Charging control device and charging control method

The charging control device addresses authentication issues in Plug & Charge systems by switching between authentication procedures and updating certificates, ensuring secure and reliable charging operations.

JP7878941B2Active Publication Date: 2026-06-23DENSO TEN LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
DENSO TEN LTD
Filing Date
2022-06-09
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Inconveniences and authentication issues arise between battery-equipped devices such as electric vehicles and charging equipment due to deficiencies in authentication methods and certificate validity in Plug & Charge (PnC) systems.

Method used

A charging control device with a control unit performs a first authentication procedure and switches to a second authentication procedure, such as EIM, if abnormalities are detected, to ensure valid certificate chains and contracts, using an OEM server to update or replace certificates as needed.

Benefits of technology

Minimizes inconveniences and ensures secure charging operations by adapting authentication methods based on detected abnormalities, preventing repeated issues in Plug & Charge systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007878941000001
    Figure 0007878941000001
  • Figure 0007878941000002
    Figure 0007878941000002
  • Figure 0007878941000003
    Figure 0007878941000003
Patent Text Reader

Abstract

To suppress inconvenience as much as possible between a device receiving charging and charging equipment in authentication for charging a device equipped with a battery.SOLUTION: A control unit executes carrying out of a first authentication procedure with an external charging device that charges a battery, and performing of setting such that a first authentication procedure or a second authentication procedure in place of the first authentication procedure is performed depending on the type of detected abnormality when an abnormality is detected in the first authentication procedure.SELECTED DRAWING: Figure 1
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to a charging control device and a charging control method.

Background Art

[0002] As vehicles that can be charged from an external power source to a driving battery (hereinafter referred to as electric vehicles), battery electric vehicles (BEV vehicles), plug-in hybrids (PHV) vehicles, etc. are known. Also, as a charging billing method for a driving battery, mainly an external authentication method (External Identification Means (EIM)) and Plug & Charge (PnC) have been proposed. & Charge (Plug and Charge (PnC)) has been proposed.

[0003] In the case of the external authentication method, the user of the vehicle makes a payment for charging using cash, electronic money, a prepaid card, a credit card, etc. at the location where the charger is installed or on the charger itself. On the other hand, with PnC, charging and billing become possible when the plug of the charging equipment installed at the charging stand is connected to the vehicle.

Prior Art Documents

Patent Documents

[0004]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0005] However, in the initial stages after the launch of PnC billing and charging services, various issues may arise due to deficiencies in authentication methods between battery-equipped devices such as electric vehicles and charging equipment, the validity of authentication information, and the validity of contracts. Aspects of the disclosed embodiments aim to minimize inconveniences between the device receiving the charge and the charging equipment in authentication for charging battery-equipped devices. [Means for solving the problem]

[0006] Embodiments of the present disclosure are exemplified by a charging control device provided in a device equipped with a battery. The charging control device includes a control unit. This control unit performs a first authentication procedure with an external charging device that charges the battery, and, if an abnormality is detected in the first authentication procedure, sets the device to perform the first authentication procedure or a second authentication procedure in lieu of the first authentication procedure, depending on the type of abnormality detected. [Effects of the Invention]

[0007] In the certification process for charging devices equipped with batteries, any inconvenience between the device receiving the charge and the charging equipment is minimized. [Brief explanation of the drawing]

[0008] [Figure 1] Figure 1 is a diagram illustrating the configuration of the charging system according to this embodiment. [Figure 2] Figure 2 illustrates the relationship between a certificate chain and a certificate authority. [Figure 3] Figure 3 illustrates the hardware configuration of the charging system. [Figure 4] Figure 4 is a sequence diagram illustrating the procedure from the electric vehicle's charging control device to the charging equipment, including the PnC billing process. [Figure 5] Figure 5 shows an example of the process that occurs when an abnormality is detected after an electric vehicle notifies the charging equipment of a V2G ROOT certificate. [Figure 6]Figure 6 shows an example of processing by the electric vehicle's charging control device when the validity of the certificate chain cannot be confirmed at the charging facility. [Figure 7] Figure 7 shows an example of the process when an abnormality is detected when the electric vehicle's charging control device requests a contract certificate from the charging equipment. [Modes for carrying out the invention]

[0009] A charging system and charging control method according to one embodiment will be described below with reference to the drawings. (composition) Figure 1 is a diagram illustrating the configuration of the charging system of this embodiment. This charging system comprises an electric vehicle 1 and an electric vehicle supply equipment (EVSV) 2 that supplies power to the battery (also called a secondary battery or storage battery) of the electric vehicle 1. Note that in Figure 1, Certification authorities CA1, CA2 and intermediate certification authorities (SUB-CA11, SUB-CA12, SUB-CA21, SUB-CA22), and Original Equipment Manufacturer (OEM) service The number 5 is also listed. Certificate authorities CA1 and CA2 are Vehicle to Grid (V2G ROOT). The OEM server 5 issues certificates such as certificates. The OEM server 5 performs the provision of certificates to the electric vehicle 1 by the manufacturer or distributor of the electric vehicle 1.

[0010] As a prerequisite for processing by this charging system, when the electric vehicle 1 is shipped from the manufacturer or distributor, the electric vehicle 1's storage device (for example, the external storage unit 13 in Figure 3) stores a V2G ROOT certificate issued by at least one certification authority CA1. Furthermore, the electric vehicle 1 can update its V2G ROOT certificate by accessing the OEM server 5. The electric vehicle 1 can also obtain a V2G ROOT certificate issued by a certification authority other than CA1 (CA2) by accessing the OEM server 5. Note that the number of certification authorities is not limited to two.

[0011] Meanwhile, the charging equipment 2 stores a V2G ROOT certificate issued by at least one certification authority CA1, and a certificate chain associated with this V2G ROOT certificate. The certificate chain includes, for example, Charge Point Operator SUB-Certificate Authorities 11 (CPO SUB-CA11), CPO SUB-CA12, and EVSV Leaf certificates.

[0012] As the first authentication procedure, in a procedure called PnC, authentication is performed between the charging equipment 2 and the electric vehicle 1 when the plug 2B of the charging equipment 2 is inserted into the connection part (also called the power receiving part) of the electric vehicle 1. After authentication, charging of the electric vehicle 1 and billing for the charging are performed. For PnC, the electric vehicle 1 and the charging equipment 2 each store a V2G ROOT certificate in their respective storage devices. The charging equipment 2 may also refer to the V2G ROOT certificate stored on a computer accessible from the charging equipment 2. PnC can also be called the first billing method.

[0013] In PnC, after the connection between the charging equipment 2 and the electric vehicle 1 via plug 2B, the user's V2G ROOT certificate is notified to the charging equipment 2 (arrow P1). The user's V2G ROOT certificate is then authenticated by the operator's V2G ROOT certificate stored on the charging equipment 2 side. Once this authentication is complete, the operator's certificate chain, which has a hierarchical structure associated with the V2G ROOT certificate, is sent back to the electric vehicle 1 (arrow P2). The communication procedure between arrows P1 and P2 is called the Transport Layer Security (TLS) handshake. The V2G ROOT certificate can be considered the first certificate that ensures the security of communication between the electric vehicle 1 and the charging equipment 2.

[0014] The certificate chain corresponds to the hierarchy of Certificate Authorities (CAs). As shown in Figure 1, each CA1, CA2, etc., is a subordinate CA, which is an intermediate CA (SUB-CA11, SUB-CA12, SUB-CA12). It can have CA21, SUB-CA22, etc. The top-level certification authorities CA1 and CA2 are called ROOT certification authorities and issue V2G ROOT certificates. Also, the certification authority certificates (such as CPO SUB-CA11 certificate) of the lower intermediate certification authorities are signed by the upper-level certification authorities. In the certificate chain of the example in FIG. 1, the CPO SUB-CA11 certificate, CPO SUB-CA12 certificate, and EVSV Leaf certificate are exemplified. In the example of FIG. 1, the certificate chain includes at least one CPO SUB-CA11 certificate, etc., and the EVSV Leaf certificate.

[0015] The electric vehicle 1 can finally authenticate the EVSV Leaf certificate by authenticating the certificate chain in order from the top level to the lower level based on the user's V2G ROOT certificate. When the electric vehicle 1 successfully authenticates the EVSV Leaf certificate, it can obtain the private key used for communication with the charging facility 2, and thereafter communication using the private key is carried out. Thereby, the TLS handshake is completed.

[0016] After the completion of the TLS handshake, V2G communication using the private key is executed. In V2G communication, a request (P3) from the electric vehicle 1 and a response (P4) from the charging facility 2 are transmitted to each other, and charging and billing are carried out. In this V2G communication, in addition to charging, for example, a Contract certificate defining billing details is responded from the charging facility 2 to the electric vehicle 1. The Contract certificate can be said to be the second certificate for the electric vehicle 1 to receive charging from the charging facility 2.

[0017] In addition, in charging the electric vehicle, in addition to the communication by PnC as described above, as a second authentication procedure, a procedure of an external authentication method by presenting an EIM is also possible. The external authentication method is a process of exchanging billing information, for example, by credit card, QR code (registered trademark), RFID, etc. The external authentication method by presenting an EIM can also be said to be the second billing method.

[0018] Figure 2 illustrates the relationship between the certificate chain and the Certificate Authority (CA1). Figure 2 also shows the subordinate Certificate Authorities, SUB-CA11 and SUB-CA12, and the Online Certificate Status Protocol (OCSP) responder, which is the authority's computer that responds to the validity of the certificate.

[0019] In this embodiment, the charging equipment 2 is provided by a charging service company. The charging service company is a business that provides charging services to the electric vehicle 1 using the charging equipment 2. However, the charging service company may be a power company that provides electricity, while the charging equipment 2 may be provided by a business other than a power company. Here, the other business is, for example, a business that receives electricity from a power company and operates the charging equipment 2.

[0020] The charging equipment 2 is provided with a certificate chain from the certification authority CA1 and intermediate certification authorities (SUB-CA11, SUB-CA12, etc.). The number of intermediate certification authorities is not limited to two. The certificate chain includes a V2G ROOT certificate, CPO SUB-CA11 certificate, CPO SUB-CA12 certificate, EVSV Leaf certificate, etc. The certificate chain may be stored in a storage device built into the charging equipment 2. Alternatively, the certificate chain may be stored in a computer to which the charging equipment 2 is connected. The computer storing the certificate chain may be located at the site where the charging equipment 2 is installed, for example, a location called a charging stand or charging station. Alternatively, the computer storing the certificate chain may be stored in a management computer of an operator connected to the site where the charging equipment 2 is installed via a network. The charging equipment 2, in cooperation with such a computer or management computer, can use the certificate chain in V2G communication with the electric vehicle 1 to perform charging and billing for the electric vehicle 1. The electric vehicle 1 illustrated in Figure 1 can access the charging equipment 2 of an operator possessing such a certificate chain and receive charging via PnC. can.

