Disclosure of Invention
In order to protect privacy of vehicle-mounted cloud key negotiation in a self-organizing vehicle-mounted cloud building process, the invention provides a vehicle-mounted cloud computing method with privacy protection based on an SDN (software defined network), a vehicle-mounted cloud computing system based on the SDN is built, the system comprises an SDN controller, and the vehicle-mounted cloud computing method after the vehicle-mounted cloud computing system based on the SDN is initialized comprises the following steps:
s1, the vehicle in the vehicle-mounted cloud computing system based on the SDN sends the vehicle identity information to apply for registration to the SDN controller;
s2, the vehicle which completes the registration sends a resource certificate request to the SDN controller;
s3, after receiving the resource certificate request, the SDN controller judges the validity of the request and judges whether the quantity of the resources requested by the vehicle is not more than the quantity of the available resources of the vehicle, if so, the SDN controller sends the resource certificate to the vehicle;
s4, the vehicle which wants to join the vehicle-mounted cloud sends the information with the resource certificate to the vehicle-mounted cloud initiator, the vehicle-mounted cloud initiator verifies the resource certificate of the application vehicle, and n-1 members are randomly selected from the verified application vehicles;
s5, the vehicle-mounted cloud initiator numbers each member including the vehicle-mounted cloud initiator, broadcasts member information and a signature user set;
s6, the vehicle-mounted cloud initiator and n users selected by the vehicle-mounted cloud initiator in the number of n-1 members negotiate a vehicle-mounted cloud key;
s7, when other new vehicles want to join the vehicle-mounted cloud formed by the n members, the vehicle-mounted cloud initiator numbers the vehicle after verifying the validity of the resource certificate of the new user, and renegotiates a vehicle-mounted cloud secret key;
and S8, when the member leaves the vehicle-mounted cloud, the leaving member sends the leaving message to the neighbor vehicle of the member, and the vehicle-mounted cloud key is renegotiated.
Further, the vehicle applies for registration to the SDN controller, that is, the vehicle sends a request ciphertext obtained by encrypting a message including the information of the vehicle to the SDN controller for registration, and a process of generating the request ciphertext obtained by encrypting the message including the information of the vehicle includes:
vehicle v
iRandomly selecting a secret value
And calculates a corresponding temporary public key
Generating a signature according to the idle resource description, the temporary public key and the identity ID which the vehicle is willing to contribute;
the method comprises the following steps of encrypting a free resource description, a temporary public key, an identity ID and a generated signature which are willing to be contributed by a vehicle by using a long-term private key distributed to an SDN controller during initialization of a system to obtain a request ciphertext, wherein the request ciphertext is represented as:
wherein the content of the first and second substances,
for vehicles v
iThe request ciphertext of (1);
public key encryption using SDN controller C;
for vehicles v
iThe identity ID of (1);
for vehicles v
iThe temporary public key of (2);
for vehicles v
iFree resource descriptions willing to contribute; t is t
0A presentation time stamp; σ is a signature generated according to the free resource description, the temporary public key and the identity ID which the vehicle is willing to contribute, and is represented as:
indicating a vehicle v
iSignatures made using a long-term private key.
Further, the vehicle that completes registration initiates a resource certificate request to the SDN controller, that is, the SDN controller verifies a registration application message sent by the vehicle, and the process includes:
the SDN controller confirms the number of available resources of a request vehicle according to information sent by the request vehicle application registration, and judges whether the number of the resources is not larger than the number of the available resources of the request vehicle in a resource view maintained by the SDN controller;
if yes, the SDN controller uses the private key sk
CSigning resource descriptions of vehicles
And use the temporary public key
Obtaining a resource certificate, the resource certificate being expressed as:
long-term public key assigned to requesting vehicle upon system initialization
Encrypted transmission to requesting vehicle v
i;
The SDN controller stores the mapping relation between the resource certificate and the identity ID of the requesting vehicle;
wherein the content of the first and second substances,
issuing SDN controllers to vehicles v
iThe resource certificate of (2); t is
expIndicating a validity period of the certificate;
representing SDN controller to utilize its private key sk
CThe signature made;
indicating a vehicle v
iThe temporary public key of (2).
Further, the vehicle which wants to join the vehicle-mounted cloud sends the information with the resource certificate to the vehicle-mounted cloud initiator, and the sent information is represented as
Wherein
Indicating use of vehicle v
iEncrypting the resource certificate and the signature on the resource certificate by the temporary public key;
indicating a vehicle v
iThe resource certificate of (2);
according to vehicle v
iPrivate key of
For vehicle v
iThe resource certificate of (a) is signed.
Further, the process that the vehicle-mounted cloud initiator numbers each member, broadcasts the member information and signs the user set comprises the following steps:
the vehicle-mounted cloud initiator verifies the validity of the received information with the resource certificate according to the public key verification signature of the SDN controller;
the vehicle-mounted cloud initiator carries out ring type numbering on n-1 members, namely the numbering is from 1 to n;
the number of the vehicle-mounted cloud members from 1 to n is v in sequence
1,v
2,v
3,...,v
n,
Indicating a vehicle v
iThe vehicle-mounted cloud initiator issues the vehicle-mounted cloud member set and the signature thereof according to the serial number sequence, and the vehicle-mounted cloud member set and the signature thereof are represented as follows:
the VCmember represents a member set of the vehicle-mounted cloud initiated by a vehicle-mounted cloud initiator and a signature thereof;
a signature representing an onboard cloud initiated by an onboard cloud initiator;
representing the signature of the vehicle cloud originator V on the member set using the ephemeral private key.
Further, the process of negotiating the key of the vehicle cloud by the user in the member set of the vehicle cloud includes:
vehicle v
iUsing temporary private keys
Generating two authentication messages
Respectively sent to adjacent vehicles v
i-1,v
i+1;
Member v
iWill receive member v
i+1Transmitted message
And member v
i-1Transmitted message
Calculating a key parameter B from a transmitted message
i+1、B
i-1Respectively using v
i+1And v
i-1Temporary public key verification signature
And
the effectiveness of (a); if all the verification is successful, calculating and broadcasting a key parameter value X
i;
Each vehicle in the vehicle-mounted cloud receives n-1X
iAnd calculating the vehicle-mounted cloud key according to a formula, wherein the calculation process comprises the following steps:
the vehicle-mounted cloud key confirms that the vehicle-mounted cloud initiator encrypts the vehicle-mounted cloud member set VCmember by using the temporary key calculated by the vehicle-mounted cloud initiator, and signs the ciphertext by using the temporary private key to obtain the message
Broadcasting to a vehicle-mounted cloud, wherein each member carries out signature verification on the received message and carries out decryption verification by using a key calculated by the member, if the decrypted plaintext is the same as the broadcasted user set, a confirmation message is broadcasted, and after all other cloud members send the confirmation message, key negotiation is successful;
wherein D is
i,i-1Indicating a vehicle v
iRandomly selecting a secret value s
iAnd use of v
i-1Temporary public key of
Hidden secret value s
iIs sent to v
i-1;
Indicating a vehicle v
iAccording to
Calculating a Key parameter B
i-1N denotes the number of vehicles in the vehicle cloud, s
iIndicating a vehicle v
iThe selected secret value.
Further, the key parameter value XiExpressed as:
where g is a common parameter of the system, siIndicating a vehicle viThe selected secret value.
Further, when a new vehicle joins the vehicle-mounted cloud, the vehicle-mounted cloud initiator numbers the vehicle after verifying the validity of the resource certificate of the new user, and renegotiates a vehicle-mounted cloud key, including:
when a vehicle w outside the vehicle cloud joins the vehicle cloud initiated by the vehicle V, the vehicle w sends a request
pk
VRepresenting the temporary public key of vehicle V.
The vehicle-mounted cloud initiator verifies the validity of the new member resource certificate and numbers a new vehiclen+1And signing the member set by using a long-term private key and broadcasting, wherein the long-term private key signature member set is expressed as:
new vehicle v
n+1Using temporary private keys in resource certificates
Computing two authentication messages
And
message sending
Are sent to member v separately
1And v
n;
Vehicle v
1Use v first
n+1Temporary public key verification signature
The effectiveness of (a); if the verification is successful, calculating
Calculating Key parameter X'
1=B
2/B
n+1Prepared from X'
1Broadcast to the vehicle cloud, will
For vehicle v
n+1;
Vehicle v
nFirst verifying the signature
The effectiveness of (a); if the verification is successful, calculating
Calculating X'
n=B
n+1/B
n-1Prepared from X'
nBroadcast to the vehicle cloud, will
For vehicle v
n+1;
Vehicle v
n+1First, the signatures are verified separately
And
the effectiveness of (a); if the verification is successful, calculating
And
compute and broadcast X
n+1=B
1/B
n;
All vehicles in the vehicle-mounted cloud can receive X'
1,X'
n,X
n+1At the moment, the vehicle-mounted cloud has N +1 members in total, N is equal to N +1, and the vehicle in the vehicle-mounted cloud is according to a formula
And { X'
1,X
2,X
3,...,X'
n,X
n+1Updating the vehicle-mounted cloud key;
the vehicle-mounted cloud initiator issues a vehicle-mounted cloud member set, and the set is expressed as:
wherein, Req
wA request ciphertext for vehicle w;
the temporary public key of the vehicle-mounted cloud initiator V is used for encryption; cert
wA resource certificate for vehicle w;
temporary key sk indicating utilization of vehicle w
wSigning the resource certificate; VCmember is a member set;
indicating a vehicle v
iThe temporary key of (2); s
iFor vehicles v
iA randomly selected secret value;
a signature representing the vehicle V for the user set VCmember; g is a common parameter of the system.
Further, when a member leaves the vehicle-mounted cloud, the leaving member sends a leaving message to a neighboring vehicle of the member, and renegotiates a vehicle-mounted cloud key, including:
vehicle V in vehicle cloud initiated by vehicle V
jWhen the vehicle-mounted cloud exits, a leaving message is initiated and broadcasted to the vehicle-mounted cloud, and the leaving message is represented as
Vehicle v
j+1Receiving v
jAfter exiting the broadcast message, calculating
Will be provided with
Send to member v
j-1;
Vehicle v
j-1First verifying the signature
The effectiveness of (a); if the verification is successful, calculating
Broadcasting a message D;
all vehicles in the vehicle cloud are according to
Updating the vehicle cloud key, expressed as:
wherein the content of the first and second substances,
indicating a vehicle v
jThe temporary public key of (2);
indicating a vehicle v
jA parameter of the leaving-vehicle cloud broadcast,
indicating a vehicle v
jA signature on the broadcast; s
jIndicating a vehicle v
jA selected secret value; d
j+1,j-1Indicating a vehicle v
j+1Sent to vehicle v
j-1Parameter of (a), r
j+1Indicating a vehicle v
j+1The temporary private key of (a); d represents a vehicle v
jOf adjacent vehicles, r
j-1Indicating a vehicle v
j-1The temporary private key of (a); k
newIs an updated key; k
oldIs the pre-update key.
Further, when the system is initialized, the SDN controller and each vehicle in the system are allocated with a long-term public and private key pair (pk) for the SDN controller and all vehicles v in the system to have a pair of long-term public and private key pairs
C,sk
C) And
two large prime numbers p and q are randomly selected during system initialization, wherein q is (p-1), and G is
A cycle subgroup of (a) and order q, a common parameter G of the system is a generator on the group G, and the system common parameter is represented as PP ═ { p, q, G }; wherein the content of the first and second substances,
is a temporary key value field.
The invention achieves the following beneficial effects:
1. the building of the vehicle-mounted cloud is completed by vehicle self-organization, and meanwhile, the privacy security of interaction between vehicles can be guaranteed.
2. The method comprises the steps of designing SDN-based vehicle resource authentication, maintaining the resource state of a vehicle and issuing an anonymous resource certificate by an SDN controller, wherein the SDN controller is used for participating in the anonymous authentication of the VCC vehicle, preventing malicious vehicles from falsely reporting own resources and disturbing the normal execution of VCC.
3. The existing VC key agreement protocol is improved, anonymous authentication and member dynamic joining/quitting are realized, man-in-the-middle attack is resisted, the forward security of the VC key is ensured, and safe, reliable and privacy-protected dynamic VCC management is provided.
4. It is guaranteed that all vehicle nodes cannot confirm the true identity of the sender through the message, and cannot track the position information of the vehicle through the link message.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a vehicle-mounted cloud computing method with privacy protection based on an SDN (software defined network), which is used for constructing a vehicle-mounted cloud computing system based on the SDN, wherein the system comprises an SDN controller, and the vehicle-mounted cloud computing method after the vehicle-mounted cloud computing system based on the SDN is initialized comprises the following steps:
s1, the vehicle in the vehicle-mounted cloud computing system based on the SDN sends the vehicle identity information to apply for registration to the SDN controller;
s2, the vehicle which completes the registration sends a resource certificate request to the SDN controller;
s3, after receiving the resource certificate request, the SDN controller judges the validity of the request and judges whether the quantity of the resources requested by the vehicle is not more than the quantity of the available resources of the vehicle, if so, the SDN controller sends the resource certificate to the vehicle;
s4, the vehicle which wants to join the vehicle-mounted cloud sends the information with the resource certificate to the vehicle-mounted cloud initiator, the vehicle-mounted cloud initiator verifies the resource certificate of the application vehicle, and n-1 members are randomly selected from the verified application vehicles;
s5, the vehicle-mounted cloud initiator numbers each member including the vehicle-mounted cloud initiator, broadcasts member information and a signature user set;
s6, the vehicle-mounted cloud initiator and n users selected by the vehicle-mounted cloud initiator in the number of n-1 members negotiate a vehicle-mounted cloud key;
s7, when other new vehicles want to join the vehicle cloud formed by the n members, the vehicle cloud initiator numbers the vehicle after verifying the validity of the resource certificate of the new user, and renegotiates a vehicle cloud key;
and S8, when the member leaves the vehicle-mounted cloud, the leaving member sends the leaving message to the neighbor vehicle of the member, and the vehicle-mounted cloud key is renegotiated.
The invention constructs a vehicle-mounted cloud computing system based on an SDN, as shown in figure 1, the system is divided into a control layer and a service layer; the SDN controller and the RSU are located in a control layer and manage vehicle resources and cloud services, and the vehicles and the VCs are located in a service layer and execute service requests and supply. In fig. 1, the SDN controllers communicate with each other through long-connection wires, the long-connection wires and the RSUs use an OpenFlow communication protocol, and the RSUs and the vehicle-mounted cloud use short-range wireless communication dedicated to the vehicle-mounted network.
The invention comprises four entities of an SDN controller, an RSU, a vehicle and a vehicle-mounted cloud, wherein:
an SDN controller: each SDN controller communicates with a plurality of RSUs in a certain range (called a domain) by adopting a long-distance communication protocol, manages all vehicles in the domain, and comprises vehicle resource management, vehicle registration, anonymous resource certificate issuing and vehicle-mounted cloud anonymous access management;
RSU: directly communicating with vehicles within range through a short-range communication protocol (DSRC), and collecting and sending VC related information to an SDN controller;
vehicle: the system is provided with certain vehicle-mounted resources such as communication, calculation, storage, sensors and the like. The vehicle provided by the invention is divided into a vehicle cloud initiator and a request vehicle. The vehicle carries out information interaction with an external entity through an On Board Unit (OBU) and carries out resource sharing with other vehicles;
vehicle-mounted cloud: the vehicle key agreement is a dynamic entity and is formed by self-organizing a group of vehicles by running a VC key agreement protocol, so that the vehicles share resources and information.
The invention relates to a vehicle-mounted cloud computing method with privacy protection based on an SDN (software defined network), which is shown in a figure 2 and comprises the following steps:
s1: initializing and setting a system;
s11: system initialization settings are performed by an SDN controller, which has the characteristics of a global knowledge view. The SDN controller initializes system parameters, randomly selects two large prime numbers p and q, wherein q is (p-1), and G is
With the order q, G is a primitive on the group G. And releasing a system common parameter PP (p, q, g).
S2: a new vehicle wants to join the vehicle-mounted cloud, signs and encrypts a temporary public key, an identity and a resource description, and initiates a resource certificate request to the SDN controller;
s21: vehicle v
iRandomly selecting a secret value
And calculates a corresponding temporary public key
S22: will vehicle v
iFree resource description willing to contribute
Temporary public key
Identity ID, with public key pk of controller C
CEncrypting to obtain request ciphertext
Wherein
Is a long-term private key for vehicles
Signature made, t
0A time stamp is represented. Will request the ciphertext
And sending the data to the controller C for registration.
S3: SDN controller receiving vehicle viAnd the sent request ciphertext firstly verifies the validity of the signature and judges that the quantity of the resources in the resource description submitted by the request vehicle is not more than the quantity of the available resources of the vehicle in the resource view maintained by the controller. If both the resource description and the temporary public key signature certificate of the vehicle are established, the SDN controller utilizes the private key of the SDN controller to sign the certificate for the resource description and the temporary public key of the vehicle, encrypts the resource certificate by using the long-term public key of the vehicle and sends the encrypted resource certificate to the requesting vehicle;
s31: SDN controller C decryption request ciphertext
Verify signature and determine
The number of resources described in (1) is not greater than the number of available resources for the vehicle in the resource view maintained by the SDN controller C. If the SDN controller C meets the requirements, using the private key sk
CSigning resource descriptions
And a temporary public key
Obtaining a resource certificate
And use the long-term public key of the vehicle
Encrypted transmission to requesting vehicle v
i;
S32: the SDN controller stores the mapping relation between the resource certificate and the identity ID of the vehicle.
S4: a vehicle which wants to join the VC signs a resource certificate by using a temporary private key and encrypts the resource certificate by using a long-term public key of a vehicle-mounted cloud initiator to send the resource certificate to the vehicle-mounted cloud initiator V;
s41: vehicle v intended to participate in an onboard cloud
iSigning a resource certificate with a temporary private key and encrypting with a temporary public key of an onboard cloud initiator V
And sending the data to the vehicle-mounted cloud initiator V.
S5: the vehicle initiator V successfully verifies the resource certificate and selects n-1 members, numbers each member, and broadcasts the information of the participating members and a signature user set;
s51: vehicle-mounted cloud initiator V decrypts and verifies resource certificate
Verifying signatures with a public key of an SDN controller
Thereby verifying the validity of the vehicle resource and the temporary public key;
s52: the vehicle-mounted cloud initiator V selects n-1 vehicles which pass through the resource certificate verification;
s53: for convenience of description, the vehicle cloud initiator performs ring numbering for n-1 members, i.e., numbering from 1 to n. Suppose that vehicle-mounted cloud members numbered 1 to n are v in sequence
1,v
2,v
3,...,v
n,
Indicating a vehicle v
iThe vehicle V issues a VC member set (V is also one of them) and its signature in the order of numbering:
s6: after n members are selected, VC key negotiation is started, and each member v
i(i ═ 1,2, 3.., n) takes a random value
Respectively calculating two authentication messages and sending the authentication messages to front and rear adjacent vehicles;
s61: each VC member v
i(i ═ 1,2, 3.., n) takes a random value
For value range of temporary private key, calculating
And separately compute signatures
Will generate two authentication messages
Respectively sent to adjacent vehicles v
i-1,v
i+1。
S7: vehicle v receiving anonymous authentication messageiThe validity of the message is verified and verified with its own temporary private key. The successful message of verification calculates and broadcasts VC key parameter value Xi;
S71: each VC member v
iWill receive member v
i+1Transmitted message
And member v
i-1Transmitted message
First, the signatures are verified separately
The effectiveness of (a); if all the verification succeeds, calculating key parameters
Compute and broadcast
S8: each member in the vehicle cloud receives n-1 xsiRespectively calculating VC keys;
s81: the vehicle receives n-1X
iCalculating VC key according to formula
S82: VC key confirmation, VC initiator V utilizes self-calculated key to encrypt VC member set VCmember, and uses self-temporary private key to sign cipher text to obtain message
And broadcasting to the VC, each member carries out signature verification on the received message and carries out decryption verification by using the key calculated by the member, if the decryption is correct, the confirmation message is broadcasted, and after all other cloud members send the confirmation message, the key negotiation is successful. I.e. VC key K ═ K
1=K
2=…=K
nThe key can establish basic trust in the VC, and the security of VCC is guaranteed.
S9: the new vehicle joins the vehicle-mounted cloud, the vehicle-mounted cloud initiator can verify the validity of the resource certificate of the new vehicle, number the new vehicle, and number X of n-2 vehiclesiSending the information to a new vehicle, calculating the authentication information by the new vehicle by using the temporary private key of the new vehicle, and sending the authentication information to a serial number v1,vnIs a member of (1). Vehicle v1,vnRespectively calculating new VC key parameter value X'1,X'nAnd broadcasts and simultaneously sends the authentication information of itself to vn+1,vn+1Verifying and calculating own VC key parameter value Xn+1. Updating and confirming the VC key by all vehicles in the vehicle-mounted cloud according to the new parameter value;
s91: when a vehicle w outside VC joins VC (pk)
V 0,I
vc) When the vehicle w sends a request
S92: the vehicle-mounted cloud initiator verifies the validity of the new member resource certificate and numbers v for the new membern+1Signing the new member set with the long-term private key and broadcasting:
s93: new Member v
n+1Taking random values
Computing
And
and separately compute signatures
And
message sending
Are sent to member v separately
1And v
n;
S94: vehicle v
1Use v first
n+1Temporary public key verification signature
The effectiveness of (a); if the verification is successful, calculating
Calculating Key parameter X'
1=B
2/B
n+1Prepared from X'
1Broadcast to the vehicle cloud, will
For vehicle v
n+1(ii) a Vehicle v
nFirst verifying the signature
The effectiveness of (a); if the verification is successful, calculating
Calculating X'
n=B
n+1/B
n-1Prepared from X'
nBroadcast to the vehicle cloud, will
For vehicle v
n+1;
S95: vehicle v
n+1First, the signatures are verified separately
And
the effectiveness of (a); if the verification is successful, calculating
And
compute and broadcast X
n+1=B
1/B
n。
S96: all members in VC will receive three new X'
1,X'
n,X
n+1In this case, VC has N +1 members, N is N +1, and VC members are calculated according to the formula
And { X'
1,X
2,X
3,...,X'
n,X
n+1Updating VC key;
s97: a key validation is performed.
S98: VC initiator V issues new VC member set
S10: when the member in the vehicle-mounted cloud leaves the vehicle-mounted cloud, a leaving message is constructed. And according to the leaving message, the adjacent vehicle leaving the vehicle can calculate and broadcast a VC key updating parameter value, and the members in the vehicle-mounted cloud update and confirm the VC key according to the leaving message broadcast by the vehicle and the parameter value broadcast by the adjacent vehicle.
S101: vehicle-mounted cloud member v
jQuit the vehicle cloud (pk)
V,I
vc) Initiating a leave message
And broadcast into the VC, wherein
S102: member v
j+1Receiving v
jAfter exiting the broadcast message, calculating
Will be provided with
Send to member v
j-1;
S103: vehicle v
j-1First verifying the signature
The effectiveness of (a); if the verification is successful, calculating
Broadcasting a message D;
s104: all VC members update the VC key:
s105: VC key validation is performed.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.