Communication method and vehicle communication system
The method addresses communication failures by transitioning from a single common key to an intermediate mode using both old and new keys, ensuring secure and reliable communication during key updates in vehicle networks.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- NISSAN MOTOR CO LTD
- Filing Date
- 2024-12-23
- Publication Date
- 2026-07-02
AI Technical Summary
Communication failures occur between electronic control units in vehicles due to time differences in switching common keys during key updates, leading to unauthorized access and security breaches.
A communication method that transitions from using a single pre-written common key to an intermediate mode where both old and new keys are used, followed by a full transition to using only the new key once all units are updated, ensuring seamless key switching without failures.
This method effectively suppresses communication failures during common key switching by allowing simultaneous authentication with both old and new keys, ensuring secure and reliable communication among electronic control units.
Smart Images

Figure JP2024045408_02072026_PF_FP_ABST
Abstract
Description
Communication Method and Vehicle Communication System ,
[0007] ,
[0006] , ,
[0005] ,
[0001] The present invention relates to a communication method and a vehicle communication system.
[0002] In recent years, various electronic control units (ECUs (Electronic Control Unit)) have been installed in automobiles. These electronic control units are connected to each other via an in-vehicle network such as a CAN (Controller Area Network), and can cooperate with each other by communicating with each other. High security is required for the in-vehicle network in order to prevent unauthorized access to the electronic control units.
[0003] Patent Document 1 discloses an electronic control system. In this electronic control system, a master-side key communication control unit shares, at a first timing, an unvalidated key that is a key used for message authentication and is not yet valid, with a plurality of communication destinations via a communication network. A master-side key storage unit stores an unvalidated key and a validated key that is a valid key. An activation instruction control unit transmits, at a second timing after the first timing, an activation instruction for validating the unvalidated key for use in message authentication, to a plurality of communication destinations simultaneously via the communication network. A master-side key activation unit activates the unvalidated key when the activation instruction control unit transmits the activation instruction.
[0004] Japanese Patent Application Laid-Open No. 2019-161605
[0005] However, when switching the common key, a time difference may occur in the switching of the common key due to problems such as differences in startup times in each electronic control unit and the order in which the gateway transfers messages. For this reason, communication failures may occur instantaneously between an electronic control unit using an old common key and an electronic control unit using a new common key.
[0006] An object of the present invention is to provide a communication method and a vehicle communication system that can suppress communication failures between electronic control units when switching a common key.
[0007] A communication method according to one aspect of the present invention is performed by each of the multiple electronic control devices in a vehicle communication system in which multiple electronic control devices connected to a network within a vehicle communicate using a shared common key. This communication method includes communicating using only a first common key pre-written in memory, and then transitioning to an intermediate mode in which communication uses both the first and second common keys when a newly shared second common key is written to memory in place of the first common key.
[0008] According to one aspect of the present invention, communication problems that occur between electronic control devices when switching a common key can be suppressed.
[0009] Figure 1 is a block diagram showing the configuration of the vehicle communication system according to this embodiment. Figure 2 is a diagram showing the processing during reception and transmission in the three key modes. Figure 3 is a first sequence chart showing the flow of the communication method of this embodiment. Figure 4 is a second sequence chart showing the flow of the communication method of this embodiment. Figure 5 is a third sequence chart showing the flow of the communication method of this embodiment. Figure 6 is a diagram illustrating whether transmission and reception are possible in the three key modes.
[0010] The vehicle communication system and communication method according to this embodiment will be described below with reference to the drawings.
[0011] As shown in Figure 1, the vehicle communication system 10 is a system mounted on a vehicle, in which multiple electronic control units connected to a network within the vehicle communicate with each other. Specifically, the vehicle includes a gateway 20, a first electronic control unit (ECU) 30A, a second electronic control unit 30B, and a third electronic control unit 30C. The gateway 20 and the first to third electronic control units 30A, 30B, and 30C are connected to a communication bus and constitute a network.
