This application is based upon and claims the benefit of priority from prior Japanese Patent Application No. 2012-108548, filed on May 10, 2012, the entire contents of which are incorporated herein by reference.
The present invention relates to an electronic key registration system that registers an electronic key to a communication subject.
In an electronic key system for a vehicle, an electronic key is registered to a controller that is installed in the vehicle. An electronic key includes, for example, a key ID or encryption key that is registered in advance to the controller. Japanese Laid-Open Patent Publication Nos. 7-61328, 2003-148018, and 2004-107959 describe examples of electronic key registration systems.
The inventors of the present invention are attempting to improve technology for reducing or obviating unauthorized registration of electronic keys and unauthorized rewriting of electronic key information registered to the controller.
It is an object of the present invention to provide an electronic key registration system that reduces or obviates unauthorized registration of electronic keys and unauthorized rewriting of electronic key information registered to the controller.
One aspect of the present invention is an electronic key registration system that registers a key ID and an encryption key of an electronic key to a controller installed in a communication subject that communicates with the electronic key through wireless connection. The electronic key registration system includes a monitoring unit that monitors whether or not registration of the electronic key is attempted in a certain permissible period. A registration invalidation unit prohibits registration of the electronic key to the communication subject when the permissible period expires.
Other aspects and advantages of the present invention will become apparent from the following description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.
The invention, together with objects and advantages thereof, may best be understood by reference to the following description of the presently preferred embodiments together with the accompanying drawings in which:
An electronic key registration system according to one embodiment of the present invention will now be described.
Referring to
A verification ECU 4 receives and verifies the electronic key ID. The verification ECU 4 is connected to a bus 7 in the vehicle 1. A body ECU 5, which manages the power supplied to electronic components of the vehicle 1, and an engine ECU 6, which controls the engine, may be connected to the bus 7. The verification ECU 4 includes a memory 4a. The memory 4a stores the electronic key IDs of registered electronic keys, encryption keys Kcr (key-1, key-2, and so on), an in-vehicle device ID (vehicle ID) that is an ID unique to the vehicle 1, and the like. The encryption keys Kcr are associated with the electronic key IDs. For example, when a plurality of electronic keys are registered to the vehicle 1, multiple sets of the electronic key IDs and the encryption keys Kcr are stored in the memory 4a. The verification ECU 4 is connected to one or more communication devices. In the example of
The electronic key 2 includes a key controller 11 that controls the electronic key 2. The key controller 11 includes a memory 11a that stores the electronic key ID, the in-vehicle device ID, and an encryption key Kcr. The key controller 11 is connected to an LF receiver 12 that receives LF radio waves, a UHF transmitter 13 that transmits UHF radio waves, and an LF transmitter 14 that transmits LF radio waves.
When the vehicle 1 is parked (e.g., vehicle doors locked and engine stopped), the vehicle exterior LF transmitter 8 transmits wake signals Swk in predetermined intervals to the vehicle exterior communication area located several meters from the vehicle 1 and performs vehicle exterior smart communication. When the electronic key 2 is in the vehicle exterior communication area, the wake signal Swk activates the electronic key 2. Then, the electronic key 2 transmits an acknowledgement signal Sack1 to the vehicle 1 from the UHF transmitter 13. When the UHF receiver 9 of the vehicle 1 receives the acknowledgement signal Sack1, the verification ECU 4 transmits an in-vehicle device ID signal Svi from the vehicle exterior LF transmitter 8. Upon receipt of the in-vehicle device ID signal Svi, the electronic key 2 verifies the in-vehicle device ID. When the electronic key 2 accomplishes verification of the vehicle device ID, the electronic key 2 transmits an acknowledgement signal Sack2 to the vehicle 1.
Then, the verification ECU 4 transmits a challenge Sch to the electronic key 2 from the vehicle exterior LF transmitter 8 to perform challenge-response verification. The challenge Sch includes a challenge code and a key number. The challenge code is changed for each transmission. The key number indicates the number of the electronic key 2 in order of registration to the vehicle 1. Upon receipt of the challenge Sch, the electronic key 2 first performs key number verification. When the key number is verified, the electronic key 2 performs a calculation with the received challenge code and the encryption key Kcr of the electronic key 2 to generate a response code. The electronic key 2 then transmits a response Srs, including the response code and the electronic key ID of the electronic key 2, to the vehicle 1 from, for example, the UHF transmitter 13. In the same manner as the electronic key 2, upon receipt of the response Srs from the electronic key 2, the verification ECU 4 of the vehicle 1 performs a calculation with the received challenge code and the encryption key Kcr of the electronic key 2 to generate a response code. Then, the verification ECU 4 uses the generated response code to verify the response code received from the electronic key 2 (response verification). Further, the verification ECU 4 determines whether or not the electronic key ID from the electronic key 2 is correct (electronic key ID verification). When the response verification and the electronic key ID verification are both accomplished, the verification ECU 4 determines that smart verification (vehicle external smart verification) has been accomplished and permits or performs locking or unlocking of the vehicle doors with the body ECU 5.
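The challenge-response exchange described above, as an added Python example that is not code from the patent. The page does not specify the response calculation, so HMAC-SHA256 truncated to 8 bytes is assumed; the class names, the 8-byte challenge length and the Kcr values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def response_code(challenge_code: bytes, kcr: bytes) -> bytes:
    # Assumption: the "calculation" with challenge code and Kcr is HMAC-SHA256,
    # truncated to 8 bytes. The page does not name the algorithm.
    return hmac.new(kcr, challenge_code, hashlib.sha256).digest()[:8]


class ElectronicKey:
    def __init__(self, key_number: int, key_id: str, kcr: bytes):
        self.key_number, self.key_id, self.kcr = key_number, key_id, kcr

    def respond(self, challenge):
        """Build the response Srs, or stay silent if the key number is not ours."""
        challenge_code, key_number = challenge
        if key_number != self.key_number:  # key number verification
            return None
        return response_code(challenge_code, self.kcr), self.key_id


class VerificationECU:
    def __init__(self, registered):
        # Memory 4a: (electronic key ID, Kcr) sets in order of registration.
        self.registered = registered
        self.pending = None

    def challenge(self, key_number: int):
        """Build the challenge Sch: a fresh challenge code plus the key number."""
        self.pending = (secrets.token_bytes(8), key_number)
        return self.pending

    def verify(self, response) -> bool:
        # Each challenge is consumed by one verification attempt.
        pending, self.pending = self.pending, None
        if pending is None or response is None:
            return False
        challenge_code, key_number = pending
        key_id, kcr = self.registered[key_number - 1]
        received_code, received_id = response
        # Response verification and electronic key ID verification must both pass.
        response_ok = hmac.compare_digest(
            received_code, response_code(challenge_code, kcr))
        id_ok = hmac.compare_digest(received_id.encode(), key_id.encode())
        return response_ok and id_ok


def run_demo():
    k1, k2 = bytes(range(16)), bytes(range(16, 32))  # constructed Kcr values
    ecu = VerificationECU([("ID-1", k1), ("ID-2", k2)])
    genuine = ElectronicKey(1, "ID-1", k1)
    results = {}

    first = genuine.respond(ecu.challenge(1))
    results["genuine"] = ecu.verify(first)

    # The challenge code changes for each transmission, so an old response
    # does not verify against a new challenge.
    ecu.challenge(1)
    results["replayed"] = ecu.verify(first)

    wrong_kcr = ElectronicKey(1, "ID-1", bytes(16))
    results["wrong_kcr"] = ecu.verify(wrong_kcr.respond(ecu.challenge(1)))

    # Challenge addressed to key number 2: key number 1 does not answer.
    results["wrong_number"] = ecu.verify(genuine.respond(ecu.challenge(2)))

    wrong_id = ElectronicKey(1, "ID-2", k1)
    results["wrong_id"] = ecu.verify(wrong_id.respond(ecu.challenge(1)))
    return results


if __name__ == "__main__":
    print(run_demo())
```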
When, for example, a courtesy switch (not shown) detects the entrance of a driver into the vehicle 1, the verification ECU 4 transmits a wake signal Swk to the vehicle interior communication area from the vehicle interior LF transmitter 8 and starts in-vehicle smart communication. Preferably, the vehicle interior communication area is formed to extend throughout the entire interior of the vehicle 1. The electronic key 2 that has received the wake signal Swk in the vehicle 1 performs vehicle interior smart verification with the verification ECU 4. When vehicle interior smart verification is accomplished, the verification ECU 4 permits power and engine-related operations with an engine switch 15.
The immobilizer system performs wireless communication between the vehicle 1 and the electronic key 2 within a short distance (e.g., communication distance of approximately ten centimeters) to verify the electronic key 2. The electronic key 2 may be driven by induced power generated from immobilizer system radio waves (e.g., LF radio waves) transmitted from the vehicle 1. This allows the electronic key 2 to perform immobilizer system communication without a power supply. The short-distance wireless communication may be performed, for example, in compliance with a communication standard such as the near-field communication (NFC) standard.
An electronic key registration system 16 that registers the electronic key 2 to the vehicle 1 will now be described. As shown in
Referring to
The initial registration will now be described with reference to
The information center 20 includes an in-vehicle device database 21 and an electronic key database 22. The in-vehicle device database 21 stores the in-vehicle device ID in association with an electronic key for each vehicle 1 (verification ECU 4). The electronic key database 22 stores an electronic key ID, an encryption key Kcr, and a SEED code in association with one another for each electronic key 2.
In the SEED registration technique, the electronic key 2a transmits the SEED code SC-1 to generate an encryption key Kcr “key-1” that is to be registered for the initially registered electronic key 2a. For example, the verification ECU 4 registers an electronic key ID “ID-1” that is received from the electronic key 2a. The verification ECU 4 performs a computation with the SEED code SC-1 received from the electronic key 2a and the encryption key generation logic f to generate the encryption key “key-1”. Then, the verification ECU 4 registers the generated encryption key “key-1” to the vehicle 1. After the SEED code SC-1 is transmitted to the vehicle 1, the SEED code SC-1 is deleted from the memory 11a of the electronic key 2a. The electronic key 2a receives an in-vehicle ID “ID-A” from the vehicle 1 and stores the in-vehicle ID in the memory 11a during the initial registration. When the registration of the electronic key 2a is completed, the verification ECU 4 switches an initial registration flag from “permit” to “prohibit”, thereby prohibiting subsequent initial registration.
After the registration of the electronic key 2a to the vehicle 1 is completed, the in-vehicle device database 21 and the electronic key database 22, which are managed by the information center 20, are updated. For an initial registration, the registration tool 19 is not connected to the information center 20 in real time. Thus, after the initial registration is completed, the registration tool 19 is connected to the information center 20 at a certain time to update the in-vehicle device database 21 and the electronic key database 22.
The additional registration will now be described with reference to
When online registration is performed, the registration tool 19 accesses the information center 20, obtains various types of data required to register the additional electronic key 2b to the vehicle 1, and registers the additional electronic key 2b to the vehicle 1 using the obtained data. In this case, an in-vehicle device center key Kvc used for the additional registration of the electronic key 2b is registered to the memory 4a of the verification ECU 4. The vehicle 1 and the information center 20 both use the in-vehicle device center key Kvc, which is an encryption key, during key registration. Each verification ECU 4 (vehicle 1) is assigned with a different in-vehicle device center key Kvc. The in-vehicle device center key Kvc is an encryption key that is in compliance with, for example, the Advanced Encryption Standard (AES).
In the example of
During online registration, when the verification ECU 4 receives an additional registration command for the electronic key 2b from the registration tool 19, the verification ECU 4 obtains the electronic key ID “ID-2” from the electronic key 2b and stores the electronic key ID in the memory 4a. Further, the verification ECU 4 sends a SEED generation request to the information center 20 through the registration tool 19 to request generation of the SEED code for the electronic key 2b that is the registration subject. The SEED generation request includes the electronic key ID “ID-2” received from the electronic key 2b and the in-vehicle device ID “ID-A” assigned to the vehicle 1. The information center 20 refers to the in-vehicle device database 21, locates the encryption key “key-2” corresponding to the electronic key ID “ID-2”, and performs a computation using “key-2” and “key-A” to generate the SEED code of “SC-A2”. The information center 20 provides the generated SEED code “SC-A2” to the verification ECU 4 through the registration tool 19. The verification ECU 4 performs a decoding computation with the SEED code “SC-A2” obtained from the information center 20 and the in-vehicle device center key “key-A” held by the verification ECU 4 to generate the encryption key “key-2”. Then, the verification ECU 4 stores the encryption key “key-2” in the memory 4a. Further, the electronic key 2b stores the in-vehicle device ID “ID-A” received from the vehicle during the additional registration in the memory 11a.
The information center 20 stores the electronic key ID “ID-2” for the additionally registered electronic key 2b included in the SEED generation request. In this regard, the SEED generation request is received from the registration tool 19 on the key ID row in the in-vehicle device database 21. Further, after sending the SEED code “SC-A2” to the registration tool 19, the information center 20 stores the encryption key “key-2” for the electronic key 2b on the encryption key row in the in-vehicle device database 21.
During offline registration, the registration tool 19 registers the electronic key 2b to the vehicle 1 without accessing the information center 20. A SEED code “SC-A3”, which is encoded with the in-vehicle device center key Kvc, is stored in advance in the memory 11a of the electronic key 2b used for offline registration. Further, a serviceman sends a physical order, which includes the in-vehicle device ID, to the information center 20 in advance. Then, the serviceman or dealer receives the additional electronic key 2b from the information center 20 in response.
Further, during offline registration, when receiving an additional registration command for the electronic key 2b from the registration tool 19, the verification ECU 4 obtains the electronic key ID of “ID-3” and the SEED code of “SC-A3” from the additional electronic key 2b. The verification ECU 4 stores the electronic key ID of “ID-3” obtained from the electronic key 2b in the memory 11a. The verification ECU 4 also performs a decoding computation with the SEED code “SC-A3”, which is obtained from the electronic key 2b, and the in-vehicle device center key “key-A”, which is held by the verification ECU 4, to generate an encryption key “key-3”. The verification ECU 4 then stores the encryption key “key-3” in the memory 4a.
The electronic key registration system 16 includes a monitoring unit and a registration invalidation unit. The monitoring unit monitors whether or not electronic key registration has been attempted during a certain permissible period. The registration invalidation unit prohibits registration of the electronic key 2 to the vehicle 1 when the permissible period ends. The monitoring unit measures an elapsed time Tx from when the electronic key 2 or the verification ECU 4 is manufactured to monitor whether the elapsed time Tx measured when electronic key registration is attempted is in the permissible period. In accordance with the monitoring result of the monitoring unit, the registration invalidation unit prohibits registration with the electronic key 2 when the measured elapsed time Tx is not in the permissible period. In the example of
The verification ECU 4 includes a monitoring unit 23 that monitors the elapsed time Tx from when the verification ECU 4 is manufactured. Further, the verification ECU 4 includes a registration invalidation unit 25 that validates or invalidates key registration in accordance with the monitoring result of the monitoring unit 23.
The monitoring unit 23 may hold a threshold R that indicates the permissible registration period during which registration of the electronic key 2 to the verification ECU 4 is permitted. The monitoring unit 23 may include a timer 24 that measures the elapsed time Tx from when the verification ECU 4 is manufactured. The monitoring unit 23 monitors whether or not the elapsed time measured by the timer 24 has exceeded the threshold R. When manufacturing of the verification ECU 4 is completed and the timer 24 receives a count start signal from an external device, the timer 24 starts to measure time. In the preferred example, the monitoring unit 23 includes a first threshold Ra, which indicates the permissible period for initial registration, and a second threshold Rb, which indicates the permissible period for additional registration. In the preferred example, the first threshold Ra is set for a relatively short permissible registration period, and the second threshold Rb (>Ra) is set for a relatively long permissible registration period. The monitoring unit 23 provides the registration invalidation unit 25 with an initial registration invalidation request when the elapsed time Tx exceeds the first threshold Ra. Further, the monitoring unit 23 provides the registration invalidation unit 25 with an additional registration invalidation request when the elapsed time Tx exceeds the second threshold Rb. In one example, the threshold R (Ra and Rb) is at least one value indicating when the permissible registration period ends. The threshold R (Ra and Rb) indicating the permissible registration period may be stored in the memory 4a.
When an initial registration invalidation request is received from the monitoring unit 23, the registration invalidation unit 25 invalidates an initial registration performed by the verification ECU 4. In the present example, the registration invalidation unit switches the initial registration flag from “permit” to “prohibit” thereby prohibiting the initial registration. Further, when an additional registration invalidation request is received from the monitoring unit 23, the registration invalidation unit 25 invalidates an additional registration performed by the verification ECU 4. In the present example, the registration invalidation unit switches the initial registration flag from “permit” to “prohibit” thereby prohibiting the additional registration.
The key controller 11 of the electronic key 2 also includes a monitoring unit 26 and a registration invalidation unit 28 like the verification ECU 4. The monitoring unit 26 may hold a threshold K that indicates the permissible registration period. The monitoring unit 26 may include a timer 27 that measures the elapsed time Tx from when the electronic key 2 is manufactured. The monitoring unit 26 compares the elapsed time Tx, which is measured by the timer 27, with the threshold K. The monitoring unit 26 provides the registration invalidation unit 28 with an initial registration invalidation request when the elapsed time Tx exceeds a first threshold Ka. Further, the monitoring unit 26 provides the registration invalidation unit 28 with an additional registration invalidation request when the elapsed time Tx exceeds a second threshold Kb (>Ka). In one example, the threshold K (Ka and Kb) includes at least one value that indicates when the permissible registration period ends. The threshold R (Ra and Rb) that indicates the permissible registration period may be stored in the memory 11a.
When an initial registration invalidation request is received from the monitoring unit 26, the registration invalidation unit 28 invalidates an initial registration performed by the electronic key 2. For example, when registration of the electronic key 2 is invalidated, the electronic key 2 does not perform initial registration even when an initial registration request is received from the verification ECU 4. Further, when an additional registration invalidation request is received from the monitoring unit 26, the registration invalidation unit 28 invalidates an additional registration performed by the electronic key 2. For example, when registration of the electronic key 2 is invalidated, the electronic key 2 does not perform additional registration even when an additional registration request is received from the verification ECU 4. The initial registration request and the additional registration request may each be, for example, a command from the verification ECU 4 to the electronic key 2 requesting the electronic key ID or the like.
An initial registration of an electronic key will now be described.
Referring to
The monitoring unit 26 of the electronic key 2 monitors the elapsed time Tx measured by the timer 27. When the elapsed time Tx exceeds the first threshold Ka, the monitoring unit 26 provides the registration invalidation unit 28 with an initial registration invalidation request. When receiving the initial registration invalidation request from the monitoring unit 26, the registration invalidation unit 28 prohibits initial registration with the electronic key 2 (registration unit 18). In this case, the electronic key 2 does not perform an initial registration even when an initial registration request is received from the verification ECU 4.
Further, when the elapsed time Tx exceeds the second threshold Kb, the monitoring unit 26 provides the registration invalidation unit 28 with an additional registration invalidation request. When receiving the additional registration invalidation request from the monitoring unit 26, the registration invalidation unit 28 prohibits additional registration with the electronic key 2 (registration unit 18). In this case, the electronic key 2 does not perform an additional registration even when an additional registration request is received from the verification ECU 4.
An example shown in
The monitoring unit 23 of the verification ECU 4 measures the elapsed time Tx from when the vehicle 1 is manufactured with the timer 24. When the elapsed time Tx exceeds the first threshold Ra, the monitoring unit 23 provides the registration invalidation unit 25 with the initial registration invalidation request. When receiving the initial registration invalidation request from the monitoring unit 23, the registration invalidation unit 25 switches the initial registration flag from “permit” to “prohibit” and prohibits initial registration with the verification ECU 4 (registration unit 17). In this case, the verification ECU 4 does not perform initial registration even when an initial registration request is received from the registration tool 19.
When the elapsed time Tx exceeds the second threshold value Rb, the monitoring unit 23 provides the registration invalidation unit 25 with the additional registration invalidation request. When receiving the additional registration invalidation request from the monitoring unit 23, the registration invalidation unit 25 switches the additional registration flag from “permit” to “prohibit” and prohibits additional registration with the verification ECU 4 (registration unit 17). In this case, the verification ECU 4 does not perform additional registration even when an additional registration request is received from the registration tool 19.
The thresholds R and K may be referred to as time period values indicating the time period during which the key ID of the electronic key 2 may be registered. The monitoring units and the registration invalidation units may be referred to as time-limited registration circuits that permit registration of an electronic key for only a limited time period.
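An added Python model, not code from the patent, of the time-limited registration circuits in both the verification ECU (thresholds Ra, Rb) and the electronic key (thresholds Ka, Kb), covering initial registration and offline additional registration. The threshold values in days, the secret values, the result strings, and `seed_xor` (an XOR stand-in for both the generation logic f and the decoding computation with Kvc) are assumptions made for illustration.

```python
import hashlib

PERMIT, PROHIBIT = "permit", "prohibit"


def seed_xor(data: bytes, secret: bytes) -> bytes:
    """Stand-in for encoding/decoding a SEED code (assumption, not AES):
    XOR with a SHA-256 keystream, so the same call encodes and decodes."""
    stream = hashlib.sha256(secret).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class TimeLimitedGate:
    """Monitoring unit plus registration invalidation unit
    (units 23/25 in the verification ECU, 26/28 in the electronic key)."""

    def __init__(self, first_threshold: int, second_threshold: int):
        if not first_threshold < second_threshold:
            raise ValueError("Rb must exceed Ra (and Kb must exceed Ka)")
        self.limits = {"initial": first_threshold, "additional": second_threshold}
        self.flags = {"initial": PERMIT, "additional": PERMIT}
        self.tx = 0  # elapsed time Tx since manufacture; days are an assumed unit

    def advance(self, days: int) -> None:
        """Timer tick: raise an invalidation request once Tx exceeds a threshold."""
        self.tx += days
        for kind, limit in self.limits.items():
            if self.tx > limit:
                self.invalidate(kind)

    def invalidate(self, kind: str) -> None:
        self.flags[kind] = PROHIBIT  # the flag only moves from permit to prohibit

    def permits(self, kind: str) -> bool:
        return self.flags[kind] == PERMIT


class ElectronicKey:
    def __init__(self, key_id: str, seed_code: bytes, ka: int, kb: int):
        self.key_id, self.seed_code = key_id, seed_code
        self.gate = TimeLimitedGate(ka, kb)

    def on_registration_request(self, kind: str):
        """Answer with (key ID, SEED code), or stay silent once invalidated."""
        if not self.gate.permits(kind):
            return None
        return self.key_id, self.seed_code


class VerificationECU:
    def __init__(self, logic_f: bytes, kvc: bytes, ra: int, rb: int):
        self.secrets = {"initial": logic_f, "additional": kvc}
        self.gate = TimeLimitedGate(ra, rb)
        self.memory_4a = {}  # electronic key ID -> encryption key Kcr

    def register(self, kind: str, key: ElectronicKey) -> str:
        if not self.gate.permits(kind):
            return "ecu-prohibited"
        reply = key.on_registration_request(kind)
        if reply is None:
            return "key-refused"
        key_id, seed_code = reply
        self.memory_4a[key_id] = seed_xor(seed_code, self.secrets[kind])
        if kind == "initial":
            self.gate.invalidate("initial")  # no further initial registration
        return "registered"


def run_timeline():
    logic_f, kvc = b"constructed-logic-f", b"constructed-key-A"
    key_1, key_2 = bytes(range(16)), bytes(range(16, 32))  # constructed Kcr values
    ecu = VerificationECU(logic_f, kvc, ra=30, rb=365)
    outcomes = []

    ecu.gate.advance(10)  # Tx = 10, inside both permissible periods
    first = ElectronicKey("ID-1", seed_xor(key_1, logic_f), ka=30, kb=365)
    outcomes.append(ecu.register("initial", first))
    spare = ElectronicKey("ID-9", seed_xor(key_1, logic_f), ka=30, kb=365)
    outcomes.append(ecu.register("initial", spare))  # flag switched on completion

    ecu.gate.advance(90)  # Tx = 100: past Ra, still before Rb
    stale = ElectronicKey("ID-8", seed_xor(key_2, kvc), ka=30, kb=365)
    stale.gate.advance(400)  # this key's own Tx is past Kb
    outcomes.append(ecu.register("additional", stale))
    second = ElectronicKey("ID-2", seed_xor(key_2, kvc), ka=30, kb=365)
    outcomes.append(ecu.register("additional", second))

    ecu.gate.advance(300)  # Tx = 400: past Rb
    late = ElectronicKey("ID-3", seed_xor(key_2, kvc), ka=30, kb=365)
    outcomes.append(ecu.register("additional", late))
    return outcomes, ecu.memory_4a
```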
The above embodiment has the advantages described below.
(1) The registration of the electronic key 2 to the verification ECU 4 is permitted only during the permissible period for key registration. When the permissible period expires, the electronic key 2 cannot be registered to the verification ECU 4. This reduces or obviates unauthorized registration of the electronic key 2. Further, the registration of a correct electronic key is performed, for example, on a manufacturing line before the electronic key and the vehicle are shipped out of a factory. Thus, there would be no inconveniences caused by the setting of the permissible period.
(2) The initial registration of the electronic key 2 is performed in accordance with the SEED code technique that provides a time limit to the registration. For example, during electronic key registration, the electronic key 2 sends a SEED code, generated by encoding an encryption key, to the verification ECU 4. The verification ECU 4 registers the encryption key generated by decoding the SEED code. The encryption key is not sent to the verification ECU 4 from the electronic key 2. Thus, the SEED code technique has a high level of confidentiality. This reduces or obviates unauthorized registration of the electronic key 2.
(3) The elapsed time Tx is measured from when the electronic key 2 or the verification ECU 4 is manufactured. When the elapsed time Tx exceeds the thresholds K and R, electronic key registration is prohibited. Since the elapsed time Tx is measured with high accuracy, the timing for prohibiting electronic key registration is optimally set with high accuracy.
(4) The initial registration thresholds Ka and Ra and the additional registration thresholds Kb and Rb may be set separately. Thus, the permissible period for initial registration may differ from the permissible period for additional registration.
(5) The electronic key 2 and the verification ECU 4 each include a monitoring unit and a registration invalidation unit. Thus, even when the electronic key 2 or the verification ECU 4 is stolen, the stolen electronic key 2 or stolen verification ECU 4 cannot be registered after the permissible period expires. This hinders unauthorized use of the stolen electronic key 2 or stolen verification ECU 4.
(6) The registration invalidation units 25 and 28 set flags prohibiting electronic key registration based on the elapsed time Tx measured by the timers 24 and 27 from when the electronic key 2 and the verification ECU 4 are manufactured. This allows for accurate switching to a condition prohibiting electronic key registration.
It should be apparent to those skilled in the art that the present invention may be embodied in many other specific forms without departing from the spirit or scope of the invention. Particularly, it should be understood that the present invention may be embodied in the following forms.
The elapsed time Tx from manufacturing does not have to be measured by the timers 24 and 27. Instead, an initial value may be decremented from the present time. Referring to
A monitoring unit may recognize when registration is performed from a time signal provided by an external device. In this case, the timers 24 and 27 may be omitted. This reduces power consumption for driving timers.
The determination of whether or not a key registration is performed during a permissible period does not have to be based on the measurements of the timers 24 and 27 or the manufacturing data Dtm.
In the preferred example, the measurement of the elapsed time Tx starts from when the electronic key 2 or the verification ECU 4 is manufactured. Instead, the measurement of the elapsed time Tx may start from a different incident.
As long as the encryption key generation code is generated by encrypting the encryption key Kcr, the encryption key generation code is not limited to a SEED code.
The encryption communication used for ID verification is not limited to challenge response verification, and different encryption verifications may be employed.
In the preferred example, the threshold K and the threshold R are different values. However, the threshold K and the threshold R may be the same value.
In the preferred example, the threshold K takes a different value for initial registration and additional registration but may take the same value. The same applies for the threshold R.
The invalidation unit may be arranged in only one of the verification ECU 4 and the electronic key 2.
The invalidation unit may be arranged in a plurality of ECUs in the vehicle, such as the verification ECU 4 and a steering wheel lock ECU.
In the preferred example, the key registration registers both of the electronic key ID and the encryption key Kcr. However, the key registration may register only one of the electronic key ID and the encryption key Kcr.
The communication between the vehicle 1 and the registration tool 19 does not have to be performed through wired connection and may be performed through a wireless connection.
Registration invalidation does not have to be achieved by switching the initial registration flag or the additional registration flag of the verification ECU 4 or by disabling registration with the electronic key 2. Registration invalidation may be achieved through other schemes.
The vehicle 1 and the electronic key 2 do not have to communicate with the information center 20 through the registration tool 19. For example, the vehicle 1 and the electronic key 2 may be provided with a network communication function so that the vehicle 1 and the electronic key 2 directly communicate with the information center 20.
The electronic key registration system 16 does not have to use a SEED code to perform registration. The registration may be performed in any manner as long as the electronic key 2 may be registered to the verification ECU 4 (vehicle 1).
The electronic key registration system 16 does not have to use the registration tool 19 and may be configured by, for example, the vehicle 1, the electronic key 2, and the information center 20.
The electronic key registration system 16 is not limited to a system that performs both initial registration and additional registration. The electronic key registration system 16 may be a system that performs only one of initial registration and additional registration.
The electronic key registration system 16 is not limited to the vehicle 1 and is applicable to other devices and apparatuses.
The controller is not limited to the verification ECU 4 and may be another ECU such as a steering wheel lock ECU that manages the operation of an electric steering wheel lock.
A plurality of keys may be registered during initial registration.
Online registration does not have to be performed as illustrated in the above embodiment. For example, the electronic key ID may be registered to the electronic key 2 via the vehicle 1 from the registration tool 19.
The encryption key Kcr does not have to be stored in advance in the electronic key 2. For example, a center key associated with the electronic key and the information center 20 may be registered to the electronic key 2 and the information center 20, and the encryption key Kcr may be encoded with the center key for transmission.
The present examples and embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalence of the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
2012-108548 | May 2012 | JP | national |