CN111698255B - Service data transmission method, device and system - Google Patents


Publication number
CN111698255B
Authority
CN
China
Prior art keywords
vehicle
equipment
mounted terminal
certificate
identification code
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010542470.6A
Other languages
Chinese (zh)
Other versions
CN111698255A (en)
Inventor
续泽昕
肖炯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Leading Technology Co Ltd
Original Assignee
Nanjing Leading Technology Co Ltd
Application filed by Nanjing Leading Technology Co Ltd
Priority to CN202010542470.6A
Publication of CN111698255A
Application granted
Publication of CN111698255B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention provides a service data transmission method, device and system, applied to vehicle-mounted terminal equipment. The method comprises: acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal equipment; sending a device fingerprint generation request carrying the identification code ID to a security server, and acquiring a device certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system; and generating a device fingerprint according to the identification code ID and the device certificate, authenticating with the device fingerprint when establishing a connection with a cloud server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server determines whether a security risk exists according to the authentication result or the service data transmission process. The method, device and system are used to solve the problem that the security of existing Internet of Vehicles systems and of their service data transmission is low.

Description

Service data transmission method, device and system
Technical Field
The invention relates to the field of Internet of Vehicles security, and in particular to a service data transmission method, device and system.
Background
With the rapid development of wireless technology and the arrival of the 4G and 5G era, Internet of Vehicles applications are gradually becoming part of daily life. As a core technology of smart travel, the vehicle-mounted network realizes communication between a vehicle and a cloud server through a vehicle-mounted wireless device, and gathers signals onto the CAN (Controller Area Network) bus through a sensing layer, forming the electronic control units with which the systems on the vehicle are configured. Real-time information such as the vehicle's components, running state, surrounding traffic conditions and surrounding dynamics is collected in large quantities and transmitted to the cloud for calculation, analysis and storage.
In the Internet of Vehicles, therefore, the relevant devices in the vehicle access various network platforms, such as an internet server, a cloud server or other application systems, over various wireless links, and the vehicle's data are transmitted to these servers for analysis and processing. However, once a network platform is accessed, the vehicle information enters the public network, where data transmission may be attacked by hackers. The resulting data security problems may affect the operating state of the Internet of Vehicles system, so that the system carries a considerable security risk.
The network architecture of the current Internet of Vehicles can be divided into three areas: a vehicle-mounted terminal area, a network transmission area and a cloud platform area. When vehicle-mounted terminal equipment accesses a server, the security of the connection is ensured by device authentication. However, the security of the current device authentication mechanism is low, and the risk that the vehicle-mounted terminal equipment and the server in the Internet of Vehicles system are attacked by virtual devices is high. An Internet of Vehicles system with higher security therefore needs to be established, together with a method for quickly and accurately identifying anomalies in the system and raising an alarm or taking corresponding action during service data transmission, so as to maintain the security and reliability of the Internet of Vehicles platform.
Disclosure of Invention
The invention provides a service data transmission method, device and system, which are used to solve the problem that the security of existing Internet of Vehicles systems and of their service data transmission is low.
According to a first aspect of an embodiment of the present invention, a method for transmitting service data is provided, where the method includes:
acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal equipment;
sending an equipment fingerprint generation request carrying the identification code ID to a security server, and acquiring an equipment certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system;
and generating a device fingerprint according to the identification code ID and the device certificate, authenticating with the device fingerprint when establishing a connection with a cloud server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server can determine whether a security risk exists according to the authentication result or the service data transmission process.
Optionally, the acquiring of the device certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system includes:
receiving a certificate generation key corresponding to the device certificate issued by the security server, and generating the device certificate according to the certificate generation key by using an encryption algorithm of a CA/PKI system.
Optionally, the receiving a certificate generation key corresponding to the device certificate issued by the security server includes:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
Optionally, the generating a certificate request P10 according to the Subject includes:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
Optionally, the obtaining the identification code ID identifying the vehicle-mounted terminal device issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
Optionally, the identification code ID comprises at least one of:
equipment type code, equipment producer code, time code, equipment hardware information code and random code.
Optionally, the authenticating with the device fingerprint when establishing a connection with a cloud server includes:
sending the device fingerprint to the cloud server;
and establishing a Secure Sockets Layer (SSL) long connection with the cloud server upon receiving the authentication-pass indication that the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the terminal device acquired from the security server.
According to a second aspect of an embodiment of the present invention, there is provided a vehicle-mounted terminal apparatus including:
the ID acquisition module is used for acquiring an identification code ID which is issued by the management server and used for identifying the vehicle-mounted terminal equipment;
the certificate generation module is used for sending a device fingerprint generation request carrying the identification code ID to a security server, and acquiring a device certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system;
and the authentication connection module is used for generating a device fingerprint according to the identification code ID and the device certificate, authenticating with the device fingerprint when establishing a connection with a cloud server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server can determine whether a security risk exists according to the authentication result or the service data transmission process.
Optionally, the acquiring, by the ID acquiring module, of the device certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system includes:
receiving a certificate generation key corresponding to the device certificate issued by the security server, and generating the device certificate according to the certificate generation key by using an encryption algorithm of a CA/PKI system.
Optionally, the receiving, by the certificate generation module, a certificate generation key corresponding to the device certificate issued by the security server includes:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
Optionally, the certificate generating module generates a certificate request P10 according to the Subject, including:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
Optionally, the acquiring, by the certificate generation module, the identification code ID that identifies the vehicle-mounted terminal device and is issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
Optionally, the identification code ID comprises at least one of:
equipment type code, equipment producer code, time code, equipment hardware information code and random code.
Optionally, the authenticating the connection module by using the device fingerprint when establishing a connection with a cloud server includes:
sending the device fingerprint to the cloud server;
and establishing a Secure Sockets Layer (SSL) long connection with the cloud server upon receiving the authentication-pass indication that the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the terminal device acquired from the security server.
According to a third aspect of the embodiments of the present invention, there is provided a vehicle-mounted terminal apparatus including: a memory and a processor; wherein:
the memory is used for storing programs;
the processor is configured to execute the program in the memory, and includes the steps of:
acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal equipment;
sending an equipment fingerprint generation request carrying the identification code ID to a security server, and acquiring an equipment certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system;
and generating a device fingerprint according to the identification code ID and the device certificate, authenticating with the device fingerprint when establishing a connection with a cloud server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server can determine whether a security risk exists according to the authentication result or the service data transmission process.
Optionally, the acquiring, by the processor, of the device certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system includes:
receiving a certificate generation key corresponding to the device certificate issued by the security server, and generating the device certificate according to the certificate generation key by using an encryption algorithm of a CA/PKI system.
Optionally, the receiving, by the processor, a certificate generation key corresponding to the device certificate issued by the security server includes:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
Optionally, the processor generates a certificate request P10 according to the Subject, including:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
Optionally, the acquiring, by the processor, an identification code ID identifying the vehicle-mounted terminal device issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
Optionally, the identification code ID comprises at least one of:
equipment type code, equipment producer code, time code, equipment hardware information code and random code.
Optionally, the authenticating, by the processor, when establishing a connection with a cloud server using the device fingerprint includes:
sending the device fingerprint to the cloud server;
and establishing a Secure Sockets Layer (SSL) long connection with the cloud server upon receiving the authentication-pass indication that the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the terminal device acquired from the security server.
According to a fourth aspect of the embodiments of the present invention, there is provided a service data transmission system, including:
the in-vehicle terminal apparatus according to the third aspect described above;
the management server is used for receiving an ID generation request which is sent by the vehicle-mounted terminal device and carries hardware configuration information of the vehicle-mounted terminal device, generating an identification code ID according to the hardware configuration information and a preset rule, and sending the identification code ID to the vehicle-mounted terminal device;
the security server is used for receiving a device fingerprint generation request which is sent by the vehicle-mounted terminal device and carries the identification code ID, configuring a device certificate according to the identification code ID by adopting an encryption algorithm of a CA/PKI system, and sending the device certificate to the vehicle-mounted terminal device;
and the cloud server is used for authenticating the vehicle-mounted terminal device with the device fingerprint in the process of establishing a connection with the vehicle-mounted terminal device, determining whether a security risk exists according to the authentication result, transmitting service data with the vehicle-mounted terminal device after the authentication is passed, and determining whether a security risk exists according to the service data transmission process.
Optionally, the security server is further configured to compare the identification code ID with the identification code IDs of the device fingerprints in a historical fingerprint database;
if a similar identification code ID exists, that is, one whose parts other than a preset part are the same as the corresponding parts of the identification code ID, determining the corresponding device certificate from the device fingerprint corresponding to the similar identification code ID, and configuring it as the device certificate of the vehicle-mounted terminal device;
otherwise, configuring the device certificate according to the identification code ID by adopting an encryption algorithm of a CA/PKI system, and, after a device fingerprint is generated according to the identification code ID and the device certificate, storing the device fingerprint in the historical fingerprint database.
Optionally, the security server is further configured to determine that a security risk exists and raise an alarm if, for device fingerprint generation requests received from the vehicle-mounted terminal device within a preset time, the number of times a similar identification code ID is found in the historical fingerprint database exceeds a set threshold.
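The security server's historical-fingerprint check and threshold alarm described above can be sketched as follows. This is an added example, not code from the patent: the dash-separated ID layout, the choice of time code and random code as the "preset part", the placeholder certificate issuer and the decision to withhold the certificate on alarm are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed ID layout (the page lists the parts but not their encoding):
#   <type>-<producer>-<time>-<hardware>-<random>
FIELDS = ("type", "producer", "time", "hardware", "random")
# Assumed "preset part": fields that may differ between two enrolments
# of the same physical device.
PRESET_PART = frozenset({"time", "random"})


def similarity_key(device_id: str) -> tuple:
    """Return the ID with the preset part removed; equal keys mean 'similar'."""
    parts = device_id.split("-")
    if len(parts) != len(FIELDS) or not all(parts):
        raise ValueError("malformed identification code ID")
    return tuple(p for name, p in zip(FIELDS, parts) if name not in PRESET_PART)


@dataclass(frozen=True)
class Decision:
    outcome: str                # "issued", "reused" or "alarm"
    certificate: Optional[str]  # None when the request is refused


class SecurityServer:
    def __init__(self, issue_cert: Callable[[str], str],
                 window_seconds: float = 3600.0, threshold: int = 3):
        self.issue_cert = issue_cert    # stand-in for CA/PKI issuance
        self.window = window_seconds    # the "preset time"
        self.threshold = threshold      # the "set threshold"
        self.history = {}               # similarity key -> certificate
        self.hits = defaultdict(deque)  # similarity key -> hit timestamps
        self.alarms = []                # (timestamp, device_id)

    def handle_request(self, device_id: str, now: float) -> Decision:
        key = similarity_key(device_id)
        if key not in self.history:
            # No similar ID on record: issue a new certificate and store it.
            cert = self.issue_cert(device_id)
            self.history[key] = cert
            return Decision("issued", cert)
        # A similar ID exists: count this hit inside the sliding window.
        hits = self.hits[key]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) > self.threshold:
            self.alarms.append((now, device_id))
            # Assumption: the certificate is withheld once the alarm fires.
            return Decision("alarm", None)
        return Decision("reused", self.history[key])


def constructed_issuer(device_id: str) -> str:
    """Constructed placeholder; a real server would run the P10/P7B exchange."""
    return "CERT-FOR-" + "-".join(similarity_key(device_id))
```

Repeated requests that vary only the time and random codes map to the same key, so a flood of enrolments from cloned hardware information is counted against one record and triggers the alarm.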
Optionally, the security server is further configured to send, to the cloud server, the device fingerprint corresponding to the terminal device, which is generated according to the identification code ID and the device certificate, so that the cloud server authenticates the device fingerprint sent by the vehicle-mounted terminal device based on the device fingerprint.
Optionally, the cloud server is further configured to receive the device fingerprint sent by the vehicle-mounted terminal device and, when it determines that this fingerprint is consistent with the device fingerprint corresponding to the vehicle-mounted terminal device sent by the security server, send an authentication-pass indication to the vehicle-mounted terminal device and establish a Secure Sockets Layer (SSL) long connection with the vehicle-mounted terminal device;
otherwise, determining that a security risk exists, and raising an alarm or cancelling the device fingerprint corresponding to the vehicle-mounted terminal device.
Optionally, the cloud server is further configured to perform feature extraction and big data analysis on a service transmission process with the vehicle-mounted terminal device by using a rule engine;
and when the safety risk is determined to exist according to the analysis result, alarming or intercepting the service data transmission of the vehicle-mounted terminal equipment.
According to a fifth aspect of the embodiments of the present invention, there is provided a chip coupled to a memory in a device, such that the chip, when running, invokes program instructions stored in the memory, thereby implementing the above aspects of the embodiments of the present application and any possible design of those aspects.
According to a sixth aspect of the embodiments of the present invention, there is provided a computer-readable storage medium storing program instructions which, when executed on a computer, cause the computer to perform the method of the above aspects and of any possible design of those aspects.
According to a seventh aspect of the embodiments of the present invention, there is provided a computer program product which, when run on an electronic device, causes the electronic device to perform the method of the above aspects of the embodiments of the present application and of any possible design of those aspects.
The service data transmission method, the equipment and the system provided by the invention have the following beneficial effects:
According to the service data transmission method, device and system, the vehicle-mounted terminal device acquires the identification code ID issued by the management server, uses the identification code ID to request device fingerprint generation from the security server, and generates the device fingerprint from the identification code ID and the device certificate that the security server configures according to the identification code ID. The vehicle-mounted terminal device authenticates with the device fingerprint, establishes a connection with the cloud server after the authentication succeeds, and transmits service data; the cloud server can determine whether a security risk exists according to the authentication result or the service data transmission process. In the scheme provided by the invention, the identity of the vehicle-mounted terminal device is authenticated using the device ID and the device certificate together, and security monitoring is performed in the cloud, which solves the problem that the security of current Internet of Vehicles systems and of their service data transmission is low.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram illustrating a service data transmission method provided in an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a process in which a vehicle-mounted terminal device generates a device certificate through interaction with a security server according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating that a security server authenticates a vehicle-mounted terminal device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating anomaly detection performed by a cloud server according to an embodiment of the present invention;
Fig. 5 is a schematic security design diagram of a service data transmission system provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of a service data transmission system architecture according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a device for transmitting service data according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a device for transmitting service data according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. For convenience of understanding, terms referred to in the embodiments of the present invention are explained below:
1) Internet of Vehicles: vehicle-mounted devices on a vehicle use wireless communication technology to make effective use of vehicle dynamic information on an information network platform, and provide different functional services while the vehicle is running. The Internet of Vehicles has the following characteristics: it can help maintain the distance between vehicles and reduce the probability of collisions; it can help a vehicle navigate in real time and, through communication with other vehicles and the network system, improve the efficiency of traffic operation; and it can sense vehicle state information using sensing technology and, using a wireless communication network and modern intelligent information processing technology, realize intelligent traffic management, intelligent decision-making for traffic information services, and intelligent control of the vehicle;
2) Big data analysis: a data processing approach with stronger decision-making power and process optimization capability, suited to massive, high-growth-rate and diversified information assets; big data analysis can effectively process large amounts of data, and includes massively parallel data processing, data mining, distributed data processing, cloud computing and the like.
Internet of Vehicles security mainly needs to address the following problems:
1) Complexity of device authentication: at present, most terminal devices complete authentication by manual entry of an account and password, but most vehicle-mounted terminal devices have no keyboard or screen for entering authentication information;
2) An attacker can masquerade as the device's cloud end and issue instructions, so that key components of the vehicle, such as the braking system and the steering system, are controlled by hackers;
3) A Distributed Denial of Service (DDoS) attack initiated by virtual devices, that is, a hacker uses a massive number of virtual devices to send huge network traffic to a target server, which may leave the server unable to respond to normal requests.
In view of this, embodiments of the present invention provide a service data transmission method, device, and system applied to an Internet of Vehicles system. The cloud identifies a vehicle-mounted terminal device by its device fingerprint to prevent unauthorized access to data resources, and the device fingerprint information stored in the cloud is updated in real time and given a validity period to prevent theft. Through real-time detection, the scheme provided by the invention can discover security events or attack behavior promptly, during or after a security risk event. This requires analyzing the logs of requests from the vehicle-mounted terminal device and of the results returned, and evaluating whether attack behavior exists and the loss value of any data leakage.
After a security event is detected, the cloud can take effective measures to stop the attack from continuing and to reduce the impact of the abnormal event as far as possible. After the event response is completed, the application or service is restored to its state before the attack, that is, the application and data are repaired and brought back online, and the security mechanism is further improved after a post-incident review of the cause of the event.
Example 1
The embodiment of the invention provides a service data transmission method applied to vehicle-mounted terminal equipment in an Internet of Vehicles system. As shown in Fig. 1, the method includes:
Step S101, acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal equipment;
In the embodiment of the invention, the device fingerprint of the vehicle-mounted terminal device is used as its identity information. The device fingerprint is the unique identifier by which the cloud server identifies the vehicle-mounted terminal device, and through it the cloud server can associate all data of the vehicle corresponding to the vehicle-mounted terminal, so the design and protection of the device fingerprint is the core of the whole security system design.
The device fingerprint of the vehicle-mounted terminal device comprises an identification code ID and a device certificate. The identification code ID is the device ID of the vehicle-mounted terminal device and is used for preliminary identity verification of the device; it is configured and issued to the vehicle-mounted terminal device by the management server, which manages information about the vehicle-mounted terminal device and the corresponding vehicle. The device certificate is configured by the security server, which manages certificate information, and is issued to the vehicle-mounted terminal device. The vehicle-mounted terminal device combines the identification code ID issued by the management server with the device certificate issued by the security server to generate a device fingerprint, and uses the device fingerprint to connect to the cloud server for subsequent data transmission and the like. The details are described below.
In the embodiment of the invention, when vehicle-mounted terminal equipment acquires an identification code ID which is issued by a management server and identifies the vehicle-mounted terminal equipment, an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment is sent to the management server; and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule. The identification code ID comprises at least one of: equipment type coding, equipment producer coding, time coding, equipment hardware information coding and random codes.
Specifically, referring to table 1 below, an example of hardware configuration information of a vehicle-mounted terminal device provided in an embodiment of the present invention is shown. As shown in table 1, the hardware configuration information of the vehicle-mounted terminal device includes information such as device information (device name, code, or the like), device type, device producer information, International Mobile Equipment Identity (IMEI), a processor CPU, a motherboard, and an internal memory. The vehicle-mounted terminal device sends the information to the safety management server as hardware configuration information, and requests the safety management server to configure the identification code ID for the vehicle-mounted terminal device.
TABLE 1 Hardware configuration information of vehicle-mounted terminal devices

| Device information | Type | Manufacturer | IMEI | Processor | Memory |
|---|---|---|---|---|---|
| A | TBOX | X1 | 54823 | i3-8700 | 1G |
| B | TBOX | X1 | 89435 | i3-8700 | 1G |
| C | AIBOX | X2 | 521500 | i7-8700 | 2G |
When the safety management server receives the ID generation request sent by the vehicle-mounted terminal device, it encodes the device type from the hardware configuration information in the request to obtain a device type code, encodes the device producer information to obtain a device producer code, and encodes the other device hardware information, such as the International Mobile Equipment Identity, processor (CPU), motherboard, and memory, to obtain a device hardware information code. It combines these codes with the time code corresponding to the current time and then appends a random code with a preset number of digits to obtain the identification code ID corresponding to the vehicle-mounted terminal device. It sends the identification code ID to the vehicle-mounted terminal device so that the device can request the security server to generate a device fingerprint according to the identification code ID.
As an optional implementation, positions 1-2 of the identification code ID may hold the vehicle-mounted terminal device type code, positions 3-4 the device producer code, positions 5-10 the time code corresponding to the current time, and positions 11-16 the device hardware information code, for example a short code generated by applying a digest algorithm to the CPU and motherboard information; a 4-position random code is then appended to obtain the identification code ID.
In the embodiment of the invention, after the vehicle-mounted terminal equipment is reset or updated, the identification code ID of the vehicle-mounted terminal equipment is kept unchanged.
Step S102, sending a device fingerprint generation request carrying the identification code ID to a security server, and acquiring the device certificate that the security server configures according to the identification code ID using an encryption algorithm of a CA/PKI system.
PKI (Public Key Infrastructure) is a system or platform that provides Public Key encryption and digital signature services for the purpose of managing keys and certificates. An organization can establish a secure network environment by managing keys and certificates using a PKI framework. The CA (Certificate Authority) is the core of the PKI system, and is the Authority responsible for issuing and managing digital certificates.
The CA/PKI system used in the embodiment of the present invention may be an existing, prior-art one and is not described in detail here.
After the vehicle-mounted terminal device acquires the identification code ID by the above method, it requests the security server to generate a device fingerprint according to the identification code ID. Specifically, the vehicle-mounted terminal device sends a device fingerprint generation request carrying the identification code ID to the security server and receives a certificate Subject generated by the security server according to the identification code ID; it generates a certificate request P10 according to the Subject and sends the certificate request P10 to the security server; and it receives a certificate generation key generated by the security server according to the certificate request P10, where the certificate generation key is a certificate chain P7B. The vehicle-mounted terminal device writes the Subject into a software development kit (SDK) and uses the SDK to generate the certificate request P10 with a preset algorithm. The vehicle-mounted terminal device receives the certificate generation key corresponding to the device certificate issued by the security server and, according to the certificate generation key, generates the device certificate using an encryption algorithm of the CA/PKI system. The details are described below.
The device fingerprint ensures that each vehicle-mounted terminal device is independent and unique, but it cannot guarantee that the data exchanged between the vehicle-mounted terminal device and the cloud server was sent by the current vehicle-mounted terminal device, and security cannot be guaranteed by using encryption algorithms alone or in combination. The most important issue is trust in the public key, and a way to prevent hackers from attacking with a forged public key is still lacking. The embodiment of the invention therefore combines the certificate generation and encryption algorithms of the CA/PKI system and builds a chain of trust for the public key through the CA, so that data stays invisible while it is transmitted between the vehicle-mounted terminal device and the cloud server, which improves the security of data transmission.
Referring to fig. 2, a schematic flowchart of a process in which a vehicle-mounted terminal device generates a device certificate through interaction with a security server according to an embodiment of the present invention is shown.
As shown in fig. 2, the method comprises the following steps:
Step 1, the vehicle-mounted terminal device requests a device certificate from the security server according to the identification code ID;
After acquiring the identification code ID from the management server, the vehicle-mounted terminal device sends a device fingerprint generation request containing the identification code ID to the security server, requesting the security server to configure a device certificate for it according to the identification code ID.
Step 2, the security server issues a temporary token and a certificate Subject to the vehicle-mounted terminal equipment;
After receiving the request sent by the vehicle-mounted terminal device, the security server performs a simple identity check on the device to determine whether it is a supported device in the Internet of Vehicles system. If so, it generates a certificate Subject and a temporary token according to the identification code ID carried in the request and returns them to the vehicle-mounted terminal device. The certificate Subject is used by the vehicle-mounted terminal device to generate a certificate request, and the temporary token is used to verify whether the certificate request subsequently sent by the vehicle-mounted terminal device is valid. If the security server determines that the vehicle-mounted terminal device is not a supported device in the Internet of Vehicles system, it does not configure a device certificate for the device, and it may also raise an alarm or the like.
Step 3, the vehicle-mounted terminal equipment calls the SDK and generates a certificate request P10 according to the received certificate Subject;
After receiving the temporary token and the certificate Subject sent by the security server, the vehicle-mounted terminal device calls the SDK and, using a preset encryption algorithm of the CA/PKI system, such as a hash algorithm, generates from the identification code ID a character string containing the relevant information of the device certificate being applied for, and sends the character string to the security server as the certificate request P10.
An SDK is a set of development tools for building application software for a specific software package, software framework, hardware platform, operating system, or the like. Because the encryption algorithm of the CA/PKI system in the embodiment of the invention is complex, it can be integrated into the SDK and called when the vehicle-mounted terminal device needs it. The SDK may be implemented by a separate device or may be integrated into the vehicle-mounted terminal device.
Step 4, the vehicle-mounted terminal equipment sends a certificate request P10 to the security server;
Step 5, the security server generates a certificate chain P7B according to the certificate request P10 sent by the vehicle-mounted terminal device, and verifies the certificate chain;
After receiving the certificate request P10 sent by the vehicle-mounted terminal device, the security server verifies the certificate request against the temporary token information and, when verification passes, generates the certificate chain P7B from the certificate request P10 using a unified algorithm. The temporary token may be a Token, a Cookie, or the like, and the specific verification method may follow the prior art, which is not described in detail here.
Step 6, the security server sends the certificate chain P7B to the vehicle-mounted terminal equipment;
The security server issues the certificate chain P7B to the vehicle-mounted terminal device and binds the certificate information to the identification code ID of the vehicle-mounted terminal device.
After generating P7B, the security server generates the corresponding device certificate from P7B, combines the device certificate with the identification code ID of the vehicle-mounted terminal device to generate the device fingerprint of the vehicle-mounted terminal device, and sends the device fingerprint to the cloud server, so that the cloud server can use it to authenticate the device fingerprint sent by the vehicle-mounted terminal device.
Step 7, the vehicle-mounted terminal device generates the corresponding device certificate from the certificate chain P7B using an encryption algorithm.
After receiving the certificate chain P7B issued by the security server, the vehicle-mounted terminal device generates a corresponding device certificate by using the same encryption algorithm, combines the device certificate with the identification code ID to generate a device fingerprint, and establishes connection with the cloud server by using the device fingerprint in the subsequent process.
In a specific implementation, the hardware configuration information of different vehicle-mounted terminal devices may be similar, which results in similar identification code IDs. For example, as shown in table 1, the hardware information of vehicle-mounted terminal device A is similar to that of vehicle-mounted terminal device B; only the device ID and the IMEI differ. If the ID is simply generated and only checked for duplicates, an attacker could exploit a change in the IMEI information and make small-range substitutions in the hardware information code, and especially in the random code portion, of the identification code, thereby impersonating a vehicle-mounted terminal device to obtain a device certificate or cloud service resources and profit from them.
In view of this, in the embodiment of the present invention the vehicle-mounted terminal device is further authenticated by the security server. Specifically, when the security server receives a certificate generation request from the vehicle-mounted terminal device, it compares the identification code ID of the vehicle-mounted terminal device with the identification code IDs of the device fingerprints in a historical fingerprint database. If a similar identification code ID exists, that is, one whose parts other than a preset part are identical to the corresponding parts of this identification code ID, the security server determines the corresponding device certificate from the device fingerprint of the similar identification code ID and configures it as the device certificate of the vehicle-mounted terminal device. Otherwise, it configures a device certificate according to the identification code ID using an encryption algorithm of the CA/PKI system, generates a device fingerprint from the identification code ID and the device certificate, and stores the device fingerprint in the historical fingerprint database. If, within a preset time, the security server receives device fingerprint generation requests sent by the vehicle-mounted terminal device and the number of times a similar identification code ID is found in the historical fingerprint database exceeds a set threshold, it determines that a security risk exists and raises an alarm.
Fig. 3 is a schematic diagram of the security server verifying a vehicle-mounted terminal device according to an embodiment of the present invention. As shown in the figure, after the vehicle-mounted terminal device sends its identification code ID to the security server, the security server compares, through the above steps, the identification code ID sent by the vehicle-mounted terminal device with the identification code IDs in the device fingerprints of the vehicle-mounted terminal devices in the historical fingerprint database. The historical fingerprint database stores the vehicle-mounted terminal devices that have requested the security server to generate an identification code ID, together with the corresponding identification code IDs. When the comparison shows that a similar historical device exists, the security server determines whether this has happened multiple times. If so, it raises an alarm; otherwise, the vehicle-mounted terminal device is considered to be a device that has already requested an identification code ID, and the device fingerprint of the historical device is used directly as the device fingerprint of the vehicle-mounted terminal device. When no similar historical device exists, a new device fingerprint is calculated based on the hardware configuration information of the vehicle-mounted terminal device. A similar historical device may be deemed to exist when only part of the identification code ID has been replaced.
For example, if only the random code in the identification code ID sent by the vehicle-mounted terminal device differs from the identification code ID of a historical device in the historical fingerprint database, the historical device is considered to be a similar device of the vehicle-mounted terminal device, that is, the two are considered to be the same device. If device fingerprint generation requests sent by the terminal device are received multiple times within the preset time and a similar historical device exists, the vehicle-mounted terminal device is considered abnormal, and an alarm is raised and follow-up monitoring is carried out.
After the security server configures the device certificate for the vehicle-mounted terminal device, the device fingerprint corresponding to the terminal device and generated according to the identification code ID of the vehicle-mounted terminal device and the device certificate is stored in a historical fingerprint database and is sent to the cloud server, so that the cloud server authenticates the device fingerprint sent by the vehicle-mounted terminal device based on the device fingerprint.
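The ID layout from the optional implementation above and the security server's similar-ID check can be sketched together as follows. This is an added example, not code from the patent; the code tables, the SHA-256 short digest, one character per position, the window and threshold values, the refusal to return a fingerprint on alarm, and the placeholder fingerprint standing in for CA/PKI issuance are all assumptions.

```python
import hashlib
import secrets

# Field positions follow the optional ID layout in the description:
# 1-2 type, 3-4 producer, 5-10 time, 11-16 hardware digest, then 4 random.
# Assumption: each position holds one character.
FIELDS = {
    "type": (0, 2),
    "producer": (2, 4),
    "time": (4, 10),
    "hardware": (10, 16),
    "random": (16, 20),
}
ID_LENGTH = 20

# Hypothetical code tables; the description does not list real values.
TYPE_CODES = {"TBOX": "01", "AIBOX": "02"}
PRODUCER_CODES = {"X1": "01", "X2": "02"}


def build_id(dev_type, producer, cpu, board, time_code, random_code=None):
    """Management-server side: assemble the identification code ID."""
    if len(time_code) != 6:
        raise ValueError("time code must fill positions 5-10")
    # Short digest over CPU and motherboard info (SHA-256 is an assumption).
    digest = hashlib.sha256(f"{cpu}|{board}".encode()).hexdigest()
    hardware = digest[:6].upper()
    if random_code is None:
        random_code = secrets.token_hex(2).upper()  # 4 hex characters
    if len(random_code) != 4:
        raise ValueError("random code must be 4 characters")
    return (TYPE_CODES[dev_type] + PRODUCER_CODES[producer]
            + time_code + hardware + random_code)


def split_id(id_code):
    """Cut an ID into its named fields; reject anything of the wrong length."""
    if len(id_code) != ID_LENGTH:
        raise ValueError("unexpected ID length")
    return {name: id_code[a:b] for name, (a, b) in FIELDS.items()}


def similarity_key(id_code, preset_part="random"):
    """All fields except the preset part; equal keys mean 'similar' IDs."""
    parts = split_id(id_code)
    return tuple(v for k, v in parts.items() if k != preset_part)


class SecurityServer:
    """Security-server side: historical fingerprint database plus alarm rule."""

    def __init__(self, window_s=600, threshold=3):
        self.window_s = window_s    # "preset time" (assumed value)
        self.threshold = threshold  # "set threshold" (assumed value)
        self.history = {}           # similarity key -> stored fingerprint
        self.hits = {}              # similarity key -> times of similar requests

    def _issue_fingerprint(self, id_code):
        # Placeholder for certificate issuance through the CA/PKI system.
        return "FP-" + hashlib.sha256(id_code.encode()).hexdigest()[:16]

    def handle_request(self, id_code, now):
        """Return (status, fingerprint) for one fingerprint generation request."""
        key = similarity_key(id_code)
        if key not in self.history:
            # No similar historical device: issue and remember a new fingerprint.
            fingerprint = self._issue_fingerprint(id_code)
            self.history[key] = fingerprint
            return "issued", fingerprint
        # Similar historical device: count the hit inside the sliding window.
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        recent.append(now)
        self.hits[key] = recent
        if len(recent) > self.threshold:
            # Assumption of this example: no fingerprint is returned on alarm.
            return "alarm", None
        return "reused", self.history[key]
```

Indexing the history by the similarity key keeps the lookup constant-time and means that cycling the random code never yields a second certificate for the same hardware.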
Step S103, generating a device fingerprint according to the identification code ID and the device certificate, authenticating when the connection is established with a cloud server by using the device fingerprint, and transmitting service data with the cloud server after the authentication is passed so that the cloud server can determine whether a security risk exists according to an authentication result or a service data transmission process.
After the vehicle-mounted terminal device generates the device certificate, it combines its identification code ID with the device certificate to generate a device fingerprint. When connecting to the cloud server, it sends the device fingerprint to the cloud server; after the cloud server determines that the received device fingerprint is consistent with the device fingerprint for that terminal device obtained from the security server, it sends an authentication-passed indication, upon which the vehicle-mounted terminal device establishes a Secure Sockets Layer (SSL) long connection with the cloud server and transmits service data with the cloud server.
Specifically, when the vehicle-mounted terminal device needs to connect to the cloud server, it sends its own device fingerprint to the cloud server. The cloud server receives the device fingerprint sent by the vehicle-mounted terminal device and, when it determines that this is consistent with the device fingerprint for that vehicle-mounted terminal device sent by the security server, sends an authentication-passed indication to the vehicle-mounted terminal device and establishes an SSL long connection with the vehicle-mounted terminal device; otherwise, it determines that a security risk exists and raises an alarm or revokes the device fingerprint corresponding to the vehicle-mounted terminal device.
When business data are transmitted, the cloud server performs feature extraction and big data analysis on a business transmission process between the cloud server and the vehicle-mounted terminal equipment by using a rule engine; and when the safety risk is determined to exist according to the analysis result, alarming or intercepting the service data transmission of the vehicle-mounted terminal equipment.
Fig. 4 is a schematic diagram of anomaly detection on the cloud server according to an embodiment of the present invention. As shown in the figure, the cloud server performs rule management and presets rules for judging the behavior of the vehicle-mounted terminal device. Rule execution, that is, the anomaly judgment, is carried out by a rule engine. The rule engine receives the raw service data sent by the vehicle-mounted terminal device, extracts data features from the service data and event features from the corresponding service events, analyzes these features, and determines whether an anomaly exists. For example, it collects the intervals between the vehicle-mounted terminal device's sends and received responses over the most recent period, and identifies whether the device is being used fraudulently from the pattern of the service data the device reports.
After the features are obtained through feature extraction, rules can be formulated to judge the behavior of the vehicle-mounted terminal device. If the login or logout failure interval of the vehicle-mounted terminal device does not meet the preset interval, or the type of service data transmitted by the device differs from the preset type, or the data flow of the data transmitted by the device does not meet the preset condition, the behavior of the vehicle-mounted terminal device is considered abnormal. For example, when judging whether the login behavior of the vehicle-mounted terminal device is abnormal, the device login failure interval can be preset to 30 seconds; a device that logs in 5 times within 1 minute is exhibiting abnormal behavior, and an alarm is raised or the device is intercepted.
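A minimal version of the rule checks described above, run over a constructed event stream; this is an added example, not the patent's rule engine. The event format, the allowed data types, the traffic limit, and the reading of the 30-second value as a minimum spacing between login failures are assumptions.

```python
from collections import defaultdict, deque

LOGIN_WINDOW_S = 60            # "1 minute" from the description
LOGIN_LIMIT = 5                # 5 logins inside the window is abnormal
MIN_FAILURE_INTERVAL_S = 30    # preset login failure interval
ALLOWED_TYPES = {"telemetry", "heartbeat"}  # hypothetical preset types
MAX_BYTES_PER_MIN = 1_000_000               # hypothetical flow condition


class RuleEngine:
    """Keeps per-device features and evaluates the preset rules per event."""

    def __init__(self):
        self.logins = defaultdict(deque)    # device -> recent login times
        self.last_failure = {}              # device -> time of last failure
        self.traffic = defaultdict(deque)   # device -> (time, bytes) pairs

    def feed(self, event):
        """Return the names of the rules this event violates."""
        dev, ts, kind = event["device"], event["ts"], event["kind"]
        alerts = []
        if kind in ("login_ok", "login_fail"):
            window = self.logins[dev]
            window.append(ts)
            while window and ts - window[0] >= LOGIN_WINDOW_S:
                window.popleft()            # drop logins older than a minute
            if len(window) >= LOGIN_LIMIT:
                alerts.append("login_rate")
        if kind == "login_fail":
            previous = self.last_failure.get(dev)
            if previous is not None and ts - previous < MIN_FAILURE_INTERVAL_S:
                alerts.append("failure_interval")
            self.last_failure[dev] = ts
        if kind == "data":
            if event["type"] not in ALLOWED_TYPES:
                alerts.append("data_type")
            window = self.traffic[dev]
            window.append((ts, event["bytes"]))
            while window and ts - window[0][0] >= 60:
                window.popleft()
            if sum(size for _, size in window) > MAX_BYTES_PER_MIN:
                alerts.append("data_flow")
        return alerts


def run(events):
    """Replay events in time order; return (device, time, rule) findings."""
    engine = RuleEngine()
    findings = []
    for event in sorted(events, key=lambda e: e["ts"]):
        for rule in engine.feed(event):
            findings.append((event["device"], event["ts"], rule))
    return findings


# Constructed sample events (not real telemetry). Device labels are made up.
SAMPLE_EVENTS = [
    {"device": "A", "ts": 0, "kind": "login_ok"},
    {"device": "A", "ts": 10, "kind": "login_ok"},
    {"device": "A", "ts": 20, "kind": "login_ok"},
    {"device": "A", "ts": 30, "kind": "login_ok"},
    {"device": "A", "ts": 40, "kind": "login_ok"},      # 5th login in 60 s
    {"device": "B", "ts": 100, "kind": "login_fail"},
    {"device": "B", "ts": 110, "kind": "login_fail"},   # retry after 10 s
    {"device": "C", "ts": 0, "kind": "login_ok"},
    {"device": "C", "ts": 5, "kind": "data", "type": "telemetry", "bytes": 500},
    {"device": "C", "ts": 6, "kind": "data", "type": "firmware_dump", "bytes": 100},
    {"device": "D", "ts": 0, "kind": "login_ok"},
    {"device": "D", "ts": 120, "kind": "login_ok"},     # normal device
]

if __name__ == "__main__":
    for device, ts, rule in run(SAMPLE_EVENTS):
        print(f"t={ts:>4}s device={device} rule={rule}")
```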
According to the service data transmission method provided by the embodiment of the invention, the identification code ID of a device is generated from the hardware configuration information of the vehicle-mounted terminal in the Internet of Vehicles system, a device certificate is configured according to the ID using the CA/PKI system, and the identification code ID and the device certificate are combined to generate the device fingerprint of the vehicle-mounted terminal device. The device fingerprint is responsible for the identity authentication of the vehicle-mounted terminal device and ensures the security of channel data between the vehicle-mounted device domain and the cloud platform domain. The whole Internet of Vehicles security system is monitored at multiple points by the security server and the cloud server, and security problems are repaired quickly after they occur, so that the whole security system becomes capable of continuous self-examination. This solves the problem of low security of service data transmission in current Internet of Vehicles systems.
Example 2
The embodiment of the invention provides a service data transmission system which is used in a vehicle networking system.
Fig. 5 is a schematic view of the security design of a service data transmission system according to an embodiment of the present invention. As shown in the figure, in the embodiment of the present invention the hardware configuration information of the vehicle-mounted terminal device, including the device producer information and device hardware information such as the CPU and memory, is passed through a specific digest algorithm to generate the corresponding identification code ID, which is used for preliminary identity authentication of the vehicle-mounted terminal device. The security server uses the identification code ID to allocate independent authentication resources to each device and generate a device certificate; the identification code is authenticated by the security server, and the corresponding device certificate can be revoked at any time when authentication fails, which ensures the reliability of the authentication resources. The cloud server authenticates the vehicle-mounted terminal device by its device fingerprint; after authentication passes and the connection is established, it monitors or irregularly inspects the data transmission process of the vehicle-mounted terminal device, and when anomaly detection finds that the device's information has been stolen or that the device is being impersonated by a virtual device, the device certificate can be quickly revoked and blacklisted, which reduces the impact on the service system and ensures the security of the system.
Referring to fig. 6, a schematic diagram of a service data transmission system architecture provided in an embodiment of the present invention includes a vehicle-mounted terminal device 601, a management server 602, a security server 603, and a cloud server 604.
The vehicle-mounted terminal device 601 is used for acquiring an identification code ID which is issued by the management server and used for identifying the vehicle-mounted terminal device; sending an equipment fingerprint generation request carrying the identification code ID to a security server, and acquiring an equipment certificate configured by the security server according to the identification code ID by adopting an encryption algorithm of a CA/PKI system; and generating a device fingerprint according to the identification code ID and the device certificate, authenticating when the connection is established with a cloud server by using the device fingerprint, and transmitting service data with the cloud server after the authentication is passed so that the cloud server can determine whether a safety risk exists according to an authentication result or a service data transmission process.
The management server 602 is configured to receive an ID generation request which is sent by the vehicle-mounted terminal device and carries hardware configuration information of the vehicle-mounted terminal device, generate an identification code ID according to a preset rule according to the hardware configuration information, and send the identification code ID to the vehicle-mounted terminal device;
the security server 603 is configured to receive an apparatus fingerprint generation request carrying an identification code ID sent by the vehicle-mounted terminal apparatus, configure an apparatus certificate according to the identification code ID by using an encryption algorithm of a CA/PKI system, and send the apparatus certificate to the vehicle-mounted terminal apparatus;
and the cloud server 604 is configured to authenticate the vehicle-mounted terminal device with a device fingerprint in a process of establishing a connection with the vehicle-mounted terminal device, determine whether a security risk exists according to an authentication result, transmit service data with the vehicle-mounted terminal device after the authentication is passed, and determine whether a security risk exists according to a service data transmission process.
The security server 603 is further configured to compare the ID with an ID of a device fingerprint in a historical fingerprint database; if the similar identification code ID with the other parts except the preset part identical to the corresponding part in the identification code ID exists, determining a corresponding equipment certificate according to the equipment fingerprint corresponding to the similar identification code ID, and configuring the equipment certificate as the equipment certificate of the vehicle-mounted terminal equipment; otherwise, according to the ID, the device certificate is configured by adopting an encryption algorithm of a CA/PKI system, and after a device fingerprint is generated according to the ID and the device certificate, the device fingerprint is stored in a historical fingerprint database.
The security server 603 is further configured to, if the device fingerprint generation request sent by the vehicle-mounted terminal device is received within a preset time, and when it is determined that the number of times of the similar identification code IDs existing in the historical fingerprint database exceeds a set threshold, determine that a security risk exists and perform an alarm.
The security server 603 is further configured to send, to the cloud server, the device fingerprint corresponding to the terminal device that is generated according to the identification code ID and the device certificate, so that the cloud server authenticates the device fingerprint sent by the vehicle-mounted terminal device based on the device fingerprint.
The cloud server 604 is further configured to receive the device fingerprint sent by the vehicle-mounted terminal device, send an authentication passing indication to the vehicle-mounted terminal device when determining that the device fingerprint corresponding to the vehicle-mounted terminal device sent by the security server is consistent, and establish a secure socket layer SSL long connection with the vehicle-mounted terminal device; otherwise, determining that the safety risk exists, and giving an alarm or canceling the device fingerprint corresponding to the vehicle-mounted terminal device.
The cloud server 604 is further configured to perform feature extraction and big data analysis on a service transmission process with the vehicle-mounted terminal device by using a rule engine; and when the safety risk is determined to exist according to the analysis result, alarming or intercepting the service data transmission of the vehicle-mounted terminal equipment.
In the embodiment of the invention, the vehicle-mounted terminal equipment is equipment which is bound with the vehicle machine in the vehicle networking, can acquire relevant information of the vehicle machine and perform information interaction with a server in the vehicle networking, can be independently arranged and connected to the vehicle machine, and can also be integrated into the vehicle machine. The management server, the security server and the cloud server can be independently arranged respectively, and can be partially integrated on different server devices or can be fully integrated on the same server device.
The system comprises at least one vehicle-mounted terminal device and management servers, wherein each management server corresponds to at least one vehicle-mounted terminal device, and each vehicle-mounted terminal device corresponds to a vehicle machine. For convenience of description, fig. 1 only illustrates one vehicle-mounted terminal device and one management server, and in an actual system, multiple vehicle-mounted terminal devices and multiple management servers may coexist, which is not described herein again.
It should be noted that the above-mentioned system architecture is only an example of the system architecture applicable to the embodiment of the present invention, and the system architecture applicable to the embodiment of the present invention may further add other entities or reduce some entities compared with the system architecture shown in fig. 1.
The service data transmission system provided in the embodiment of the present invention and the service data transmission method provided in the embodiment 1 of the present invention belong to the same inventive concept, and various implementation modes applied to the service data transmission method provided in the embodiment may be applied to the service data transmission system in the embodiment for implementation, and are not repeated here.
Example 3
A method and a system for transmitting service data according to the present invention are described above, and a device for performing the method for transmitting service data is described below.
Referring to fig. 7, an embodiment of the present invention provides a device for service data transmission, including:
an ID obtaining module 701, configured to obtain an identification code ID that identifies the vehicle-mounted terminal device and is issued by a management server;
the certificate generation module 702 is configured to send a device fingerprint generation request carrying the identification code ID to a security server, and acquire a device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system;
the authentication connection module 703 is configured to generate a device fingerprint according to the identification code ID and the device certificate, perform authentication using the device fingerprint when establishing a connection with the cloud server, and transmit service data with the cloud server after the authentication is passed, so that the cloud server determines whether a security risk exists according to an authentication result or a service data transmission process.
Optionally, the acquiring, by the ID acquiring module, the device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system includes:
receiving a certificate generation key, issued by the security server, corresponding to the device certificate, and generating the device certificate according to the certificate generation key by using the encryption algorithm of the CA/PKI system.
Optionally, the receiving, by the certificate generation module, a certificate generation key corresponding to the device certificate issued by the security server includes:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
Optionally, the certificate generating module generates a certificate request P10 according to the Subject, including:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
Optionally, the acquiring, by the certificate generation module, the identification code ID that identifies the vehicle-mounted terminal device and is issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
Optionally, the identification code ID comprises at least one of:
equipment type coding, equipment producer coding, time coding, equipment hardware information coding and random codes.
Optionally, the authentication connection module performing authentication using the device fingerprint when establishing a connection with a cloud server includes:
sending the device fingerprint to the cloud server;
and establishing a Secure Sockets Layer (SSL) long connection with the cloud server upon receiving the authentication-passed indication, which the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the terminal device acquired from the security server.
The above describes the service data transmission device in the embodiment of the present application from the perspective of the modular functional entity, and the following describes the service data transmission device in the embodiment of the present application from the perspective of hardware processing.
Example 4
Referring to fig. 8, another embodiment of the service data transmission device in the embodiment of the present application includes:
a processor 801, a memory 802, a transceiver 809, and a bus system 811;
the memory is used for storing programs;
the processor is configured to execute the program in the memory, and includes the steps of:
acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal equipment;
sending a device fingerprint generation request carrying the identification code ID to a security server, and acquiring a device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system;
and generating a device fingerprint according to the identification code ID and the device certificate, performing authentication using the device fingerprint when establishing a connection with a cloud server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server can determine whether a security risk exists according to an authentication result or a service data transmission process.
Fig. 8 is a schematic structural diagram of a service data transmission device according to an embodiment of the present invention. The device 800 may vary considerably depending on its configuration or performance, and may include one or more central processing units (CPU) 801 (e.g., one or more processors), a memory 802, and one or more storage media 803 (e.g., one or more mass storage devices) for storing applications 804 or data 806. The memory 802 and the storage medium 803 may be transient storage or persistent storage. The program stored in the storage medium 803 may include one or more modules (not shown), and each module may include a series of instruction operations for the information processing apparatus. Further, the processor 801 may be configured to communicate with the storage medium 803 and execute, on the device 800, the series of instruction operations in the storage medium 803.
The apparatus 800 may also include one or more power supplies 810, one or more wired or wireless network interfaces 807, one or more input-output interfaces 808, and/or one or more operating systems 805, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
Optionally, the acquiring, by the processor, the device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system includes:
receiving a certificate generation key, issued by the security server, corresponding to the device certificate, and generating the device certificate according to the certificate generation key by using the encryption algorithm of the CA/PKI system.
Optionally, the receiving, by the processor, a certificate generation key corresponding to the device certificate issued by the security server includes:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
Optionally, the processor generates a certificate request P10 according to the Subject, including:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
Optionally, the acquiring, by the processor, an identification code ID identifying the vehicle-mounted terminal device issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
Optionally, the identification code ID comprises at least one of:
equipment type coding, equipment producer coding, time coding, equipment hardware information coding and random codes.
Optionally, the authenticating, by the processor, when establishing a connection with a cloud server using the device fingerprint includes:
sending the device fingerprint to the cloud server;
and establishing the SSL long connection with the cloud server upon receiving the authentication-passed indication, which the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the terminal device acquired from the security server.
An embodiment of the present invention further provides a computer-readable storage medium, which includes instructions, and when the computer-readable storage medium runs on a computer, the computer is enabled to execute the service data transmission method provided in the foregoing embodiment.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described apparatuses and modules may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some interfaces, indirect coupling or communication connection between devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer-readable storage medium.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
The technical solutions provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the description of the above examples is only intended to help in understanding the method and core ideas of the present application. Meanwhile, a person skilled in the art may, according to the idea of the present application, change the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (16)

1. A service data transmission method, applied to a vehicle-mounted terminal device, characterized by comprising:
acquiring an identification code ID which is issued by a management server and used for identifying the vehicle-mounted terminal device;
sending a device fingerprint generation request carrying the identification code ID to a security server, and acquiring a device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system;
and generating a device fingerprint according to the identification code ID and the device certificate, sending the device fingerprint to a cloud server, so that the cloud server authenticates the vehicle-mounted terminal device according to the device fingerprint and the device fingerprint corresponding to the vehicle-mounted terminal device acquired from the security server, and transmitting service data with the cloud server after the authentication is passed, so that the cloud server determines whether a security risk exists according to an authentication result or a service data transmission process.
2. The method according to claim 1, wherein the acquiring of the device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system comprises:
receiving a certificate generation key, issued by the security server, corresponding to the device certificate, and generating the device certificate according to the certificate generation key by using the encryption algorithm of the CA/PKI system.
3. The method of claim 2, wherein the receiving the certificate generation key corresponding to the device certificate issued by the security server comprises:
receiving a certificate Subject generated by the security server according to the identification code ID;
generating a certificate request P10 according to the Subject and sending the certificate request P10 to the security server;
and receiving a certificate generation key generated by the security server according to the certificate request P10, wherein the certificate generation key is a certificate chain P7B.
4. The method according to claim 3, wherein generating a certificate request P10 according to the Subject comprises:
writing the Subject into a software development kit (SDK), and generating the certificate request P10 by using the SDK with a preset algorithm.
5. The method according to claim 1, wherein the obtaining of the identification code ID identifying the vehicle-mounted terminal device issued by the management server includes:
sending an ID generation request carrying hardware configuration information of the vehicle-mounted terminal equipment to the management server;
and receiving the identification code ID generated by the management server according to the hardware configuration information of the vehicle-mounted terminal equipment and a preset rule.
6. The method of claim 5, wherein the identification code ID comprises at least one of:
equipment type coding, equipment producer coding, time coding, equipment hardware information coding and random codes.
7. The method of claim 1, wherein after sending the device fingerprint to a cloud server, the method further comprises:
establishing an SSL long connection with the cloud server upon receiving the authentication-passed indication, which the cloud server sends after determining that the device fingerprint is consistent with the device fingerprint corresponding to the vehicle-mounted terminal device acquired from the security server.
8. An in-vehicle terminal device characterized by comprising: a memory and a processor;
wherein the memory is used for storing programs;
the processor is used for executing the program in the memory and realizing the steps of the method according to any one of claims 1 to 7.
9. A service data transmission system, applied to an Internet of Vehicles system, characterized by comprising:
the in-vehicle terminal device of claim 8;
the management server, configured to receive an ID generation request which is sent by the vehicle-mounted terminal device and carries hardware configuration information of the vehicle-mounted terminal device, generate an identification code ID according to the hardware configuration information and a preset rule, and send the identification code ID to the vehicle-mounted terminal device;
the security server, configured to receive a device fingerprint generation request which is sent by the vehicle-mounted terminal device and carries the identification code ID, configure a device certificate according to the identification code ID by using an encryption algorithm of a CA/PKI system, and send the device certificate to the vehicle-mounted terminal device;
and the cloud server, configured to, in the process of establishing a connection with the vehicle-mounted terminal device, authenticate the vehicle-mounted terminal device by using the device fingerprint sent by the vehicle-mounted terminal device and the device fingerprint corresponding to the vehicle-mounted terminal device acquired from the security server, determine whether a security risk exists according to the authentication result, transmit service data with the vehicle-mounted terminal device after the authentication is passed, and determine whether a security risk exists according to the service data transmission process.
10. The system of claim 9,
the security server is further configured to compare the identification code ID with the identification code IDs of the device fingerprints in a historical fingerprint database;
if a similar identification code ID exists whose parts other than a preset part are identical to the corresponding parts of the identification code ID, determine the corresponding device certificate according to the device fingerprint corresponding to the similar identification code ID, and configure that device certificate as the device certificate of the vehicle-mounted terminal device;
otherwise, configure a device certificate according to the identification code ID by using an encryption algorithm of a CA/PKI system, generate a device fingerprint according to the identification code ID and the device certificate, and store the device fingerprint in the historical fingerprint database.
11. The system of claim 10,
the security server is further configured to determine that a security risk exists and raise an alarm when, among the device fingerprint generation requests received from the vehicle-mounted terminal device within a preset time, the frequency with which a similar identification code ID is found in the historical fingerprint database exceeds a set threshold.
12. The system of claim 9,
the security server is further configured to send the device fingerprint corresponding to the vehicle-mounted terminal device, generated according to the identification code ID and the device certificate, to the cloud server, so that the cloud server authenticates the device fingerprint sent by the vehicle-mounted terminal device based on that device fingerprint.
13. The system of claim 9,
the cloud server is further configured to receive the device fingerprint sent by the vehicle-mounted terminal device, and, when it is determined to be consistent with the device fingerprint corresponding to the vehicle-mounted terminal device sent by the security server, send an authentication-passed indication to the vehicle-mounted terminal device and establish a Secure Sockets Layer (SSL) long connection with the vehicle-mounted terminal device;
otherwise, determine that a security risk exists, and raise an alarm or cancel the device fingerprint corresponding to the vehicle-mounted terminal device.
14. The system of claim 9,
the cloud server is further configured to perform feature extraction and big data analysis on the service transmission process between the cloud server and the vehicle-mounted terminal device by using a rule engine;
and, when a security risk is determined to exist according to the analysis result, raise an alarm or intercept the service data transmission of the vehicle-mounted terminal device.
15. An in-vehicle terminal device characterized by comprising:
the ID acquisition module, configured to acquire an identification code ID which is issued by the management server and used for identifying the vehicle-mounted terminal device;
the certificate generation module, configured to send a device fingerprint generation request carrying the identification code ID to a security server and acquire a device certificate configured by the security server according to the identification code ID by using an encryption algorithm of a CA/PKI system;
and the authentication connection module, configured to generate a device fingerprint according to the identification code ID and the device certificate, send the device fingerprint to a cloud server, so that the cloud server authenticates the vehicle-mounted terminal device according to the device fingerprint and the device fingerprint corresponding to the vehicle-mounted terminal device acquired from the security server, and transmit service data with the cloud server after the authentication is passed, so that the cloud server determines whether a security risk exists according to an authentication result or a service data transmission process.
16. A computer program medium, having a computer program stored thereon, wherein the program, when executed by a processor, performs the steps of the method according to any one of claims 1 to 7.
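An added example (not code from the patent) of the server-side checks in claims 10, 11 and 13: matching an incoming identification code ID against the historical database while ignoring a preset part, reusing the certificate on a match, alarming when similar-ID hits within the preset time exceed the threshold, and the cloud server's fingerprint comparison. The hyphen-separated ID layout, the choice of the time and random codes as the preset part, the SHA-256 fingerprint construction and the placeholder certificate bytes are all assumptions.

```python
import hashlib
import hmac
from collections import deque

# Assumed ID layout; the patent only names the possible parts.
FIELDS = ("type", "producer", "time", "hardware", "random")
PRESET_PART = frozenset({"time", "random"})  # assumed parts ignored when matching


def similarity_key(device_id):
    """Return the ID parts outside the preset part; reject malformed IDs."""
    parts = device_id.split("-")
    if len(parts) != len(FIELDS) or not all(parts):
        raise ValueError("malformed identification code ID: %r" % device_id)
    return tuple(p for name, p in zip(FIELDS, parts) if name not in PRESET_PART)


def device_fingerprint(device_id, cert):
    """Assumed construction: SHA-256 over the length-prefixed ID and certificate."""
    digest = hashlib.sha256()
    for blob in (device_id.encode("utf-8"), cert):
        digest.update(len(blob).to_bytes(4, "big"))  # prefix prevents ambiguous joins
        digest.update(blob)
    return digest.hexdigest()


class SecurityServer:
    def __init__(self, issue_cert, window_s=60.0, threshold=3):
        self.issue_cert = issue_cert  # stand-in for the CA/PKI issuance step
        self.window_s = window_s      # the "preset time"
        self.threshold = threshold    # the "set threshold"
        self.history = {}             # similarity key -> certificate (historical database)
        self.expected = {}            # device ID -> fingerprint handed to the cloud server
        self.hits = {}                # similarity key -> timestamps of similar-ID hits
        self.alarms = []

    def handle_fingerprint_request(self, device_id, now):
        key = similarity_key(device_id)
        if key in self.history:
            cert = self.history[key]  # similar ID found: reuse its certificate
            recent = self.hits.setdefault(key, deque())
            recent.append(now)
            while now - recent[0] > self.window_s:
                recent.popleft()      # drop hits older than the window
            if len(recent) > self.threshold:
                self.alarms.append((now, device_id))
        else:
            cert = self.issue_cert(device_id)
            self.history[key] = cert
        self.expected[device_id] = device_fingerprint(device_id, cert)
        return cert


def cloud_authenticate(security_server, device_id, presented_fp):
    """Cloud-side check: compare the presented fingerprint with the server's copy."""
    expected = security_server.expected.get(device_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, presented_fp)


def constructed_issue_cert(device_id):
    """Constructed placeholder bytes, not a real X.509 certificate."""
    return b"CONSTRUCTED-CERT:" + hashlib.sha256(device_id.encode("utf-8")).digest()


def run_demo():
    server = SecurityServer(constructed_issue_cert, window_s=60.0, threshold=3)
    first_id = "TBOX-ACME-20200615-HW01AB-9f3c"  # constructed sample ID
    first_cert = server.handle_fingerprint_request(first_id, now=0.0)
    # Same type, producer and hardware code; only time and random codes change.
    reused = []
    for i in range(1, 5):
        similar_id = "TBOX-ACME-2020061%d-HW01AB-r%03d" % (i, i)
        reused.append(server.handle_fingerprint_request(similar_id, now=float(i)))
    good = cloud_authenticate(server, first_id, device_fingerprint(first_id, first_cert))
    bad = cloud_authenticate(server, first_id, device_fingerprint(first_id, b"other cert"))
    return {
        "cert_reused": all(c == first_cert for c in reused),
        "alarms": list(server.alarms),
        "good": good,
        "bad": bad,
    }


if __name__ == "__main__":
    print(run_demo())
```

A request that repeats an already stored ID exactly also counts as a similar-ID hit here, since its non-preset parts match.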
CN202010542470.6A 2020-06-15 2020-06-15 Service data transmission method, device and system Active CN111698255B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010542470.6A CN111698255B (en) 2020-06-15 2020-06-15 Service data transmission method, device and system

Publications (2)

Publication Number Publication Date
CN111698255A CN111698255A (en) 2020-09-22
CN111698255B true CN111698255B (en) 2022-07-22

Family

ID=72480991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010542470.6A Active CN111698255B (en) 2020-06-15 2020-06-15 Service data transmission method, device and system

Country Status (1)

Country Link
CN (1) CN111698255B (en)

Also Published As

Publication number Publication date
CN111698255A (en) 2020-09-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant