The present invention relates to a communications system in which a plurality of communication devices such as an ECU (Electronic Control Unit) are connected to each other via a common communication line, a communication control device for preventing fraudulent information-transmission in this system, and a fraudulent information-transmission preventing method.
Conventionally, a communication protocol of CAN (Controller Area Network) is widely adopted for the communication among a plurality of communication devices mounted in a vehicle. Since a plurality of communication devices are connected to a common CAN bus in the communication protocol of CAN, an arbitration process is performed by respective communication devices and information with a high priority is transmitted in a case where the plurality of communication devices simultaneously transmit information and a collision occurs. In order to perform the arbitration process, each communication device detects a signal level of the CAN bus at the same time as the output of a transmission signal to the CAN bus. In a case where the detected signal level changes from RECESSIVE (recessive value) to DOMINANT (dominant value) regarding the transmission signal the communication device itself outputs, the communication device determines that a communication collision has occurred and stops the transmission process. DOMINANT is superior to RECESSIVE for signals on the CAN bus and therefore electronic equipment which has outputted DOMINANT can continue the transmission process even when the communication collision occurs.
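The arbitration described above, as an added bit-level model that is not part of the patent text: the bus is a wired-AND of what every node drives, so a node that sends RECESSIVE but reads back DOMINANT knows it has lost and stops. The node names and identifiers are constructed sample values. The same property, DOMINANT overriding RECESSIVE, is what later allows a device on the bus to overwrite another node's output with an error frame.

```python
# Added example (not from the patent text): bit-level model of CAN arbitration
# on a wired-AND bus. DOMINANT is modelled as 0 and RECESSIVE as 1, so the bus
# level is the AND of everything driven onto it. Node names and identifiers
# below are constructed sample values.
from typing import Dict, List, Optional, Tuple

DOMINANT, RECESSIVE = 0, 1
ID_WIDTH = 11  # standard (base) CAN identifier

def id_bits(can_id: int, width: int = ID_WIDTH) -> List[int]:
    """Identifier bits most-significant first, the order they go on the bus."""
    return [(can_id >> (width - 1 - i)) & 1 for i in range(width)]

def bus_level(driven: List[int]) -> int:
    """Wired-AND: the bus reads DOMINANT as soon as one node drives DOMINANT."""
    return DOMINANT if DOMINANT in driven else RECESSIVE

def arbitrate(nodes: Dict[str, int]) -> Tuple[Optional[str], Dict[str, int]]:
    """Simulate the arbitration field for nodes that start a frame at the
    same instant. Every node outputs one identifier bit and samples the bus
    in the same bit time; a node that sent RECESSIVE but reads DOMINANT has
    lost arbitration and stops transmitting. Returns the winner (None when
    two nodes share an identifier, a misconfiguration arbitration cannot
    resolve) and the bit index at which each loser backed off."""
    active = dict(nodes)
    lost_at: Dict[str, int] = {}
    for bit in range(ID_WIDTH):
        driven = {name: id_bits(cid)[bit] for name, cid in active.items()}
        level = bus_level(list(driven.values()))
        for name, sent in driven.items():
            if sent == RECESSIVE and level == DOMINANT:
                lost_at[name] = bit
                del active[name]
        if len(active) <= 1:
            break
    winner = next(iter(active)) if len(active) == 1 else None
    return winner, lost_at

if __name__ == "__main__":
    # constructed sample: three ECUs start transmitting simultaneously;
    # the lowest identifier (highest priority) keeps the bus
    print(arbitrate({"brake_ecu": 0x010, "body_ecu": 0x2A0, "infotainment": 0x3FF}))
```

Running the sample shows both losers backing off at identifier bit 1, the first bit position where the winning identifier is DOMINANT while theirs is RECESSIVE.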
Patent Document 1 proposes an abnormality diagnosis apparatus which makes a diagnosis of abnormality for each branch circuit of a two-wire CAN communication circuit whose branch connection is made. The abnormality diagnosis apparatus comprises: a branch circuit for inspection which is connector-connected to each branch circuit of a CAN communication line; a branch connection circuit including a joint circuit which connects the branch circuit; separation means which separates each branch circuit from the joint circuit; potential measurement means which measures a potential of the branch circuit separated by the separation means; connection means which connects the potential measurement means to the branch circuit; and abnormality determination means which is connected to the potential measurement means and determines abnormality based on the measured potential.
[Patent Document 1] Japanese Patent Laid-Open Publication No. 2010-111295
There is a possibility that malicious equipment is connected to a CAN bus of a vehicle. Such malicious equipment may, for example, repeatedly transmit fraudulent information to the CAN bus in order to cause malfunction of the other ECUs connected to the CAN bus.
The present invention has been made with the aim of solving the above problems, and it is an object of the present invention to provide a communication system, a communication control device and a fraudulent information-transmission preventing method capable of preventing malfunction etc. of a communication device connected to a common communication line, even when fraudulent information is transmitted to the communication line.
A communication system according to the present invention is a communication system in which a plurality of communication devices are connected to each other via a common communication line, characterized in that the communication device is provided: with authentication-information adding means for adding authentication information to information to be transmitted to the other communication device; and with information transmitting means for outputting to the communication line transmission information to which the authentication information is added by the authentication-information adding means, and transmitting the transmission information to the other communication device, the communication system comprises a communication control device being connected to the communication line and being provided: with obtaining means for obtaining transmission information outputted to the communication line; with authentication-information determining means for determining whether or not authentication information contained in transmission information obtained by the obtaining means is right; and with information discarding means for causing the communication device to discard the transmission information when the authentication-information determining means determines the authentication information is not right, the information discarding means of the communication control device outputs predetermined information to the communication line when the authentication-information determining means determines the authentication information is not right, and the other communication device discards the transmission information transmitted from the communication device when the other communication device receives the predetermined information from the communication line.
In the communication system according to the present invention, the information discarding means of the communication control device outputs the predetermined information to the communication line before the information transmitting means of the communication device completes output of all pieces of transmission information to the communication line, and thereby causes the communication device to discard the transmission information.
In the communication system according to the present invention, the communication device and the communication control device share key information; the authentication-information adding means of the communication device generates authentication information based on the key information and adds the authentication information to the transmission information, and the authentication-information determining means of the communication control device determines the authentication information contained in the transmission information based on the key information.
In the communication system according to the present invention, the plurality of communication devices hold different pieces of key information respectively, and the communication control device holds the key information of each communication device.
A communication control device according to the present invention is a communication control device connected to a common communication line to which a plurality of communication devices are connected, comprising: obtaining means for obtaining transmission information outputted to the communication line; authentication-information determination means for determining whether or not authentication information contained in the transmission information obtained by the obtaining means is right; and information discarding means for causing the communication device to discard the transmission information when the authentication-information determining means determines the authentication information is not right, wherein the information discarding means outputs predetermined information to the communication line when the authentication-information determining means determines the authentication information is not right.
A fraudulent information-transmission preventing method according to the present invention is a fraudulent information-transmission preventing method of preventing fraudulent information-transmission to a common communication line by a communication system in which a plurality of communication devices are connected to each other via the communication line, comprising: the communication device adding authentication information to information to be transmitted to the other communication device and outputting the information to the communication line; a communication control device obtaining transmission information outputted to the communication line; the communication control device determining whether or not authentication information contained in the obtained transmission information is right; the communication control device outputting predetermined information to the communication line when the communication control device determines the authentication information is not right; and the other communication device discarding the transmission information transmitted from the communication device when the other communication device receives the predetermined information from the communication line.
In the present invention, the plurality of communication devices and the communication control device are connected to the common communication line. Each communication device adds authentication information to transmission information and outputs the information to the communication line to transmit the information to the other communication device. Note that in the present invention the communication device which receives information from the other communication device does not need to determine whether authentication information contained in the received information is right or wrong.
The communication control device monitors transmission of information to the communication line, obtains transmitted information when the information is transmitted, and determines right or wrong of authentication information contained in the obtained information. When the authentication information is right, the communication control device does not need to perform any process for this information transmission. When the authentication information is not right, there is a possibility that the transmitted information is fraudulent information transmitted by malicious equipment, and therefore, the communication control device causes the communication device to discard the transmitted information.
This can prevent fraudulent information from being received by each communication device, without determining right or wrong of authentication information by each communication device.
Moreover, in the present invention, in order to cause the communication device to discard transmission information, the communication control device outputs predetermined information to the communication line before the communication device completes output of all pieces of transmission information to the communication line. As a result, the transmission information no longer forms normal information, and each communication device stops reception of this information so that the transmission information is discarded.
Moreover, in the present invention the communication device and the communication control device share key information, generate authentication information and determine it. For this reason, malicious equipment not holding key information cannot generate authentication information and then the communication control device can more reliably prevent fraudulent information-transmission.
Moreover, in the present invention the plurality of communication devices in the communication system hold different pieces of key information respectively. This can reduce the negative effect of an incident such as leakage of key information. Each communication device does not need to determine authentication information contained in transmission information of the other communication device, and therefore does not need to hold key information of the other communication device. In contrast, the communication control device holds key information for all communication devices whose transmission information may need to be discarded. The communication control device determines right or wrong of authentication information contained in the transmission information, using the key information corresponding to the communication device which is the transmission source of the information.
According to the present invention, the communication control device determines right or wrong of transmission information based on the authentication information which the communication device adds to the transmission information, and causes the communication device to discard this information when the transmission information is not right. Accordingly, even when malicious equipment fraudulently transmits information to the common communication line, the communication control device causes the communication device to discard the transmitted information, preventing malfunction of the communication device.
The storage section 32 is constructed from a non-volatile memory device such as a flash memory or an EEPROM (Electrically Erasable Programmable ROM). The storage section 32 stores programs to be executed by the processing section 31 and various data which are necessary for processes to be executed based on the programs. Note that the programs and data stored in the storage section 32 differ for each ECU 3. In this Embodiment, the storage section 32 stores key information 32a used for generation process of authentication information to be performed by the processing section 31. Although the plurality of ECUs 3 are connected to the CAN bus in this Embodiment, the key information 32a which each ECU 3 stores in the storage section 32 may differ from each other.
The CAN communication section 33 communicates with the other ECUs 3 or the monitoring device 5 via the CAN bus according to the communications protocol of CAN. The CAN communication section 33 converts information for transmission provided from the processing section 31 to a transmission signal according to the communication protocol of CAN and outputs the converted signal to the CAN bus to transmit the information to the other ECUs 3 or to the monitoring device 5. The CAN communication section 33 samples a potential of the CAN bus to obtain a signal outputted by the other ECU 3 or the monitoring device 5 and converts this signal to binary information according to the communication protocol of CAN to receive information and then provide the received information to the processing section 31.
In this Embodiment, the processing section 31 of the ECU 3 is provided with an authentication-information generation section 41 and a transmission-frame generation section 42 and the like. The authentication-information generation section 41 and the transmission-frame generation section 42 may be configured as a function block of hardware or as a function block of software. The authentication-information generation section 41 generates authentication information using information to be transmitted to the other ECUs 3 and the key information 32a stored in the storage section 32. The transmission-frame generation section 42 generates a transmission frame (message) suitable for communication in this Embodiment based on information to be transmitted to the other ECUs 3 and authentication information generated by the authentication-information generation section 41. The transmission-frame generation section 42 provides the generated transmission frame to the CAN communication section 33 to transmit information to the other ECUs 3.
The storage section 52 is constructed from a non-volatile memory device such as a flash memory or an EEPROM which is data-rewritable. In this Embodiment, the storage section 52 stores a key-information table 52a containing key information of all ECUs 3 connected to the CAN bus.
The CAN communication section 53 communicates with the ECU 3 via the CAN bus according to the communications protocol of CAN. The CAN communication section 53 converts information for transmission provided from the processing section 51 to a transmission signal according to the communication protocol of CAN and outputs the converted signal to the CAN bus to transmit the information to the ECU 3. The CAN communication section 53 samples a potential of the CAN bus to obtain a signal outputted by the ECU 3 and converts this signal to binary information according to the communication protocol of CAN to receive information and then provide the received information to the processing section 51.
In this Embodiment, the processing section 51 of the monitoring device 5 is provided with an authentication-information determination section 61 and a transmission-information discard processing section 62 and the like. The authentication-information determination section 61 and the transmission-information discard processing section 62 may be configured as a function block of hardware or as a function block of software. The authentication-information determination section 61 determines whether or not authentication information contained in a transmission frame transmitted by the ECU 3 is right. The transmission-information discard processing section 62 causes each ECU 3 to discard this transmission frame when a fraudulent transmission frame is detected.
The communication system according to this Embodiment has a function for monitoring fraudulent information-transmission to the CAN bus.
The CRC field, the ACK field and the EOF are the same as those used in the conventional CAN protocol, therefore, the detail thereof is omitted. The CRC field stores information for detecting an error. The ACK field is a field for a reception response by the ECU 3 which receives this frame. The EOF is a specific bit string indicating an end of a field.
The frame according to this Embodiment is compatible with the conventional CAN protocol, but contains authentication information in a part thereof. The authentication information is information used by the monitoring device 5 to determine whether or not the frame is valid. The authentication-information generation section 41 of the ECU 3 generates authentication information by applying a keyed cryptographic process to the CAN header and data contained in a transmission frame using the key information 32a stored in the storage section 32. In this Embodiment, a message authentication code (MAC) of 256 bits is generated from the key information 32a of about 512 bits by using an HMAC (SHA-256) algorithm, for example. The transmission-frame generation section 42 of the ECU 3 adds the 256-bit MAC generated by the authentication-information generation section 41 to a transmission frame as authentication information and then provides the transmission frame to the CAN communication section 33 to transmit the frame to the other ECUs 3.
Note that in this Embodiment the ECU 3 which receives a frame shown in
The CAN communication section 33 of the ECU 3 outputs information of a plurality of bits which constitutes a transmission frame to the CAN bus in sequence from a CAN header side to an EOF side. The monitoring device 5 sequentially obtains information outputted to the CAN bus and when the monitoring device 5 obtains the information up to the CRC field of the transmission frame, the monitoring device 5 detects an error based on the information of the CRC field. When the transmission frame contains no error, the authentication-information determination section 61 of the monitoring device 5 determines right or wrong of authentication information contained in the transmission frame. The authentication-information determination section 61 obtains an ID from the received CAN header, refers to the key-information table 52a of the storage section 52 and obtains key information corresponding to the ID. The authentication-information determination section 61 generates authentication information based on the obtained key information, the received CAN header and data field, according to the same algorithm as the authentication-information generation section 41 of the ECU 3. The authentication-information determination section 61 compares the authentication information generated by itself with the authentication information contained in the transmission frame transmitted to the CAN bus, and determines that this transmission frame is valid when both pieces of authentication information coincide with each other. When both pieces of authentication information do not coincide with each other, the authentication-information determination section 61 determines that this transmission frame is not valid. Note that the authentication-information determination section 61 completes the determination process between output of a final bit of the CRC field of the transmission frame to the CAN bus and output of a final bit of the EOF to the CAN bus.
When the authentication-information determination section 61 determines that the transmission frame outputted to the CAN bus is not valid, the transmission-information discard processing section 62 of the monitoring device 5 causes the ECUs 3 connected to the CAN bus to discard this transmission frame. The transmission-information discard processing section 62 transmits an error frame to the CAN bus during the output period of the EOF of this transmission frame. Based on this error frame, all ECUs 3 connected to the CAN bus discard the fraudulent frame during reception.
The following explains the process to be performed by the ECU 3 and the monitoring device 5 of the communication system according to this Embodiment, using a flowchart.
The CAN communication section 33 of the ECU 3 starts transmission from the CAN header of the transmission frame. The CAN communication section 33 takes 1 bit from the not-yet-transmitted portion of the transmission frame and outputs a signal corresponding to that bit to the CAN bus (step S6). The CAN communication section 33 determines whether or not a factor interrupting the transmission process has occurred, such as a transmission stop due to arbitration, for example (step S7). When the interruption factor has occurred (S7: YES), the CAN communication section 33 performs an error process and the like (step S8) and terminates the information-transmission process. When the interruption factor has not occurred (S7: NO), the CAN communication section 33 determines whether or not output is completed for all bits of the provided transmission frame (step S9). When the output is not completed for all bits (S9: NO), the CAN communication section 33 returns the process to step S6 and outputs the next bit of the transmission frame. When the output is completed for all bits (S9: YES), the CAN communication section 33 terminates the information-transmission process.
The processing section 51 checks the CRC field of the information (transmission frame) provided from the CAN communication section 53 (step S24). The processing section 51 compares a CRC value calculated over the transmission frame from the CAN header through the authentication information with the value stored in the CRC field of the transmission frame to determine whether or not the transmission frame contains an error (step S25). When the transmission frame contains an error (S25: YES), the processing section 51 terminates the process. Note that when the transmission frame is determined to contain an error based on the CRC field, the other ECUs 3 make the same determination and this transmission frame is discarded by each ECU 3.
When the transmission frame contains no error (S25: NO), the authentication-information determination section 61 of the processing section 51 obtains an ID contained in the CAN header of the transmission frame (step S26). The authentication-information determination section 61 refers to the key-information table 52a of the storage section 52 based on the obtained ID to obtain key information corresponding to the ID (step S27). The authentication-information determination section 61 generates authentication information based on the CAN header and the data field of the obtained transmission frame as well as on the key information obtained at step S27, according to a predetermined algorithm (step S28). The authentication-information determination section 61 obtains authentication information from the transmission frame (step S29) and determines whether or not the obtained authentication information coincides with the authentication information generated at step S28 (step S30). When both pieces of authentication information coincide with each other (S30: YES), the processing section 51 terminates the process. When both pieces of authentication information do not coincide with each other (S30: NO), the transmission-information discard processing section 62 of the processing section 51 outputs an error frame to the CAN bus by the CAN communication section 53 (step S31) and terminates the process.
Then, the CAN communication section 33 obtains 1 bit of the EOF of the transmission frame outputted to the CAN bus (step S42). The CAN communication section 33 determines whether or not the obtained 1 bit is not the EOF but an error frame outputted by the monitoring device 5 (step S43). When the obtained 1 bit is the error frame (S43: YES), the CAN communication section 33 discards the frame received so far (step S44) and terminates the reception process.
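The frame generation on the ECU side and the monitoring device's check from step S24 to step S31, as one added example that is not the patent's own code. It follows the text in using a 256-bit HMAC (SHA-256) over the CAN header and data under a key of about 512 bits, and a key-information table indexed by the CAN ID; the byte layout of the frame, the CRC placement and the IDs and data are constructed assumptions for illustration. The behaviour for an ID with no entry in the key table is not specified by the text and is an editorial choice, marked as such in the code.

```python
# Added example (not the patent's own code): an ECU builds a frame carrying a
# 256-bit HMAC-SHA256 over the CAN header and data using its own ~512-bit key,
# and the monitoring device, holding a key table indexed by CAN ID, checks the
# CRC, recomputes the MAC and decides whether an error frame is needed.
# The byte layout (2-byte ID, 1-byte DLC, data, MAC, 2-byte CRC field) is a
# constructed illustration, not the patent's frame format.
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

MAC_LEN = 32          # 256-bit HMAC-SHA256 output
KEY_LEN = 64          # about 512 bits of key information per ECU
CRC15_POLY = 0x4599   # CAN's CRC-15 generator polynomial

def crc15(payload: bytes) -> int:
    """CAN CRC-15, computed bit by bit the way a controller shifts it."""
    crc = 0
    for byte in payload:
        for i in range(8):
            nxt = ((byte >> (7 - i)) & 1) ^ ((crc >> 14) & 1)
            crc = (crc << 1) & 0x7FFF
            if nxt:
                crc ^= CRC15_POLY
    return crc

def build_frame(can_id: int, data: bytes, key: bytes) -> bytes:
    """ECU side: authentication-information generation section 41 plus
    transmission-frame generation section 42. The MAC covers header and
    data; the CRC then covers everything from the header through the MAC."""
    assert 0 <= can_id < 0x800 and len(data) <= 8
    header = struct.pack(">HB", can_id, len(data))
    mac = hmac.new(key, header + data, hashlib.sha256).digest()
    body = header + data + mac
    return body + struct.pack(">H", crc15(body))

def parse_frame(frame: bytes) -> Tuple[int, bytes, bytes, bytes, int]:
    """Split a frame into ID, MAC-covered bytes, MAC, CRC-covered bytes, CRC."""
    can_id, dlc = struct.unpack(">HB", frame[:3])
    header, data = frame[:3], frame[3:3 + dlc]
    mac = frame[3 + dlc:3 + dlc + MAC_LEN]
    covered = frame[:3 + dlc + MAC_LEN]
    (crc,) = struct.unpack(">H", frame[len(covered):len(covered) + 2])
    return can_id, header + data, mac, covered, crc

class MonitoringDevice:
    """Monitoring device 5: key-information table 52a maps CAN ID -> key."""

    def __init__(self, key_table: Dict[int, bytes]):
        self.key_table = key_table

    def check(self, frame: bytes) -> str:
        """Steps S24-S31. Returns 'crc_error' (every ECU drops the frame by
        itself), 'valid' (nothing to do) or 'error_frame' (drive an error
        frame during the EOF so the ECUs discard the frame)."""
        can_id, authenticated, mac, covered, crc = parse_frame(frame)
        if crc15(covered) != crc:                 # S24/S25
            return "crc_error"
        key = self.key_table.get(can_id)          # S26/S27
        if key is None:
            # Editorial assumption: an ID with no key entry cannot belong to
            # a legitimate ECU, so it is treated like a failed MAC check.
            return "error_frame"
        expected = hmac.new(key, authenticated, hashlib.sha256).digest()  # S28
        if hmac.compare_digest(expected, mac):    # S29/S30, constant-time
            return "valid"
        return "error_frame"                      # S31

def demo() -> Tuple[str, str, str]:
    """Constructed scenario: a genuine frame, a frame from equipment that
    does not hold the shared key, and a genuine frame hit by a bit error."""
    keys = {0x123: os.urandom(KEY_LEN), 0x456: os.urandom(KEY_LEN)}
    monitor = MonitoringDevice(keys)
    genuine = build_frame(0x123, b"\x01\x02\x03", keys[0x123])
    unkeyed = build_frame(0x123, b"\x01\x02\x03", os.urandom(KEY_LEN))
    damaged = bytearray(genuine)
    damaged[4] ^= 0x01                            # flip one data bit
    return (monitor.check(genuine), monitor.check(unkeyed),
            monitor.check(bytes(damaged)))

if __name__ == "__main__":
    print(demo())  # ('valid', 'error_frame', 'crc_error')
```

Two details matter in practice: the MAC comparison uses a constant-time compare so that the monitoring device's timing does not leak how many MAC bytes matched, and the CRC is checked first, because a frame the CRC already rejects is dropped by every ECU on its own and needs no error frame from the monitoring device.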
When the obtained 1 bit is not the error frame (S43: NO), the CAN communication section 33 determines whether or not reception of the EOF is completed (step S45). When the reception of the EOF is not completed (S45: NO), the CAN communication section 33 returns the process to step S42 and continues the reception of the EOF. When the reception of the EOF is completed (S45: YES), the processing section 31 obtains necessary data from a data field of the frame received by the CAN communication section 33 (step S46), performs a process according to the obtained data (step S47) and terminates the process.
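The EOF phase of reception in steps S42 to S47, together with the error frame the monitoring device drives in step S31, as an added bit-level model that is not part of the patent. The EOF length of 7 recessive bits and an error flag of 6 dominant bits are taken from the classic CAN specification; whether the frame was judged valid is simply an input here, standing in for a MAC check that has already completed before the last CRC bit, as the text requires. The receiving ECU holds no key and never looks at the MAC.

```python
# Added example (not from the patent): a bit-level model of the EOF phase in
# steps S42-S47 together with the monitoring device's error frame (S31).
# The EOF length (7 recessive bits) and the error flag (6 dominant bits) are
# taken from the classic CAN specification; whether the frame was judged
# valid is an input here, standing in for a MAC check that has already
# finished before the last CRC bit, as the text requires.
from typing import List, Tuple

DOMINANT, RECESSIVE = 0, 1
EOF_BITS = 7
ERROR_FLAG_BITS = 6

def monitor_output(frame_valid: bool) -> List[int]:
    """Monitoring device 5 during the EOF slots: silent for a valid frame,
    otherwise it drives an error flag of dominant bits."""
    if frame_valid:
        return [RECESSIVE] * EOF_BITS
    return [DOMINANT] * ERROR_FLAG_BITS + [RECESSIVE] * (EOF_BITS - ERROR_FLAG_BITS)

def bus_eof(frame_valid: bool, monitor_present: bool = True) -> List[int]:
    """Wired-AND of the transmitter's recessive EOF and the monitor's output."""
    tx = [RECESSIVE] * EOF_BITS
    mon = monitor_output(frame_valid) if monitor_present else [RECESSIVE] * EOF_BITS
    return [DOMINANT if DOMINANT in (t, m) else RECESSIVE for t, m in zip(tx, mon)]

def receive_eof(bus_bits: List[int], buffered_data: bytes) -> Tuple[str, bytes]:
    """Receiving ECU 3, steps S42-S47. One EOF bit is sampled at a time; a
    dominant bit where the EOF must be recessive is an error frame, and the
    frame buffered so far is discarded. No key is needed on this side."""
    received = 0
    for bit in bus_bits:                       # S42: obtain one bit
        if bit == DOMINANT:                    # S43: error frame, not EOF
            return "discarded", b""            # S44
        received += 1
        if received == EOF_BITS:               # S45: EOF complete
            return "accepted", buffered_data   # S46/S47: data goes to the application
    return "incomplete", b""

def deliver(frame_valid: bool, buffered_data: bytes,
            monitor_present: bool = True) -> Tuple[str, bytes]:
    """End-to-end: bus level during the EOF, then the receiver's decision."""
    return receive_eof(bus_eof(frame_valid, monitor_present), buffered_data)

if __name__ == "__main__":
    print(deliver(True, b"\x10"))                          # ('accepted', b'\x10')
    print(deliver(False, b"\x10"))                         # ('discarded', b'')
    print(deliver(False, b"\x10", monitor_present=False))  # accepted: nobody checked
```

The third call is the point of the design: a receiver that holds no key cannot tell a fraudulent frame from a genuine one, so without a monitoring device on the bus the frame is accepted; with it present, the dominant error flag overwrites the transmitter's recessive EOF and every receiver discards the frame before the data reaches its application.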
The communication system according to this Embodiment having the above configuration connects the plurality of ECUs 3 and the monitoring device 5 to the common CAN bus. Each ECU 3 outputs to the CAN bus by the CAN communication section 33 a transmission frame in which authentication information is added to data to be transmitted to the other ECUs 3, to transmit information to the other ECUs 3. Note that in this Embodiment the ECU 3 which receives a frame from the other ECU 3 does not need to determine right or wrong of authentication information contained in the received frame. The monitoring device 5 monitors the transmission of a frame to the CAN bus, obtains the frame when the frame is transmitted, and determines right or wrong of authentication information contained in the obtained frame. When the authentication information is right, the monitoring device 5 does not need to perform any process for this frame. When the authentication information is not right, there is a possibility that the transmission frame is a fraudulent frame transmitted by the malicious equipment 100, and therefore the monitoring device 5 causes the ECUs 3 to discard this transmission frame. This can prevent a fraudulent frame from being received by each ECU 3, without determining right or wrong of authentication information by each ECU 3.
In this Embodiment, in order to cause each ECU 3 to discard a transmission frame, the monitoring device 5 outputs an error frame to the CAN bus before a final bit of an EOF of the transmission frame is outputted to the CAN bus. For this reason, each ECU 3 stops reception of this transmission frame and discards the transmission frame.
In this Embodiment, the monitoring device 5 and the ECUs 3 share key information, generate authentication information and determine it. For this reason, malicious equipment 100 not holding key information cannot generate authentication information and then the monitoring device 5 can more reliably prevent transmission of a fraudulent frame.
In this Embodiment, the plurality of ECUs 3 connected to the CAN bus hold different pieces of key information, respectively. This can reduce the negative effect of an incident such as leakage of key information. Each ECU 3 does not need to determine right or wrong of authentication information contained in a transmission frame of the other ECU 3, and therefore each ECU 3 does not need to hold key information of the other ECUs 3. In contrast, the monitoring device 5 holds key information for all ECUs 3 and manages the key information in the storage section 52 as the key-information table 52a. The monitoring device 5 can determine the ECU 3 which is the transmission source based on the ID contained in a transmission frame and read the corresponding key information from the key-information table 52a to determine right or wrong of authentication information contained in the transmission frame.
Note that although in this Embodiment the ECUs 3 and the monitoring device 5 communicate with each other according to the CAN protocol, the configuration is not limited to this, and the ECUs 3 and the monitoring device 5 may communicate with each other according to a protocol other than the CAN protocol. Moreover, although in this Embodiment the communication system mounted in the vehicle 1 is explained as an example, the communication system is not limited to being mounted in the vehicle 1 and may be mounted in a movable body such as an airplane or a ship. The communication system may also be arranged in a factory, an office or a school etc. instead of a movable body. Moreover, the configuration of the frame illustrated in this Embodiment is one example and is not limited to this. Moreover, instead of arranging a separate monitoring device 5 in the communication system, any one of the ECUs 3 may have the monitoring function of the monitoring device 5 according to this Embodiment. Any method may be adopted for sharing key information among the ECUs 3 and the monitoring device 5. Moreover, the cryptographic process performed by the ECUs 3 and the monitoring device 5 using key information may follow any algorithm. Moreover, although the processing section 51 performs the generation process of authentication information and the discard process of a transmission frame and the like, it is not limited to this, and the CAN communication section 53 may perform a part or all of these processes.
Number | Date | Country | Kind |
---|---|---|---|
2014-144038 | Jul 2014 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2015/068452 | 6/26/2015 | WO | 00 |