of the data request command (C103).
  • Upon completion of the data processing, the control device 104 a determines whether or not it is necessary to encrypt a data response command indicative of the completion of the data processing (C104). For example, when the data request command received from the gateway apparatus 102 is encrypted, the control device 104 a determines that it is necessary to encrypt a data response command indicative of the completion of the data processing. When the data request command received from the gateway apparatus 102 was not encrypted, the control device 104 a determines that it is unnecessary to encrypt the data response command indicative of the completion of the data processing. Alternatively, importance degrees of data response commands may be preset, and the control device 104 a may determines whether or not it is unnecessary to encrypt the data response command indicative of the completion of the data processing, regardless of whether or not the data request command received from the gateway apparatus 102 was encrypted.
  • When the control device 104 a determines that it is necessary to encrypt the data response command (YES at C104), the control device 104 a encrypts the data response command (C105) and transmits the encrypted data response command from the bus communication device 104 b to the vehicular gateway apparatus 102. When the control device 104 a determines that it is unnecessary to encrypt the data response command (NO at C104), the control device 104 a transmits, without encrypting the data response command, the data response command from the bus communication device 104 b to the vehicular gateway apparatus 102.
  • In the vehicular gateway apparatus 102, the control device 102 a determines that the ECU-side-bus communication device 102 b receives the data response command from the access target ECU 104, the control device 102 a determines whether or not it is necessary to decrypt the received data response command (B109). Specifically, when the control device 102 a determines that the data response command received from the access target ECU 104 is encrypted, the control device 102 a determines that it is necessary to decrypt the received data response command (YES at B109). In this case, the control device 102 a decrypt the encrypted data response command (B110) and transmits the decrypted data response command from the external-tool-side communication device 102 c to the external tool 105. When the control device 102 a determines that the data response command received from the access target ECU 104 is not encrypted, the control device 102 a determines that it is unnecessary to decrypt the received data response command (NO at B109). In this case, the control device 102 a transmits, without decrypting, the data response command from the external-tool-side communication device 102 c to the external tool 105.
  • As described above, in response to connecting the external tool 105, the control device 102 a of vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative (YES at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 as a proper external tool 105, and sets the authenticated state (step B104), as illustrated in FIG. 2. Thereafter, the control device 102 a permits receipt of a data request command regardless of whether the data request command is a regulation message or a non-regulation message.
  • As illustrated in FIG. 4, when the control device 102 a determines that the result of the authentication of the external tool 105 is negative (NO at B103), the control device 102 a specifies the external tool 105 connected to the connector 107 an improper external tool, and does not set the authenticated state. Therefore, when the control device 102 a determines that an data request command from the external tool 105 is a non-regulation message requiring the authentication, the control device 102 a discards the data request command and rejects the receipt of the data request command to reject the data communication (B111), because the result of the previously-performed authentication is negative and the authenticated state is not set. That is, at B111, the control device 102 a rejects the data communication. In this case, the rejection of the receipt of the data request command may include nullifying the data request command without discarding data request command. That is, the rejection of the receipt of the data request command may include prohibiting the processing in line with the content of the data request command.
  • The above illustration is directed to a situation where, on an as-needed basis, the vehicular gateway apparatus 102 encrypts the data request command received from the external tool 105. Alternatively, the external tool 105 may have a function to encrypt the data request command, and may encrypt the data request command on an as-needed basis.
  • As described above, when the control device 102 a determines that the result of the authentication is affirmative, the control device 102 a sets the authenticated state to permit the receipt of the data request command from the external tool 105. A period of maintaining the authenticated state is managed in the following ways.
  • Specifically, the control device 102 a manages the period of maintaining the authenticated state, based on the following first to fourth periods:
  • (1) A first period from a time when the authenticated state was set to a time a predetermined time has elapsed.
  • (2) A second period during which an authenticated state maintain request signal is inputted from an external.
  • (3) A third period during which a vehicle state satisfies a predetermined condition.
  • (4) A fourth period during which the bus 106 is in a communicating state.
  • In the following, the first to fourth periods will be illustrated.
  • (1) The First Period (from a Time when the Authenticated State was Set to a Time a Predetermined Time has Elapsed).
  • As shown in FIG. 5, in the vehicular gateway apparatus 102, the control device 102 a sets the authenticated state (B104), starts an authentication maintain timer for counting a predetermined time (B112), and monitors whether or not the authentication maintain timer reaches the predetermined time (B113). When the control device 102 a determines that the authentication maintain timer reaches the predetermined time (YES at B113), the control device 102 a ends the authenticated state. In this example, the period of maintaining the authenticated state is managed by the vehicular gateway apparatus 102 alone. The predetermined time to be counted by the authentication maintain timer may be an initial value set in production, or may be a set value which is set and inputted by the operator operating the external tool 105.
  • (2) The Second Period (a Period During which the Authenticated State Maintain Request Signal is Inputted from an External).
  • One example is illustrated in FIG. 6. In FIG. 6, after the authenticated state is set (B104), the control device 102 a of the vehicular gateway apparatus 102 maintains the authenticated state within a period during which the control device 102 a determines that the authenticated state maintain request command is received by the external-tool-side-bus communication device 102 c. Upon determining that an authenticated state end request command is received by the external-tool-side-bus communication device 102 c, the control device 102 a ends the authenticated state (B114). In this example, the external tool 105 leads the control of the period of maintaining the authenticated state.
  • Another example is illustrated in FIG. 7. In FIG. 7, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 transmits an authenticated state notice command from the ECU-side-bus communication device 102 b to the access target ECU 104, so that the access target ECU 104 transmits the authenticated state maintain request command. Within the period during which the control device 102 a determines that the authenticated state maintain request command from the access target ECU 104 is received by the ECU-side-bus communication device 102 b, the control device 102 a maintains the authenticated state. Upon determining that the authenticated state end request command from the access target ECU is received by the ECU-side-bus communication device 102 b, the control device 102 a ends the authenticated state (B114). In this example, the access target ECU 104 leads the control of the period of maintaining the authenticated state. It should be noted that the predetermined period during which the external tool 105 or the access target ECU 104 periodically transmits the authenticated state maintain request command to the vehicular gateway apparatus 102 may be an initial value set in production or may be a set value which is set and inputted by the operator operating the external tool 105.
  • (3) The Third Period (a Period During which the Vehicle State Satisfies the Predetermined Condition)
  • As shown in FIG. 8, in the vehicular gateway apparatus 102, after setting the authenticated state (B104), the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition (B115), by receiving the vehicle state from the ECU 104 through the ECU-side-bus communication device 102 b. For example, the predetermined condition may be one of the followings: the immobilizer is in an unlocked state (released state); the ignition switch is off; and the door is in a closed state. That is, when at least one of the above three conditions is satisfied, the control device 102 a determines that the vehicle state satisfies the predetermined condition (YES at B115). During a period of determining that the vehicle state satisfies the predetermined condition, the control device 102 a maintains the authenticated state. When the control device 102 a determines that the vehicle state becomes failing to satisfy the predetermined condition (NO at B115), the control device 102 a ends the authenticated state. In this case, the vehicular gateway apparatus 102 leads the control of the period of maintaining the authenticated state.
  • (4) The Fourth Period (the Period During which the Bus 106 is in the Communicating State)
  • As shown in FIG. 9, after setting the authenticated state (B104), the control device 102 a of the vehicular gateway apparatus 102 determines whether or not the bus 106 is in the communicating state (B116). Specifically, when the control device 102 a determines that one of the ECU-side-bus communication device 102 b and the external-tool-bus communication device 102 b is in the communicating state, the control device 102 a determines that the bus 106 is in the communicating state (YES at B116). Within the period during which the control device 102 a determines that the bus is in the communicating state, the control device 102 a maintains the authenticated state. Upon determining that the bus 106 is changed into a not-communicating state (NO at B116), the control device 102 a ends the authenticated state (B114). In this case, the vehicular gateway apparatus manages the period of maintaining the authenticated state, based on the communicating state of the bus 106.
  • As described above, in the present example of the first embodiment, the vehicular gateway apparatus 102 is connected with the bus 106 so as to partition (separate) the external tool 105 from the ECU 103 and the ECU 104. When the external tool 105 is connected, the vehicular gateway apparatus 102 performs the authentication of the external tool 105. When a result of the authentication of the external tool 105 is affirmative, the vehicular gateway apparatus 102 sets the authenticated state, so that the vehicular gateway apparatus 102 permits the receipt of a subsequent data request command from the external tool 105 regardless of whether or not the data request command is a non-regulation message requiring the authentication. When the result of the authentication of the external tool 105 is negative, the vehicular gateway apparatus 102 does not set the authenticated state, so that when the vehicular gateway apparatus 102 determines that a subsequent data request command from the external tool 105 is a non-regulation message requiring the authentication, the vehicular gateway apparatus 102 rejects the receipt of the data request command.
  • According to the above configuration, even in cases where an improper external tool is connected to the bus 106, the harms resulting from the connection of the improper external tool can be prevented. As a result, it is possible to enhance security. To achieve this advantage, it is unnecessary to change specifications of data communication between the external tool 105 and the ECUs 103, 104.
  • Additionally, since the period of maintaining the authenticated state is managed, it is possible to avoid unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU after cutting off the connection of the external tool. As a result, it is possible to further enhance the security. Additionally, since the authenticating of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
  • Additionally, during the period of prohibiting the data communication between the external tool 105 and the access target ECU, the data communication of a specified data (e.g., regulation message) between external tool 105 and the access target ECU is exceptionally permitted. Therefore, while preventing the harms resulting from the connection of the improper external tool, it is possible to ensure the data communication of the specified data.
  • Second Example of First Embodiment
  • A second example of the first embodiment will be described with reference to FIGS. 9 and 10.
  • In the first example of the first embodiment, the vehicular gateway apparatus 102 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state. In an vehicular data communication authentication system 121 of the second example, one of ECUs has an authentication function, so that the one of ECUs is designated as an authentication ECU.
  • Additionally, this authentication ECU performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state and maintains the authenticated state.
  • As shown in FIG. 9, in a vehicular data communication authentication system 111, the authentication ECU 103 includes an authentication device 103 d. The authentication device 103 d is provided as a substitute for the authentication device 103 d of the vehicular gateway apparatus 102 of the first example of the first embodiment. That is, the authentication device 103 d has substantially the same function as the authentication device 103 d.
  • As shown in FIG. 10, in the authentication ECU 103, when the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.
  • When the control device 102 a of the vehicular gateway apparatus 102 determines that the ECU-side-bus communication device 102 b has received the authentication result affirmative response command from the authentication ECU, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs B104 and B112 to B114, which have already illustrated in the first example. Specifically, the authentication ECU 103 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets the authenticated state. Thereafter, the vehicular gateway apparatus 102 maintains the authenticated state until the predetermined time has elapsed since the authenticated state was set. In the above illustration, the authenticated state is maintained only within the predetermined period after the authenticated state is set. However, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the second example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the authentication ECU 103 and the vehicular gateway apparatus 102.
  • Third Example of First Embodiment
  • A third example of the first embodiment will be described with reference to
  • FIGS. 12 and 13. In the third example, the vehicular gateway apparatus 102 connected with the bus 106 is absent. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are preformed by authentication ECU 103.
  • Specifically, as shown in FIG. 12, in a vehicular data communication authentication system 131, the authentication ECU 103 includes an authentication device 103 d, an authentication control device 103 e, a communication control device 103 f, a filtering device 103 g, and an authentication maintain device 103 h. The authentication device 103 d, the authentication control device 103 e, the communication control device 103 f, the filtering device 103 g and the authentication maintain device 103 h, respectively, have substantially the same function as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
