Title:
ON-BOARD DEVICE FOR A VEHICLE
Document Type and Number:
WIPO Patent Application WO/2017/122165
Kind Code:
A1
Abstract:
An on-board device for telematic traffic services is described. The on-board device comprises a radiofrequency communication stage for communicating with a road-side device, a short-range communication stage for communicating with a user device (a mobile phone for example), a data processing unit cooperating with both communication stages, a central operating memory, accessible only by the data processing unit, which stores an encryption key, and a second memory directly accessible by the short-range communication stage. The short-range communication stage receives encrypted second data from the user device and stores it temporarily in the second memory, which it can access directly. Upon reception of a wake-up signal, the data processing unit decrypts this encrypted second data using the encryption key stored in the central operating memory and transfers the decrypted data into the central operating memory.

Inventors:
GARGIANI LEONARDO (IT)
Application Number:
PCT/IB2017/050184
Publication Date:
July 20, 2017
Filing Date:
January 13, 2017
Assignee:
AUTOSTRADE TECH S P A (IT)
International Classes:
G07B15/04; G07B15/06
Foreign References:
US20140316685A1 (2014-10-23)
US20140316992A1 (2014-10-23)
US20150100394A1 (2015-04-09)
US20150006912A1 (2015-01-01)
EP0769763A2 (1997-04-23)
Attorney, Agent or Firm:
COLOMBO, Stefano Paolo et al. (IT)
Claims:
CLAIMS

1. An on-board device (100) for a vehicle, said on-board device (100) being suitable for use in a system which provides a telematic traffic service, said on-board device (100) comprising:

- a radiofrequency communication stage (140) configured to communicate with a road-side device of said system;

- a short-range communication stage (150) configured to communicate with an electronic device (210) located in the vicinity thereof;

- a data processing unit (120) cooperating with said radiofrequency communication stage (140) and with said short-range communication stage (150),

- a first central operating memory (130) accessible by said data processing unit (120), wherein said first central operating memory (130) stores at least one encryption key;

- a second memory (160) electrically connected to or integrated in said short-range communication stage (150) and directly accessible by said short-range communication stage (150), wherein said second memory (160) stores first data relating to said on-board device (100); and

wherein said short-range communication stage (150) is configured to transmit to said electronic device (210) said first data, also in power down mode or in the event of malfunctioning of said radiofrequency communication stage (140) and is moreover configured to receive from said electronic device (210) encrypted second data and store it temporarily in said second memory (160);

and wherein said data processing unit (120) is configured, upon reception of a wake-up signal, to decrypt said encrypted second data using said encryption key stored in said first central operating memory (130) and to store said second data in said first central operating memory (130).

2. The device (100) according to claim 1, wherein said first central operating memory (130) is implemented inside said data processing unit (120).

3. The device (100) according to claim 1, wherein said first central operating memory (130) is implemented outside said data processing unit (120) and wherein said first central operating memory (130) stores a hardware identifier UID120 of said data processing unit (120) in a non-modifiable and non-erasable manner.

4. The device (100) according to claim 3, also comprising a hardware encryption interface between said first central operating memory (130) and said data processing unit (120).

5. The device (100) according to any one of the preceding claims, wherein said short-range communication stage (150) is configured to send said wake-up signal to said data processing unit (120).

6. The device (100) according to any one of the preceding claims, wherein said device (100) further comprises a button manually accessible from the outside of the said device (100), said button being configured so that, when pressed, said wake-up signal is sent to said data processing unit (120).

7. The device (100) according to any one of the preceding claims, wherein said first data is stored in said second memory (160) in a form encrypted with a private key of an asymmetric encryption mechanism, and wherein said short-range communication stage (150) is configured to transmit said first data to said electronic device (210) in a form encrypted with said private key.

8. The device (100) according to claim 7, wherein said short-range communication stage (150) is configured to receive said first data from a central server (700) via said electronic device (210) and said short-range stage (150) in a form already encrypted with said private key, and to store directly in a permanent manner said encrypted first data in said second memory (160), without requesting any action of said data processing unit (120).

9. The device (100) according to claim 7, wherein said short-range communication stage (150) is configured to receive said first data from a central server (700) via said electronic device (210) and said short-range communication stage (150) in a form not yet encrypted with said private key, wherein said first central operating memory (130) stores said private key and wherein said data processing unit (120) is configured to encrypt said first data with said private key and to store in a permanent manner said encrypted first data in said second memory (160).

10. The device (100) according to any one of claims 7 to 9, wherein said second memory (160) also stores a hardware identifier UID160 of said second memory (160), said hardware identifier UID160 being stored both unencrypted and encrypted with said private key together with said first data, and wherein said short-range communication stage (150) is configured to transmit to said electronic device (210) said hardware identifier UID160 unencrypted and said hardware identifier UID160 also encrypted with said private key together with said first data, for further authentication of said first data by said electronic device (210).

11. The device (100) according to any one of the preceding claims, wherein said second data is received by said short-range communication stage in a form encrypted with a symmetric key identical to said encryption key stored in said first central operating memory (130).

12. The device (100) according to any one of the preceding claims, wherein said data processing unit (120) is configured, upon reception of said wake-up signal, to transfer firstly said encrypted second data from said second memory (160) to said first central operating memory (130) and then decrypt it using said encryption key stored in said first central operating memory (130).

13. The device (100) according to any one of claims 1 to 12, wherein said data processing unit (120) is configured, upon reception of said wake-up signal, to decrypt firstly said encrypted second data using said encryption key stored in said first central operating memory (130) and then transfer said second decrypted data into said first central operating memory (130).

14. The device (100) according to one of the preceding claims, wherein said encrypted second data is received in separate encrypted blocks and wherein said data processing unit (120) is configured to start decrypting said encrypted second data only after receiving, in said second memory (160), all said separate encrypted blocks.

15. The device (100) according to any one of the preceding claims, wherein said data processing unit (120) is configured to read third data stored in said first central operating memory (130), to encrypt said third data using said encryption key stored in said first central operating memory (130) and to forward said encrypted third data to said short-range communication stage (150), said short-range communication stage (150) being configured to transmit said encrypted third data to a central server (700) via said electronic device (210).

16. The device (100) according to claim 15, wherein said second memory (160) stores, together with said first data, also a unique identification code OBU-ID of said device (100), said unique identification code OBU-ID of said device (100) being stored both unencrypted and encrypted with said symmetric key, said short-range communication stage (150) being configured to transmit to said central server (700) via said electronic device (210) also said unique identification code OBU-ID both unencrypted and encrypted with said symmetric key, so as to allow said central server (700) to perform authentication of said device (100) and decrypting of said third data.

17. A system for providing a telematic traffic service, said system comprising a plurality of road-side devices, an electronic device (210) and an on-board device (100) for a vehicle, said on-board device (100) being configured to communicate both with said plurality of road-side devices and with said electronic device (210), said on-board device (100) being according to any one of claims 1 to 16.

Description:
ON-BOARD DEVICE FOR A VEHICLE

Technical field of the invention

The present invention relates in general to the field of telematic traffic services. In particular the present invention relates to an on-board device for a vehicle, suitable for use in a system which supports a telematic traffic service.

Prior art

Systems which support traffic telematic services are known. These services comprise both services for the user (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) and administrator services (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).

These systems generally comprise an on-board device (also known as "OBU", i.e. "On Board Unit") suitable for installation onboard a vehicle, and a plurality of road-side devices (also known as "RSU", i.e. "Road Side Units") suitable for installation on the road side, on gateways or at access points, or at toll stations.

Generally, both the on-board device and the road-side devices are provided with respective radiofrequency communication stages (typically, DSRC, i.e. "Dedicated Short Range Communication" stages) which allow the on-board device to exchange information with the road-side devices. These radiofrequency communication stages typically use radiofrequency carriers, for example within the frequency range 5-6 GHz.

Each on-board device typically has an associated unique identification code OBU-ID, with which it is configured via software during manufacture. Moreover, when an on-board device is assigned to a user, it may be configured with information about the user (for example, personal details) and information about the vehicle (number plate, etc.). The configuration of an on-board device generally involves also the loading of the software applications which provide the telematic traffic services supported by the device.

After an on-board device has been configured and installed on-board, it may be necessary to modify its configuration, for example in order to update or activate the software applications already present, or load new applications, or remove or disable those applications which are no longer of interest for the user. This is for example the case where a user wishes to activate temporarily a toll payment service in a foreign country. In this case, the configuration of the user's on-board device must be modified by loading and activating temporarily a software application able to support this service.

Moreover, after an on-board device has been configured and installed on-board, it may be necessary to carry out checks on operation thereof and diagnostic tests, such as a check of the charge level of its battery. It might also be necessary to check the configuration information (relating to the user and/or to the vehicle) stored by the on-board device.

All the aforementioned operations require access to the on-board device in order to perform writing or reading of its memory and are generally carried out by means of equipment provided with radiofrequency communication stages able to communicate with the communication stage present in the on-board device. This equipment is generally present at the operating centres managed by the company which provides the telematic traffic service or by the company which manages the road or the motorway along which the telematic traffic service is provided. If a user therefore wishes to modify the configuration of his/her on-board device or check operation thereof, generally he/she must go to one of these operating centres.

US 2014/0316685 describes an on-board device for a system supporting traffic telematic services, which comprises a near-range communication module for communication with a first external communication device (for example, the mobile phone of the user), a far-range communication module (for example, DSRC) for communication with second external devices (for example, the road-side devices of the system) and a non-volatile memory which is accessible by both the communication modules. The near-range communication module may be for example a passive NFC tag. This is powered by the user's mobile phone during communication and in this way may access the non-volatile memory, and in so doing can supply power to it, even when the rest of the on-board device is not in an operative condition. The contents of the non-volatile memory may therefore be read and/or written by means of the connection between the user's mobile phone and the near-range communication module, irrespective of whether the rest of the on-board device is in operating mode or not. It is thus possible to modify the configuration of the on-board device, for example by writing configuration data in the non-volatile memory, via the user's mobile phone. Similarly it is possible to read the contents of the non-volatile memory via the user's mobile phone.

Short description of the invention

The Applicant has noticed that the on-board device described by US 2014/0316685 has a number of drawbacks.

Firstly, the Applicant has noticed that the near-range communication module included in this device, since it has direct access to the non-volatile memory of the device both during reading and during writing, disadvantageously reduces the security of the on-board device. The short-range and near-field technologies (such as NFC technology) generally have mechanisms for authentication and protection of the connection which are not particularly secure, the security of the connection being mainly based on the fact of having a coverage range of only a few centimetres. If, therefore, for example, a third party should come into possession of the on-board device of a user, he/she could access the on-board device using his/her own mobile phone (or another device equipped with NFC reader), and thus modify the configuration thereof, or read information stored there and use it to clone the on-board device (i.e. copy it onto another on-board device).

Moreover, the direct access to the non-volatile memory by the near-range communication module disadvantageously could result in inefficient use of the computational and storage resources of the on-board device. The user could in fact decide, for example, to write configuration data in the memory (or, similarly, read configuration data from the memory) not knowing that, precisely in that moment, the on-board device is engaged in another priority activity, for example an exchange of data with one of the road-side devices. In this case, the configuration data writing operation started by the user, while being lower priority, could disadvantageously deprive the higher priority activity of computational resources, with the risk of slowing down or even stopping execution thereof.

In view of the above, the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service and which solves the aforementioned problems.

In particular, the object of the present invention is to provide an on-board device for a motor vehicle, which is suitable for use in a system supporting a telematic traffic service, which is more secure and which uses more efficiently its associated computational and storage resources.

According to embodiments of the present invention, this object is achieved by an on-board device for a vehicle, which comprises a radiofrequency communication stage for communication with the road-side devices, a short-range communication stage for communication with an electronic device (for example a mobile phone) situated in the vicinity thereof, two memories and a data processing unit cooperating with both the communication stages. A first memory acts as a central operating memory accessible by the data processing unit alone and stores at least one first encryption key. A second memory is directly accessible instead by the short-range communication stage, is electrically connected thereto or integrated therein and stores first data relating to the on-board device. The short-range communication stage is configured to transmit to the electronic device this first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage. The short-range communication stage is moreover configured to receive encrypted second data from the electronic device and store it temporarily in the second memory. The data processing unit is configured to decrypt, upon reception of a wake-up signal, this encrypted second data using the encryption key stored in the first central operating memory and to store the second data in the first central operating memory.

The on-board device is advantageously secure since, at the moment of reception of data from the electronic device via the short-range communication stage, the data to be decrypted and the encryption key which is needed to decrypt it are stored in two physically separate memories, one of which (namely that which stores the key) is accessible only by the data processing unit, i.e. cannot be directly accessed by the short-range communication stage. Despite the fact, therefore, that the short-range communication stage allows an unprotected connection to be established between electronic device and on-board device, the on-board device is advantageously more secure. The on-board device allows moreover more efficient use of its computational and storage resources, since the transfer of the data into the first central operating memory and the subsequent processing thereof are triggered upon reception of the wake-up signal in the data processing unit. This allows implementation of the mechanisms for managing the priority of the various operations which involve the data processing unit and the first central operating memory of the on-board device, whereby, for example, for the activity of processing data received from the short-range communication stage, the data processing unit receives wake-up signals after completing execution of the higher priority activities (for example, the data exchange activities between radiofrequency communication stage and road-side devices).

According to a first aspect, the present invention provides an on-board device for a vehicle, the on-board device being suitable for use in a system which provides a telematic traffic service, the on-board device comprising:

- a radiofrequency communication stage configured to communicate with a road-side device of said system;

- a short-range communication stage configured to communicate with an electronic device located in the vicinity thereof;

- a data processing unit cooperating with the radiofrequency communication stage and with the short-range communication stage,

- a first central operating memory accessible by the data processing unit, wherein the first central operating memory stores at least one encryption key;

- a second memory electrically connected to or integrated in the short-range communication stage and directly accessible by the short-range communication stage, wherein the second memory stores first data relating to the on-board device, wherein the short-range communication stage is configured to transmit to the electronic device the first data, also in power down mode or in the event of malfunctioning of the radiofrequency communication stage and is moreover configured to receive from the electronic device encrypted second data and store it temporarily in the second memory, and

wherein the data processing unit is configured, upon reception of a wake-up signal, to decrypt the encrypted second data using the at least one encryption key stored in the first central operating memory and to store the second data in the first central operating memory.

Preferably, the first central operating memory is implemented inside the data processing unit.

Alternatively, the first central operating memory is implemented outside the data processing unit, and the first central operating memory stores a hardware identifier UID120 of the data processing unit in a non-modifiable and non-erasable manner.

Preferably, the device also comprises a hardware encryption interface between the first central operating memory and the data processing unit.

Preferably, the short-range communication stage is configured to send said wake-up signal to the data processing unit.

In addition or alternatively, the device also comprises a button manually accessible from the outside of the device, the button being configured so that, when pressed, said wake-up signal is sent to the data processing unit.

Preferably, the first data is stored in the second memory, encrypted with a private key of an asymmetric encryption mechanism, and the short-range communication stage is configured to transmit the first data to the electronic device, encrypted with said private key. The first data made available for reading and encrypted with the private key in the second memory preferably comprises tag data of the on-board device, including in particular its unique identification code OBU-ID.

According to an advantageous variant, the short-range communication stage is configured to receive said first data from a central server via the electronic device and the short-range communication stage in a form encrypted with said private key, and to store directly in a permanent manner the encrypted first data in the second memory, without requesting any action of the data processing unit.

According to another variant, the short-range communication stage is configured to receive the first data from a central server via the electronic device and the short-range communication stage in a form not yet encrypted with said private key, the first central operating memory also stores said private key and the data processing unit is configured to encrypt said first data with said private key and to store permanently the encrypted first data in the second memory.

Preferably the second memory also stores its hardware identifier UID160, the hardware identifier UID160 being stored both unencrypted and encrypted with the private key together with the first data, and the short-range communication stage is configured to transmit to the electronic device the hardware identifier UID160 unencrypted and the hardware identifier UID160 also encrypted with the private key together with the first data, for further authentication of the first data by the electronic device.
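A worked example of the first-data mechanism of the three preceding paragraphs (first data encrypted with a private key, bound to the hardware identifier UID160 of the second memory, and checked by the electronic device), written in Go for this page; it is not code from the application or from the assignee. The "encryption with the private key" is realised here as an RSA signature over the first data together with UID160, which is the usual way a public key is used to check authenticity of data that is itself readable in clear; the digest layout, the 2048-bit key used in the usage, and the names TagRecord, Provision and Verify are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// TagRecord is what the second memory (160) exposes to any NFC reader: the
// first data in clear and the server's RSA signature over first data and the
// chip's hardware identifier UID160. The signature is this example's concrete
// reading of the patent's "encrypted with the private key".
type TagRecord struct {
	FirstData []byte // e.g. OBU-ID and other tag data, readable even when powered down
	Sig       []byte // RSA PKCS#1 v1.5 / SHA-256 over digest(FirstData, UID160)
}

// digest binds first data and UID160 into one hash; the length prefix keeps the
// boundary between the two fields unambiguous.
func digest(firstData, uid160 []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(firstData) >> 8), byte(len(firstData))})
	h.Write(firstData)
	h.Write(uid160)
	return h.Sum(nil)
}

// Provision is the central server (700) preparing a record for one specific
// chip, identified by its UID160, before the record is written via the phone
// and the short-range stage (the variant of claim 8: no action of the DPU).
func Provision(priv *rsa.PrivateKey, firstData, uid160 []byte) (TagRecord, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(firstData, uid160))
	if err != nil {
		return TagRecord{}, err
	}
	return TagRecord{FirstData: firstData, Sig: sig}, nil
}

// Verify is the electronic device (210) checking a record it has just read,
// using the UID160 it read in clear from the same chip: a record copied onto a
// chip with another UID160, or first data altered in place, fails here.
func Verify(pub *rsa.PublicKey, rec TagRecord, uid160 []byte) error {
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(rec.FirstData, uid160), rec.Sig) != nil {
		return errors.New("first data not authentic for this UID160")
	}
	return nil
}
```

The point of including UID160 under the signature is the one the paragraph above makes: the electronic device compares the identifier it reads in clear with the one protected by the private key, so the first data is only accepted on the chip it was issued for.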

Preferably, the second data is received by the short-range communication stage in a form encrypted with a symmetric key identical to the encryption key stored in the first central operating memory.

According to a first variant, the data processing unit is configured, upon reception of said wake-up signal, to transfer firstly the encrypted second data from the second memory to the first central operating memory and then decrypt it using the encryption key stored in the first central operating memory.

According to another variant, the data processing unit is configured, upon reception of said wake-up signal, to decrypt firstly the encrypted second data using the encryption key stored in the first central operating memory and then transfer the decrypted second data into the first central operating memory.

Preferably, the encrypted second data is received in separate encrypted blocks and the data processing unit is configured to start decryption of the encrypted second data only after receiving, in the second memory, all the separate encrypted blocks.

Preferably, the data processing unit is configured to read third data stored in the first central operating memory, to encrypt the third data using said encryption key stored in the first central operating memory and to forward the encrypted third data to the short-range communication stage, the short-range communication stage being configured to transmit the encrypted third data to a central server via the electronic device.

Preferably, the second memory stores, together with said first data, also a unique identification code OBU-ID of the on-board device, the unique identification code OBU-ID of the device being stored both unencrypted and encrypted with the symmetric key, the short-range communication stage being configured to transmit to the central server via the electronic device also said unique identification code OBU-ID both unencrypted and encrypted with the symmetric key, so as to allow the central server to perform authentication of the device and decrypting of said third data.
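A worked example of the symmetric-key path described in the preceding paragraphs (second data arriving in separate encrypted blocks, decryption deferred until the wake-up signal and until all blocks are in the second memory, transfer first and decryption afterwards, and the third-data uplink with the OBU-ID both in clear and encrypted), written in Go for this page; it is not code from the application or from the assignee. The patent names no cipher: AES-256-GCM, the [index][total] block header, the NUL-separated layout of the uplink payload, and the names MakeBlock, OBU, NFCWrite, WakeUp, SendThird and ServerReceive are this example's own assumptions, as is modelling the short-range stage as a function that can only append to the second memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// AES-256-GCM stands in for the patent's unnamed "symmetric key" cipher, so a
// modified, renumbered or spoofed block fails authentication outright.
func gcmFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// MakeBlock is the server side of the downlink: [index][total] header plus the
// sealed chunk, the header being bound as associated data.
func MakeBlock(key []byte, i, total int, chunk []byte) ([]byte, error) {
	hdr := []byte{byte(i), byte(total)}
	body, err := seal(key, chunk, hdr)
	return append(hdr, body...), err
}

// OBU models the on-board device (100): key and central stand for the central
// operating memory (130), reachable only by the data processing unit; mailbox
// is the second memory (160), which the short-range stage writes directly.
type OBU struct {
	key, central []byte
	mailbox      [][]byte
}

// NFCWrite is the short-range stage storing one encrypted block; it has no key.
func (o *OBU) NFCWrite(block []byte) { o.mailbox = append(o.mailbox, block) }

// WakeUp is the DPU acting on the wake-up signal: it defers until all announced
// blocks are present (claim 14), then moves them into central memory and
// decrypts them there (claim 12); nothing partial reaches central memory.
func (o *OBU) WakeUp() error {
	if len(o.mailbox) == 0 || len(o.mailbox[0]) < 2 || len(o.mailbox) < int(o.mailbox[0][1]) {
		return errors.New("deferred: not all blocks received")
	}
	staged := o.mailbox
	o.mailbox = nil // the second memory is only a temporary staging area
	var out []byte
	for i, blk := range staged {
		if len(blk) < 2 || int(blk[0]) != i {
			return errors.New("block out of order or truncated")
		}
		pt, err := open(o.key, blk[2:], blk[:2])
		if err != nil {
			return errors.New("block rejected: wrong key or tampered")
		}
		out = append(out, pt...)
	}
	o.central = append(o.central, out...)
	return nil
}

// SendThird is the uplink of claims 15-16: the OBU-ID travels in clear (for key
// lookup) and again inside the sealed payload (OBU-ID, NUL, third data).
func (o *OBU) SendThird(obuID string, third []byte) ([]byte, error) {
	return seal(o.key, append([]byte(obuID+"\x00"), third...), []byte(obuID))
}

// ServerReceive looks the key up by the clear OBU-ID and accepts the third data
// only if the OBU-ID recovered from the sealed payload matches it.
func ServerReceive(keys map[string][]byte, obuID string, enc []byte) ([]byte, error) {
	key, ok := keys[obuID]
	if !ok {
		return nil, errors.New("unknown OBU-ID")
	}
	pt, err := open(key, enc, []byte(obuID))
	p := obuID + "\x00"
	if err != nil || len(pt) < len(p) || string(pt[:len(p)]) != p {
		return nil, errors.New("device authentication failed")
	}
	return pt[len(p):], nil
}
```

The property worth checking is which code holds the key: NFCWrite never touches it, so a reader that can write the second memory can only leave ciphertext there, and WakeUp consumes the second memory as a whole after the last block, so a partial or tampered transfer never reaches the central operating memory. On the uplink, a message relabelled with another OBU-ID is rejected because the server decrypts with that OBU-ID's key and checks the identifier inside the payload.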

According to a second aspect, the present invention provides a system for providing a telematic traffic service, the system comprising a plurality of road-side devices, an electronic device and an on-board device for a vehicle, the on-board device being configured to communicate both with the plurality of road-side devices and with the electronic device, the on-board device being as described above.

Brief description of the drawings

The present invention will become clearer from the following description, provided by way of a non-limiting example, to be read with reference to the accompanying drawings, in which:

- Figure 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to an embodiment of the present invention; and

- Figure 2 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to another embodiment of the present invention.

Detailed description of embodiments of the invention

Figure 1 shows in schematic form a system for providing a telematic traffic service, comprising an on-board device according to embodiments of the present invention. This telematic traffic service may be a service for the users (such as payment of tolls for access to road/motorway stretches, payment of car park fees, etc.) or a service for the administrator (such as control of access to restricted-traffic urban zones, monitoring of traffic along a road/motorway stretch, etc.).

The system comprises an on-board device 100, an electronic device 210, a plurality of road-side devices (for the sake of simplicity not shown in Figure 1), a communications network 600 and a central server 700 which communicates with the electronic device 210 via the communications network 600.

The on-board device 100 is preferably suitable for installation on-board a vehicle (for the sake of simplicity not shown in Figure 1), for example a motor vehicle. The road-side devices are instead configured to be installed in a fixed position, for example along a road side, on an overpass or on an access gateway (for example to a car park, an urban zone, a road or motorway section, etc.).

As will be described in greater detail below, the on-board device 100 is configured to communicate via radio both with the road-side devices and with the electronic device 210.

In particular, as shown in Figure 1, the on-board device 100 preferably comprises a battery 110, a data processing unit 120, a first memory 130, a radiofrequency communication stage 140, a short-range communication stage 150 and a second memory 160. The on-board device 100 may comprise other components (for example GNSS components for satellite positioning) which will not be described in greater detail hereinbelow since they are not useful for the purposes of the present description.

The battery 110 is preferably electrically connected directly or indirectly to each of the other components of the on-board device 100 (in particular to the data processing unit 120, to the first memory 130, to the radiofrequency stage 140 and to the short-range communication stage 150), so as to power them if and when necessary.

The first memory 130 is preferably electrically connected to the data processing unit 120. The first memory 130 may be implemented on the outside or on the inside of the data processing unit 120. In any case, the first memory 130 is accessible by the data processing unit 120 alone (in particular it is not directly accessible by the short-range communication stage 150).

In the event of being realized externally, the first memory 130 preferably stores a hardware identifier UID120 of the data processing unit 120 (preferably, its silicon number) in a non-modifiable and non-erasable manner. This hardware identifier UID120 is used by the processing unit 120 to check the authenticity of the data read from the first memory 130. This advantageously makes it possible to prevent the contents of the central operating memory of one on-board device from being cloned and transferred onto another on-board device.

By way of a further security measure, if the first memory 130 is implemented outside the data processing unit 120, an interface (not shown in the drawings) is provided between the unit 120 and the memory 130, said interface being configured to perform hardware encryption of the data which the unit 120 writes into the memory 130 and hardware decryption of the data which the unit 120 reads from the memory 130. The data stored in the memory 130 is thus advantageously protected at the hardware level. The first memory 130 is therefore a non-volatile memory which acts as a secure central operating memory of the on-board device 100.
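An added example of the UID120 check of the two preceding paragraphs, written in Go for this page and not taken from the application: the processing unit stores, next to its data, an authentication tag bound to its own UID120 and refuses on read-back any image whose UID120 or tag does not match, which is what stops a central memory image cloned from another on-board device from being accepted. The patent does not say how UID120 enters the check; HMAC-SHA256, the dpuSecret (a value assumed to be held inside the processing unit, since UID120 itself can be read from the chip and so must not be the only key material) and the names CentralImage, Store and Load are this example's own assumptions. The hardware encryption interface of the second paragraph is not modelled; it is what additionally keeps the contents confidential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// CentralImage is the content of an external first memory (130) as this
// example models it: the read-only UID120, the data the processing unit
// stores, and a tag that binds the data to this particular processing unit.
type CentralImage struct {
	UID120  []byte // silicon number of the processing unit, non-modifiable
	Payload []byte // OBU-ID, user and vehicle data, applications
	Tag     []byte // HMAC-SHA256 over UID120 || Payload
}

// bindingKey derives the MAC key from UID120 and a secret that never leaves
// the processing unit (dpuSecret is an assumption of this example: UID120
// alone is readable from the chip, so it must not be the only input).
func bindingKey(uid120, dpuSecret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("central-memory-binding/"))
	h.Write(uid120)
	h.Write(dpuSecret)
	return h.Sum(nil)
}

func tag(uid120, dpuSecret, payload []byte) []byte {
	m := hmac.New(sha256.New, bindingKey(uid120, dpuSecret))
	m.Write(uid120)
	m.Write(payload)
	return m.Sum(nil)
}

// Store is the processing unit writing its central operating memory.
func Store(uid120, dpuSecret, payload []byte) CentralImage {
	return CentralImage{UID120: uid120, Payload: payload, Tag: tag(uid120, dpuSecret, payload)}
}

// Load is the processing unit reading it back: the stored UID120 must be its
// own and the tag must verify, so an image cloned from another on-board device
// or modified in place is refused before any of its content is used.
func Load(myUID120, dpuSecret []byte, img CentralImage) ([]byte, error) {
	if !hmac.Equal(img.UID120, myUID120) {
		return nil, errors.New("memory image belongs to a different processing unit")
	}
	if !hmac.Equal(img.Tag, tag(myUID120, dpuSecret, img.Payload)) {
		return nil, errors.New("memory image fails authentication")
	}
	return img.Payload, nil
}
```

Both comparisons use hmac.Equal so that the check does not leak, through its timing, how many leading bytes of a forged tag were right.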

Preferably, the first memory 130 stores the unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user who is owner of the vehicle and about the vehicle itself (for example number plate and/or toll class of vehicle). The first memory 130 also preferably stores the software applications which provide the telematic traffic services for the user and/or for the administrator supported by the on-board device 100 and the data generated by communication of the on-board device 100 with the road-side devices of the system via the radiofrequency communication stage 140 (for example, data relating to the position of the vehicle or transit thereof through an access way).

The radiofrequency communication stage 140 is preferably configured to establish radio links with the road-side devices. For example, the radiofrequency stage 140 may be implemented using DSRC (Dedicated Short Range Communications) technology which, as is known, comprises radio channels and authentication, encoding and decoding procedures which have been specifically developed for telematic traffic services and uses frequency bands in the range of 5.7 - 5.9 GHz.

The short-range communication stage 150 is preferably configured to support short-range radio links (maximum 10 cm) with the electronic device 210.

The electronic device 210 may belong to the same user who has been assigned the on-board device 100 or may belong to third parties (for example, the administrator of the road or motorway infrastructure along which the telematic traffic service supported by the on-board device 100 is provided, the telematic traffic service administrator, or the body or authority responsible for monitoring traffic offences). The electronic device 210 is also preferably provided with cabled or wireless connectivity (for example WiFi or cellular network) to the communications network 600. For example, the electronic device 210 may be a smartphone, a tablet or a generic commercial or specially designed reader. Preferably, the electronic device 210 is also provided with a user interface 200 comprising input and/or output elements comprising for example pushbuttons, cursors, touchscreen, etc. The electronic device 210 also comprises a short-range communication stage compatible with the short-range communication stage 150 of the on-board device 100.

Preferably, the short-range communication stage 150 (and therefore also the corresponding short-range communication stage of the electronic device 210) is implemented using near-field technology, such as RFID (Radio-Frequency IDentification) technology with short range (i.e. radius less than 10 cm). Of the various RFID technologies it is possible to use, for example, NFC (Near Field Communication) technology which, as is known, operates at the frequency of 13.56 MHz and may reach a maximum transmission speed of 424 kbit/s. Preferably, the short-range communication stage included in the electronic device 210 is configured as initiator, while the short-range communication stage 150 is configured as target. In other words, the short-range communication stage 150 is configured to receive from the short-range communication stage included in the electronic device 210 a radio carrier, from which it extracts its own power supply.

The configuration of the short-range communication stage 150 as reader is advantageous, since it allows the electronic complexity and software of the on-board unit to be reduced. It also allows the short-range communication stage 150 to operate (and therefore communicate with the corresponding short-range communication stage included in the electronic device 210) also when the battery 110 of the on-board device 100 is completely discharged, or when the remainder of the on-board device (in particular the data processing unit 120, the first memory 130 and the radiofrequency stage 140) is damaged or in any case not functioning.

The second memory 160 may be electrically connected to the short-range communication stage 150. Alternatively, the second memory 160 may be integrated in the short-range communication stage 150. In both cases, the second memory 160 is directly accessible by the short-range communication stage 150 which may carry out on it both write operations and read operations also without involving the processing unit 120, as will be described in greater detail hereinbelow. The second memory 160 is preferably a non-volatile memory able to retain the data even when not electrically powered. For example, the second memory 160 may be a memory of the E²PROM type.

The second memory 160 preferably permanently stores a set of basic data relating to the on-board device 100, comprising a unique identification code OBU-ID of the on-board device 100 and, optionally, information about the user and/or the vehicle. The second memory 160 moreover is suitable for storing in a temporary or transient manner data sent by the central server 700 and destined for the data processing unit 120 and/or for the first memory 130, as will be described in greater detail hereinbelow.

In order to establish a radio link between the on-board device 100 and the electronic device 210, the two devices are moved close to each other (at a distance of less than 10 cm). The communications protocol via which the short-range communication stage 150 and the corresponding short-range stage included in the electronic device 210 operate thus establishes automatically a radio link. The radio link thus established is preferably a two-way point-to-point link which allows a two-way exchange of data between on-board device 100 and electronic device 210.

In particular, by means of the short-range radio link between electronic device 210 and on-board device 100, the short-range communication stage 150 may transmit to the electronic device 210 data read from the second memory 160 or other components of the on-board device 100, thus allowing the reading of this data from the on-board device 100 via the electronic device 210.

Optionally, the data read may be displayed in the form of texts or graphics on the user interface 200 of the electronic device 210. In addition or alternatively, the data read may be transmitted from the electronic device 210 to the central server 700 via the communications network 600.

These read operations may allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to carry out, for example, diagnostic checks or operational tests of the on-board device 100 (for example, checking the charge level of its battery 110) or to check the configuration information about the user and/or the motor vehicle stored by the on-board device 100.

If the data to be read is stored in the second memory 160 (as in the case, for example, of the aforementioned basic data), the short-range communication stage 150 advantageously may read it even if the battery 110 is completely discharged, or when the data processing unit 120 and/or the first memory 130 are not functioning.

The basic data stored in the second memory 160 can therefore be advantageously read by means of the electronic device 210, irrespective as to whether the on-board device 100 is functioning or not. The second memory 160 therefore advantageously performs substantially an electronic tag function.

If instead the data to be read is not stored in the second memory 160, the short-range communication stage 150 may read it only if the battery 110 is charged and the on-board device 100 (at least the data processing unit 120 and the first memory 130) is functioning correctly.

In order to start a read operation, the electronic device 210 preferably sends a command signal to the short-range communication stage 150.

If the read operation relates to data stored in the second memory 160 (for example the aforementioned basic data), the short-range communication stage 150 retrieves the required data from the second memory 160 and sends it to the electronic device 210, without requesting any action by the data processing unit 120.

If instead the read operation relates to data which is not stored in the second memory 160 (an operation for which, as mentioned above, the battery 110 must be sufficiently charged), the short-range communication stage 150 forwards the command signal to the data processing unit 120, which retrieves the required data (for example from the first memory 130) and sends it to the short-range communication stage 150, which in turn forwards it to the electronic device 210. Preferably, this command signal is preceded by a wake-up signal which activates the data processing unit 120.

In addition to the read operations, by means of the short-range radio link between electronic device 210 and on-board device 100, the short-range communication stage 150 may receive from the electronic device 210 data to be supplied to the other components of the on-board device 100 (in particular to the data processing unit 120 and/or to the first memory 130 and/or to the second memory 160), thus allowing writing of this data onto the on-board device 100 via the electronic device 210.

These write operations may for example allow the user of the electronic device 210 (who may be the user who has been assigned the on-board device 100 or the personnel of the provider of the telematic traffic service supported by the on-board device 100) to modify the configuration of the on-board device 100, for example updating or activating the software applications which are already present or loading new applications or removing or deactivating those applications which are no longer of interest for the user. These write operations may therefore be advantageously performed without having to visit a customer service operating centre.

A write operation preferably envisages that the central server 700 transmits the data to be written to the on-board device 100 via the communications network 600 and the electronic device 210.

The electronic device 210 preferably does not perform any processing of the data, merely performing a transducer function between the connection to the communications network 600 (for example Wi-Fi or cellular network) and the short-range radio link with the on-board device 100 (for example NFC). The data transmitted on the short-range radio link between electronic device 210 and onboard device 100 is therefore the same as the data transmitted on the communication network 600 between the central server 700 and the electronic device 210.

It should be noted that the establishment of the short-range radio link does not require any manual setting or any pairing procedure and is therefore very quick (about 1/10th of a second). Moreover, since the short-range link has a maximum radius of 10 cm, it is intrinsically not exposed to the risk of sniffing of the transmitted data which, in any case, as will be explained below, is preferably encrypted by the central server 700.

Once the data to be written has been received via the short-range radio link, the short-range communication stage 150 preferably saves it temporarily in the second memory 160. In order to prevent any overwriting or unauthorised access to the second memory 160, preferably a passcode write protection mechanism is provided. Alternatively, it is possible to provide in the second memory 160 one or more areas which are protected or have a write function enabled only by the data processing unit 120 and not by the short-range communication stage 150.

If the write operation relates to data to be stored permanently in the second memory 160 (for example the aforementioned basic data), the short-range communication stage 150 may identify and store said data directly in a permanent manner in the second memory 160 (without requiring any action by the data processing unit 120), for example in an address location of the second memory 160 dedicated for the permanent storage of the basic data. Alternatively, the short-range communication stage 150 may forward the data to be written in a transparent manner to the data processing unit 120, which identifies said data and transfers it back into the second memory 160, for example in the address location of the second memory 160 dedicated for the permanent storage of basic data.

If instead the write operation relates to the data intended for the data processing unit 120 and/or for the first memory 130 (for example, the aforementioned configuration data), the short-range communication stage 150 forwards said data preferably in a transparent manner to the data processing unit 120, which processes it and if necessary writes it in the first memory 130.

It should be noted that, if the write operation involves the data processing unit 120, the battery 110 must be charged. If, on the other hand, the data processing unit 120 is not involved, the write operation may be performed even if the battery 110 is discharged.

Preferably, if the data processing unit 120 is involved in the write operation, it starts processing of the data to be written upon reception of a wake-up signal. This wake-up signal may be sent to the data processing unit 120 by the short-range communication stage 150 or by the user of the on-board device 100, for example by means of a special button which can be accessed manually on the outside of the on-board device 100.

According to an advantageous variant, the on-board device 100 may be provided with one or more indicators (for example LED light indicators) designed to provide the user with visual feedback as regards the outcome of the data write operation on the on-board device 100. For example, the on-board device 100 may be provided with a light indicator configured to signal to the user whether the operation of writing the data in the first memory 130 has been successfully completed.

To summarise, the on-board device 100 according to the present invention therefore is substantially able to operate in three different operating configurations:

- first operating configuration: reading, via short-range radio link with the electronic device 210, of basic data stored in the second memory 160 (electronic tag function);

- second operating configuration: reading, via short-range radio link with the electronic device 210, of data not stored in the second memory 160. This operating configuration is generally useful for the purpose of verification of operation of the on-board device 100, for diagnostic purposes and, generally, for the purpose of reading the data contained in the first memory 130; and

- third operating configuration: writing, via short-range radio link with the electronic device 210, of data in the first memory 130 or in the second memory 160. This operating configuration is generally useful for the purpose of configuration of the on-board device 100 (for example in order to modify the tag data, update or activate the software applications already present, or load new applications, or in order to remove or disable those applications which are no longer of interest for the user, see the aforementioned example where the user wishes to activate temporarily a toll payment service in a foreign country).

The system shown in Figure 1 is preferably configured to provide a secure connection between the on-board device 100 and the electronic device 210 and optionally between the central server 700 and the on-board device 100. For this purpose, a mechanism is provided for ensuring the authenticity of the data read from the second memory 160 (namely so that the electronic device 210 and/or the central server 700 can be sure that the read data really relates to the on-board device 100 and has not instead been cloned from another on-board device), and a mechanism is provided for protecting the data exchanged between the central server 700 and the on-board device 100.

Preferably, the mechanism for ensuring the authenticity of the data read from the second memory 160 (for example the basic data of the on-board device 100) is based on asymmetric encryption of the data made available during reading by means of permanent storage in the second memory 160.

In particular, the data which can be read from the second memory 160 is stored in the second memory 160 encrypted with a private key. In order not to have to keep the private key stored in the onboard device 100, the central server 700 preferably sends to the onboard device 100 the data to be rendered readable from the second memory 160 in a form already encrypted with private key. In this case, upon reception of the data encrypted with private key from the central server 700, the short-range communication stage 150 may store it directly in the second memory 160, without requesting any action by the data processing unit 120.

Alternatively, the central server 700 may send to the on-board device 100 the data to be rendered readable from the second memory in a form not yet encrypted with private key. In this case, upon reception of the data not encrypted with private key from the central server 700, the short-range communication stage 150 preferably forwards it to the data processing unit 120 which encrypts it with private key and stores it permanently in the second memory 160. In this second case, therefore, action by the data processing unit 120 and storage of the private key in the first memory 130 are required.

If, subsequently, the electronic device 210 or the central server 700 requests reading of this data, said data is transmitted, encrypted with private key, to the electronic device 210 via the short-range communication stage 150. During this operation, no command is sent to the data processing unit 120 of the on-board device 100, which is not required to perform reading operations from the second memory 160.

Therefore, according to a first variant, the electronic device 210 preferably uses the public key in order to decrypt the read data which is encrypted with private key. The public key, since it may be freely distributed, is preferably saved locally in the electronic device 210 (for example within an application executed by the device 210 for managing reading of data from the device 100), thus freeing the electronic device 210 from the need to be connected to the central server 700 during the whole of the operation of reading of the data stored by the second memory 160.

Optionally, it is possible to provide additional authentication of the data read, based on a hardware identifier UID160 of the memory 160 (for example, its silicon number). According to this variant, the hardware identifier UID160 is preferably written by the manufacturer of the memory 160 in a specific area thereof so that it is stored permanently and is available in read-only mode and therefore cannot be modified. Preferably, in the second memory 160 the hardware identifier UID160 is stored both unencrypted and encrypted with private key together with the data to be rendered readable (for example the basic data) permanently saved in the second memory 160 (containing, as described above, the identifier OBU-ID and optionally data about the user and/or the vehicle).

The hardware identifier UID160 is preferably transmitted to the electronic device 210 unencrypted, together with the data to be read encrypted with private key.

After carrying out decryption of the data to be read with public key, the electronic device 210 preferably compares the hardware identifier UID160 received unencrypted with the hardware identifier UID160 obtained from decryption with public key. If the two hardware identifiers coincide, the data to be read is further authenticated.

In this way, it is possible advantageously to prevent the second memory 160 from being cloned and transferred onto another on-board device. If the contents of the second memory 160 of the on-board device 100 were to be copied onto another on-board device, the lack of correspondence between the two hardware identifiers would be detected and the data read would thus not be authenticated. The non-clonability of the data stored in the second memory 160, namely the impossibility of copying this data into the memory of another on-board device, is thus advantageously ensured.
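The following Python block is an added illustration of the authenticity mechanism described in the preceding paragraphs; it is not code from the patent or from the applicant. It models the second memory 160 as a chip with a read-only silicon number UID160 and a writable area, lets the server "encrypt with the private key" the concatenation of UID160 and the basic data, and lets the reader decrypt with the public key and compare the recovered identifier with the one read in clear from the chip. The RSA parameters (toy-sized textbook RSA so that it runs with the standard library alone), the length-prefixed block format, the class and function names and the sample UIDs and basic data are all assumptions constructed for the example.

```python
import struct
from typing import List, Optional

# Toy RSA parameters: the Mersenne primes 2^31-1 and 2^61-1 give a ~92-bit
# modulus, so every 8-byte block is a valid message. Textbook RSA without
# padding, for illustration only; a deployment would use a standard signature
# scheme rather than "encrypting" with the private key. (Assumed values.)
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                              # public exponent, held by the reader application
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the central server
BLOCK = 8
UID_LEN = 8


def _to_blocks(data: bytes) -> List[bytes]:
    """Length-prefix the data and zero-pad it to whole 8-byte blocks."""
    data = struct.pack(">I", len(data)) + data
    data += b"\x00" * ((-len(data)) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def private_encrypt(data: bytes) -> List[int]:
    """Central server 700: 'encrypt with the private key' (exponent D)."""
    return [pow(int.from_bytes(b, "big"), D, N) for b in _to_blocks(data)]


def public_decrypt(blocks: List[int]) -> bytes:
    """Electronic device 210: recover the plaintext with the public exponent E.
    Raises ValueError if a block does not decrypt to a valid 8-byte value."""
    raw = b""
    for c in blocks:
        m = pow(c, E, N)
        if m >> (8 * BLOCK):           # tampered or foreign blocks decrypt to junk >= 2^64
            raise ValueError("block does not decrypt to a valid message")
        raw += m.to_bytes(BLOCK, "big")
    if len(raw) < 4:
        raise ValueError("no length prefix")
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length]


class SecondMemory:
    """Model of memory 160: a read-only silicon number written by the chip
    manufacturer plus a writable area holding what the server sent."""

    def __init__(self, uid160: bytes, blob: Optional[List[int]] = None):
        assert len(uid160) == UID_LEN
        self.uid160 = uid160           # read-only area (cannot be rewritten by a cloner)
        self.blob = blob               # writable area, stored by the short-range stage 150


def personalise(memory: SecondMemory, basic_data: bytes) -> None:
    """Server side: encrypt (UID160 || basic data) with the private key; the
    short-range stage 150 then stores the result directly in memory 160."""
    memory.blob = private_encrypt(memory.uid160 + basic_data)


def read_authenticated(memory: SecondMemory) -> Optional[bytes]:
    """Reader side: decrypt with the public key and compare the UID recovered
    from the ciphertext with the UID read in clear from the chip.
    Returns the basic data when authentic, None otherwise."""
    if memory.blob is None:
        return None
    try:
        plain = public_decrypt(memory.blob)
    except ValueError:
        return None
    uid_in_blob, basic = plain[:UID_LEN], plain[UID_LEN:]
    if len(uid_in_blob) != UID_LEN or uid_in_blob != memory.uid160:
        return None
    return basic


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    genuine = SecondMemory(bytes.fromhex("04a1b2c3d4e5f607"))
    personalise(genuine, b"OBU-ID=0001234567;PLATE=AB123CD;CLASS=2")
    print(read_authenticated(genuine))
    # Copying the writable area onto a chip with a different silicon number:
    clone = SecondMemory(bytes.fromhex("04ffeeddccbbaa99"), blob=genuine.blob)
    print(read_authenticated(clone))
```

The clone check works because the cloner can copy the writable area but neither change the destination chip's read-only UID160 nor produce a new ciphertext for it without the private key; a bit-flipped or foreign block is likewise rejected because it no longer decrypts to a well-formed message.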

As an alternative to asymmetric encryption, it is possible to envisage symmetric encryption of the data stored permanently by the second memory 160. In this way, the private key (which is the same for encryption and decryption) is preferably known only to the central server 700 and to the on-board device 100. Therefore, reading of this data in electronic tag mode by the electronic device 210 requires in any case forwarding of the data to the central server 700 which decrypts it with the private key known to it and, if authenticated, retransmits it unencrypted to the electronic device 210.

As regards instead the mechanism for protecting the data transmitted from the central server 700 to the on-board device 100, it is preferably based on symmetric encryption of the transmitted data. This symmetric encryption uses a same private key to encrypt and decrypt the data, which key must therefore be known both to the central server 700 and to the on-board device 100. In particular, the private key is stored in the first memory 130 of the on-board device 100, preferably in a non-erasable and non-modifiable area of the first memory 130.

With reference, for example, to an operation for writing data in the first memory 130, the central server 700 preferably encrypts the data to be written with the private key and transmits it, via the electronic device 210, to the on-board device 100 where, as described above, it is temporarily saved in the second memory 160.

If the battery 110 and the data processing unit 120 are operative and functioning, the data processing unit 120 preferably (upon reception of a wake-up signal, as described above) decrypts the data to be written using the private key stored in the first memory 130 and stores it in the first memory 130. This operation may be performed in different ways.

According to a first variant, the data processing unit 120 firstly transfers the encrypted data from the second memory 160 to the first memory 130 and then decrypts it, using the symmetric key stored in the first memory 130.

According to a second variant, the data processing unit 120 firstly recovers the symmetric key from the first memory 130, then uses it to decrypt the data (for example saved temporarily in an associated internal RAM memory), and finally transfers it into the first memory 130.

It should be noted that, in both the variants, in any case the data to be decrypted and the private key which is used to decrypt said data reside in two physically separate memories, one of which (namely the first memory 130 which stores the private key) is accessible only for the data processing unit 120 and therefore is not directly accessible by the short-range communication stage 150. Despite the fact, therefore, that the short-range communication stage 150 allows an unprotected connection to be established between electronic device 210 and on-board device 100, the on-board device 100 is advantageously very secure.

Moreover, according to an advantageous variant, the central server 700 divides the data to be written into blocks (before or after performing symmetric-key encryption of said data), which it then transmits to the on-board device 100 via the electronic device 210. Preferably, before starting decryption of the data to be written in the first memory 130 as described above, the data processing unit 120 waits for reception of all the encrypted blocks in the second memory 160. This advantageously further increases the security and reliability of the communication between central server 700 and on-board device 100 since the blocks, before being written in the memory 130, must be decrypted by a process which is totally external to the memory 160 in which it is temporarily stored.

The security of the private key used for symmetric encryption is preferably ensured in the manner described below.

Preferably, personalisation at the factory of the on-board device 100 is performed, this operation comprising the following steps:

(i) Reading, via the radiofrequency communication stage 140, a unique identifier of the on-board device 100, for example its unique identification code OBU-ID;

(ii) Transmitting the code OBU-ID to the input of a secure server (for example of the HSM - Hardware Security Module - type). The secure server stores (in a manner not accessible from outside) at least one master key, on the basis of which it then calculates at least one derived key using the OBU-ID code received as diversifier. The secure server then provides at its output the at least one derived key calculated. Preferably the secure server stores a master administration key MAdBTKey and a master application key MApBTKey on the basis of which it calculates, respectively, a derived administration key DAdBTKey and a derived application key DApBTKey, using the OBU-ID code received as diversifier. The two derived keys, output by the secure server, may be used for different applications.

(iii) Storing the at least one derived key in the on-board device 100.

As already mentioned, this operation is preferably performed at the factory, the at least one derived key being sent to the on-board device 100 via the radiofrequency communication stage 140. The derived key(s) are then stored in the first memory 130 so as to be protected (non-readable), non-modifiable and non-erasable without the action of the processing unit 120.

During operation of the on-board device 100, as regards transmission of the data to be written from the central server 700 to the on-board device 100, the central server 700 preferably uses a second secure HSM server (also containing the master key(s)), supplying it with the unique identification code OBU-ID of the on-board device 100 and obtaining from it the specific derived key to be used for communication with the on-board device 100. The transmitted data, encrypted by the central server 700 with the derived key, is received as described above by the data processing unit 120 which, using the appropriate derived key stored in its first memory 130, decrypts the data received, which is finally stored in the first memory 130.

In the case of transmission of data from the on-board device 100 to the central server 700, it is necessary to allow the on-board device 100 to be identified by the central server 700 so that the central server 700 may calculate (via the secure second server) the derived key necessary for decryption of the data received from the on-board device 100. This requires an exchange of data between on-board device 100 and central server 700, which will now be described in greater detail with reference to Figure 2.

A first step preferably envisages that the electronic device 210, after being registered (logged in) with the central server 700, obtains from the on-board device 100 via the short-range link with the short-range communication stage 150 the following data read from the second memory 160:

- the unique identification code OBU-ID of the on-board device 100 unencrypted (so as to allow the central server 700 to calculate the derived key);

- the code OBU-ID encrypted with the derived key (to ensure authentication); and

- the data to be transmitted encrypted by the data processing unit 120 with the derived key. This data is then sent to the central server 700 via the communications network 600 (for the sake of simplicity, Figure 2 shows a repeater 800 of the communications network 600).

Once the aforementioned data has been received, the central server 700 preferably uses the aforementioned second secure HSM server (indicated by the reference number 710 in Figure 2), supplying it with the unique identification code OBU-ID of the on-board device 100 received unencrypted and obtaining from it the specific derived key to be used for communication with the on-board device 100. Once the derived key has been obtained, the central server 700 decrypts the data received and validates its correctness.
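The Python block below is an added example, not code from the patent or the applicant, covering the derived-key scheme of the last several paragraphs end to end: the factory HSM diversifies a master application key MApBTKey with the OBU-ID to obtain DApBTKey; on a write, the server encrypts a setting under that key and splits it into blocks, the short-range stage 150 stages the blocks in the second memory 160 without any key access, and the data processing unit 120 waits until every block is present before decrypting with the key held in the first memory 130; on an upload (the Figure 2 exchange), the device sends its OBU-ID in clear, the OBU-ID under the derived key and the payload under the derived key, and the server re-derives the key and checks the encrypted OBU-ID before trusting the payload. The patent names neither a key-derivation function nor a cipher, so HMAC-SHA256 is assumed for diversification and an HMAC-based encrypt-then-MAC construction stands in for the symmetric cipher (a deployment would use an AEAD such as AES-GCM); the field names, block size and sample values are likewise constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple


def derive_key(master_key: bytes, obu_id: str) -> bytes:
    """HSM-side diversification (assumed KDF): HMAC-SHA256(master key, OBU-ID)."""
    return hmac.new(master_key, obu_id.encode(), hashlib.sha256).digest()


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one derived key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC from HMAC-SHA256 only (stand-in for an AEAD such as
    AES-GCM). Output layout: 16-byte nonce || ciphertext || 16-byte tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the authentication tag does not verify."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = sealed[:16], sealed[16:-16], sealed[-16:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


class HSM:
    """Secure server holding the master application key MApBTKey."""
    def __init__(self, master_key: bytes):
        self._master = master_key            # never handed out; only derived keys leave

    def DApBTKey(self, obu_id: str) -> bytes:
        return derive_key(self._master, obu_id)


class OnBoardDevice:
    def __init__(self, obu_id: str, derived_key: bytes):
        # First memory 130: reachable only by the data processing unit 120.
        self.memory130: Dict = {"OBU-ID": obu_id, "DApBTKey": derived_key, "config": {}}
        # Second memory 160: reachable by the short-range stage 150 without unit 120.
        self.memory160: Dict = {"OBU-ID": obu_id, "staging": {}, "expected": None}

    def nfc_write_block(self, index: int, total: int, block: bytes) -> None:
        """Stage 150 stores one encrypted block in memory 160; no key is involved."""
        self.memory160["staging"][index] = block
        self.memory160["expected"] = total

    def wake_up(self) -> bool:
        """Unit 120: once every block is present, decrypt with the key from
        memory 130 and commit the setting there. Returns True on success."""
        staging, expected = self.memory160["staging"], self.memory160["expected"]
        if expected is None or not all(i in staging for i in range(expected)):
            return False                      # still waiting for blocks
        sealed = b"".join(staging[i] for i in range(expected))
        self.memory160["staging"], self.memory160["expected"] = {}, None
        plain = unseal(self.memory130["DApBTKey"], sealed)
        if plain is None:
            return False                      # tag check failed: nothing reaches memory 130
        name, _, value = plain.decode().partition("=")
        self.memory130["config"][name] = value
        return True

    def prepare_upload(self, payload: bytes) -> Tuple[str, bytes, bytes]:
        """Figure 2 exchange: OBU-ID in clear, OBU-ID under the derived key
        (authentication) and the payload under the derived key."""
        key, obu_id = self.memory130["DApBTKey"], self.memory130["OBU-ID"]
        return obu_id, seal(key, obu_id.encode()), seal(key, payload)


class CentralServer:
    def __init__(self, hsm: HSM, block_size: int = 16):
        self.hsm, self.block_size = hsm, block_size

    def write_blocks(self, obu_id: str, setting: str) -> List[Tuple[int, int, bytes]]:
        """Encrypt under the device's derived key, then split into numbered blocks."""
        sealed = seal(self.hsm.DApBTKey(obu_id), setting.encode())
        chunks = [sealed[i:i + self.block_size] for i in range(0, len(sealed), self.block_size)]
        return [(i, len(chunks), c) for i, c in enumerate(chunks)]

    def receive_upload(self, obu_id: str, enc_obu_id: bytes, enc_payload: bytes) -> Optional[bytes]:
        """Re-derive the key from the clear OBU-ID, then require the encrypted
        OBU-ID to match before accepting the payload."""
        key = self.hsm.DApBTKey(obu_id)
        if unseal(key, enc_obu_id) != obu_id.encode():
            return None
        return unseal(key, enc_payload)
```

The point the model makes visible is the memory split: everything the short-range stage can touch (`memory160`) holds only ciphertext, while the key and the decrypted configuration live in `memory130`, which only `wake_up` reads; a corrupted or foreign block fails the tag check and leaves the configuration untouched, and an upload that presents a genuine OBU-ID with the wrong key is rejected because the encrypted OBU-ID does not verify.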

The configuration data sent from the central server 700 to the onboard device 100 and encrypted with derived key may also comprise data to be stored in the second memory 160, so that it remains readable by the electronic device 210 via short-range radio communication. This data may or may not be already encrypted by the central server 700 for the purposes of authentication, as described above.

The data processing unit 120, once the message with the derived key has been decrypted, identifies the data to be made available for reading and establishes whether it is already encrypted for the purposes of authentication. If this is so, it permanently stores it in the second memory 160. If this is not the case, it retrieves from the first memory 130 the private key of the asymmetric encryption intended to allow authentication of the data read, uses it to encrypt the data and stores it permanently in the second memory 160.

Optionally, a session key may also be used for communication between the central server 700 and the on-board device 100. Preferably, the sender (namely the central server 700 if data is written in the on-board device 100, or the on-board device 100 if data is read from the on-board device 100) calculates a session key, for example based on the derived key and a random number. The session key is recalculated (and is therefore different) for each communication session.

The sender preferably uses the calculated session key to further encrypt the data to be transmitted, already encrypted with the derived key of the symmetric encryption mechanism. The sender also preferably encrypts the calculated session key, using for example the public key of the recipient (namely the on-board device 100 if data is written, or the central server 700 if data is read) and also sends this to the recipient.

The recipient, upon reception of the data and the encrypted session key, decrypts the session key using the associated private key and then uses the session key to decrypt the data received (to be further decrypted using the derived key).

This mechanism is advantageous since it represents a solution which is less complex from a computational point of view compared to asymmetric encryption of all the data exchanged between central server 700 and on-board device 100 and which allows the calculation time necessary for encryption and decryption of the exchanged data to be reduced significantly.

According to a number of variants, protection with the session key is used only on the link between electronic device 210 and central server 700. The management of the session keys in this case is entrusted to the electronic device 210 and not to the on-board device 100.

If the on-board device 100 is equipped with a data connection interface (for example if it is a satellite device also equipped with radio communication technology or Bluetooth), writing of the data in the second memory 160 (and then in the memory 130) may be managed by the data processing unit 120, interfaced in this case with the data connection interface (for example the radio communication technology internal modem or Bluetooth interface). In this case, the short-range communication stage 150 may be used solely for the function of reading data from the memory 160.

The advantages of the on-board device 100 are clear from the above description.

The on-board device described, in addition to allowing the reading of data (for example for verification or diagnostic purposes) and the writing of data (for example for configurational purposes) by the electronic device 210 allows in fact the exchange of data with the electronic device 210 and the central server 700 to be managed in a particularly secure manner.