[0021] Certificates issued by a Certificate Authority (CA1) and intermediate Certificate Authorities (SUB-CA11, SUB-CA12, etc.) may be revoked for various reasons. For example, if there is a possibility of a certificate being misused, either CA1 or an intermediate Certificate Authority (SUB-CA11, SUB-CA12, etc.) can invalidate the entire certificate chain by revoking any of the issued certificates. Such revoked certificates are published on the public network, such as the Internet, as a revocation list.

[0022] An OCSP responder is a business entity or the computer of a business entity that verifies the validity of a certificate chain. For example, an OCSP responder verifies the validity of a certificate in response to a verification request from a business entity's computer that possesses a certificate chain, and returns a response to the business entity's computer. Hereafter, the business entity's computer will also be simply referred to as the business entity. An OCSP responder verifies the validity of a certificate by accessing a revocation list on the public network or by accessing databases of a Certificate Authority and an Intermediate Certificate Authority (SUB-CA11, SUB-CA12, etc.).

[0023] Therefore, when charging companies and operators of charging facilities determine that verification of the certificate chain is necessary, or periodically thereafter, they request verification of each certificate from OCSP responders and receive a response regarding the verification results. Through this procedure, charging companies and operators of charging facilities can recognize and understand the validity of the certificate chain.

[0024] Figure 3 is a diagram illustrating the hardware configuration of the charging system. As described above, this charging system is exemplified by an electric vehicle 1 and a charging facility 2 that charges the battery 19 mounted on the electric vehicle 1. The electric vehicle 1 has a charging control device 10 and a battery 19 controlled by the charging control device 10.

[0025] The charging control device 10 includes a CPU 11, a main memory unit 12, and external devices connected to an external interface (I / F), and performs information processing by program. Examples of external devices include an external memory unit 13 and an external communication unit 16A. Furthermore, a power line communication unit 16B is also an example of an external device. The CPU 11 and the main memory unit 12 together can be called the control unit. When the charging control device 10 is installed in a vehicle such as an electric vehicle 1, the control unit is also called an Electronic Control Unit (ECU).

[0026] The CPU 11 executes the computer program deployed in the main memory 12 and provides the functions of the charge control device 10. The main memory 12, also simply called memory, stores the computer program executed by the CPU 11, the data processed by the CPU 11, etc. The CPU 11 is also called a processor.

[0027] The main memory unit 12 includes Dynamic Random Access Memory (DRAM) and Static Random Access Memory. These include Memory (SRAM), Read Only Memory (ROM), etc. Furthermore, the external storage unit 13 For example, it is used as a storage area to supplement the main memory 12 and stores computer programs executed by the CPU 11, data processed by the CPU 11, etc. The external storage unit 13 is a hard disk drive, a solid state drive (SSD), etc.

[0028] The external communication unit 16A exchanges data with other devices on the public network. For example, the CPU 11 communicates with a carrier's computer on the public network through the external communication unit 16A. The external communication unit 16A may be a wireless communication device that accesses a mobile phone network. Alternatively, the external communication unit 16A may be a communication device that accesses a wireless (Local Area Network) LAN.

[0029] The power line communication unit 16B transmits and receives signals with the power line communication unit 26B. In other words, the power line communication unit 16B performs Power Line Communications (PLC) with the charging equipment 2. The power line communication unit 16B may have a CPU, memory, input / output interface, communication interface, etc., internally. In this embodiment, the charging control device 10 communicates with the charging equipment 2 via the external communication unit 16A or the power line communication unit 16B and executes charging requests and billing processes.

[0030] The charging control device 10 may also have a display unit and an operating unit. The display unit may be, for example, a liquid crystal display or an electroluminescent panel. The operating unit may be, for example, a keyboard or a pointing device.

[0031] The configuration of the charging equipment 2 is the same as that of the charging control device 10 of the electric vehicle 1. The charging equipment 2 has a CPU 21, a main memory unit 22, and external devices connected to an external interface (I / F), and performs information processing by program. Examples of external devices include an external memory unit 23, an external communication unit 26A, and an EIM reader 2A. Furthermore, a power line communication unit 26B is also an example of an external device. The configuration of the charging equipment 2, excluding the EIM reader 2A, is the same as that of the charging control device 10 of the electric vehicle 1, so its explanation is omitted.

[0032] EIM Reader 2A includes card readers that read information from IC cards such as credit cards via contact or contactless means, image readers that read QR codes (registered trademark), RFID readers, etc.

[0033] When the plug of the power supply circuit 29 of the electric vehicle 1 is connected to the power circuit that charges the battery 19, the charging control device 10 and the charging equipment 2 communicate with each other, for example, via power line communication units 16B and 26B, and perform TLS authentication and V2G communication. The charging control device 10 and the charging equipment 2 of the electric vehicle 1 authenticate each other via TLS authentication and V2G communication, and perform charging of the battery 19 of the electric vehicle 1 and billing processing for the charging. However, the charging control device 10 and the charging equipment 2 of the electric vehicle 1 may also communicate via external communication units 16A and 26A when the plug of the power supply circuit 29 is connected to the power circuit that charges the battery 19.

[0034] (Processing procedure) Figure 4 is a sequence diagram illustrating the procedure from the charging control device 10 of the electric vehicle 1 to the charging process in PnC between the charging equipment 2 and the electric vehicle 1. The procedure in Figure 4 begins when the plug 2B of the charging equipment 2 is connected to the power receiving unit of the electric vehicle 1. This procedure includes a TLS handshake and V2G communication after the handshake.

[0035] In the TLS handshake, electric vehicle 1 notifies charging station 2 of its V2G ROOT certificate. Charging station 2, in turn, returns a response to the message containing the V2G ROOT certificate received from electric vehicle 1. Through the TLS handshake, the electric vehicle 1 and charging station 2 ultimately share a secret key with each other. Subsequent V2G communication is then performed using this secret key.

[0036] Here, we will illustrate some potential problems that may occur in PnC. Here, we anticipate the possibility of the charging communication session being interrupted during the TLS handshake and subsequent V2G communication. First, we will illustrate some potential problems that may occur during the TLS handshake.

[0037] (1) It is anticipated that the charging equipment 2 will not be able to detect a V2G ROOT certificate identical to the one notified by the electric vehicle 1, and as a result, the communication session will be stopped. This occurs when the certification authority that issued the V2G ROOT certificate held by electric vehicle 1 is different from the certification authority that issued the V2G ROOT certificate held by charging equipment 2 or the computer of the business operator that charging equipment 2 can access. There are multiple certification authorities that issue V2G ROOT certificates. Therefore, it is not guaranteed that charging equipment 2 or the computer of the business operator that charging equipment 2 can access received its V2G ROOT certificate from the same certification authority that issued the V2G ROOT certificate held by electric vehicle 1. In such cases, charging equipment 2 cannot continue the TLS handshake, and the communication session stops. Furthermore, if the V2G ROOT certificate notified by electric vehicle 1 has expired, charging equipment 2 cannot continue the TLS handshake, and the communication session stops.

[0038] (2) If the charging equipment 2 is unable to find a V2G ROOT certificate identical to the one notified by the electric vehicle 1, the following is also assumed: In this case, the charging equipment 2 is assumed to send to the electric vehicle 1 a certificate chain associated with a V2G ROOT certificate different from the one notified by the electric vehicle 1. In this case, the electric vehicle 1 detects an anomaly in the certificate chain sent from the charging equipment 2, and the communication session is terminated.

[0039] (3) It is conceivable that when the charging equipment 2 is offline, an OCSP response cannot be obtained, and the expiration date or validity of the certificate chain cannot be verified. The charging equipment 2 periodically requests the OCSP responder to verify the expiration date or validity of the certificate chain. For example, the expiration date of one of the certificates in the certificate chain associated with the V2G ROOT certificate notified by the electric vehicle 1 may not have been verified. In this case, if the charging equipment 2 or the operator's computer connected to the charging equipment 2 is offline and cannot communicate with the OCSP responder, it will not be able to obtain an OCSP response indicating that the certificate chain has not expired. In such a case, the charging equipment 2 will not be able to continue the TLS handshake, and the communication session will stop.

[0040] Next, we will illustrate some potential problems that may arise in V2G communication. These are problems that occur after the security of communication between the charging control device 10 and the charging equipment 2 has been ensured by the first certificate, the V2G ROOT certificate, and its associated certificate chain. The V2G ROOT certificate can be considered an example of a certificate used to ensure the security of communication between the charging control device 10 and the charging equipment 2.

[0041] (4) In V2G communication, if the Contract certificate is not provided to the electric vehicle 1, it is expected that the communication session will stop. In V2G communication, charging control and billing processing are performed by exchanging messages as shown in Figure 4. For example, electric vehicle 1 sends a ServiceDiscoveryReq to charging equipment 2, and charging equipment 2 replies with a list of services that can be provided to electric vehicle 1 using ServiceDiscoveryRes. Also, electric vehicle 1 sends a ServiceDetailReq to charging equipment 2, and charging equipment 2 notifies electric vehicle 1 of the service details using ServiceDetailRes.

[0042] Furthermore, electric vehicle 1 requests charging equipment 2 via CertificateInstallationReq to issue a certificate of the currently valid contract (Contract certificate). In response, charging equipment 2 sends the Contract certificate back to electric vehicle 1 via CertificateInstallationRes. The Contract certificate is a contract that details the agreement between the power supply provider (referred to as the mobility service provider) and the user of electric vehicle 1. Then, electric vehicle 1 requests charging equipment 2 via PaymentDetailReq, for example, specifying the Contract certificate, to request a method of billing. In response to this request, charging equipment 2 replies to electric vehicle 1 via PaymentDetailRes.

[0043] The contract certificate is issued in advance by the manufacturer and distributor of electric vehicle 1, and It is also possible to request the issuance of a Contract certificate from the mobility service provider that supplies the electricity. However, the example in Figure 4 illustrates the procedure for requesting the issuance of a Contract certificate from the charging equipment 2 when the electric vehicle 1 is receiving a charge. In this case, the electric vehicle 1 presents the charging equipment 2 with a certificate (OEM provisioning certificate) issued by the manufacturer or distributor of the electric vehicle 1. If the charging equipment 2 has a valid Contract certificate associated with the OEM provisioning certificate notified by the electric vehicle 1, it can provide the Contract certificate to the electric vehicle 1.