  • As shown in FIG. 13, in the authentication ECU 103, the control device 103 a determines that the bus communication device 103 b has received an authentication seed request command from the external tool 105 through the vehicular gateway apparatus 102, the control device 103 a performs D101 to D103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 as illustrated in the first example. When the control device 103 a determines that a result of the authentication of the external tool 105 is affirmative (YES at D103), the control device 103 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Additionally, the control device 103 a performs D104 to D107, which correspond to B104 and B112 to B114 performed by the vehicular gateway apparatus 102 of the first example. In the present example also, as is the cases in the first example, the authenticated state can be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the third example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication ECU 103 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated state, it is possible to omit the vehicular gateway apparatus 102. In the present example, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the external tool 105 and that the access target ECU 104 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • Fourth Example of First Embodiment
  • A fourth example of the first embodiment will be described with reference to FIGS. 14 and 15. In the fourth example of the first embodiment, the vehicular gateway apparatus 102 is not connected with the bus 106. The authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the access target ECU 104.
  • Specifically, as shown in FIG. 14, in a vehicular data communication authentication system 131, the access target ECU 104 includes an authentication device 104 c, an authentication control device 104 d, a communication control device 104 e, a filtering device 104 f, and an authentication maintain device 104 g. The authentication device 104 c, the authentication control device 104 d, the communication control device 104 e, the filtering device 104 f and the authentication maintain device 104 g, respectively, have substantially the same functions as the authentication device 102 d, the authentication control device 102 e, the communication control device 102 f, the filtering device 102 g and the authentication maintain device 102 h illustrated in the first example.
  • As shown in FIG. 15, when the control device 104 a of the access target ECU 104 determines that the bus communication device 104 b has received the authentication seed request command from the external tool 105, the control device 104 a performs C106 to C112, which correspond to D101 to D107 performed by the authentication ECU 103 of the third example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state. In the fourth example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, after cutting off the connection of the external tool for example, it is possible to enhance the security. Additionally, since the access target ECU 104 performs the authentication of the external tool 105, sets the authenticated state and maintains the authenticated stat, it is possible to omit the vehicular gateway apparatus 102. In the present example, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the external tool 105 and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • Fifth Example of First Embodiment
  • A fifth example of the first embodiment will be described with reference to
  • FIGS. 16 and 17. As shown in FIG. 16, in the fifth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (sever) 109 communicable with the external tool 105 and the communication device 108 via a wide area communication network are present. The center 109 performs the authentication of the external tool 105, and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
  • Specifically, in a vehicular data communication authentication system 141, the center 109 includes an authentication device 109 a. The authentication device 109 a is provided as a substitute for the authentication device 102 d of the vehicular gateway apparatus 102 of the first example. The authentication device 109 a has substantially the same function as the authentication device 102 d illustrated in the first example.
  • As shown in FIG. 17, when the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 illustrated in the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.
  • The control device 102 a of the vehicular gateway apparatus 102 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 102 a receives the authentication result affirmative response command from the communication device 108, the control device 102 a performs B104 and B112 to B114, which have been already illustrated in the first example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the vehicular gateway apparatus 102 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the vehicular gateway apparatus 102. Additionally, since the center 109, which is located outside of the vehicular data communication authentication system 141, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
  • Sixth Example of First Embodiment
  • A sixth example of the first embodiment will be described with reference to FIGS. 18 and 19. As shown FIG. 18, in the sixth example, a communication device 108 is connected with the ECU-side-bus 106 a. Additionally, a center (sever) 109 communicable with the external tool 105 and the communication device 108 through a wide area communication network is present. The center 109 performs the authentication of the external tool 105, and the authentication ECU 103 sets and maintains the authenticated state.
  • As shown in FIG. 19, when the center 109 determines that the center 109 has receives the authentication seed request command from the external tool 105, the center 109 performs E101 to E103, which correspond to B101 to B103 performed by the vehicular gateway apparatus 102 of the first example. When the center 109 determines that the result of the authentication of the external tool 105 is affirmative (YES at E103), the center 109 transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 and the communication device 108.
  • The control device 103 a of the authentication ECU 103 receives the authentication result affirmative response command from the center 109 through the communication device 108. When determining that the control device 103 a receives the authentication result affirmative response command from the communication device 108, the control device 103 a performs D104 and D107 as illustrated in the second example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the center 109 performs the authentication of the external tool 105 and since the authentication ECU 103 sets and maintains the authenticated state, the authentication of the external tool 105, the setting of the authenticated state and the maintaining of the authenticated state are decentrally performed by the center 109 and the authentication ECU 103. Additionally, since the center 109, which is located outside of a vehicular data communication authentication system 151, performs the authentication of the external tool 105, it is possible to perform high-security authentication by, for example, minutely updating the authentication seeds. Therefore, it is possible to further enhance security.
  • Seventh Example of First Embodiment
  • A seventh example will be described with reference to FIG. 20. In the seventh example, even in cases where it is impossible to directly perform the authentication of the external tool 105, the system enables indirect authentication of the external tool 105 by performing the authentication of the vehicle state. The seventh example can be achieved by using the same functional blocks (FIG. 1) as the first example.
  • As shown in FIG. 20, the control device 102 a of the vehicular gateway apparatus 102 receives the vehicle state from the ECU 103 through the ECU-side-bus communication device 102 b, thereby specifying the vehicle state (B117). Then the control device 102 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (B118). For example, the control device 102 a determines whether or not the immobilizer is in the unlocked state, whether or not the ignition switch is off, and whether or not the door is in the closed state.
  • Specifically, when a proper worker connects a proper external tool to the connector 107, the vehicle state is a normal state in which the immobilizer is in the released state (unlocked state), the ignition switch is off or the door is in the closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is affirmative. However, when a third party having a bad intention connects a improper external tool to the connector 107, the vehicle state is a abnormal state in which the immobilizer is not in the released state; the ignition switch is not off; or the door is not the not-closed state. Thus, in the above situation, it is determined that the result of the authentication of the vehicle state is not affirmative.
  • In the gateway apparatus 102, when the control device 102 a determines that the result of the authentication of the vehicle state is affirmative (YES at B119), the control device 102 a performs B104. At B104, the control device 102 a transmits an authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the external-tool-side-bus communication device 102 c. Additionally, the control device 102 a sets the authenticated state, which is a state where the vehicle state is authenticated. Within a period during which the authenticated state is set, the control device 102 a permits receipt of a data request command from the external tool 105 (permits the data communalization). Within a period during which the authenticated state is not set, the control device 102 a prohibits the receipt of the data request command from the external tool 105 (prohibits the data communalization).
  • When the authenticated state is set in the above way (B104), the control device 102 a performs B112 to B114 as illustrated in the first example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authenticating of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state are collectively performed by the vehicular gateway apparatus 102, it is possible to achieve the above advantages by adding the vehicular gateway apparatus 102. Therefore, it is possible to achieve the above advantages while minimizing a change in an existing system.
  • Eighth Example of First Embodiment
  • An eighth example will be described with reference to FIG. 21. In the eighth example, the authentication ECU performs the authentication of the vehicle state and the vehicular gateway apparatus 102 sets and maintains the authenticated state.
  • The eighth example can be achieved by using the same functional blocks (FIG. 10) as the second example.
  • As shown in FIG. 21, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external, thereby specifying the vehicle state (D108). Then the control device 103 a determines whether or not the vehicle state satisfies a predetermined condition, thereby performing the authentication of the vehicle state. In this way, the control device 102 a determines whether a result of the authentication of the vehicle state is affirmative or negative (D109). The control device 103 a determines that the result of the he authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, from the bus communication device 103 b to the vehicular gateway apparatus 102.
  • When the control device 102 a of the vehicular gateway apparatus 102 determines that the authentication result affirmative response command from the authentication ECU 103 is received by the ECU-side-bus communication device 102 b, the control device 102 a transmits the authentication result affirmative response command to the external tool 105 by using the external-tool-side communication device 102 c. Thereafter, the control device 102 a performs B104, and B112 to B114 as illustrated in the first example. In other words, the authentication ECU 103 performs the authentication of the vehicle state, and the vehicular gateway apparatus 102 sets the authenticated state, and maintains the authenticated state only within the predetermined period after the authenticated state was set. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
  • Ninth Example of First Embodiment
  • A ninth example will be described with reference to FIG. 22. In the ninth example, the authentication ECU 103 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The ninth example can be achieved by using the same functional blocks (FIG. 12) as the third example.
  • As shown in FIG. 22, the control device 103 a of the authentication ECU 103 receives the vehicle state from an external and performs D108 to D110 as illustrated in the seventh example. When the control device 103 a determines that the result of the authentication of the vehicle state is affirmative (YES at D110), the control device 103 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 103 b. Thereafter, the control device 103 a performs D104 to D107 as illustrated in the third example. In the present example also, as is the cases inn the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state. In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security. Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the authentication ECU 103, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the access target ECU 104 may include an authentication control device 104 d and an authentication maintain device 104 g, so that the authentication ECU 103 performs the authentication of the vehicle state and that the access target ECU 104 sets and maintains the authenticated state. In other words, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • Tenth Example of First Embodiment
  • A tenth example will be described with reference to FIG. 23. In the tenth example, the access target ECU 104 performs the authentication of the vehicle state, sets the authenticated state, and maintains the authenticated state. The tenth example can be achieved by using the same functional blocks (FIG. 14) as the fourth example.
  • As shown in FIG. 23, the control device 104 a of the access target ECU 104 receives the vehicle state from the ECU 103 through the bus communication device 104 b, thereby specifying the vehicle state (C13). Then the control device 104 a determines whether or not the vehicle state satisfies the predetermined condition, thereby performing the authentication of the vehicle state and determining whether or not a result of the authentication is affirmative or negative (C14). When the result of the authentication is affirmative (YES at C14), the control device 104 a transmits the authentication result affirmative response command, which indicates that the result of the authentication is affirmative, to the external tool 105 by using the bus communication device 104 b. Then the control device 104 a performs C109 to C112 as illustrated in the fourth example. In the present example also, as is the cases in the first example, the authenticated state may be maintained, for example, only within: a period during which the authenticated state maintain request signal is inputted from the external such as the external tool 105, the authentication ECU 103 or the like; a period during which the vehicle state satisfies the predetermined condition; or a period during which the bus 106 is in the communicating state.
  • In the present example, the period of maintaining the authenticated state is managed in a manner similar to that in the first example. Therefore, after cutting off the connection of the external tool for example, it is possible to avoid the unnecessary extension of the period of permitting the data communication between the external tool 105 and the access target ECU. As a result, it is possible to enhance the security.
  • Additionally, since the authentication of the vehicle state, the setting of the authenticated state and the maintaining of the authenticated state are preformed by the access target ECU 104, it is possible to omit the vehicular gateway apparatus 102. Alternatively, the authentication ECU 103 may include an authentication control device 103 e and an authentication maintain device 103 h, so that the access target ECU 104 performs the authentication of the vehicle state and that the authentication ECU 103 sets and maintains the authenticated state. That is, the authentication of the vehicle state, the setting of the authenticated state, and the maintaining of the authenticated state may be decentrally performed by multiple ECUs.
  • Other Examples of First Embodiment
  • The above-illustrated examples do not limit examples of the first embodiment. The first embodiment can be modified and extended in various ways. For example, when (i) the result of the authentication of the external tool 105 is affirmative and (ii) the result of the authentication of the vehicle state is affirmative, the authenticated state may be set. The vehicle state to be authenticate is not limited to the state (locked state, released stated) of the immobilizer, the state (on, off) of the initiation switch, and the state of the door (open state, closed state). Any state can be adopted as long as the state enable a determination as to whether or not a proper operator connects a proper external tool or an improper operator connects an improper external tool. Further, the determination may be used by using a single one of the states or by using a combination of the states. The filtering device 102 g of the vehicular gateway apparatus 102, the filtering device 103 g of the authentication ECU 103, and the filtering device 104 f of the access target ECU 104 may be omissible.
  • Second Embodiment
  • A first example of the embodiment will be described with reference to FIGS. 24 to 27. As shown in FIG. 24, in a vehicular data communication system 201, a vehicular data communication apparatus 202 is connected with a bus so as to partition (separate) multiple ECUs including a first ECU 203 and a second ECU 204 from an external tool 205. Each of the ECUs and the external tool 205 serves as a node.
  • The external tool 205 is operable by an operator. A bus connecting the vehicular data communication apparatus 202 and the external tool 205 is called a bus A. That is, the bus A is a bus for data transmission between the vehicular data communication apparatus 202 and the external tool 205. A bus connecting the vehicular data communication apparatus 202 and the first ECU 203 is called a bus B. That is, the bus B is a bus for data transmission between the vehicular data communication apparatus 202 and the first ECU 203. A bus connecting the vehicular data communication apparatus 202 and the second ECU 204 is called a bus C. That is, the bus C is a bus for data transmission between the vehicular data communication apparatus 202 and the second ECU 204. A connector 206, to which the external tool 205 is connectable, is provided on an external tool side of the bus A. When the external tool 205 is connected to the connector 206, the external tool 205 becomes able to communicate with the vehicular data communication apparatus 202.
  • The bus A, the bust B and the bus C adopt a control device area network (CAN) as a data communication method. The CAN communication defines a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN communication, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not defined.
  • The vehicular data communication apparatus 202 includes a control device 202 a (which can correspond to an example of encryption control device and means), an ECU-side-bus communication device 202 b, an external-tool-side-bus communication device 202 c, an encryption device 202 d, and an encryption table 202 e (which can correspond to an encryption information storage device or means). The control device 202 a includes a microcomputer. By executing a control program with the microcomputer, the control device 202 a controls operations of the ECU-side-bus communication device 202 b, the external-tool-side-bus communication device 202 c and the encryption device 202 d. The ECU-side bus communication device 202 b is connected with the bus B and the bus C, and controls data transmission and receipt between the first ECU 203 and the second ECU 204. The external-tool-side bus communication device 202 c is connected with the bus A. In a state where the external tool 205 is connected to the connector 206, the external-tool-side bus communication device 202 c controls communications, such as data transmission and receipt, with the external tool 205.
  • By referencing the encryption table 202 e, the encryption device 202 d references the encryption table 202 e to encrypt and rewrite a plaintext data into an encrypted-text data. In the above, the plaintext data to be encrypted may be (i) a plaintext data which the external-tool-side bus communication device 202 c receives from the external tool 205, and (ii) a plaintext data which the ECU-side-bus communication device 202 b receives from the first ECU 203 or the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption table 202 e stores an encryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus B, the encryption table 202 e stores the encryption information (“encr” in FIG. 24) indicating that the plaintext is to be encrypted. For the case where the bus connected with the data source node is the bus A and the bus connected with the data destination node is the bus C, the encryption table 202 e stores the encryption information (“plain” in FIG. 24) indicating that the plaintext is not to be encrypted.
  • The first ECU 203 includes a control device 203 a (which can correspond to an example of decryption control device and means), a bus communication device 203 b, a decryption device 203 c, and a decryption table 203 d (which can correspond to an example of decryption information storage device and means). The control device 203 a includes a microcomputer. By executing a control program with the microcomputer, the control device 203 a controls the bus communication device 203 b and the decryption device 203 c. The bus communication device 203 b is connected with the bus B and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
  • The decryption device 203 c decrypts an encrypted-text data received from the vehicular data communication apparatus 202, by rewriting the encrypted-text data into a plain text data when the bus communication device 203 b receives the encrypted-text data from the vehicular data communication apparatus 202. For each bus connected with a data source node, the decryption table 203 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus A, the decryption table 203 d stores “decry” indicating that the encrypted-text data is to be decrypted. For the case where the bus connected with the source node is the bus C, the decryption table 203 d stores “plain” indicating that the plain-text data is not to be decrypted.
  • The second ECU 204 has substantially the same configuration as the first ECU 203. The second ECU 204 includes a control device 204 a (which can correspond to an example of decryption control device and means), a bus communication device 204 b, a decryption device 204 c, and a decryption table 204 d (which can correspond to an example of decryption information storage device and means). The control device 204 a includes a microcomputer. By executing a control program with the microcomputer, the control device 204 a controls the bus communication device 204 b and the decryption device 204 c. The bus communication device 204 b is connected with the bus C and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
  • The decryption device 204 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 204 b receives the encrypted-text data from the vehicular data communication apparatus 202. For each bus connected with the data source node, the decryption table 204 d stores decryption information. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bust A, the information “plain” indicating that the plain-text data is not encrypted is stored. For the case where the bus connected with the data source node is the bus C, “the information decry” indicating that the encrypted-text data is to be decrypted is stored.
  • The external tool 205 includes a control device 205 a (which can correspond to a decryption control device and means), a bus communication device 205 b, a decryption device 205 c, a decryption table 205 d (which can correspond to a decryption information storage device and means), an input/output interface (IF) 205 e. The control device 205 a includes a microcomputer. By executing a control program with the microcomputer, the control device 205 a controls operations of the bus communication device 205 b, the decryption device 205 c, and the input/output interface (IF) 205 e. The bus communication device 205 b is connected with the bus A and controls communication, such as data transmission and receipt, with the vehicular data communication apparatus 202.
  • The decryption device 205 c decrypts an encrypted-text data by rewriting the encrypted-text data into a plain text data when the bus communication device 205 b receives the encrypted-text data from the vehicular data communication apparatus 202. The decryption table 205 d stores decryption information for each data bus connected with the data source node. For example, as illustrated in FIG. 24, for the case where the bus connected with the data source node is the bus B, the information “decry” indicating that the encrypted-text data is to be decrypted is stored. For the case where the bus connected with the data source node is the bus C, the information “plain” indicating that the plain-text data is not decrypted is stored.
  • The input/output IF 205 e has a function to accept an input operation from the operator operating the external tool 205, and has a function to issue a notification by, for example, displaying a data. Specifically, by connecting the external tool 205 to the connector 206 and performing the input operation to the external tool 205, the operator can rewrite the control program of an access target ECU and read out a data from the access target ECU. The external tool 205 is not limited to a dedicated node for rewriting the control program of the access target ECU and reading out the data from the access target ECU but the external tool 205 may be a cellular phone, a personal digital assistance or the like having the above functions.
  • The encryption and decryption may use a public-key cryptography, in which the encryption is performed with a public-key and the decryption is performed with a private-key. Alternatively, the encryption and decryption may use a common-key cryptography, in which the encryption and decryption are performed with a common-key. Various ECUs may be used as the first ECU 203 and the second ECU 204. For example, the first ECU 203 or the second ECU 204 may be one of an engine ECU for controlling an engine, a door lock ECU for controlling operations of a door lock mechanism, a navigation ECU for controlling navigation operations, a meter ECU for controlling operations of a meter (indicator), and the like. For example, when the first ECU 203 or the second ECU 204 is the engine ECU, the first ECU 203 or the second ECU 204 includes a functional block for controlling the engine in addition to the above-described functional blocks. In the example shown in FIG. 24, the number of ECUs is two. However, the number of ECUs may be one, or more than two.
  • The encryption table and the decryption table are set up based on, for example, the following. Let us assume that the data transmitting through the bus can be classified into a regulation message (i.e., the message that gives obligation to answer in response to the request) and a non-regulation message (i.e., the message that does not give obligation to answer in response to the request). In this case, the encryption table and the decryption table are set up, so that (i) the information indicating that the encryption or decryption is not to be performed is set for the bus connected with the node that transmits and receives the regulation message, and (ii) the information indicating that the encryption or decryption is to be performed is set for the bus connected with the node that transmits and receives the non-regulation message.
  • Operations will be described with reference to FIGS. 25 to 28. In the following, three situations are illustrated. A first situation is that the external tool 205 and the first ECU 203 perform the data communication. A second situation is that the external tool 205 and the second ECU 204 perform the data communication. A third situation is that the first ECU 203 and the second ECU 204 perform the data communication.
  • (1) The First Situation (the External Tool 205 and the First ECU 203 Perform The Data Communication)
  • In this situation, the processes illustrated in FIG. 25 are performed by the external tool 205, the first ECU 203, and the vehicular data communication apparatus 202. As illustrated in FIG. 25, when the external tool 205 is connected to the connector 206, the plain-text data is transmitted from the external tool 205 to the first ECU 203 (data destination node). In this case, when the control device 202 a of the vehicular data communication apparatus 202 determines that the plain-text data is received by the external-tool-side-bus communication device 202 c, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B201). When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B201), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B202), and transmits the encrypted-text data to the first ECU 203 by using the ECU-side-bus communication device 202 b. When the control device 202 a determines that it is not necessary to encrypt the plaintext data (NO at B201), the control device 202 a transmits the plaintext data to the first ECU 203 by using the ECU-side-bus communication device 202 b, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus A connected with the source and the bus B connected with the destination, the control device 202 a encrypts the plaintext data received from the external tool 205, and transmits the encrypted-text data to the first ECU 203.
  • When the control device 203 a of the first ECU 203 determines that the bus communication device 203 b has received the data, which is addressed to the first ECU 203, from the vehicular data communication apparatus 202, the control device 203 a performs C201. At C201, by referencing the decryption table 203 d, the control device 203 a determines whether or not it is necessary to decrypt the received data. When the control device 203 a determines that it is necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the encrypted-text data (YES at C201), the control device 203 a decrypts the encrypted-text data (C202) and performs data processing based on the decrypted data. When the control device 203 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at C201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (C203). In the present example, since “decry” is stored for the bus A connected with the data source node, the control device 203 a decrypts the encrypted-text data received from the vehicular data communication apparatus 202, and performs the data processing based on the plaintext data. Thereafter, the control device 203 a transmits a plaintext data to the vehicular data communication apparatus 202 by using the bus communication device 203 b.
  • When the control device 202 a of the vehicular data communication apparatus 202 determines that the external-tool-side-bus communication device 202 c has received the plain-text data, which is addressed to the external tool 205, from the external tool 205, the control device 202 a performs B203. At B203, by referencing the encryption table 202 e, the control device 202 a determines whether or not it is necessary to encrypt the received plain-text data (B203). When the control device 202 a determines that it is necessary to encrypt the received plain-text data (YES at B203), the control device 202 a encrypts the plaintext data by using the encryption device 202 d (B204), and transmits the encrypted-text data to the external tool 205 by using the external-tool-side-bus communication device 202 c. When the control device 202 a determines that it is not necessary to encrypt the received plain-text data (NO at B203), the control device 202 a transmits the plaintext data to the external tool 205 by using the external-tool-side-bus communication device 202 c, without encrypting the plaintext data by using the encryption device 202 d. In the present example, since “encry” is stored for a combination of the bus B on a source side and the bus A on a destination side, the control device 202 a encrypts the plaintext data received from the first ECU 203, and transmits the encrypted-text data to the external tool 205.
  • When the control device 205 a of the external tool 205 determines that the bus communication device 205 b has received the data, which is addressed to the external tool 205, from the vehicular data communication apparatus 202, the control device 205 a performs A201. At A201, by referencing the decryption table 205 d, the control device 205 a determines whether or not it is necessary to decrypt the received data. When the control device 205 a determines that it is necessary to decrypt the received data, in other words, when the control device 205 a determines that the received data is the encrypted-text data (YES at A201), the control device 205 a decrypts the encrypted-text data (A202) and performs data processing based on the decrypted data (A203). When the control device 205 a determines that it is not necessary to decrypt the received data, in other words, when the control device 203 a determines that the received data is the plaintext data (NO at A201), the control device 203 a performs data processing based on the plaintext data without decrypting the plaintext data (A203). In the present example, since “decry” is stored for the bus B on the source side, the control device 205 a decrypts the decrypted-text data received from the vehicular data communication apparatus 202 to obtain a plaintext data and performs the data processing based on the plaintext data
  • As described above, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus A on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the first ECU 203. Moreover, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the external tool 205.
  • (2) The Second Situation (the External Tool 205 and the Second ECU 204 Perform the Data Communication)
  • As shown in FIG. 26, the vehicular data communication apparatus 202 performs step B211 and B212, and then, the second ECU 204 performs D211 to D213, and then the vehicular data communication apparatus 202 performs B213 and B214, and then the external tool 205 performs A211 to A213. In the present example, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus A on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the external tool 205, the vehicular data communication apparatus 202 transmits the received plaintext data to the second ECU 204 without encrypting the received plaintext data. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus A on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the external tool 205 without encrypting the received plaintext data.
  • (3) The Third Situation (the First ECU 203 and the Second ECU 204 Perform The Data Communication).
  • As shown in FIG. 27, the vehicular data communication apparatus 202 performs step B221 and B222, and then, the second ECU 204 performs D221 to D223, and then the vehicular data communication apparatus 202 performs B223 and B224, and then the first ECU 203 performs C221 to C223. In the present example, the vehicular data communication apparatus 202 stores “encry” for the combination of the bus B on the data source side and the bus C on the data destination side. Thus, upon receipt of the plaintext data from the first ECU 203, the vehicular data communication apparatus 202 encrypts the received plaintext data into a decrypted-text data and transmits the decrypted-text data to the second ECU 204. Moreover, the vehicular data communication apparatus 202 stores “plain” for the combination of the bus C on the data source side and the bus B on the data destination side. Thus, upon receipt of the plaintext data from the second ECU 204, the vehicular data communication apparatus 202 transmits the received plaintext data to the first ECU 203 without encrypting the received plaintext data.
  • In the first example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each combination of a bus connected with a data source node and a bus connected with a data destination node, the encryption information (the encryption table) indicating whether or not the data is to be encrypted is uniformly managed by the vehicular data communication apparatus 202. Additionally, for each bus connected with the data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
  • Accordingly, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. For example, it is possible to use a processing capacity (e.g., a memory capacity), which is not unlimited, for a primary function, and it is possible to ensure fulfilling the primary function. It should be noted that if the encryption or the decryption causes the failure to fulfill the primary function (e.g., processing delay), a negative influence may be give on, for example, vehicle control during the vehicle traveling. Therefore, the configuration of the present example is remarkably advantageous in a system in which the ECU serves as a node. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication. Specifically, even if an improper external tool is connected to the bus, a data transmitted from the improper external tool is not supported by the encryption of the vehicular data communication apparatus 202, and thus, it becomes possible to prevent the improper rewriting of the control programs of the first ECU 203 and the second ECU 204 and the improper reading out of the first ECU 203 and the second ECU 204.
  • Moreover, even when multiple nodes transmitting a data needed to be encrypted are connected with the same bus and/or even when multiple nodes transmitting a data unneeded to be encrypted are connected with the same bus, an encryption table and/or an decryption table targeted for respective individual nodes are not required to be set up. Instead, the encryption table and/or the decryption table targeted for respective individual nodes are set up. Therefore, a work for setting up the encryption table and/or the decryption table is simple.
  • Although the above illustration is directed to the system in which the first ECU 203 is connected with the vehicular data communication apparatus 202 through the bus B, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 are connected with the vehicular data communication apparatus 202 through the bus B. Specifically, as shown in FIG. 28, in the vehicular data communication system 211, the first ECU 203 and a third ECU 207 may be connected with the vehicular data communication apparatus 202 through the bus B. In this configuration, the third ECU 207 stores the same decryption table as the first ECU 203 stores, so that the third ECU 207 can performs substantially the same process as the first ECU 203. It should be noted that when the first ECU 203 and the third ECU 207 perform the data communication, the encryption table stored in the vehicular data communication apparatus 202 is not used, because the vehicular data communication apparatus 202 does not relay the data. The same is applied to cases where the second ECU 204 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C.
  • Second Example of Second Embodiment
  • A second example of the second embodiment will be described with reference to FIGS. 29 and 30. In the second example, for each combination of a data source node and a data destination node, the encryption table is uniformly managed by the vehicular data communication apparatus 202 relaying a data. For each data source node, the decryption table is uniformly managed by the external tool 205, the first ECU 203, and the second ECU 204. In the second example, for example, the information indicating that the decryption or the encryption is not to be performed is set for a node that transmits and receives a non-regulation message. The information indicating that the decryption or the encryption is to be performed is set for a node that transmits and receives a regulation message.
  • In a vehicular data communication system 221, the vehicular data communication apparatus 202 is connected with the first ECU 203 and the second ECU 204 through the bus B. The vehicular data communication apparatus 202 stores the encryption information as the encryption table 202 e for each combination of a data source node and a data destination node. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205 and the data destination node is the first ECU 203, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data source node is the external tool 205 and the data destination node is the second ECU 204, the stored encryption information indicates that the plaintext data is not to be encrypted For each data source node, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the encrypted-text data is to be decrypted. Likewise, for each data source node, the second ECU 204 stores the decryption information as the decryption table 204 d. For example, as illustrated in FIG. 29, for the case where the data source node is the external tool 205, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, for each data source node, the external tool 205 stores the decryption information as the decryption table 205 d. For example, as illustrated in FIG. 29, for the case where the data source node is the first ECU 203, the stored decryption information indicates that the encrypted-text data is to be decrypted. For the case where the data source node is the second ECU 204, the stored decryption information indicates that the plain-text data is not to be decrypted.
  • In the second example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204.
  • For each combination of a data source node and a data destination node, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data source node, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
  • Accordingly, the second example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • Moreover, even when multiple nodes transmitting a data needed to be encrypted are connected with the same bus and/or even when multiple nodes transmitting a data unneeded to be encrypted are connected with the same bus, it is possible to appropriately encrypt only the data needed to be encrypted, by setting the encryption tables and/or the decryption tables for respective individual nodes. Additionally, it is possible to flexibly deal with node addition and node deletion.
  • The above illustration is directed to the system in which the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B. However, ideas of the above illustration are applicable to a system in which multiple ECUs including the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through multiple buses including the bus B. For example, as illustrated in FIG. 30, in a vehicular data communication system 231, the first ECU 203 and the second ECU 204 are connected with the vehicular data communication apparatus 202 through the bus B, and additionally, the third ECU 207 and the fourth ECU 208 are connected with the vehicular data communication apparatus 202 through the bus C. In this case, the vehicular data communication apparatus 202 stores the encryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node and the data destination node. Each of the first ECU 203, the second ECU 204 and the external tool 205 stores the decryption table by designating the third ECU 207 and the fourth ECU 208 as the data source node.
  • Third Example of Second Embodiment
  • A third example of the second embodiment will be described with reference to FIGS. 31 and 32. In the third example, the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each identifier (CAN_ID) indicative of type of a data frame storing a data. For each identifier (CAN_ID) indicative of type of a data frame storing a data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the third example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the CAN_ID of the data frame having the non-regulation message. The CAN_ID refers to information identifying data content or the like, and has 11-bit length in standard format, as illustrated in FIG. 32.
  • In a vehicular data communication system 241, for each CAN_ID indicative of the type of the data frame, the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored encryption information indicates that the plaintext data is to be encrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be encrypted.
  • For each CAN_ID indicative of the type of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 31, for the case where the data frame has the CAN_ID “700”, the stored decryption information indicates that the plaintext data is to be decrypted. For the case where the data frame has the CAN_ID “701”, the stored encryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 204 d. The external tool 205 also stores, for each CAN_ID indicative of the type of the data frame, the decryption information as the decryption table 205 d.
  • In the third example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each CAN_ID, the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each CAN_ID, the decryption information (the decryption table) indicating whether or not the data is to be decrypted is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204.
  • Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • Moreover, by setting the encryption tables and the decryption tables for respective individual data frames, it is possible to appropriately encrypt only the data needed to be encrypted, even when the same single node transmits both of the data frame storing the data needed to be encrypted and the data frame storing the data unneeded to be encrypted.
  • Fourth Example of Second Embodiment
  • A fourth example of the second embodiment will be described with reference to FIG. 33. In the fourth example, the vehicular data communication apparatus 202 for relaying a data uniformly manages the encryption table for each data storage area (data field) of a data frame storing a data. For each data storage area (data field) of a data frame storing a data, the decryption table is uniformly managed by the external tool 205, the first ECU 203 and the second ECU 204. In the fourth example, for example, the information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the regulation message. The information indicating that the decryption or the encryption is not to be performed is set for the data storage area of the data frame having the non-regulation message.
  • In a vehicular data communication system 251, for each data storage area of the data frame, the vehicular data communication apparatus 202 stores the encryption as the encryption table 202 e. For example, as illustrated in FIG. 33, for a plaintext data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored encryption information indicates that the plaintext data is to be encrypted. For a plaintext data stored in “5 to 8 byte”, the stored encryption information indicates that the plaintext data is not to be encrypted.
  • For each data storage area of the data frame, the first ECU 203 stores the decryption information as the decryption table 203 d. For example, as illustrated in FIG. 33, for an encrypted-text data stored in “0 to 4 byte” of the data field of the data frame having “800” as the CAN_ID, the stored decryption information indicates that the encrypted-text data is to be decrypted. For a plaintext data stored in “5 to 8 bytes”, the stored decryption information indicates that the plaintext data is not to be decrypted. Likewise, the second ECU 204 stores, for each data storage area of the data frame, the decryption information as the decryption table 204 d. The external tool 205 also stores, for each data storage area of the data frame, the decryption information as the decryption table 205 d.
  • In the fourth example, the vehicular data communication apparatus 202 relays a data among the external tool 205, the first ECU 203 and the second ECU 204. For each data field (for each data storage area of the data frame), the vehicular data communication apparatus 202 uniformly manages the encryption information (the encryption table) indicating whether or not the data is to be encrypted. Additionally, for each data field (for each data storage area of the data frame), the data destination node uniformly manages the decryption information (the decryption table) indicating whether or not the data is to be decrypted. The data destination node is, for example, the external tool 205, the first ECU 203 and the second ECU 204.
  • Accordingly, the third example of the second embodiment can provide substantially the same advantages as the first example of the second embodiment. Specifically, to transmit the data, the external tool 205, the first ECU 203 and the second ECU 204 are not required to encrypt the data. Thus, the external tool 205, the first ECU 203 and the second ECU 204 can transmit the data without encrypting the data. Additionally, it is sufficient for each of the external tool 205, the first ECU 203 and the second ECU 204 to store the decryption table associated with only the data that is transmitted from the vehicular data communication apparatus 202 to the each. Therefore, a configuration complication and a processing increase resulting from the encryption and the decryption can be prevented. Moreover, since the vehicular data communication apparatus 202 performs the data encryption, it is possible to enhance the security in data communication.
  • Moreover, by setting the encryption tables and the decryption tables for respective individual data storage areas, it is possible to appropriately encrypt only the data needed to be encrypted, even when the node transmits the data frame having both of the data needed to be encrypted and the data unneeded to be encrypted.
  • Other Examples of Second Embodiment
  • The second embodiment is not limited to the above-illustrated examples, and can be modified and extended in, for example, the following way. Two or more of the first to fourth examples may be combined. Specifically, the system may employ the tow or more of: a configuration in which the encryption information and the decryption information are managed on a bus-by-bus basis; a configuration in which the encryption information and the decryption information are managed on a node-by-node basis; a configuration in which the encryption information and the decryption information are managed on a CAN_ID-by-CAN_ID basis; and a configuration in which the encryption information and the decryption information are managed on a data-field-by-data-field basis. Some of the multiple ECUs may have some of the functions of the vehicular data communication apparatus 202. Specifically, the vehicular data communication apparatus 202 is not limited to a dedicated apparatus for encrypting a data by determining whether or not to encrypt the data. For example, an ECU having a high processing capacity may be provided in the system, so that, while fulfilling its primary function, the ECU encrypts a data by determining whether or not to encrypt the data.
  • The present disclosure is not limited the above embodiments and modifications thereof. That is, the above embodiments and modifications thereof may be modified in various ways without departing from the sprit and scope of the present disclosure.

Claims (26)

What is claimed is:
1. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising:
an authentication device that performs authentication of the external tool connected to the bus;
an authentication control device that:
determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative;
when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
2. The vehicular data communication authentication system according to claim 1, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
3. The vehicular data communication authentication system according to claim 1, further comprising:
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the vehicular gateway apparatus; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
4. The vehicular data communication authentication system according to claim 1, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the authentication ECU; and
the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
5. The vehicular data communication authentication system according to claim 1, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU; and
the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
6. The vehicular data communication authentication system according to claim 1, further comprising:
a center that is communicable with the external tool; and
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device is provided in the center; and
the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
7. The vehicular data communication authentication system according to claim 1, further comprising:
a center that is communicable with the external tool,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the center; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
8. The vehicular data communication authentication system according to claim 1, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
9. A vehicular data communication authentication system in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU, the vehicular data communication authentication system comprising:
an authentication device that performs authentication of a vehicle state;
an authentication control device that:
determines whether or not a result of the authentication of the vehicle state preformed by the authentication device is affirmative;
when determining that the result of the authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of the authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
10. The vehicular data communication authentication system according to claim 9, further comprising
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the authentication device, the authentication control device and the authentication maintain device are provided in the vehicular gateway apparatus.
11. The vehicular data communication authentication system according to claim 9, further comprising
a vehicular gateway apparatus that partitions the external tool from the ECUs,
wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the vehicular gateway apparatus; and
the authentication control device and the authentication maintain device are provided in the authentication ECU.
12. The vehicular data communication authentication system according to claim 9, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU;
the authentication device is provided in the authentication ECU; and
the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
13. The vehicular data communication authentication system according to claim 9, wherein:
the ECUs include an authentication ECU, which is provided separately from the access target ECU; and
the authentication device, the authentication control device and the authentication maintain device are provided in each of the ECUs including the authentication ECU and the access target ECU.
14. The vehicular data communication authentication system according to claim 9, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
15. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units (ECUs) including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising:
an authentication device that performs authentication of the external tool connected to the bus;
an authentication control device that:
determines whether or not a result of the authentication of the external tool preformed by the authentication device is affirmative;
when determining that the result of the authentication of the external tool is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU, and
when determining that the result of the authentication of the external tool is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
16. The vehicular gateway apparatus according to claim 15, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU only for a specified data.
17. A vehicular gateway apparatus in a vehicular data authentication system, in which an external tool is connectable to a bus connected with electronic control units including an access target ECU and in which the vehicular gateway apparatus partitions the external tool from the ECUs, the vehicular gateway apparatus comprising:
an authentication device that performs authentication of a vehicle state;
an authentication control device that:
determines whether or not a result of authentication of the vehicle state preformed by the authentication device is affirmative;
when determining that the result of authentication of the vehicle state is affirmative, sets an authenticated state and permits a data communication between the external tool and the access target ECU; and
when determining that the result of authentication of the vehicle state is not affirmative, does not set the authenticated state and prohibits the data communication between the external tool and the access target ECU; and
an authentication maintain device that, after the authenticated state is set by the authentication control device, maintains the authenticated state within one of:
a first period, which is a predetermined period of time elapsed since the authenticated state was set;
a second period, which is a period during which an authenticated state maintain request is inputted to the authentication control device;
a third period, which is a period during which a vehicle state satisfies a predetermined condition; and
a fourth period, which is a period during which the bus is in a communicating state.
18. The vehicular gateway apparatus according to claim 17, further comprising:
a communication control device that, in a situation where the authenticated state is not set by the authentication device, permits the data communication between the external tool and the access target ECU for only a specified data.
19. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses;
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each combination of one bus connected with a data source node and another bus connected with a data destination node, stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
an decryption information storage device that, for each bus connected with the data source node, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
20. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes
an encryption information storage device that, for each combination of a data source node and a data destination node, stores an encryption information indicating whether or not a data is to be encrypted, wherein the data source node is one node being a source of the data and the data destination node is another node being a destination of the data; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
an decryption information storage device that, for each data source node, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
21. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each identifier indicative of class a data frame storing a data, stores an encryption information indicating whether or not the data is to be encrypted; and
an encryption control device that, in cases where the vehicular data communication apparatus receives the data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
an decryption information storage device that, for each identifier indicative of the type of the data frame storing the data, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
22. A vehicular data communication system comprising:
a vehicular data communication apparatus connected with a plurality of nodes through buses,
wherein the vehicular data communication apparatus includes:
an encryption information storage device that, for each data storage area of a data frame storing a data, stores an encryption information indicating whether or not the data is to be encrypted; and
an encryption control device that, in cases where the vehicular data communication apparatus receives a data from a first node through a first bus and transmits the received data to a second node through a second bus, determines whether to (i) encrypt the received data and transmit the encrypted data to the second node through the second bus or (ii) transmit the received data to the second node through the second bus without encrypting the received data, based on the encryption information stored in the encryption information storage device,
wherein each node includes:
an decryption information storage device that, for each data storage area of the data frame storing the data, stores a decryption information indicating whether or not the data is to be decrypted; and
a decryption control device that, in cases where the node receives the data from the vehicular data communication apparatus, determines whether to (i) decrypt and process the received data or (ii) process the received data without decrypting the received data, based on the decryption information stored in the decryption information storage device.
23. The vehicular data communication system according to claim 19, wherein:
in cases where the vehicular data communication apparatus receives the data from the first node through the first bus and transmits the received data to the second node through the first bus, the encryption control device transmits the received data, which is the data received from the first node through the first bus, to the second node through the first bus without encrypting the received data.
24. The vehicular data communication system according to claim 19, wherein:
the plurality of nodes includes an external tool and at least one electronic control unit mounted in a vehicle.
25. The vehicular data communication system according to claim 19, wherein:
the plurality of nodes includes a plurality of electronic control units mounted in a vehicle.
26. The vehicular data communication in the vehicular data communication system recited in claim 19.
US13/771,696 2012-02-20 2013-02-20 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle Abandoned US20130219170A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/318,723 US9489544B2 (en) 2012-02-20 2014-06-30 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2012-33945 2012-02-20
JP2012033945A JP5900007B2 (en) 2012-02-20 2012-02-20 VEHICLE DATA COMMUNICATION AUTHENTICATION SYSTEM AND VEHICLE GATEWAY DEVICE
JP2012067383A JP5783103B2 (en) 2012-03-23 2012-03-23 VEHICLE DATA COMMUNICATION SYSTEM AND VEHICLE DATA COMMUNICATION DEVICE
JP2012-67383 2012-03-23

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/318,723 Division US9489544B2 (en) 2012-02-20 2014-06-30 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle

Publications (1)

Publication Number Publication Date
US20130219170A1 true US20130219170A1 (en) 2013-08-22

Family

ID=48915333

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/771,696 Abandoned US20130219170A1 (en) 2012-02-20 2013-02-20 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle
US14/318,723 Active US9489544B2 (en) 2012-02-20 2014-06-30 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/318,723 Active US9489544B2 (en) 2012-02-20 2014-06-30 Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle

Country Status (2)

Country Link
US (2) US20130219170A1 (en)
DE (1) DE102013101508A1 (en)

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150020152A1 (en) * 2012-03-29 2015-01-15 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
WO2015056089A1 (en) * 2013-10-18 2015-04-23 Toyota Jidosha Kabushiki Kaisha Communication system and communication method
US20150135271A1 (en) * 2013-11-11 2015-05-14 GM Global Technology Operations LLC Device and method to enforce security tagging of embedded network communications
US9038132B2 (en) * 2011-09-28 2015-05-19 Denso Corporation Bus monitoring security device and bus monitoring security system
CN104717202A (en) * 2013-12-13 2015-06-17 现代自动车株式会社 Method and apparatus for enhancing security in an in-vehicle communication network
WO2015139799A1 (en) * 2014-03-20 2015-09-24 Audi Ag Control device in a motor vehicle, a motor vehicle, and a method for operating a control device
US20150326529A1 (en) * 2013-03-11 2015-11-12 Hitachi Automotive Systems, Ltd. Gateway device, and service providing system
US20160053696A1 (en) * 2013-04-01 2016-02-25 Thermo King Corporation System and method for preventing unauthorized modification to engine control software or an engine control system
WO2016096307A1 (en) * 2014-12-17 2016-06-23 Bayerische Motoren Werke Aktiengesellschaft Secure and user-specific data use in motor vehicles
US9489544B2 (en) 2012-02-20 2016-11-08 Denso Corporation Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle
CN106452866A (en) * 2016-10-10 2017-02-22 上海畅星软件有限公司 Vehicle-mounted electronic equipment interconnecting gateway device based on IoT (Internet of Things) technology and communication method
CN106464566A (en) * 2014-06-16 2017-02-22 株式会社理光 Network system, communication control method, and storage medium
US20170070488A1 (en) * 2015-09-09 2017-03-09 Hyundai Motor Company Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition
US20180026963A1 (en) * 2016-07-22 2018-01-25 Samsung Electronics Co., Ltd Authorized control of an embedded system using end-to-end secure element communication
JP2018026669A (en) * 2016-08-09 2018-02-15 Kddi株式会社 Management system, key generation device, on-vehicle computer, management method, and computer program
US10095859B2 (en) * 2014-02-28 2018-10-09 Hitachi Automotive Systems, Ltd. Authentication system and car onboard control device
EP3386163A1 (en) * 2017-04-05 2018-10-10 STMicroelectronics (Grenoble 2) SAS Apparatus for use in a can system
US20190152411A1 (en) * 2017-11-20 2019-05-23 Ford Global Technologies, Llc Systems and methods for vehicle diagnostic tester coordination
US10353692B2 (en) * 2015-06-01 2019-07-16 Opensynergy Gmbh Method for updating a control unit for an automotive vehicle, control unit for an automotive vehicle, and computer program product
US10389549B2 (en) * 2014-10-28 2019-08-20 Chery Automobile Co., Ltd. Method and apparatus for message transmission
US10445139B2 (en) * 2014-04-09 2019-10-15 Hitachi, Ltd. Control system in which communication between devices is controlled based on execution condition being satisfied, gateway device used in the control system, and control method for the control system
US20190349394A1 (en) * 2017-12-01 2019-11-14 Panasonic Intellectual Property Corporation Of America Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
US10599854B2 (en) 2014-08-26 2020-03-24 Denso Corporation Vehicular data conversion apparatus and vehicular data output method
CN111460477A (en) * 2020-03-30 2020-07-28 北京经纬恒润科技有限公司 ECU security authentication method and device
US10970398B2 (en) 2016-08-10 2021-04-06 Kddi Corporation Data provision system, data security device, data provision method, and computer program
US10977875B2 (en) 2017-11-20 2021-04-13 Ford Global Technologies, Llc Systems and methods for vehicle diagnostic tester coordination
US20210157573A1 (en) * 2018-08-10 2021-05-27 Denso Corporation Vehicle electronic control system, progress screen display control method and computer program product
US20210224188A1 (en) * 2020-01-20 2021-07-22 Continental Automotive Gmbh Communication gateway for communicating data frames for a motor vehicle
US11088997B2 (en) * 2016-03-31 2021-08-10 Byd Company Limited Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle
US11212109B2 (en) 2016-08-10 2021-12-28 Kddi Corporation Data provision system, data security device, data provision method, and computer program
US11218309B2 (en) * 2018-03-27 2022-01-04 Toyota Jidosha Kabushiki Kaisha Vehicle communication system and vehicle communication method
US20220161828A1 (en) * 2019-03-19 2022-05-26 Autovisor Pte. Ltd System and method for protecting electronic vehicle control systems against hacking
US20220224519A1 (en) * 2019-03-25 2022-07-14 Micron Technology, Inc. Secure communication for a key replacement
US11467821B2 (en) 2018-08-10 2022-10-11 Denso Corporation Vehicle master device, installation instruction determination method and computer program product
US11604637B2 (en) 2018-08-10 2023-03-14 Denso Corporation Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product
US11656771B2 (en) 2018-08-10 2023-05-23 Denso Corporation Electronic control unit, vehicle electronic control system, activation execution control method and computer program product
US11669323B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle electronic control system, program update notification control method and computer program product
US11671498B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle master device, update data verification method and computer program product
US11683197B2 (en) 2018-08-10 2023-06-20 Denso Corporation Vehicle master device, update data distribution control method, computer program product and data structure of specification data
US11709666B2 (en) 2018-07-25 2023-07-25 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11783302B2 (en) * 2020-05-07 2023-10-10 Blackberry Limited Authorization of vehicle repairs
US11822366B2 (en) 2018-08-10 2023-11-21 Denso Corporation Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data
US11876898B2 (en) 2018-08-10 2024-01-16 Denso Corporation Vehicle master device, security access key management method, security access key management program and data structure of specification data
US11907697B2 (en) 2018-08-10 2024-02-20 Denso Corporation Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program
US11928459B2 (en) 2018-08-10 2024-03-12 Denso Corporation Electronic control unit, retry point specifying method and computer program product for specifying retry point
US11926270B2 (en) 2018-08-10 2024-03-12 Denso Corporation Display control device, rewrite progress display control method and computer program product
US11934823B2 (en) 2018-07-25 2024-03-19 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8918251B2 (en) * 2013-02-14 2014-12-23 Stephan A Tarnutzer CAN based vehicle immobilizer
ES2952400T3 (en) 2014-07-28 2023-10-31 Mylaps B V Transponder module and access module to activate and configure said transponder module
EP2981028B1 (en) * 2014-07-28 2020-05-06 MyLaps B.V. Transponder module and access module for activating and configuring such transponder module over a CAN bus
US9351025B1 (en) * 2015-04-17 2016-05-24 Rovi Guides, Inc. Systems and methods for providing automatic content recognition to verify affiliate programming
CN105083169A (en) * 2015-07-25 2015-11-25 上海修源网络科技有限公司 Communication frame of electric automobile controller and electric automobile controller
US11210871B2 (en) 2015-08-05 2021-12-28 EZ Lynk SEZC System and method for remote emissions control unit monitoring and reprogramming
US11430273B2 (en) 2015-08-05 2022-08-30 EZ Lynk SEZC Apparatus and method for remote ELD monitoring and ECU reprogramming
US10621796B2 (en) 2015-08-05 2020-04-14 EZ Lynk SEZC System and method for real time wireless ECU monitoring and reprogramming
US10614640B2 (en) 2015-08-05 2020-04-07 EZ Lynk SEZC System and method for real time wireless ECU monitoring and reprogramming
JP6502832B2 (en) * 2015-11-13 2019-04-17 株式会社東芝 Inspection apparatus, communication system, mobile unit and inspection method
US10285051B2 (en) * 2016-09-20 2019-05-07 2236008 Ontario Inc. In-vehicle networking
TWI638561B (en) * 2016-12-23 2018-10-11 財團法人工業技術研究院 Control system and control method
US10180682B2 (en) 2017-02-23 2019-01-15 The Directv Group, Inc. Shared control of vehicle functions
US10491392B2 (en) * 2017-03-01 2019-11-26 Ford Global Technologies, Llc End-to-end vehicle secure ECU unlock in a semi-offline environment
GB201806465D0 (en) 2018-04-20 2018-06-06 Nordic Semiconductor Asa Memory-access controll
IT201800005466A1 (en) * 2018-05-17 2019-11-17 METHOD AND DEVICE FOR WRITING SOFTWARE OBJECTS IN AN ELECTRONIC CONTROL UNIT OF AN INTERNAL COMBUSTION ENGINE
GB201810653D0 (en) * 2018-06-28 2018-08-15 Nordic Semiconductor Asa Secure peripheral interconnect
GB201810659D0 (en) 2018-06-28 2018-08-15 Nordic Semiconductor Asa Secure-Aware Bus System
GB201810662D0 (en) 2018-06-28 2018-08-15 Nordic Semiconductor Asa Peripheral Access On A Secure-Aware Bus System
JP2020167607A (en) * 2019-03-29 2020-10-08 マツダ株式会社 Automobile arithmetic system and reception data processing method
KR20220000537A (en) * 2020-06-26 2022-01-04 현대자동차주식회사 System and method for transmitting and receiving data based on vehicle network
US20220398149A1 (en) * 2021-06-15 2022-12-15 Toyota Motor North America, Inc. Minimizing transport fuzzing reactions
CN117413303A (en) * 2022-03-01 2024-01-16 时代电服科技有限公司 Vehicle authentication method, device, control equipment and power exchange station

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4980913A (en) * 1988-04-19 1990-12-25 Vindicator Corporation Security system network
US6484082B1 (en) * 2000-05-24 2002-11-19 General Motors Corporation In-vehicle network management using virtual networks
US20040128673A1 (en) * 2002-12-17 2004-07-01 Systemauto, Inc. System, method and computer program product for sharing information in distributed framework
US6801942B1 (en) * 2000-09-15 2004-10-05 Robert Bosch Gmbh Apparatus, method and system for remotely accessing and/or controlling can node arrangements, including vehicle electronic control units, during vehicle operation
US20050251604A1 (en) * 2004-04-01 2005-11-10 Gerig Michael L Method and protocol for diagnostics of arbitrarily complex networks of devices
US20060106508A1 (en) * 2004-11-12 2006-05-18 Spx Corporation Remote display of diagnostic data apparatus and method
US20070083303A1 (en) * 2005-10-11 2007-04-12 Snap-On Incorporated Marketplace for vehicle original equipment manufacturer information
US20070217614A1 (en) * 2002-11-15 2007-09-20 Matsushita Electric Industrial Co., Ltd Program update method and server
US20070244611A1 (en) * 2006-04-14 2007-10-18 Brozovich Roy S Vehicle diagnostic tool with packet and voice over packet communications and systems incorporating such a tool
US7941253B1 (en) * 2007-11-27 2011-05-10 Brunswick Corporation Marine propulsion drive-by-wire control system with shared isolated bus
US20120140861A1 (en) * 2010-12-01 2012-06-07 GM Global Technology Operations LLC Data Sensor Coordination Using Time Synchronization in a Multi-Bus Controller Area Network System
US8705527B1 (en) * 2011-01-14 2014-04-22 Cisco Technology, Inc. System and method for internal networking, data optimization and dynamic frequency selection in a vehicular environment

