In the case of transmitting a valuable data to an opposite party, it is generally necessary to authenticate that equipment of the communicating party is legitimate. It is also necessary that the data on a communications path is kept secret from a third party, and protected from tampering or wrongful alteration on the communications path. An automated electronic toll collection (i.e., an electronic toll collection, which will be hereinafter referred to as “ETC”) system on a highway using wireless communications is a typical example that requires such feature of communications security.
The system executes a toll collection for a highway by means of communications between onboard equipment installed in an automobile and roadside equipment provided at a gate of a tollbooth. In this instance, the onboard equipment and the roadside equipment respectively imply user-end equipment and system-end equipment. The onboard equipment is provided with a removable IC card. The IC card has a function of prepaid card, and it is imprinted with information of a cash balance beginning with a given amount (e.g. 10,000 yen).
At a gate of a highway entrance (hereinafter referred to as “entrance gate”), the onboard equipment transmits information of an ID number of the onboard equipment to the roadside equipment, and the roadside equipment transmits to the onboard equipment information of an entry (such as a gate number and time of the entry), which is recorded in the IC card.
At a gate of a highway exit (hereinafter referred to as “exit gate”), on the other hand, the onboard equipment transmits the entry information and cash balance information to another roadside equipment, so that the roadside equipment computes a toll charge of the highway according to the entry information. The roadside equipment revises the cash balance by subtracting the toll charge from the previous cash balance, and transmits the balance information to the onboard equipment. The roadside equipment makes a transaction for unsettled payment, if the cash balance is short of the toll charge.
Settlement for the toll charge of highway with wireless communications in the foregoing manner is intended to reduce traffic congestion at entrance and exit gates. It is anticipated that there are several millions of onboard equipment, and several thousands of roadside equipment in one system.
In order for the system to operate successfully, the following security problems must be cleared, in addition to achieving infallible high-speed wireless communications.
First, the roadside equipment must authenticate that individual onboard equipment is legitimate. It must make an immediate determination of forgery for any communications made with counterfeit onboard equipment or a forged IC card, so as to take a countermeasure such as closing the gate or recording a vehicle license number. On the other hand, it is also necessary for the onboard equipment to authenticate that the roadside equipment is legitimate. Even if someone has attempted to obtain an economical gain by making a communications to the onboard equipment with counterfeit roadside equipment, and rewriting information in an IC card with a toll charge for a shorter section than what it should be, the onboard equipment must be so designed that such attempt shall fail.
Further, the system shall be such that communications between the onboard equipment and the roadside equipment is not intercepted by a third party, and contents of it are protected from being used fraudulently.
The required conditions as described above can be satisfied with an addition of such features generally known as authentication function and cryptographic function to the wireless communications. As one way of realizing the foregoing functions, the onboard equipment and the roadside equipment need to share a secret key cryptographic algorithm and certain secret information. The secret information is generally called a cryptographic key or a decryption key.
It is important to note that there is a quite large number of onboard equipment used in this system. A consideration is given now for a case that secret information of onboard equipment “X” is identical to secret information of onboard equipment “Y”. If there is counterfeit onboard equipment “X′”, which is made by analyzing a content of the onboard equipment “X”, the system is able to prevent an unlawful use of the onboard equipment “X′”by utilizing a negative list for excluding such unlawful use of the equipment “X′”. However, the negative list also excludes a proper use of the legitimate onboard equipment “Y” at the same time. For this reason, the secret information for individual onboard equipment needs to be different from one another.
In this case, the matter of how the roadside equipment obtains the secret information of individual onboard equipment is important. One of the methods is to store information consisting of an ID and secret information for every one of the onboard equipment, in the roadside equipment. However, this method creates a big burden when renewing contents stored in several thousands of the roadside equipment employed in the system. It also has a weakness in security that the secret information for all of the onboard equipment is disclosed, if any one of the roadside equipment is analyzed.
As described, the prior art system for equipment authentication and cryptographic communications, if used for realizing the system security, has a problem that a wrongful analysis of system-end equipment causes a detrimental effect to all of the user-end equipment.
In addition, the ETC authentication system of the prior art, due to a restriction in the system, makes a two-step authentication, in which the roadside equipment verifies the onboard equipment, and the onboard equipment verifies the IC card. That is, the system can make only an indirect authentication of the IC card.
A method of the foregoing authentication will be described further by referring to FIG. 5 and FIG. 6. FIG. 5 depicts an operation of mutual authentication between an IC card and onboard equipment.
In FIG. 5:
(1) An IC card ICC 41 transmits to onboard equipment, or OBE, 42, a certificate of verified IC card key CERT-PICP issued by an ETCS key center and a certificate of individual IC card key CERT-KICC given by an IC card issue center. At the same time, the IC card 41 also transmits to the onboard equipment 42 a random digit R2 generated therein as a challenge data for it to make an authentication of the onboard equipment;
(2) The onboard equipment 42 produces a validation key PICP issued by the IC card issue center from the certificate of verified IC card key CERT-PICP by means of restorable-type signature authentication, Rverify (Pc1, CERT-PICP) using a validation key Pc1 provided by the ETCS key center;
(3) The onboard equipment 42 produces an individual IC card key KICC from the certificate of individual IC card key CERT-KICC by means of restorable-type signature authentication, Rverify (PICC, CERT-KICC) using the PICP;
(4) The onboard equipment 42 generates a session key Ks1 and returns it to the IC card 41, after encrypting it with the individual IC card key KICC produced in the above step, i.e., after making a process of E(KICC, Ks1). In addition, the onboard equipment 42 generates a random digit R1, encrypts R1∥R2, and returns the encrypted result, or E(Ks1, R1∥Rb2) to the IC card 41 as a response to the random digit R2. The IC card 41 compares a decrypted result of it with the originally generated random digit R2 to determine if they match in order to authenticate that the onboard equipment 42 is legitimate, and continues a subsequent transaction. The IC card 41 discontinues the transaction if they do not match;
(5) The onboard equipment 42 encrypts the random digit R1 generated therein with the received random digit R2 using the key Ks1, and transmits a result E(Ks1, R1∥R2) as a challenge to the IC card 41. The IC card 41 decrypts it to produce the random digit R1, encrypts it with a session key Ks2, i.e. a transaction for E(Ks1, R1∥Ks2), and returns it to the onboard equipment 42 as a response; and
(6) The onboard equipment 42 decrypts the encrypted random digit by the session key Ks1, compares the result with the originally generated random digit R1, and continues a subsequent transaction, if they match so that the IC card 41 is verified as being legitimate. The onboard equipment 42 discontinues the transaction if they do not match.
As described, an execution of the above authentication protocol can attain the mutual authentication between the IC card 41 and the onboard equipment 42, as a first step. As a second step, a mutual authentication between the onboard equipment and the roadside equipment will be described.
FIG. 6 depicts an operation of the mutual authentication between the onboard equipment and the roadside equipment.
In FIG. 6:
(1) Onboard equipment, or OBE, 51 encrypts a random digit K using an individual key KOBE, and sends the encrypted data E(KOBE, K) and a certificate of individual onboard equipment key CERT-KOBE to the roadside equipment, or RSE, 52;
(2) The roadside equipment 52 produces OBEID∥KOBE from the certificate of individual onboard equipment key CERT-KOBE with a signature authentication key Pc2 of the ETCS key center, by the following formula;X=c1P+c2Q=OBEID∥KOBE
(3) The onboard equipment 51 sends a challenge data K generated therein to the roadside equipment 52, and authenticates the roadside equipment 52 by confirming that the roadside equipment 52 can properly decrypt it using the individual key KOBE; and
(4) The roadside equipment 52 encrypts the challenge data R2 generated therein with the individual key KOBE, i.e. a transaction for E(KOBE, K∥R2), and authenticates the onboard equipment 51 by confirming that the onboard equipment 51 can decrypt it.
As has been described, the ETC authentication system of the prior art makes a two-step authentication, in which the roadside equipment authenticates the onboard equipment, and the onboard equipment authenticates the IC card, so that the roadside equipment can make only an indirect authentication of the IC card. Accordingly, the prior art system has a problem of not being capable of directly exchanging data between the IC card and the roadside equipment, when the onboard equipment passes under the roadside equipment. It also has another problem that the system is not escapable from becoming complicated and costly because of the two-step authentication.
The present invention is therefore intended to provide an ETC authentication system and a method of the authentication, in which roadside equipment and central processing equipment are capable of making a direct authentication for legitimacy of an IC card.