[0044] However, if the charging equipment 2 or the operator's computer accessible to the charging equipment 2 does not possess a valid Contract certificate associated with the OEM provisioning certificate, the V2G communication session will be terminated. Not possessing a valid Contract certificate means, for example, that the Contract certificate has expired, the electronic signature on the OEM provisioning certificate is invalid, or the electronic signature on the Contract certificate is invalid. In such cases, the charging equipment 2 cannot provide the Contract certificate to the electric vehicle 1, and the communication session will be terminated. Note that AuthorizationRes and AuthorizationReq, illustrated in Figure 4, are defined in ISO-15118, so their explanation is omitted.

[0045] The following is an example of the processing performed by the electric vehicle 1's charging control device 10 to address the problems (1) through (4) described above. Figure 5 shows an example of processing when an abnormality is detected after the electric vehicle 1 notifies the charging equipment 2 of its V2G ROOT certificate. Specifically, Figure 5 shows the processing when an abnormal stop is detected due to the V2G ROOT certificate held by the electric vehicle 1. In such a case, the electric vehicle 1's charging control device 10 performs a validity check of the electric vehicle 1's V2G ROOT certificate (S1). More specifically, the charging control device 10 sends an OCSP request to the OEM server 5, which is the computer of the manufacturer or distributor of the electric vehicle 1, to confirm the validity of the V2G ROOT certificate. Here, the charging control device 10 accesses the OEM server 5 on the network via the external communication unit 16A.

[0046] The charging control device 10 then determines whether the V2G ROOT certificate it holds is valid (S2). If the V2G ROOT certificate held by the charging control device 10 is not valid, the charging control device 10 requests the OEM server 5 to update the V2G ROOT certificate (S3). The abnormality is resolved when the V2G ROOT certificate is updated. Therefore, the OEM server 5 can be considered an example of a network management device capable of issuing the first certificate, the V2G ROOT certificate.

[0047] On the other hand, if the determination in S2 indicates that the V2G ROOT certificate held by the charging control device 10 is valid, the charging control device 10 determines whether or not it has received a certificate chain from the charging equipment 2 (S4). If the determination in S2 indicates that the V2G ROOT certificate held by the charging control device 10 is valid, it can be assumed that the abnormality is due to a mismatch between the V2G ROOT certificate held by the charging control device 10 and the V2G ROOT certificate held by the charging equipment 2. In such a case, if the charging control device 10 has received a certificate chain from the charging equipment, it requests the OEM server 5 to update in order to obtain the V2G ROOT certificate corresponding to the certificate chain (S5).

[0048] In other words, even if there is a mismatch in the V2G ROOT certificates held by the electric vehicle 1 and the charging equipment 2, the charging equipment 2 may send back the certificate chain associated with the V2G ROOT certificate held by the charging equipment 2 to the electric vehicle 1. In this case, the charging control device 10 of the electric vehicle 1 can recognize the certification authority that issued the V2G ROOT certificate corresponding to the certificate chain sent from the charging equipment 2. Then, the electric vehicle 1 receives the V2G certificate corresponding to the certificate chain from the OEM server 5, which is the computer of the manufacturer or distributor of the electric vehicle 1. The anomaly is resolved by obtaining the ROOT certificate. In this case, the certificate chain can be considered an example of information that identifies the V2G ROOT certificate held by the charging equipment 2. Furthermore, the processing in S5 can be considered an example of a process that causes the OEM server 5 to issue a V2G ROOT certificate that is consistent with the V2G ROOT certificate held by the charging equipment 2.

[0049] In the S4 determination, if the charging control device 10 has not received a certificate chain from the charging equipment 2, the charging control device 10 does not have information to immediately resolve the abnormality. In other words, in this case, the abnormality is that the V2G ROOT certificate held by the charging control device 10 and the V2G ROOT certificate held by the charging equipment 2 are inconsistent. Furthermore, in this case, the charging control device 10 cannot obtain information from the charging equipment 2 that identifies the V2G ROOT certificate held by the charging equipment 2.

[0050] In such cases, the charging control device 10 stores the Media Access Control (MAC) address of the charging equipment 2 (S6). This MAC address is the identification information for the charging equipment 2 that is experiencing problems with PnC billing. Therefore, for subsequent charging, the charging control device 10 determines whether the MAC address it has stored matches the MAC address of the charging equipment 2 to be connected to in the next charging session (S7). If the MAC address it has stored matches the MAC address of the charging equipment 2 to be connected to in the next session, the charging control device 10 can determine that there will be problems with PnC billing at the charging equipment 2 to be connected to in the next session. Therefore, the charging control device 10 switches from charging by PnC, which is the first authentication procedure, to charging using an EIM authentication mode (external authentication method) instead (S8). This allows the charging control device 10 to suppress the occurrence of abnormalities in charging by PnC. The EIM authentication mode can be considered a second authentication procedure.

[0051] On the other hand, if the MAC address stored by the charging control device 10 does not match the MAC address of the charging equipment to be connected to next time, the charging control device 10 can perform a charging operation by PnC (S9). From the above, the process in Figure 5 can be said to be an example of a process that sets up the system so that when an abnormality is detected in the first authentication procedure, PnC, an authentication mode by either PnC or a second authentication procedure, EIM, which replaces PnC, is performed depending on the type of abnormality.

[0052] Figure 6 shows an example of processing by the charging control device 10 of the electric vehicle 1 when the validity of the certificate chain cannot be confirmed at the charging equipment 2. In other words, if the certificate chain returned from the charging equipment 2 does not have the result of validity confirmation by OCSP response attached, the charging control device 10 should perform the processing shown in Figure 6.

[0053] In this process, the charging control device 10 verifies whether all certificates in the certificate chain returned from the charging equipment 2 have expired based on the current time of the electric vehicle 1 (S11). Then, the charging control device 10 determines whether all certificates in the certificate chain are valid or not (S12). If all certificates in the certificate chain are valid, the charging control device 10 can continue normal PnC operation (S13).

[0054] On the other hand, if any certificate in the certificate chain has expired, the charging control device 10 cannot continue the TLS handshake using that certificate chain. In this case, the malfunction is attributable to the charging equipment 2, and the charging control device 10 of the electric vehicle 1 cannot resolve it. In other words, the malfunction in this case can be attributed to the fact that the certificate held by the charging equipment 2 is invalid. Therefore, the charging control device 10 stores the MAC address of the charging equipment 2 (S14). This MAC address is the identification information of the charging equipment 2 that is causing problems with PnC billing.

[0055] Then, in subsequent charges, the MAC address stored by the charging control device 10 and the next The charging control device 10 determines whether the MAC address of the charging equipment to be connected to the next time matches (S15). If the MAC address stored in the charging control device 10 matches the MAC address of the charging equipment to be connected to the next time, the charging control device 10 can determine that a problem will occur with PnC billing at the charging equipment to be connected to the next time. Therefore, the charging control device 10 switches from PnC billing as the first authentication procedure to EIM billing mode, which is the second authentication procedure that replaces it (S16). In this way, the charging control device 10 can suppress the occurrence of abnormalities in PnC billing.

[0056] On the other hand, if the MAC address stored by the charging control device 10 does not match the MAC address of the charging equipment to be connected to next time, the charging control device 10 can perform a charging operation by PnC (S17). From the above, the process in Figure 6 can be said to be an example of a process that sets up the system so that when an abnormality is detected in the first authentication procedure, PnC, an authentication mode by either PnC or a second authentication procedure, EIM, which replaces PnC, is performed depending on the type of abnormality.

[0057] Figure 7 shows an example of the process when the charging control device 10 of the electric vehicle 1 requests a Contract certificate from the charging equipment 2 and an abnormality is detected. This is the process after the security of communication between the charging control device 10 and the charging equipment 2 has been ensured by the first certificate, the V2G ROOT certificate and its associated certificate chain, as described in Figure 4. As described in Figure 1, the Contract certificate can be said to be the second certificate for the electric vehicle 1 to receive charge from the charging equipment 2. Furthermore, when the charging control device 10 of the electric vehicle 1 requests a Contract certificate from the charging equipment 2, it means that the charging control device 10 is requesting a Contract certificate for receiving charge from the charging equipment 2. This refers to the case where the person does not possess the document.

[0058] In this case, the charging control device 10 of the electric vehicle 1 requests the charging equipment 2 to install the Contract certificate (S21). The charging control device 10 then determines whether or not it was able to successfully obtain the Contract certificate (S22). If the charging control device 10 successfully obtains the Contract certificate, it proceeds to S25 and continues normal PnC operation.

[0059] On the other hand, charging equipment 2 or the business operator's computer accessible to charging equipment 2 may not hold a valid contract certificate. In this case, charging equipment 2 will notify charging control device 10 of the abnormality. In this case, charging control device 10 will not be able to obtain the contract certificate.

[0060] When an abnormality is reported from the charging equipment 2, the charging control device 10 requests the installation of a Contract certificate from the OEM server 5, which is the computer of the manufacturer or distributor of the electric vehicle 1 (S23). The OEM server 5 can be considered an example of a network management device capable of issuing a second certificate, the Contract certificate. The charging control device 10 then determines whether or not it is possible to install the Contract certificate from the OEM server 5 (S24). If it is possible to install the Contract certificate, the charging control device 10 installs the Contract certificate from the OEM server 5 and continues normal PnC operation (S25).

[0061] On the other hand, if it is not possible to install the Contract certificate, the charging control device 10 stores the certificate ID of the Contract certificate (S26). The certificate ID can be said to be the identification information of the Contract certificate, which is the second certificate.

[0062] One example of a situation where the Contract certificate cannot be installed is when information is not shared between the business issuing the Contract certificate (mobility service provider) and the user. This can be described as a situation where the preparations for issuing the Contract certificate are not yet complete. Therefore, the charging control device 10 will, the next time it connects to the charging equipment 2, determine again whether the Contract certificate identified by the certificate ID stored in S26 is still up-to-date (S27). The process in step 27 is an example of a process that determines whether a valid Contract certificate has been obtained for subsequent charging operations. If the Contract certificate remains unupdated, the charging control device 10 performs a charging operation in EIM authentication mode, which is the second authentication procedure that replaces the first authentication procedure (S28). This allows the charging control device 10 to avoid abnormal charging operations due to the absence or unupdated nature of the Contract certificate. On the other hand, if the Contract certificate has been updated, the charging control device 10 performs a charging operation using PnC, which is the first authentication procedure (S29). From the above, the process in Figure 7 can be described as an example of a process that, when an abnormality is detected in PnC, the first authentication procedure, sets the system to perform an authentication mode using either PnC or EIM, the second authentication procedure that replaces PnC, depending on the type of abnormality.

[0063] (Effects of the embodiment) Many challenges are currently assumed to exist in PnC charging operations. For example, a communication session may stop due to certificate incompatibility between the electric vehicle 1 and the charging equipment 2. Possible causes of such issues include the charging equipment 2 being unable to find the V2G Root certificate held by the vehicle, the charging equipment 2 not supporting the certificate provision service, or the certificate held by the electric vehicle 1 being invalid. In such cases, the communication session stops, and the same issue is likely to occur repeatedly when the electric vehicle 1 reconnects to the same charging equipment 2 unless the root cause of the problem is resolved. According to this embodiment, it is possible to avoid the repeated occurrence of such issues depending on the type of event or problem.

[0064] More specifically, the charging control device 10 of the electric vehicle 1 first performs a PnC charging and billing operation (first authentication procedure) with the charging equipment 2. Then, when an abnormality is detected, the charging control device 10 of the electric vehicle 1 is configured to perform either the first authentication procedure or a second authentication procedure that replaces the first authentication procedure, depending on the type of abnormality. Here, the second authentication procedure is, for example, an authentication procedure using an external authentication method by EIM. As a result, the charging control device 10 can appropriately avoid the occurrence of abnormalities in the next charging depending on the type of abnormality.

[0065] More specifically, if an abnormality occurs due to the first certificate, the V2G ROOT certificate, being invalid, the charging control device 10 will cause the OEM server 5 on the network, which is capable of issuing V2G ROOT certificates, to issue a valid V2G ROOT certificate. Also, if an abnormality occurs due to the V2G ROOT certificate not being compatible with the V2G ROOT certificate held by the charging equipment 2, the charging control device 10 will process the situation as follows.

[0066] First, if the charging control device 10 can obtain information from the charging equipment 2 that identifies the V2G ROOT certificate held by the charging equipment 2, the charging control device 10 will instruct the OEM server 5, which acts as the management device, to issue the V2G ROOT certificate. Here, the information that identifies the certificate is the certificate chain associated with the V2G ROOT certificate held by the charging equipment 2. As a result, once the V2G ROOT certificate held by the charging equipment 2 is obtained, the charging control device 10 can receive the charging process via PnC.

[0067] On the other hand, if the charging control device 10 cannot obtain information from the charging equipment 2 that identifies the V2G ROOT certificate held by the charging equipment 2, the charging control device 10 stores the MAC address, which is the identification information of the charging equipment 2. As a result, the charging control device 10 sets the system so that, in subsequent charging cycles, the authentication mode using EIM is implemented as a second authentication procedure to replace the first authentication procedure, PnC, with respect to the charging equipment 2. Therefore, the charging control device 10 can appropriately avoid the occurrence of abnormalities in subsequent charging cycles, depending on the type of abnormality.

[0068] Furthermore, if the abnormality is caused by an invalid certificate chain held in the charging equipment 2, the charging control device 10 will perform a procedure with the charging equipment 2 that replaces the first authentication procedure, PnC. The system is configured to perform an authentication mode using EIM as the second authentication procedure. Therefore, the charging control device 10 can appropriately avoid the occurrence of an abnormality in the next charging, depending on the type of abnormality.

[0069] Incidentally, the first certificate, the V2G ROOT certificate, is a certificate that ensures the security of communication with the charging equipment 2. After the security of communication with the charging equipment is ensured by the first certificate, the V2G ROOT certificate, the charging control device 10 receives the charging process via V2G communication using the Contract certificate. However, there may be cases where the charging control device 10 does not have a Contract certificate. In this case, the charging control device 10 may request a Contract certificate from the charging equipment 2. However, there may be cases where the charging equipment 2 cannot provide a valid Contract certificate to the charging control device 10. In this case, the charging control device 10 requests a valid Contract certificate from the OEM server 5, which is a network management device capable of issuing Contract certificates. In this way, if the charging control device 10 is able to obtain a valid Contract certificate, it can receive the charging process via PnC.

[0070] However, if the charging control device 10 cannot obtain a valid Contract certificate, it stores the identification information of that Contract certificate and determines whether a valid Contract certificate has been obtained for subsequent charging operations. If a valid Contract certificate has not been obtained, the charging control device 10 performs a second authentication procedure, EIM authentication mode, instead of the first authentication procedure PnC with the charging equipment 2. In this way, the charging control device 10 can appropriately avoid the occurrence of an abnormality in the next charging operation, depending on the type of abnormality.

[0071] (A computer-readable recording medium) A program that enables a computer or other machine or device (hereinafter referred to as "computer, etc.") to perform any of the above functions can be recorded on a recording medium that the computer, etc. can read. By having the computer, etc. read and execute the program on this recording medium, it can be made to provide that function.

[0072] Here, a recording medium that can be read by a computer refers to a recording medium that stores information such as data and programs through electrical, magnetic, optical, mechanical, or chemical means and can be read by a computer. Examples of such recording media that can be removed from a computer include flexible disks, magneto-optical disks, CD-ROMs, CD-R / Ws, DVDs, Blu-ray discs, DATs, 8mm tapes, and memory cards such as flash memory. In addition, recording media that are fixed to a computer include hard disks and ROMs (read-only memory). Furthermore, SSDs (Solid State Drives) can also be used as a recording medium that can be removed from a computer. It can also be used as a recording medium fixed to a surface, etc. [Explanation of symbols]

[0073] 1 electric car 2 Charging equipment 5 OEM Servers 10 Charging control device 11, 21 CPU 12, 22 Main memory 13, 23 External storage unit 16A, 26A external communication section 16B, 26B Power line communication section 19 batteries 29 Power circuit 2A EIM Reader 2B plug

Claims

1. A charging control device provided in a device equipped with a battery, The battery is connected to an external charging device based on PnC (Plug and Charge). The first certification procedure will be carried out, If the anomaly detected in the first authentication procedure is due to the certificate used in the first authentication procedure, the management device that manages the certificate is requested to reissue the certificate, and the first authentication procedure is continued using the reissued certificate. A charging control device comprising a control unit that performs the following: if the abnormality is caused by the charging device and is difficult to resolve by the charging control device, it performs a second authentication procedure using an external authentication method instead of the first authentication procedure.

2. It also includes a storage device for storing certificates, The control unit If the abnormality is caused by the first certificate stored in the storage device being invalid, the first authentication procedure is performed by having a management device on the network capable of issuing the first certificate issue a valid first certificate. The charging control device according to claim 1, wherein if the abnormality is caused by a mismatch between the first certificate and the certificate held by the charging device, and information identifying the certificate held by the charging device can be obtained from the charging device, the device causes the management device to issue the first certificate consistent with the certificate held by the charging device and performs the first authentication procedure.

3. The control unit, The charging control device according to claim 2, wherein if the abnormality is caused by a mismatch between the first certificate and the certificate held by the charging device, and information identifying the certificate held by the charging device cannot be obtained from the charging device, the device stores the identification information of the charging device so that, in subsequent charging, the second authentication procedure, which replaces the first authentication procedure, is performed with the charging device.

4. The control unit, The charging control device according to claim 1, wherein if the abnormality is caused by the certificate held in the charging device being invalid, the device stores the identification information of the charging device so that the second authentication procedure, which replaces the first authentication procedure, is performed with the charging device.

5. The first certificate is a certificate for ensuring the security of communication with the charging device, If the control unit does not have a second certificate for receiving a charge from the charging device after the security of communication with the charging device has been ensured by the first certificate, it requests the management device to issue a second certificate. The charging control device according to claim 2, wherein if the second certificate is obtained from the management device in response to the request, the first authentication procedure is performed with the charging device.

6. The control unit, The charging control device according to claim 5, wherein if the second certificate cannot be obtained from the management device in response to the request, the identification information of the second certificate is stored, and in subsequent charging, it is determined whether or not the second certificate has been obtained, and if the second certificate has not been obtained, the second authentication procedure is performed with the charging device instead of the first authentication procedure.

7. A charging control device installed in a battery-equipped device, The battery is connected to an external charging device based on PnC (Plug and Charge). The first certification procedure will be carried out, If the anomaly detected in the first authentication procedure is due to the certificate used in the first authentication procedure, the management device that manages the certificate is requested to reissue the certificate, and the first authentication procedure is continued using the reissued certificate. A charging control method that, if the abnormality is caused by the charging device and is difficult to resolve by the charging control device, performs a second authentication procedure using an external authentication method instead of the first authentication procedure.

8. The charging control device is If the abnormality is caused by the first certificate stored in the charging control device being invalid, the first authentication procedure is performed by having a management device on the network capable of issuing the first certificate issue a valid first certificate. The charging control method according to claim 7, wherein if the abnormality is caused by a mismatch between the first certificate and the certificate held by the charging device, and information identifying the certificate held by the charging device can be obtained from the charging device, the method further includes having the management device issue the first certificate consistent with the certificate held by the charging device and performing the first authentication procedure.

9. The charging control device is The charging control method according to claim 8, wherein the abnormality is due to a mismatch between the first certificate and the certificate held by the charging device, and information identifying the certificate held by the charging device cannot be obtained from the charging device, the method further includes storing the identification information of the charging device so that, in subsequent charging, the second authentication procedure, which replaces the first authentication procedure, is performed with the charging device.

10. The charging control device is The charging control method according to claim 7, wherein if the abnormality is caused by the certificate held in the charging device being invalid, the method further includes storing the identification information of the charging device so that the second authentication procedure, which replaces the first authentication procedure, is performed with the charging device.

11. The first certificate is a certificate for ensuring the security of communication with the charging device, If the charging control device does not have a second certificate for receiving a charge from the charging device after the security of communication with the charging device has been ensured by the first certificate, it requests the management device to issue a second certificate. The charging control method according to claim 8, wherein if the second certificate is obtained from the management device in response to the request, the first authentication procedure is performed with the charging device.

12. The charging control device is The charging control method according to claim 11, wherein if the second certificate cannot be obtained from the management device in response to the request, the identification information of the second certificate is stored, and in subsequent charging, it is determined whether or not the second certificate has been obtained, and if the second certificate has not been obtained, the second authentication procedure is performed with the charging device instead of the first authentication procedure.