Family Cites Families (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7484008B1 (en) * 1999-10-06 2009-01-27 Borgia/Cummins, Llc Apparatus for vehicle internetworks
AU784850B2 (en) * 2000-01-14 2006-07-06 Panasonic Corporation Authentication communication device and authentication communication system
DE10008974B4 (en) * 2000-02-25 2005-12-29 Bayerische Motoren Werke Ag signature methods
JP2002232438A (en) * 2001-01-30 2002-08-16 Sumitomo Electric Ind Ltd Gateway and network system
US7149206B2 (en) * 2001-02-08 2006-12-12 Electronic Data Systems Corporation System and method for managing wireless vehicular communications
US6694235B2 (en) * 2001-07-06 2004-02-17 Denso Corporation Vehicular relay device, in-vehicle communication system, failure diagnostic system, vehicle management device, server device and detection and diagnostic program
GB2385951A (en) 2001-09-21 2003-09-03 Sun Microsystems Inc Data encryption and decryption
US20030147534A1 (en) * 2002-02-06 2003-08-07 Ablay Sewim F. Method and apparatus for in-vehicle device authentication and secure data delivery in a distributed vehicle network
US8226473B2 (en) * 2002-04-10 2012-07-24 Wms Gaming Inc. Gaming software authentication
JP2003324459A (en) 2002-04-26 2003-11-14 Sumitomo Electric Ind Ltd Communication system
DE10250195A1 (en) * 2002-10-28 2004-05-13 OCé PRINTING SYSTEMS GMBH Method and arrangement for authenticating an operating unit and transmitting authentication information to the operating unit
JP2004179772A (en) 2002-11-25 2004-06-24 Sumitomo Electric Ind Ltd On-vehicle gateway apparatus and on-vehicle communication system
JP2004192277A (en) 2002-12-10 2004-07-08 Sumitomo Electric Ind Ltd Vehicle diagnostic system and vehicle
US7962954B2 (en) * 2003-01-15 2011-06-14 Cisco Technology, Inc. Authenticating multiple network elements that access a network through a single network switch port
JP2004224284A (en) 2003-01-27 2004-08-12 Mitsubishi Motors Corp Web server
ATE492085T1 (en) * 2003-01-28 2011-01-15 Cellport Systems Inc A SYSTEM AND METHOD FOR CONTROLLING APPLICATIONS' ACCESS TO PROTECTED RESOURCES WITHIN A SECURE VEHICLE TELEMATICS SYSTEM
JP4576997B2 (en) 2004-04-28 2010-11-10 株式会社デンソー Communication system, key distribution device, cryptographic processing device
EP1741019A1 (en) 2004-04-29 2007-01-10 Bayerische Motoren Werke Aktiengesellschaft Authentication of control units in a vehicle
JP2006053620A (en) 2004-08-10 2006-02-23 Hitachi Omron Terminal Solutions Corp Download system for on-vehicle terminal
JP4428207B2 (en) * 2004-11-10 2010-03-10 トヨタ自動車株式会社 Vehicle control device
JP4541118B2 (en) 2004-12-08 2010-09-08 株式会社日本自動車部品総合研究所 Vehicle information collection system, terminal, and vehicle side device
US8065498B2 (en) * 2005-01-07 2011-11-22 Panasonic Corporation Backup system, recording/reproduction device, backup device, backup method, program, and integrated circuit
JP4692318B2 (en) * 2005-04-20 2011-06-01 株式会社デンソー Electronic control unit
US8800042B2 (en) * 2005-05-16 2014-08-05 Hewlett-Packard Development Company, L.P. Secure web application development and execution environment
US20070121641A1 (en) * 2005-10-21 2007-05-31 Hovey Matthew N Method and system for network services with a mobile vehicle
JP2007145200A (en) * 2005-11-28 2007-06-14 Fujitsu Ten Ltd Authentication device for vehicle and authentication method for vehicle
US7711118B2 (en) * 2005-12-28 2010-05-04 Industrial Technology Research Institute Security system
JP4529931B2 (en) * 2006-03-29 2010-08-25 株式会社デンソー Engine start control device
US7623875B2 (en) * 2006-04-24 2009-11-24 Gm Global Technology Operations, Inc. System and method for preventing unauthorized wireless communications which attempt to provide input to or elicit output from a mobile device
JP2008059450A (en) * 2006-09-01 2008-03-13 Denso Corp Vehicle information rewriting system
DE102007022100B4 (en) * 2007-05-11 2009-12-03 Agco Gmbh Motor vehicle control unit data transmission system and method
US20090007250A1 (en) * 2007-06-27 2009-01-01 Microsoft Corporation Client authentication distributor
US8181031B2 (en) * 2007-08-01 2012-05-15 International Business Machines Corporation Biometric authentication device and system
JP2009043168A (en) * 2007-08-10 2009-02-26 Yamaha Marine Co Ltd Equipment authentication control method, equipment authentication controller and ship
US9613467B2 (en) * 2007-10-30 2017-04-04 Bosch Automotive Service Solutions Inc. Method of updating and configuring a scan tool
JP4909875B2 (en) * 2007-11-27 2012-04-04 アラクサラネットワークス株式会社 Packet relay device
US20090300365A1 (en) * 2008-05-30 2009-12-03 Robert Karmes Vehicle Diagnostic System Security with Memory Card
US20110083161A1 (en) * 2008-06-04 2011-04-07 Takayuki Ishida Vehicle, maintenance device, maintenance service system, and maintenance service method
US20090319287A1 (en) * 2008-06-24 2009-12-24 Ayman Hammad Authentication segmentation
JP4618344B2 (en) * 2008-07-29 2011-01-26 コニカミノルタビジネステクノロジーズ株式会社 Authentication device, authentication system, authentication method, authentication program, and recording medium
JP5081102B2 (en) * 2008-08-22 2012-11-21 ヤマハ発動機株式会社 Ship theft deterrent device and ship equipped with the same
JP2010062883A (en) 2008-09-04 2010-03-18 Hitachi Automotive Systems Ltd Vehicle operation verification system and onboard gateway device
JP5173891B2 (en) * 2009-03-02 2013-04-03 株式会社東海理化電機製作所 Secret key registration system and secret key registration method
JP2010231650A (en) * 2009-03-27 2010-10-14 Fujitsu Ltd Terminal apparatus, data providing system, data providing method and computer program
JP5326897B2 (en) * 2009-07-17 2013-10-30 株式会社デンソー Communications system
JP4957785B2 (en) * 2009-12-24 2012-06-20 株式会社デンソー Abnormality notification system and abnormality notification device
US8392698B2 (en) * 2010-04-16 2013-03-05 Cisco Technology, Inc. System and method for providing prefixes indicative of mobility properties in a network environment
JP5170177B2 (en) * 2010-06-30 2013-03-27 トヨタ自動車株式会社 Vehicle anti-theft device
WO2012167343A1 (en) * 2010-10-28 2012-12-13 Gestion André & Paquerette Ltée Device and method for managing an electronic control unit of a vehicle
JP5395036B2 (en) * 2010-11-12 2014-01-22 日立オートモティブシステムズ株式会社 In-vehicle network system
DE102012212962A1 (en) * 2011-07-28 2013-01-31 Denso Corporation Gateway and in-vehicle network system
US9280653B2 (en) * 2011-10-28 2016-03-08 GM Global Technology Operations LLC Security access method for automotive electronic control units
US20130204513A1 (en) * 2012-02-08 2013-08-08 Bendix Commercial Vehicle Systems Llc Protect information stored in ecu from unintentional writing and overwriting
DE102013101508A1 (en) 2012-02-20 2013-08-22 Denso Corporation A data communication authentication system for a vehicle, a network coupling device for a vehicle, a data communication system for a vehicle, and a data communication device for a vehicle

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4980913A (en) * 1988-04-19 1990-12-25 Vindicator Corporation Security system network
US6484082B1 (en) * 2000-05-24 2002-11-19 General Motors Corporation In-vehicle network management using virtual networks
US6801942B1 (en) * 2000-09-15 2004-10-05 Robert Bosch Gmbh Apparatus, method and system for remotely accessing and/or controlling can node arrangements, including vehicle electronic control units, during vehicle operation
US20070217614A1 (en) * 2002-11-15 2007-09-20 Matsushita Electric Industrial Co., Ltd Program update method and server
US20040128673A1 (en) * 2002-12-17 2004-07-01 Systemauto, Inc. System, method and computer program product for sharing information in distributed framework
US20050251604A1 (en) * 2004-04-01 2005-11-10 Gerig Michael L Method and protocol for diagnostics of arbitrarily complex networks of devices
US20060106508A1 (en) * 2004-11-12 2006-05-18 Spx Corporation Remote display of diagnostic data apparatus and method
US20070083303A1 (en) * 2005-10-11 2007-04-12 Snap-On Incorporated Marketplace for vehicle original equipment manufacturer information
US20070244611A1 (en) * 2006-04-14 2007-10-18 Brozovich Roy S Vehicle diagnostic tool with packet and voice over packet communications and systems incorporating such a tool
US7941253B1 (en) * 2007-11-27 2011-05-10 Brunswick Corporation Marine propulsion drive-by-wire control system with shared isolated bus
US20120140861A1 (en) * 2010-12-01 2012-06-07 GM Global Technology Operations LLC Data Sensor Coordination Using Time Synchronization in a Multi-Bus Controller Area Network System
US8705527B1 (en) * 2011-01-14 2014-04-22 Cisco Technology, Inc. System and method for internal networking, data optimization and dynamic frequency selection in a vehicular environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chung, "Isolating System Faults on Vehicular Network Gateways Using Virtualization", 2010 IEEE/IFIP 8gh International conference on Embedded and Ubiquitous Computing, 11-13 December 2010, pp. 791-796. *