[0012] In the following explanation, the network is assumed to be a CAN (Controller Area Network). However, the in-vehicle network may be a network conforming to a communication protocol other than CAN, such as Ethernet®.
[0013] The gateway 20 transfers data between the electronic control units 30A, 30B, and 30C, and also transfers data between the external device 50 and the first to third electronic control units 30A, 30B, and 30C. The gateway 20 is implemented using an electronic control unit. A communication bus is connected to the gateway 20. The gateway 20 can also connect to an external device 50, such as a vehicle diagnostic device. The external device 50 can communicate with the first to third electronic control units 30A, 30B, and 30C via the communication bus.
[0014] The first to third electronic control units 30A, 30B, and 30C shown in Figure 1 represent some of the multiple electronic control units installed in a vehicle. Vehicles are equipped with various electronic control units according to their function or application. Examples of electronic control units installed in a vehicle include electronic control units that control the operation of the powertrain, including the engine, electronic control units that control the transmission, and electronic control units that control electrical components. Other examples include electronic control units that perform control related to the navigation system, and electronic control units that perform control related to safe driving and automated driving. Sensors and in-vehicle equipment are connected to each electronic control unit, and each electronic control unit controls the in-vehicle equipment based on the sensor detection values and the vehicle's status.
[0015] The configuration of the first electronic control unit 30A will be explained below, using the first electronic control unit 30A as an example. The configurations of the other electronic control units 30B and 30C are the same as those of the first electronic control unit 30A.
[0016] The first electronic control unit 30A comprises a controller 31 and a communication circuit 37. The controller 31 is composed of a microcomputer equipped with a CPU, memory, input / output interface, etc. The CPU reads various computer programs stored in memory and executes various instructions contained in the programs. By executing the programs, the controller 31 functions as one of the multiple information processing circuits provided by the first electronic control unit 30A. In this embodiment, an example is shown in which the multiple information processing circuits provided by the first electronic control unit 30A are realized by software. Of course, it is also possible to configure the information processing circuits by preparing dedicated hardware to execute each of the information processing processes shown below. Alternatively, the multiple information processing circuits may be configured with individual hardware.
[0017] The controller 31 includes a frame generation unit 32, a key verification unit 33, a key storage unit 34, and a key mode control unit 35 as multiple information processing circuits. In addition to these components, the controller 31 also includes a function unit related to vehicle control, but its description is omitted in this embodiment.
[0018] The frame generation unit 32 generates data to be sent to the recipient (hereinafter referred to as "transmission data") using a common key written in the key storage unit 34. The transmission data is structured as a frame. The frame generation unit 32 calculates an encryption authentication code based on the frame containing the message to be sent to the recipient and the common key written in the key storage unit 34. The frame generation unit 32 generates a transmission frame to be sent to the recipient by appending the encryption authentication code to the end of the frame. As an algorithm for generating the encryption authentication code, for example, the MAC (Message Authentication Code) algorithm can be used, but is not limited to this. When calculating the encryption authentication code, the frame generation unit 32 reads a common key corresponding to the key mode from the key storage unit 34. The frame generation unit 32 transmits the generated transmission frame via the communication circuit 37. The frame generation unit 32 may also use counter information that is incremented each time a transmission frame is sent when generating a transmission frame.
[0019] The key verification unit 33 verifies the legitimacy of data received from the network (hereinafter referred to as "received data") using the common key written in the key storage unit 34. The received data is transmitted data sent by the sender and is structured as a frame. Specifically, the key verification unit 33 decomposes the received frame and extracts the frame containing the message and the cryptographic authentication code. The key verification unit 33 also calculates the cryptographic authentication code based on the extracted frame and the common key written in the key storage unit 34. The method for generating the cryptographic authentication code is the same as the method for generating the cryptographic authentication code in the frame generation unit 32. If the cryptographic authentication code extracted from the received frame matches the calculated cryptographic authentication code, the key verification unit 33 determines that the authentication of the received frame was successful. In this case, the key verification unit 33 receives the received frame as a legitimate received frame transmitted from another electronic control device that shares the same common key. On the other hand, the key verification unit 33 determines that a received frame has been tampered with if the cryptographic authentication code extracted from the received frame does not match the calculated cryptographic authentication code. In this case, the key verification unit 33 reports an error or destroys the received frame. In verifying the legitimacy of the received frame, the key verification unit 33 reads a common key corresponding to the key mode from the key storage unit 34. The frame generation unit 32 may also use counter information when verifying the legitimacy of the received frame.
[0020] The key storage unit 34 is a memory in which a common key used by the frame generation unit 32 and the key verification unit 33 is written. By sharing the same common key among the first to third electronic control units 30A, 30B, and 30C, it is possible to verify that the received frame has not been tampered with. This common key is switched to a newly shared common key at a certain time. For example, in a vehicle manufacturing plant, the same common key (initial key) is used for all vehicles manufactured during assembly, but before the vehicles are shipped, the initial key is replaced with a vehicle-specific common key. Hereinafter, the initially used common key will be referred to as the first common key, and the new shared common key that replaces the first common key will be referred to as the second common key.
[0021] The key mode control unit 35 switches the key mode that indicates the common key used for communication. The key modes include a first mode α, an intermediate mode β, and a second mode γ.
[0022] The first mode α is a mode in which communication is performed using the first common key Ka. As shown in Figure 2, in the first mode α, the frame generation unit 32 and the key verification unit 33 send and receive frames using the first common key Ka written in the key storage unit 34. Specifically, the frame generation unit 32 calculates an encryption authentication code using the first common key Ka and generates a transmission frame by adding the encryption authentication code. The key verification unit 33 calculates an encryption authentication code using the first common key Ka, and if the authentication of the received frame is successful using the encryption authentication code, it receives the received frame.
[0023] Intermediate mode β is a mode in which communication is performed using the first and second common keys Ka and Kb. As shown in Figure 2, in intermediate mode β, the frame generation unit 32 and the key verification unit 33 send and receive frames using the first and second common keys Ka and Kb written in the key storage unit 34. Specifically, the frame generation unit 32 calculates an encryption authentication code using the first common key Ka and generates a first transmission frame by adding the encryption authentication code, and calculates an encryption authentication code using the second common key Kb and generates a second transmission frame by adding the encryption authentication code. Meanwhile, the key verification unit 33 calculates encryption authentication codes using the first and second common keys Ka and Kb, respectively. The key verification unit 33 receives the received frame if the authentication of the received frame is successful using one of the two encryption authentication codes.
[0024] The second mode γ is a mode in which communication is performed using the second common key Kb. As shown in Figure 2, in the second mode γ, the frame generation unit 32 and the key verification unit 33 send and receive frames using the second common key Kb written in the key storage unit 34. Specifically, the frame generation unit 32 calculates an encryption authentication code using the second common key Kb and generates a transmission frame by adding the encryption authentication code. The key verification unit 33 calculates an encryption authentication code using the second common key Kb, and if the authentication of the received frame is successful using the encryption authentication code, it receives the received frame.
[0025] The key mode control unit 35 selects the first mode α if only the first common key Ka is written to the key storage unit 34. On the other hand, the key mode control unit 35 transitions from the first mode α to the intermediate mode β when the second common key Kb is newly written to the key storage unit 34. Then, the key mode control unit 35 transitions from the intermediate mode β to the second mode γ when the second common key Kb is written to all of the first to third electronic control units 30A, 30B, and 30C connected to the network.
[0026] The communication circuit 37 is a circuit for the first electronic control unit 30A to communicate with other electronic control units (second and third electronic control units 30B and 30C). The communication circuit 37 transmits the transmission frame generated by the frame generation unit 32 to the destination. The communication circuit 37 also outputs the received frame received from the network to the key verification unit 33.
[0027] Referring to Figures 3 to 5, the communication method according to this embodiment will be described. First, it is assumed that the first common key Ka is written to the key storage unit 34 of each electronic control device 30A, 30B, and 30C. That is, the first to third electronic control devices 30A, 30B, and 30C share the first common key with each other. At this time, the key mode control unit 35 of each electronic control device 30A, 30B, and 30C has selected the first mode α.
[0028] When the first electronic control unit 30A in first mode α transmits a frame to the second electronic control unit 30B in first mode α, the first electronic control unit 30A transmits the frame using the first common key Ka (S10). At this time, since the first common key Ka is also written to the second electronic control unit 30B, the second electronic control unit 30B receives the frame transmitted from the first electronic control unit 30A as a valid frame. The same applies when the second electronic control unit 30B transmits a frame to the first electronic control unit 30A (S11).
[0029] Similarly, when the first electronic control unit 30A in first mode α transmits a frame to the third electronic control unit 30C in first mode α, the first electronic control unit 30A transmits the frame using the first common key Ka (S12). At this time, since the first common key Ka is also written to the third electronic control unit 30C, the third electronic control unit 30C receives the frame transmitted from the first electronic control unit 30A as a valid frame. The same applies when the third electronic control unit 30C transmits a frame to the first electronic control unit 30A (S13).
[0030] When an instruction to write the second common key Kb is transmitted from the external device 50 to the first electronic control unit 30A (S20), the first electronic control unit 30A writes the second common key Kb to the key storage unit 34 (S21). Once the writing of the second common key Kb is complete, the first electronic control unit 30A sends a write response for the second common key Kb to the external device 50 (S22). The first electronic control unit 30A also switches the key mode from the first mode α to the intermediate mode β (S23). Meanwhile, the gateway 20 detects that the writing of the second common key Kb has been successful in the first electronic control unit 30A based on the write response for the second common key Kb transmitted from the first electronic control unit 30A to the external device 50 (S24).
[0031] When the first electronic control unit 30A in intermediate mode β transmits a frame to the second electronic control unit 30B in first mode α, the first electronic control unit 30A transmits a frame (first transmission frame) using the first common key Ka (S30) and a frame (second transmission frame) using the second common key Kb (S31). Since the first common key Ka is written to the second electronic control unit 30B, the second electronic control unit 30B successfully authenticates the frame generated using the first common key Ka from the two frames transmitted from the first electronic control unit 30A. Therefore, the second electronic control unit 30B receives the frame generated using the first common key Ka, transmitted by the first electronic control unit 30A, as a valid frame.
[0032] Furthermore, when the second electronic control unit 30B in first mode α transmits a frame to the first electronic control unit 30A in intermediate mode β, the second electronic control unit 30B transmits the frame using the first common key Ka (S32). Since the first and second common keys Ka are written to the first electronic control unit 30B, the first electronic control unit 30B verifies the legitimacy of the frame transmitted from the first electronic control unit 30A using the first and second common keys Ka, respectively. At this time, the first electronic control unit 30B successfully authenticates the frame using the first common key Ka. As a result, the first electronic control unit 30A receives the frame transmitted by the second electronic control unit 30B as a legitimate frame.
[0033] Next, when an instruction to write the second common key Kb is transmitted from the external device 50 to the second electronic control unit 30B (S40), the second electronic control unit 30B writes the second common key Kb to the key storage unit 34 (S41). Once the writing of the second common key Kb is complete, the second electronic control unit 30B sends a write response for the second common key Kb to the external device 50 (S42). Then, the second electronic control unit 30B switches the key mode from the first mode α to the intermediate mode β (S43). Meanwhile, the gateway 20 detects that the writing of the second common key Kb has been successful in the second electronic control unit 30B based on the write response for the second common key Kb transmitted from the second electronic control unit 30B to the external device 50 (S44).
[0034] As shown in Figure 4, when the first electronic control unit 30A in intermediate mode β transmits a frame to the second electronic control unit 30B in intermediate mode β, the first electronic control unit 30A transmits a frame using the first common key Ka (S50) and a frame using the second common key Kb (S51). Since the first and second common keys Ka and Kb are written to the second electronic control unit 30B, the second electronic control unit 30B successfully authenticates each of the two frames transmitted from the first electronic control unit 30A. Therefore, the second electronic control unit 30B receives the two frames transmitted by the first electronic control unit 30A, which were generated using the first and second common keys Ka and Kb, as valid frames.
[0035] The same applies when the second electronic control unit 30B in intermediate mode β transmits a frame to the first electronic control unit 30A in intermediate mode β (S52, S53).
[0036] Next, when the first electronic control unit 30A in intermediate mode β transmits a frame to the third electronic control unit 30C in first mode α, the first electronic control unit 30A transmits a frame using the first common key Ka (S54) and a frame using the second common key Kb (S55). Since the first common key Ka is written to the third electronic control unit 30C, the third electronic control unit 30C successfully authenticates the frame generated using the first common key Ka from the two frames transmitted by the first electronic control unit 30A. Therefore, the third electronic control unit 30C receives the frame generated using the first common key Ka, transmitted by the first electronic control unit 30A, as a valid frame.
[0037] Furthermore, when the third electronic control unit 30C in first mode α transmits a frame to the first electronic control unit 30A in intermediate mode β, the third electronic control unit 30C transmits the frame using the first common key Ka (S56). Since the first and second common keys Ka are written to the first electronic control unit 30B, the first electronic control unit 30B verifies the legitimacy of the frame transmitted from the third electronic control unit 30C using the first and second common keys Ka, respectively. At this time, the first electronic control unit 30A successfully authenticates the frame using the first common key Ka. As a result, the first electronic control unit 30A receives the frame transmitted by the third electronic control unit 30C as a legitimate frame.
[0038] Finally, when an instruction to write the second common key Kb is transmitted from the external device 50 to the third electronic control unit 30C (S60), the third electronic control unit 30C writes the second common key Kb to the key storage unit 34 (S61). Once the writing of the second common key Kb is complete, the third electronic control unit 30C sends a write response for the second common key Kb to the external device 50 (S62). Then, the third electronic control unit 30C switches the key mode from the first mode α to the intermediate mode β (S63). Meanwhile, the gateway 20 detects that the writing of the second common key Kb has been successful in the third electronic control unit 30C based on the write response for the second common key Kb transmitted from the third electronic control unit 30C to the external device 50 (S64).
[0039] Next, the gateway 20 transmits a mode transition instruction from intermediate mode β to second mode γ to the first to third electronic control units 30A, 30B, and 30C, provided that the writing of the second common key Kb is successful in all electronic control units 30A, 30B, and 30C. Specifically, the gateway 20 transmits a mode transition instruction from intermediate mode β to second mode γ to the first electronic control unit 30A (S70). Each electronic control unit 30A transitions its key mode from intermediate mode β to second mode γ (S71).
[0040] As shown in Figure 5, consider the case where the first electronic control unit 30A in second mode γ transmits a frame to the second electronic control unit 30B in intermediate mode β. The first electronic control unit 30A transmits the frame using the second common key Kb (S80). Since the first and second common keys Ka are written to the second electronic control unit 30B, the second electronic control unit 30B verifies the legitimacy of the frame transmitted from the first electronic control unit 30A using the first and second common keys Ka, respectively. At this time, the second electronic control unit 30B successfully authenticates the frame using the second common key Kb. As a result, the second electronic control unit 30B receives the frame transmitted by the first electronic control unit 30A as a legitimate frame.
[0041] Furthermore, when the second electronic control unit 30B in intermediate mode β transmits a frame to the first electronic control unit 30A in second mode γ, the second electronic control unit 30B transmits a frame using the first common key Ka (S82) and also transmits a frame using the second common key Kb (S83). At this time, since the second common key Kb is written to the first electronic control unit 30A, the first electronic control unit 30A successfully authenticates the frame generated using the second common key Kb from the two frames transmitted from the second electronic control unit 30B. Therefore, the first electronic control unit 30A receives the frame generated using the second common key Kb, transmitted by the second electronic control unit 30B, as a valid frame.
[0042] The gateway 20 transmits an instruction to the second electronic control unit 30B to transition from intermediate mode β to second mode γ (S90). The second electronic control unit 30B transitions from intermediate mode β to second mode γ (S91). Similarly, the gateway 20 transmits an instruction to the third electronic control unit 30C to transition from intermediate mode β to second mode γ (S95). The third electronic control unit 30C transitions from intermediate mode β to second mode γ (S96).
[0043] When all the electronic control units 30A, 30B, and 30C shift to the second mode γ by such a procedure, the second common key is written in all the electronic control units 30A, 30B, and 30C. As a result, each of the electronic control units 30A, 30B, and 30C can communicate normally with the other electronic control units 30A, 30B, and 30C.
[0044] In the vehicle communication system and communication method of the present embodiment, each of the electronic control units 30A, 30B, and 30C communicates using the first common key Ka pre-written in the key storage unit 34, and when a second common key Kb newly shared instead of the first common key Ka is written in the key storage unit 34, it shifts to an intermediate mode β in which it communicates using both the first and second common keys Ka and Kb. Here, in the intermediate mode β, each of the electronic control units 30A, 30B, and 30C transmits a first transmission frame created using the first common key Ka and a second transmission frame created using the second common key Kb to other electronic control units. Also, each of the electronic control units 30A, 30B, and 30C processes the received data as legitimate data from other electronic control units when it can authenticate the validity of the received frame received from the network using at least one of the first and second common keys Ka and Kb.
[0045] According to this configuration, when switching from the first common key Ka to the second common key Kb, it shifts to the intermediate mode β. As shown in FIG. 6, according to the intermediate mode β, communication is possible not only between the electronic control units in the same intermediate mode β but also with the electronic control units using the first common key Ka (first mode α). As a result, it is possible to suppress the occurrence of communication failures between the electronic control units when switching the common key.
[0046] Also, in the vehicle communication system and communication method of the present embodiment, each of the electronic control units 30A, 30B, and 30C ends the intermediate mode β on the condition that the second common key Kb is written in all of the first to third electronic control units 30A, 30B, and 30C, and communicates with other electronic control units using only the second common key Kb.
[0047] According to this configuration, when the second common key Kb is shared among all of the first to third electronic control units 30A, 30B, and 30C, the transition is made from the intermediate mode β to the second mode γ. As shown in FIG. 6, due to the existence of the intermediate mode β, communication becomes possible not only between the electronic control units in the same intermediate mode β but also with the electronic control units using the second common key Kb (second mode γ). Thereby, it is possible to suppress the occurrence of communication failures between the electronic control units when switching the common key.
[0048] In the vehicle communication system and communication method of the present embodiment, each of the electronic control units 30A, 30B, and 30C determines that the second common key Kb is shared among all of the first to third electronic control units 30A, 30B, and 30C based on an instruction from the gateway 20.
[0049] The gateway 20 can detect a write response transmitted from each of the electronic control units 30A, 30B, and 30C to the external device 50. For this reason, the gateway 20 can determine that the second common key Kb has been written in all of the first to third electronic control units 30A, 30B, and 30C. Therefore, each of the electronic control units 30A, 30B, and 30C can appropriately determine that the second common key Kb has been written in all of the first to third electronic control units 30A, 30B, and 30C by referring to the instruction from the gateway 20.
[0050] Note that the method by which each of the electronic control units 30A, 30B, and 30C determines that the second common key Kb has been written in all of the first to third electronic control units 30A, 30B, and 30C is not limited to this.
[0051] For example, each electronic control unit 30A, 30B, and 30C may receive the processing result (write response) of another electronic control unit in response to a write instruction for the second common key Kb, or an instruction from another electronic control unit. This allows each electronic control unit 30A, 30B, and 30C to appropriately determine, based on the processing result (write response) of another electronic control unit in response to a write instruction for the second common key Kb, or an instruction from another electronic control unit, that the second common key Kb has been shared among all of the first to third electronic control units 30A, 30B, and 30C.
[0052] Furthermore, if the external device 50 receives write responses from all of the first to third electronic control units 30A, 30B, and 30C, it may send an instruction to all of the first to third electronic control units 30A, 30B, and 30C that the second common key Kb has been shared among them. This allows the external device 50 to appropriately determine that the second common key Kb has been shared among all of the first to third electronic control units 30A, 30B, and 30C.
[0053] Furthermore, when the second common key Kb is written to all of the first to third electronic control units 30A, 30B, and 30C, communication using the second common key Kb is performed in all of the first to third electronic control units 30A, 30B, and 30C. Therefore, each electronic control unit 30A, 30B, and 30C can appropriately determine that the second common key Kb has been shared in all of the first to third electronic control units 30A, 30B, and 30C by referring to the frames of the first to third electronic control units 30A, 30B, and 30C.
[0054] As described above, embodiments of the present invention have been presented, but the statements and drawings that constitute part of this disclosure should not be understood as limiting the invention. Various alternative embodiments, examples, and operational techniques will become apparent to those skilled in the art from this disclosure.
[0055] 10: Vehicle communication system, 20: Gateway, 30A: First electronic control unit, 30B: Second electronic control unit, 30C: Third electronic control unit, 31: Controller, 32: Frame generation unit, 33: Key verification unit, 34: Key storage unit, 35: Key mode control unit, 37: Communication circuit
Claims
1. A vehicle communication system in which multiple electronic control devices connected to a network within a vehicle communicate using a shared common key, wherein each of the multiple electronic control devices performs a communication method, the method comprising: communicating using only a first common key pre-written in memory; and transitioning to an intermediate mode in which communication uses both the first and second common keys when a newly shared second common key is written to the memory in place of the first common key, wherein the intermediate mode includes: transmitting first transmission data generated using the first common key and second transmission data generated using the second common key when transmitting transmission data to another electronic control device connected to the network; and processing the received data as legitimate received data from another electronic control device connected to the network when receiving data from the network, provided that authentication of the received data is successful using at least one of the first and second common keys.
2. The communication method according to claim 1, which includes terminating the intermediate mode and communicating using only the second common key when it is determined that the second common key has been written to all of the plurality of electronic control devices.
3. The communication method according to claim 2, which determines that the second common key has been written in all of the plurality of electronic control devices based on the processing result of the other electronic control device in response to the instruction to write the second common key, or an instruction from the other electronic control device.
4. The communication method according to claim 2, wherein it determines that the second common key has been written to all of the plurality of electronic control devices based on instructions from an external device provided outside the vehicle and connected to the network.
5. The communication method according to claim 2, which determines that the second common key has been written to all of the plurality of electronic control devices when it is determined that communication using the second common key is being performed in all of the plurality of electronic control devices.
6. The communication method according to claim 2, wherein the plurality of electronic control devices include a gateway that manages communication in the network, and the method determines, based on instructions from the gateway, that the second common key has been written to all of the plurality of electronic control devices.
7. A vehicle communication system in which a plurality of electronic control devices connected to a network within a vehicle communicate using a common key, wherein each of the plurality of electronic control devices comprises a communication circuit connected to the network and a controller having a memory on which the common key is written, the controller comprises a first mode in which it communicates using only a first common key pre-written in the memory and an intermediate mode in which it communicates using both the first and second common keys when a second common key to be newly shared is written to the memory in place of the first common key, and in the intermediate mode, when the controller transmits transmission data to another electronic control device connected to the network, it transmits first transmission data generated using the first common key and second transmission data generated using the second common key, respectively, and when it receives received data from the network, it processes the received data as legitimate received data from another electronic control device connected to the network, provided that authentication of the received data using at least one of the first and second common keys is successful.