Cited By (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9038132B2 (en) * 2011-09-28 2015-05-19 Denso Corporation Bus monitoring security device and bus monitoring security system
US9489544B2 (en) 2012-02-20 2016-11-08 Denso Corporation Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle
US10002258B2 (en) 2012-03-29 2018-06-19 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US11651088B2 (en) 2012-03-29 2023-05-16 Sheelds Cyber Ltd. Protecting a vehicle bus using timing-based rules
US9881165B2 (en) * 2012-03-29 2018-01-30 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US20150020152A1 (en) * 2012-03-29 2015-01-15 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US10534922B2 (en) 2012-03-29 2020-01-14 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US11120149B2 (en) 2012-03-29 2021-09-14 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US9965636B2 (en) 2012-03-29 2018-05-08 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US11709950B2 (en) 2012-03-29 2023-07-25 Sheelds Cyber Ltd. Security system and method for protecting a vehicle electronic system
US9906492B2 (en) * 2013-03-11 2018-02-27 Hitachi Automotive Systems, Ltd. Gateway device, and service providing system
US20150326529A1 (en) * 2013-03-11 2015-11-12 Hitachi Automotive Systems, Ltd. Gateway device, and service providing system
US9803610B2 (en) * 2013-04-01 2017-10-31 Thermo King Corporation System and method for preventing unauthorized modification to engine control software or an engine control system
US9920733B2 (en) 2013-04-01 2018-03-20 Thermo King Corporation System and method for preventing unauthorized modification to engine control software or an engine control system
US20160053696A1 (en) * 2013-04-01 2016-02-25 Thermo King Corporation System and method for preventing unauthorized modification to engine control software or an engine control system
WO2015056089A1 (en) * 2013-10-18 2015-04-23 Toyota Jidosha Kabushiki Kaisha Communication system and communication method
US20150135271A1 (en) * 2013-11-11 2015-05-14 GM Global Technology Operations LLC Device and method to enforce security tagging of embedded network communications
US20150172306A1 (en) * 2013-12-13 2015-06-18 Hyundai Motor Company Method and apparatus for enhancing security in an in-vehicle communication network
CN104717202A (en) * 2013-12-13 2015-06-17 现代自动车株式会社 Method and apparatus for enhancing security in an in-vehicle communication network
US10095859B2 (en) * 2014-02-28 2018-10-09 Hitachi Automotive Systems, Ltd. Authentication system and car onboard control device
US9852093B2 (en) 2014-03-20 2017-12-26 Audi Ag Control device in a motor vehicle, a motor vehicle, and a method for operating a control device
WO2015139799A1 (en) * 2014-03-20 2015-09-24 Audi Ag Control device in a motor vehicle, a motor vehicle, and a method for operating a control device
US10445139B2 (en) * 2014-04-09 2019-10-15 Hitachi, Ltd. Control system in which communication between devices is controlled based on execution condition being satisfied, gateway device used in the control system, and control method for the control system
EP3157203A4 (en) * 2014-06-16 2017-07-26 Ricoh Company, Ltd. Network system, communication control method, and storage medium
CN106464566A (en) * 2014-06-16 2017-02-22 株式会社理光 Network system, communication control method, and storage medium
RU2659489C1 (en) * 2014-06-16 2018-07-02 Рикох Компани, Лтд. Network system, communication control method and data storage medium
US10599854B2 (en) 2014-08-26 2020-03-24 Denso Corporation Vehicular data conversion apparatus and vehicular data output method
US10389549B2 (en) * 2014-10-28 2019-08-20 Chery Automobile Co., Ltd. Method and apparatus for message transmission
WO2016096307A1 (en) * 2014-12-17 2016-06-23 Bayerische Motoren Werke Aktiengesellschaft Secure and user-specific data use in motor vehicles
US10353692B2 (en) * 2015-06-01 2019-07-16 Opensynergy Gmbh Method for updating a control unit for an automotive vehicle, control unit for an automotive vehicle, and computer program product
US20170070488A1 (en) * 2015-09-09 2017-03-09 Hyundai Motor Company Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition
US9992178B2 (en) * 2015-09-09 2018-06-05 Hyundai Motor Company Method, apparatus and system for dynamically controlling secure vehicle communication based on ignition
US11088997B2 (en) * 2016-03-31 2021-08-10 Byd Company Limited Secure communication method and apparatus for vehicle, multimedia system for vehicle, and vehicle
US20180026963A1 (en) * 2016-07-22 2018-01-25 Samsung Electronics Co., Ltd Authorized control of an embedded system using end-to-end secure element communication
US10686776B2 (en) * 2016-07-22 2020-06-16 Samsung Electronics Co., Ltd. Authorized control of an embedded system using end-to-end secure element communication
WO2018029891A1 (en) * 2016-08-09 2018-02-15 Kddi株式会社 Management system, key-generating device, on-board computer, management method, and computer program
US11212087B2 (en) 2016-08-09 2021-12-28 Kddi Corporation Management system, key generation device, in-vehicle computer, management method, and computer program
JP2018026669A (en) * 2016-08-09 2018-02-15 Kddi株式会社 Management system, key generation device, on-vehicle computer, management method, and computer program
US10970398B2 (en) 2016-08-10 2021-04-06 Kddi Corporation Data provision system, data security device, data provision method, and computer program
US11212109B2 (en) 2016-08-10 2021-12-28 Kddi Corporation Data provision system, data security device, data provision method, and computer program
CN106452866A (en) * 2016-10-10 2017-02-22 上海畅星软件有限公司 Vehicle-mounted electronic equipment interconnecting gateway device based on IoT (Internet of Things) technology and communication method
US10862874B2 (en) 2017-04-05 2020-12-08 Stmicroelectronics (Grenoble 2) Sas Apparatus for use in a can system
EP3386163A1 (en) * 2017-04-05 2018-10-10 STMicroelectronics (Grenoble 2) SAS Apparatus for use in a can system
CN108696411A (en) * 2017-04-05 2018-10-23 意法半导体(格勒诺布尔2)公司 Device for being used in CAN system
US11606341B2 (en) 2017-04-05 2023-03-14 Stmicroelectronics (Grenoble 2) Sas Apparatus for use in a can system
US10977875B2 (en) 2017-11-20 2021-04-13 Ford Global Technologies, Llc Systems and methods for vehicle diagnostic tester coordination
US20190152411A1 (en) * 2017-11-20 2019-05-23 Ford Global Technologies, Llc Systems and methods for vehicle diagnostic tester coordination
US10486626B2 (en) * 2017-11-20 2019-11-26 Ford Global Technologies, Llc Systems and methods for vehicle diagnostic tester coordination
US20190349394A1 (en) * 2017-12-01 2019-11-14 Panasonic Intellectual Property Corporation Of America Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
US11128657B2 (en) * 2017-12-01 2021-09-21 Panasonic Intellectual Property Corporation Of America Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
US11838314B2 (en) 2017-12-01 2023-12-05 Panasonic Intellectual Property Corporation Of America Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
US11218309B2 (en) * 2018-03-27 2022-01-04 Toyota Jidosha Kabushiki Kaisha Vehicle communication system and vehicle communication method
US11934823B2 (en) 2018-07-25 2024-03-19 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11709666B2 (en) 2018-07-25 2023-07-25 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11671498B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle master device, update data verification method and computer program product
US20210157573A1 (en) * 2018-08-10 2021-05-27 Denso Corporation Vehicle electronic control system, progress screen display control method and computer program product
US11604637B2 (en) 2018-08-10 2023-03-14 Denso Corporation Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product
US11926270B2 (en) 2018-08-10 2024-03-12 Denso Corporation Display control device, rewrite progress display control method and computer program product
US11467821B2 (en) 2018-08-10 2022-10-11 Denso Corporation Vehicle master device, installation instruction determination method and computer program product
US11656771B2 (en) 2018-08-10 2023-05-23 Denso Corporation Electronic control unit, vehicle electronic control system, activation execution control method and computer program product
US11669323B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle electronic control system, program update notification control method and computer program product
US11928459B2 (en) 2018-08-10 2024-03-12 Denso Corporation Electronic control unit, retry point specifying method and computer program product for specifying retry point
US11683197B2 (en) 2018-08-10 2023-06-20 Denso Corporation Vehicle master device, update data distribution control method, computer program product and data structure of specification data
US11907697B2 (en) 2018-08-10 2024-02-20 Denso Corporation Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program
US11876898B2 (en) 2018-08-10 2024-01-16 Denso Corporation Vehicle master device, security access key management method, security access key management program and data structure of specification data
US11822366B2 (en) 2018-08-10 2023-11-21 Denso Corporation Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data
US20220161828A1 (en) * 2019-03-19 2022-05-26 Autovisor Pte. Ltd System and method for protecting electronic vehicle control systems against hacking
US20220224519A1 (en) * 2019-03-25 2022-07-14 Micron Technology, Inc. Secure communication for a key replacement
US11646873B2 (en) * 2019-03-25 2023-05-09 Micron Technology, Inc. Secure communication for a key replacement
US11599459B2 (en) * 2020-01-20 2023-03-07 Continental Automotive Gmbh Communication gateway for communicating data frames for a motor vehicle
US20210224188A1 (en) * 2020-01-20 2021-07-22 Continental Automotive Gmbh Communication gateway for communicating data frames for a motor vehicle
CN111460477A (en) * 2020-03-30 2020-07-28 北京经纬恒润科技有限公司 ECU security authentication method and device
US11783302B2 (en) * 2020-05-07 2023-10-10 Blackberry Limited Authorization of vehicle repairs

Also Published As

Publication number Publication date
US9489544B2 (en) 2016-11-08
DE102013101508A1 (en) 2013-08-22
US20140317729A1 (en) 2014-10-23

Similar Documents

Publication Publication Date Title
US9489544B2 (en) Data communication authentication system for vehicle gateway apparatus for vehicle data communication system for vehicle and data communication apparatus for vehicle
US11529914B2 (en) Gateway device, vehicle network system, and transfer method
JP5783103B2 (en) VEHICLE DATA COMMUNICATION SYSTEM AND VEHICLE DATA COMMUNICATION DEVICE
JP5900007B2 (en) VEHICLE DATA COMMUNICATION AUTHENTICATION SYSTEM AND VEHICLE GATEWAY DEVICE
JP6525824B2 (en) Relay device
WO2016204081A1 (en) Vehicle-mounted relay device, vehicle-mounted communication system and relay program
US20180124180A1 (en) Communication system and communication method
US11386201B2 (en) Data bus protection device and method
US10321492B2 (en) Wireless communication apparatus and wireless communication system
JP6704458B2 (en) In-vehicle processor
JP7412506B2 (en) Fraud detection rule update method, fraud detection electronic control unit and in-vehicle network system
CN111699706A (en) Master-slave system for communication over bluetooth low energy connections
JP2016163265A (en) Key management system, key management method, and computer program
CN113632419A (en) Device and method for generating and authenticating at least one data packet to be transmitted in a BUs system (BU), in particular of a motor vehicle
CN110312232B (en) Vehicle communication system and vehicle communication method
EP3713190B1 (en) Secure bridging of controller area network buses
JP6203798B2 (en) In-vehicle control system, vehicle, management device, in-vehicle computer, data sharing method, and computer program
CN111294771A (en) In-vehicle device, system for implementing in-vehicle communication and related method
US11526461B2 (en) Enhanced secure onboard communication for CAN
US20200210168A1 (en) Systems and methods for utilizing encryption in microcontrollers for fota
JP2023513295A (en) Communication device and method for cryptographically securing communications
JP2018019218A (en) Electronic control device
JP6681755B2 (en) Vehicle communication network device and communication method
US11934338B2 (en) Enhanced secure onboard communication for CAN
CN107104868B (en) Vehicle-mounted network encrypted communication method and device

Legal Events

Date Code Title Description
AS Assignment

Owner name: DENSO CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NAITOU, HIDETO;NATSUME, MITSUYOSHI;HARATA, YUZO;AND OTHERS;REEL/FRAME:029958/0291

Effective date: 20130220

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION