CN117044162A - Authentication of plaintext and ciphertext in a vehicle networking (V2X) message - Google Patents
Authentication of plaintext and ciphertext in a vehicle networking (V2X) message Download PDFInfo
- Publication number
- CN117044162A CN117044162A CN202280019099.2A CN202280019099A CN117044162A CN 117044162 A CN117044162 A CN 117044162A CN 202280019099 A CN202280019099 A CN 202280019099A CN 117044162 A CN117044162 A CN 117044162A
- Authority
- CN
- China
- Prior art keywords
- hash
- ciphertext
- message
- plaintext message
- plaintext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000006855 networking Effects 0.000 title claims abstract description 34
- 238000000034 method Methods 0.000 claims abstract description 95
- 238000012545 processing Methods 0.000 claims description 84
- 230000004044 response Effects 0.000 claims description 23
- 238000004891 communication Methods 0.000 description 50
- 238000010586 diagram Methods 0.000 description 21
- 230000006870 function Effects 0.000 description 15
- 230000005540 biological transmission Effects 0.000 description 14
- 230000008569 process Effects 0.000 description 11
- 238000005516 engineering process Methods 0.000 description 7
- 230000001413 cellular effect Effects 0.000 description 6
- 230000002093 peripheral effect Effects 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 238000010295 mobile communication Methods 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 3
- 238000011156 evaluation Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- APTZNLHMIGJTEW-UHFFFAOYSA-N pyraflufen-ethyl Chemical compound C1=C(Cl)C(OCC(=O)OCC)=CC(C=2C(=C(OC(F)F)N(C)N=2)Cl)=C1F APTZNLHMIGJTEW-UHFFFAOYSA-N 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- 235000017060 Arachis glabrata Nutrition 0.000 description 1
- 241001553178 Arachis glabrata Species 0.000 description 1
- 235000010777 Arachis hypogaea Nutrition 0.000 description 1
- 235000018262 Arachis monticola Nutrition 0.000 description 1
- 238000006424 Flood reaction Methods 0.000 description 1
- 102100035964 Gastrokine-2 Human genes 0.000 description 1
- 101001075215 Homo sapiens Gastrokine-2 Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000002411 adverse Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000005670 electromagnetic radiation Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000002184 metal Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 235000020232 peanut Nutrition 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 238000001228 spectrum Methods 0.000 description 1
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
Methods, devices, and systems for implementing methods for authenticating plaintext and ciphertext in a vehicle networking (V2X) message. The method comprises the following steps: generating a ciphertext from a plaintext message to be transmitted in the V2X message, generating a hash of the ciphertext and a hash of the plaintext message, generating a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message, and transmitting the V2X message comprising the ciphertext, the hash of the plaintext message, and the digital signature to a network node. The hash of the plaintext message, and the digital signature may be configured to enable the network node to verify that the V2X endpoint node signed the concatenation.
Description
RELATED APPLICATIONS
The present application claims priority from U.S. provisional patent application No.63/158,955 entitled "Authenticating Plaintext And Ciphertext In A Vehicle-To-evaluation (V2X) Message," filed on 3 months 10 of 2021, and U.S. provisional patent application No.63/180,450 entitled "Authenticating Plaintext And Ciphertext In A Vehicle-To-evaluation (V2X) Message With Enhanced Security (authenticating plaintext and ciphertext in internet of vehicles (V2X) messages with enhanced security), filed on 27 of 2021, the entire contents of which are hereby incorporated by reference herein for all purposes.
Background
Various regions of the world are developing standards for vehicle-based communication systems and functionality. Standards for north america developed in the Institute of Electrical and Electronics Engineers (IEEE) and Society of Automotive Engineers (SAE), or standards for europe developed in the European Telecommunications Standards Institute (ETSI) and the european standardization Committee (CEN). The IEEE 802.11p standard is the basis for the Dedicated Short Range Communications (DSRC) and ITS-G5 communications standards. IEEE 1609 is a higher layer standard based on IEEE 802.11 p. The cellular internet of vehicles (C-V2X) standard is a competing standard developed under support of the third generation partnership project. These standards are the basis for vehicle-based wireless communications and may be used to support intelligent highways, autonomous driving, and semi-autonomous driving vehicles and to improve the overall efficiency and safety of the highway transportation system. Other V2X wireless technologies are also being considered in different regions of the world. The techniques described herein are applicable to any V2X wireless technology.
The C-V2X protocol defines two transmission modes that together provide 360 ° non-line-of-sight perceptibility and a higher level of predictability to achieve enhanced road safety and autonomous driving. The first transmission mode includes direct C-V2X, which includes vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and vehicle-to-pedestrian (V2P), and provides enhanced communication range and reliability in the dedicated Intelligent Transportation System (ITS) 5.9 gigahertz (GHz) spectrum that is independent of cellular networks. The second transmission mode includes vehicle-to-network communication (V2N) in mobile broadband systems and technologies such as third generation wireless mobile communication technology (3G) (e.g., global system for mobile communications (GSM) evolution (EDGE) system, code Division Multiple Access (CDMA) 2000 system, etc.), fourth generation wireless mobile communication technology (4G) (e.g., long Term Evolution (LTE) system, LTE-advanced system, mobile worldwide interoperability for microwave access (mobile WiMAX) system, etc.), fifth generation new radio wireless mobile communication technology (5G NR system, etc.), etc.
An element of the V2X system is the ability of vehicles to broadcast Basic Security Messages (BSM) in north america or Collaborative Awareness Messages (CAM) in europe, which other vehicles may receive and process to improve traffic safety. Processing of such messages in the transmitting and receiving vehicles occurs in onboard equipment that provides internet of vehicles (V2X) functionality (referred to herein as "V2X onboard equipment").
SUMMARY
Various aspects include methods and systems performed by an endpoint node for authenticating plaintext and ciphertext in a message. Some aspects may include: generating ciphertext from a plaintext message to be transmitted in the message; generating a hash of the ciphertext and a hash of the plaintext message; generating a concatenated digital signature of a hash of the ciphertext and a hash of the plaintext message; and sending a message comprising the ciphertext, a hash of the plaintext message, and the digital signature to the network node. In some aspects, the ciphertext, a hash of the plaintext message, and the digital signature may be configured to enable the network node to verify that the endpoint node signed the signed concatenation. In some aspects, the endpoint node may comprise a vehicle networking (V2X) endpoint node, and the message may comprise a V2X message.
In some aspects, the message may be configured for transmission over a limited bandwidth wireless communication link. In some aspects, the message may be configured as one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information. In some aspects, the plaintext message may comprise one of the following: charging information, parking access information, road condition information, geographic networking information, and emergency responder information. In some aspects, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
Various aspects include methods and systems for processing messages performed by a processor of a network node. Some aspects may include: receiving, from the endpoint node, a digitally signed message comprising the ciphertext, a hash of the plaintext message, and a concatenation of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and in response to determining that the endpoint node signed the concatenation of the hash of the ciphertext and the hash of the plaintext message, transmitting the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to the encryption key device.
In some aspects, the message may comprise a V2X message and the endpoint node may comprise a V2X endpoint node. In some aspects, determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message may include generating a hash of the ciphertext; concatenating the hash of the plaintext message and the generated hash of the ciphertext; and providing as input a concatenation of the hash of the plaintext message and the generated hash of the ciphertext to verify the digital signature using the public key of the endpoint node. In some aspects, generating the hash of the ciphertext may include generating the hash of the ciphertext using a hashing algorithm known to be used by the real endpoint node. In some aspects, the message may be configured for transmission over a limited bandwidth wireless communication link. In some aspects, the message may be configured as one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
In some aspects, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include a data structure that includes an identification of the hash of the ciphertext and an identification of the hash of the plaintext message. In some aspects, sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to the encryption key device may comprise: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key server. In some aspects, sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to the encryption key device may comprise: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key module.
Various aspects include methods and systems for authenticating plaintext and ciphertext in a message that are performed by a processor of a computing device. Some aspects may include: receiving, from the encryption key device, a plaintext message originated by the endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and performing a data transaction for the endpoint node in response to determining that the endpoint node signed a concatenation of the ciphertext and plaintext message.
In some aspects, the message may comprise a V2X message and the endpoint node may comprise a V2X endpoint node. In some aspects, determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message may include: generating a hash of the plaintext message; concatenating the generated hash of the plaintext message and a hash of the ciphertext; and providing as input a concatenation of the generated hash of the plaintext message and a hash of the ciphertext to verify the digital signature using a public key of the endpoint node.
In some aspects, the plaintext message may comprise one of the following: charging information, parking access information, road condition information, geographic networking information, and emergency responder information. In some aspects, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message. In some aspects, receiving from the encryption key device the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message may include receiving from the encryption key server the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message. In some aspects, receiving, from the encryption key device, the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message may include receiving, from the encryption key module, the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message.
Various aspects include a system for authenticating plaintext and ciphertext in a message, the system comprising an endpoint node comprising a processor configured with processor-executable instructions to: generating ciphertext from a plaintext message to be transmitted in the message; generating a hash of the ciphertext and a hash of the plaintext message; generating a concatenated digital signature of a hash of the ciphertext and a hash of the plaintext message; and transmitting a message comprising the ciphertext, a hash of the plaintext message, and the digital signature.
The system may also include a network node comprising a processor configured with processor-executable instructions to: receiving a message from the endpoint node comprising a ciphertext, a hash of the plaintext message, and a digital signature; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and in response to determining that the endpoint node signed a concatenation of the hash of the ciphertext and the hash of the plaintext message, transmitting the ciphertext, the hash of the plaintext message, and the digital signature to the encryption key device. The system may also include a network processing device including a processor configured with processor-executable instructions to: receiving, from the encryption key device, a plaintext message originated by the endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and performing a data transaction for the endpoint node in response to determining that the endpoint node signed a concatenation of the ciphertext and plaintext message.
Further aspects include an endpoint node, a network node, and/or a computing device comprising a memory and a processor configured to perform the operations of any of the methods outlined above. Further aspects may include an endpoint node, a network node, and/or a computing device having various means for performing functions corresponding to any of the methods outlined above. Further aspects may include a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of an endpoint node, a network node, and/or a computing device to perform various operations corresponding to any of the methods outlined above.
Brief Description of Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the claims and, together with the general description and the detailed description given, serve to explain the features herein.
Fig. 1A is a system block diagram illustrating an example V2X system suitable for implementing various embodiments.
Fig. 1B is a conceptual diagram illustrating an example V2X communication protocol stack suitable for implementing various embodiments.
FIG. 2 is a component diagram of an example vehicle system suitable for implementing various embodiments.
Fig. 3A is a message flow diagram illustrating an example of communications exchanged among network elements between a base station and a wireless device during a method of authenticating plaintext and ciphertext in a V2X message.
Fig. 3B illustrates an example data structure suitable for implementing the various embodiments.
Fig. 4 is a process flow diagram illustrating a method performed by a processor of V2X for authenticating plaintext and ciphertext in a V2X message, according to various embodiments.
Fig. 5 is a process flow diagram illustrating a method performed by a processor of a network node for processing V2X messages, in accordance with various embodiments.
Fig. 6 is a process flow diagram illustrating a method performed by a processor of a computing device for authenticating plaintext and ciphertext in a V2X message, in accordance with various embodiments.
Fig. 7 is a component block diagram illustrating an example mobile computing device suitable for use with the various embodiments.
Fig. 8 is a component block diagram illustrating an example mobile computing device suitable for use with the various embodiments.
Fig. 9 is a component block diagram illustrating an example V2X on-board equipment suitable for use with the various embodiments.
Detailed Description
Various embodiments will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. References made to particular examples and implementations are for illustrative purposes, and are not intended to limit the scope of the claims.
Wireless communication links, which are typically used for V2X communications, are bandwidth constrained. In some cases, a V2X endpoint node (e.g., a vehicle) may send a V2X message with encrypted plaintext content. The V2X message may be received by an intermediate network node (e.g., a roadside unit (RSU), a rack deployment unit, etc.), which verifies that over-the-air transmission of the message did not introduce errors into the message. The intermediate network node may then pass the message to a processing network node, which decrypts the message content and performs an operation based on the message content. While two digital signatures may be generated for a V2X message, one for plaintext and the other for encrypting plaintext (i.e., ciphertext), doing so increases the bandwidth overhead incurred by the V2X message, as well as the computational overhead of generating two signatures for the V2X message.
Various embodiments include methods and mechanisms for authenticating plaintext and ciphertext in a vehicle networking (V2X) message in an Intelligent Transportation System (ITS). Various embodiments enable various network elements, such as V2X endpoint nodes (which may be mobile computing devices, such as V2X on-board equipment of a vehicle, a mobile phone, a laptop, a tablet, or another suitable computing device), intermediate nodes (such as another vehicle or mobile computing device, a Road Side Unit (RSU), a portal unit (such as a toll portal unit)), network processing devices (such as servers, available for data transactions, such as toll or parking fee processing, monitoring road conditions, commercial vehicle screening, and other suitable applications) to authenticate plaintext and ciphertext in V2X messages. The authentication methods supported by the various embodiments are particularly useful for V2X bandwidth constrained messages.
The V2X processing and communication system may be implemented in a variety of vehicles (such as automobiles, trucks, buses, trailers, autonomous vehicles, robotic systems, and the like). In addition, the ITS or other V2X system includes several fixed equipment facilities such as roadside units, access nodes, and wireless relay nodes. Further, the various embodiments may be useful in systems that are not related to ITS functionality but that utilize V2X capabilities, such as toll parking garages, wireless payment systems for various commercial applications, emergency medical services, and the like. The various embodiments may be implemented in any of a variety of V2X equipped vehicles, fixed facilities, and other devices that use V2X communication infrastructure. To cover all implementations of various embodiments, the term "V2X endpoint node" is used throughout the specification and claims to refer broadly to a mobile, semi-mobile, or fixed system that implements V2X communication functionality. A non-limiting example of a V2X endpoint node for description is a vehicle (such as an automobile that pays a fee when traveling on a toll road), but references to this example and other examples are not intended to limit the scope of the claims that recite the V2X endpoint node. Some implementations may be used in any communication system in which authenticated encrypted messages may be transmitted via a communication medium in which at least some portion (e.g., segment, hop, etc.) of the communication link has constrained communication resources, such as limited bandwidth, channel capacity, etc.
Verifying the integrity, authenticity, and in some cases confidentiality of V2X messages has various functions for implementing autonomous and semi-autonomous driving vehicles, as well as supporting various services in ITS. In various embodiments, a V2X endpoint node (e.g., a V2X equipped vehicle) may be requested to send information to a network processing device via an intermediate network node (e.g., a roadside unit or other ITS node). The encryption key device may generate an encryption key and send the encryption key to the intermediate network node. In some embodiments, the encryption key device may be a separate device, such as an encryption key server. In some embodiments, the encryption key device may be a module, unit, or function of an intermediate network node (or network processing device). The intermediate network node may send an encryption key to the V2X endpoint node, accompanied by a request for V2X to provide certain information. The V2X endpoint node may generate a response message, generate a digital signature of the message, encrypt the message, and generate a digital signature of the encrypted message. The V2X endpoint node may send the encrypted message and the digital signature to an intermediate network node. The intermediate network node may verify a digital signature of the encrypted message that verifies the integrity of the message sent from the V2X endpoint node. The intermediate network node may pass the encrypted message to an encryption key device that decrypts the message and sends the decrypted message and a digital signature of the message to the network processing device. The network processing device may verify the digital signature of the message and may perform some action or operation related to the message from the V2X endpoint node.
Example applications of various embodiments relate to performing charging or toll collection operations on V2X endpoint nodes, such as V2X equipped vehicles traveling on toll roads or entering pay parking lots. The charging chassis device (or other suitable device) may detect the V2X endpoint node and send a message (e.g., a charging advertisement message (TAM)) to the V2X mode requesting information of the charging operation. The V2X endpoint node may respond with a fee upload message (TUM) that includes the response message, the digital signature of the message, the encrypted version of the message, and the digital signature of the encrypted message. The toll collection bay device can use the digital signature of the encrypted message to verify that over-the-air transmissions of the TUM do not introduce errors in the message. The network node of the charging (fee) service provider may use the digital signature of the message (after decryption) to perform the relevant financial transaction operations for charging (provided that the digital signature of the message is verified).
As mentioned above, two digital signatures are generated, one for the message (i.e., plaintext) and the other for the encrypted version of the message (i.e., ciphertext). However, generating and transmitting two different digital signatures would increase the Radio Frequency (RF) overhead required to communicate this information via wireless communication. For example, in some communication protocol implementations, each additional signature may add 100 bytes or more to a single message. When numerous V2X endpoint nodes, intermediate nodes, and network nodes generate, encrypt, decrypt, and process such messages, the additional overhead may have a significant adverse impact on communication system resources, particularly in bandwidth constrained systems (e.g., V2X communication systems).
Various embodiments include methods, V2X processing devices and systems configured to perform methods for authenticating plaintext and ciphertext in V2X messages in a manner that increases efficiency and reduces processing and communication link overhead required to handle such V2X messages. In some embodiments, a V2X endpoint node (e.g., a V2X processing device in V2X onboard equipment of a vehicle) may generate ciphertext from a plaintext message to be transmitted in the V2X message, generate a hash of the ciphertext and a hash of the plaintext message, generate a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message, and send the V2X message including the ciphertext, the hash of the plaintext message, and the digital signature to a network node. In some embodiments, the ciphertext, the hash of the plaintext message, and the digital signature may be configured to enable the network node to verify that the wireless device signed the signed concatenation of the hash of the ciphertext and the hash of the plaintext message.
In various embodiments, the hash of the ciphertext and the hash of the plaintext message may be concatenated in any order. In some embodiments, the hash of the ciphertext and/or the hash of the plaintext message may be included in a data structure defining the position (e.g., defined byte range) of the hash of the ciphertext and the hash of the plaintext message in the message, such as may be described by a data structure description language such as abstract syntax notation one (asn.1) or another suitable data structure description language. In some embodiments, the hash of the ciphertext and/or the hash of the plaintext message may include an indication (e.g., a starting byte value or a field length value) of a location or boundary therebetween that identifies the ciphertext and/or the hash of the ciphertext and/or an identification of the plaintext message and/or the hash of the plaintext message.
In some embodiments, the V2X message is configured for transmission over a limited bandwidth wireless communication link, such as a bandwidth constrained V2X wireless communication link. In some embodiments, the V2X message may be configured according to one or more functions or systems. In some embodiments, the clear text message may include sensitive financial information (e.g., account number, credit card number, etc.) about or associated with the V2X endpoint node that may enable toll collection or charging operations associated with the V2X endpoint node. For example, the V2X message may be configured as a charging message (e.g., for a charging or toll collection system), a parking access message (e.g., for a parking payment system), a road condition message (e.g., a message to another vehicle, to an RSU, or to a network node regarding traffic, observed vehicle behavior, road damage, dangerous road conditions (such as ice or floods), etc.), a geographic networking message (e.g., for use in a geographic networking message or messaging system), an emergency responder message (e.g., a police, fire, emergency medical engineer, or other emergency responder system), or other suitable message or messaging system.
In some embodiments, the clear text message may include non-financial sensitive information, such as personal identity, medical information, classification, or proprietary information, for which protection and authentication are appropriate. In some embodiments, the clear text message may include parking access information, such as a parking location, a timer period, and/or a parking fee. In some embodiments, the clear text message may include road condition information. In some embodiments, the clear text message may include geographic networking information. In some embodiments, the clear text message may include emergency responder information (such as information about dangerous conditions, events, incidents, etc.), identity information about a suspect or victim, medical information, personally identifiable information (P11), etc. In some implementations, the content of the clear text message may include information of a confidential or sensitive nature, or information that must be treated confidential in accordance with laws or regulations (e.g., financial account information, medical information, etc.).
In some embodiments, a network node (e.g., an intermediate network node, such as a vehicle, RSU, rack unit, edge computing device, etc.) may receive a V2X message from a V2X endpoint node, the V2X message including ciphertext, a hash of a plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message. The network node may determine whether the V2X endpoint node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message by generating a hash of the ciphertext, using the generated hash of the ciphertext to construct the concatenation of the received hash of the plaintext message and the generated hash of the ciphertext, and using the concatenation of the received hash of the plaintext message and the generated hash of the ciphertext as input to verify the digital signature using a public key of the V2X endpoint node. In response to determining that the V2X endpoint node signed a concatenation of a hash of the ciphertext and a hash of the plaintext message, the network node may send the ciphertext, the hash of the plaintext message, and a digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to the encryption key device.
In some embodiments, a computing device (e.g., a payment processing server, a computing device configured to process road condition information, a computing device configured to process emergency responder messages and information, or other suitable computing device) may receive from an encryption key device a plaintext message initiated by a V2X endpoint node, a hash of a ciphertext of the plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message. The computing device may determine whether the V2X endpoint node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message by generating a hash of the plaintext message, constructing the concatenation of the generated hash of the plaintext message and the received hash of the ciphertext using the hash of the plaintext message, and using the concatenation of the generated hash of the plaintext message and the received hash of the ciphertext as input to verify the digital signature using a public key of the V2X endpoint node. The computing device may execute a data transaction for the V2X endpoint node in response to determining that the V2X endpoint node signs a concatenation of the ciphertext and plaintext message.
Various embodiments include methods, V2X processing devices and systems configured to perform methods for authenticating plaintext and ciphertext in V2X messages in a manner that improves processing and communication link efficiency and reduces processing and communication link overhead required to handle such V2X messages.
For ease of reference, some embodiments are described herein with reference to a vehicle using a V2X system and protocol. However, it should be understood that the various embodiments encompass any or all of V2X or vehicle-based communication standards, messages, protocols, and/or technologies. As such, nothing in this disclosure should be construed as limiting the claims to a particular system (e.g., V2X) or message or messaging protocol (e.g., basic Security Message (BSM)) unless explicitly so stated in the claims. Further, embodiments described herein may refer to a V2X processing system in a vehicle. Other embodiments are contemplated in which the V2X processing system may operate in or be included with mobile devices, mobile computers, RSUs, and other devices equipped to monitor road and vehicle conditions and participate in V2X communications.
Fig. 1A is a system block diagram illustrating an example V2X system 100 suitable for implementing various embodiments. Fig. 1B is a conceptual diagram illustrating an example V2X communication protocol stack 150 suitable for implementing various embodiments. Referring to fig. 1A and 1B, the vehicles 12, 14, 16 may include V2X onboard equipment 102, 104, 106, respectively, configured to send and receive V2X messages, including periodically broadcasting basic safety messages 112, 114, 116 for receipt and processing by the onboard equipment (e.g., 102, 104, 106) of other vehicles.
By sharing vehicle position, speed, direction, behavior (such as braking), and other information, the vehicle can maintain a safe interval and identify and avoid potential collisions. For example, the trailing vehicle 12 that receives the primary safety message 114 from the leading vehicle 16 may determine the speed and position of the vehicle 16 such that the vehicle 12 can match the speed and maintain the safety separation distance 20. By being notified via the basic safety message 114 when the lead vehicle 16 applies the brakes, the V2X equipment 102 in the trailing vehicle 12 can apply the brakes simultaneously to maintain the safety separation distance 20 even when the lead vehicle 16 suddenly stops. As another example, V2X equipment 104 within the truck vehicle 14 may receive basic safety messages 112, 116 from both vehicles 12, 16 and thus be notified that the truck vehicle 14 should stop at the intersection to avoid a collision. Further, each of the vehicle V2X onboard equipment 102, 104, 106 may communicate with each other using any of a variety of close proximity communication protocols.
Further, the vehicle may be capable of communicating data and information regarding basic security messages and other V2X communications over the communication network 18 (e.g., V2X, cellular, wiFi, etc.) to the various network elements 132, 134, 136 via the communication links 122, 124, 146. For example, the network element 132 may be incorporated into or in communication with an RSU, rack unit, or the like. The network elements 134, 136 may be configured to perform functions or services related to the vehicles 12, 14, 16, such as payment processing, road condition monitoring, emergency provider message handling, and the like. The network elements 134, 136 may be configured to communicate with each other over wired or wireless networks 142, 144 to exchange information associated with payment processing, road condition monitoring, emergency provider message handling, and similar services.
FIG. 2 is a component diagram of an example vehicle system 200 suitable for implementing various embodiments. Referring to fig. 1A-2, a system 200 may include a vehicle 202, the vehicle 202 including a V2X processing device 204 (e.g., a telematics control unit or an on-board unit (TCU/OBU)). The V2X processing device 202 may be in communication with various systems and devices, such as an in-vehicle network 210, an infotainment system 212, various sensors 214, various actuators 216, and a Radio Frequency (RF) module 218. The V2X processing device 202 may also communicate with various other vehicles 220, roadside units 222, base stations 224, and other external devices. The TCU/OBU 204 may be configured to perform operations for authenticating plaintext and ciphertext, as described further below.
The V2X processing device 204 may include a V2X antenna (e.g., RF module 218) and may be configured to communicate with one or more ITS participants (e.g., stations), such as another vehicle 220, a roadside unit 222, and a base station 224 or other suitable network access points. In various embodiments, V2X processing device 202 may receive information from a plurality of information sources, such as in-vehicle network 210, infotainment system 212, various sensors 214, various actuators 216, and RF module 218. The V2X processing device 204 may detect an improper behavior condition in a system of the vehicle, such as one of the plurality of information sources 210-218, an application or service executing on the V2X processing device 204, or another system of the vehicle.
Examples of in-vehicle networks 210 include Controller Area Network (CAN), local Interconnect Network (LIN), networks using FlexRay protocol, media Oriented System Transport (MOST) networks, and automotive ethernet. Examples of vehicle sensors 214 include location determination systems, such as Global Navigation Satellite System (GNSS) systems, cameras, radar, lidar, ultrasonic sensors, infrared sensors, and other suitable sensor devices and systems. Examples of vehicle actuators 216 include various physical control systems, such as for steering, brakes, engine operation, lights, direction signals, and the like.
Fig. 3A is a message flow diagram 300 illustrating an example of communications exchanged among network elements between a base station and a wireless device during a method of authenticating plaintext and ciphertext in a V2X message. Fig. 3B illustrates an example data structure 350 suitable for implementing the various embodiments. Referring to fig. 1-3B, the network elements may include a V2X endpoint node 320 (e.g., a vehicle 12, 14, 16, 202), a network node 322 (e.g., another of the vehicles 12, 14, 16, 220, RSU 132, 220), an encryption key device 324 (e.g., network element 134, 136), and a network processing device 326 (e.g., network element 134, 136). In some embodiments, encryption key device 324 may be a separate device, such as an encryption key server. In some embodiments, encryption key device 324 may be a module, unit, or function of network node 322 or network processing device 326.
In the first example scenario 300a, the encryption key device 324 may generate an encryption key and send the encryption key to the network node 322 in message 302. In some embodiments, the encryption key may be or may include a public key. Network node 322 may send an encryption key to V2X endpoint node 320 and request 304V2X to provide certain information. The request 304 may be a V2X message or may be included in a V2X message. In general, V2X messages are configured for use in V2X communication systems, formatted in accordance with V2X communication protocols, and configured for transmission via bandwidth and/or other resource constrained wireless communication links.
V2X endpoint node 320 may generate a response that includes the plaintext message. The V2X endpoint node may generate ciphertext from the plaintext message and may generate a hash of the ciphertext and a hash of the plaintext message. The V2X endpoint node may generate the hash(s) using a hashing algorithm, such as any of the SHA-2 algorithm set or the like. V2X endpoint node 320 may generate a digital signature that is a concatenation of a hash of the ciphertext and a hash of the plaintext message. In various embodiments, the hash of the ciphertext and the hash of the plaintext message may be concatenated in any order.
In some embodiments, the V2X endpoint node may generate a data structure, such as data structure 350 (fig. 3B), and the V2X endpoint node may generate a digital signature of the data structure. The data structure 350 may include indicia identifying a hash of the ciphertext and/or a hash of the plaintext message. The data structure 350 may also include other data. For example, the data structure 350 (e.g., "signed decryptabledata") may include a description 352 of its structure and/or content, such as a hash of the plaintext message itself ("hOP HashOrPlaintext"), a hash of the ciphertext, or the ciphertext message itself ("hOC HashOrCiphertext"), or the like. The data structure 350 may also include a hash of the plaintext message or description of the plaintext message 354, a hash of the ciphertext or description of the ciphertext message 356, and other data fields, descriptors, tags, and/or other content.
Returning to fig. 3a, the V2X endpoint node may send a V2X message 306 including a ciphertext, a hash of the plaintext message, and a digital signature to the network node 322. Network node 322 may determine whether V2X endpoint node 320 signs the concatenation of the hash of the ciphertext and the hash of the plaintext message by generating a hash of the ciphertext, using the generated hash of the ciphertext to construct an appropriately encoded concatenation of the received hash of the plaintext message and the generated hash of the ciphertext, and using the received hash of the plaintext message and the generated concatenation of the ciphertext as inputs to verify the digital signature using the public key of the V2X endpoint node. In response to determining that the V2X endpoint node signed a concatenation of a hash of the ciphertext and a hash of the plaintext message, network node 322 may send the ciphertext, the hash of the plaintext message, and the digital signature to encryption key device 324 in message 308.
Encryption key device 324 may decrypt the ciphertext to generate the plaintext message. The encryption key device 324 may then send the plaintext message, a hash of the ciphertext, and a digital signature (concatenation of the hash of the ciphertext and the hash of the plaintext message) to the network processing device 326 in communication 310.
In a second example scenario 300b according to some embodiments, the encryption key device 324 may return a plaintext message to the network node 322 in the message 312, and the network node 322 may send the plaintext message, a hash of the ciphertext, and a digital signature (of a concatenation of the hash of the ciphertext and the hash of the plaintext message) to the network processing device 326 in the message 314. In some embodiments, network node 322 and encryption key device 324 may be co-located with network node 322 or incorporated into network node 322, and the decryption operation may be performed in the vicinity of network node 322 or within network node 322.
In a third example scenario 300c according to some embodiments, an endpoint node may send ciphertext, a hash of a plaintext message, and a digital signature in a message 316 to a network processing device 326. In some embodiments, the network processing device 326 may determine whether the V2X endpoint node 320 signs the concatenation of the hash of the ciphertext and the hash of the plaintext message by generating a hash of the ciphertext, using the generated hash of the ciphertext to construct an appropriately encoded concatenation of the received hash of the plaintext message and the generated hash of the ciphertext, and using the received hash of the plaintext message and the concatenation of the generated hashes of the ciphertext as inputs to verify the digital signature using the public key of the V2X endpoint node. In response to determining that the V2X endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message, the network processing device 326 may send the ciphertext to the encryption key device 324 in the message 318 for decryption. The encryption key device may decrypt the ciphertext and may send the plaintext to the network processing device in message 320. In some embodiments, the encryption key device 324 may be co-located with the network processing device 326 or incorporated into the network processing device 326, and the decryption operation may be performed in the vicinity of the network processing device 326 or in the network processing device 326.
The network processing device 326 may determine whether the V2X endpoint node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message by generating a hash of the plaintext message, constructing an appropriately encoded concatenation of the generated hash of the plaintext message and the received hash of the ciphertext, and using the generated hash of the plaintext message and the concatenation of the received hash of the ciphertext as inputs to verify the digital signature using the public key of the V2X endpoint node. In response to determining that the V2X endpoint node signs a concatenation of ciphertext and plaintext messages, the network processing device 326 may perform a data transaction for the V2X endpoint node.
In various embodiments, V2X messages 304 and 306 may be configured in accordance with one or more functions or systems. As two examples, V2X messages 304 and 306 may be configured as charging messages (e.g., for a toll or toll collection system) or parking access messages (e.g., for a parking payment system). V2X messages 304 and 306 may also be configured as road condition messages (e.g., messages to another vehicle, to an RSU, or to a network node regarding traffic, observed vehicle behavior, road damage, dangerous road conditions (such as ice or flood), etc.). V2X messages 304 and 306 may also be configured as geo-networking messages (e.g., for geo-networking messages or messaging systems). For example, the V2X endpoint node may send V2X messages for communication to a particular set of RSUs, such as other vehicles along a road or path or in a particular direction. For example, a geo-networking message may be used to inform other vehicles of dangerous traffic or road conditions along a particular road. As another example, a geo-networking message may be used to inform other vehicles that an emergency vehicle is approaching so that other vehicles may temporarily clear the road.
V2X messages 304 and 306 may also be configured as emergency responder messages (e.g., for use by police, fire, emergency medical engineers, or other emergency responder systems). For example, the emergency responder V2X message may include information intended to be received only by other emergency responders and not by the public, such as information about dangerous conditions, events, incidents, etc., identity information about a suspect or victim, medical information (e.g., must be treated with privacy), personally Identifiable Information (PII), etc. In some implementations, the content of the clear text message may include information of a confidential or sensitive nature, or information that must be treated confidential in accordance with laws or regulations (e.g., financial account information, medical information, etc.).
Fig. 4 is a process flow diagram illustrating a method 400 performed by a processor of a V2X endpoint node for authenticating plaintext and ciphertext in a V2X message, according to various embodiments. Referring to fig. 1A-4, the operations of method 400 may be performed by a V2X processing device in a V2X endpoint node (e.g., 12, 14, 16, 202, 320).
In block 402, the V2X processing device may generate ciphertext from a plaintext message to be transmitted in the V2X message. For example, the V2X processing device may generate a plaintext message and then generate ciphertext by encrypting the plaintext message.
In block 404, the V2X processing device may generate a hash of the ciphertext and a hash of the plaintext message. Any form of hash function or algorithm may be used to generate the two hashes, and different hash functions or algorithms may be used to generate the hash of the ciphertext and the hash of the plaintext message.
In block 406, the V2X processing device may generate a digital signature of a concatenation of a hash of the ciphertext and a hash of the plaintext message. Any form of signature function or algorithm may be used to generate the digital signature.
In block 408, the V2X processing device may send a V2X message including a ciphertext, a hash of the plaintext message, and a digital signature to the network node. In some embodiments, the ciphertext, the hash of the plaintext message, and the digital signature may be configured to enable the network node to verify that the V2X endpoint node signed the signed concatenation. In some embodiments, V2X messages may be configured for transmission over a wireless communication link of limited bandwidth, such as V2X messages transmitted by one V2X endpoint node and received by another V2X endpoint node.
In some embodiments, the V2X message may be configured as a charging message, a parking access message, a road condition message, a geographic networking message, or emergency responder information. In some embodiments, the plaintext message may comprise one of the following: charging information, parking access information, road condition information, geographic networking information, and emergency responder information. In some embodiments, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include or be included in a data structure that defines or specifies a byte range or boundary of the ciphertext and/or the hash of the ciphertext and an identification of the plaintext message and/or the hash of the plaintext message.
Fig. 5 is a process flow diagram illustrating a method 500 for processing V2X messages performed by a processor of a network node, in accordance with various embodiments. Referring to fig. 1-5, the operations of method 500 may be performed by a processing device (which may be a V2X processing device) in a network node (e.g., 12, 14, 16, 220, 132, 220, 322).
In block 502, a processing device may receive a V2X message from a V2X endpoint node (e.g., 12, 14, 16, 202, 320), the V2X message including ciphertext, a hash of a plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message.
In decision block 504, the processing device may determine whether the V2X endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message. In some embodiments, the processing device may generate a hash of the ciphertext, construct a concatenation of the received hash of the plaintext message and the generated hash of the ciphertext using the generated hash of the ciphertext, and use the concatenation of the received hash of the plaintext message and the generated hash of the ciphertext as input to verify the digital signature using the public key of the V2X endpoint node.
In response to determining that the V2X endpoint node is not signing a concatenation of a hash of the ciphertext and a hash of the plaintext message (i.e., determination block 504 = "no"), the processing device may reject the V2X message from the V2X endpoint node in block 506. Rejecting the V2X message may include ignoring the V2X message, stopping further processing of the V2X message, and other suitable operations.
In response to determining that the V2X endpoint node does sign the concatenation of the hash of the ciphertext and the hash of the plaintext message (i.e., determination block 504 = "yes"), the processing device may send the ciphertext, the hash of the plaintext message, and a digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to the encryption key device in block 508.
In some embodiments, the processing device may generate a hash of the ciphertext using a hashing algorithm known to be used by the real V2X endpoint node. In some embodiments, the V2X message may be configured for transmission over a limited bandwidth wireless communication link. In some embodiments, the V2X message may be configured as a charging message, a parking access message, a road condition message, a geographic networking message, or emergency responder information. In some embodiments, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include or be included in a data structure that includes an identification of the ciphertext and/or the hash of the ciphertext and an identification of the plaintext message and/or the hash of the plaintext message.
Fig. 6 is a process flow diagram illustrating a method 600 performed by a processor of a computing device for authenticating plaintext and ciphertext in a V2X message, in accordance with various embodiments. Referring to fig. 1-6, the operations of method 600 may be performed by a processing device in a network processing device (e.g., 134, 136).
In block 602, the processing device may receive, from an encryption key device (e.g., 324), a plaintext message initiated by a V2X endpoint node (e.g., 12, 14, 16, 202, 320), a hash of a ciphertext of the plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message.
In decision block 604, the processing device may determine whether the V2X endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message. In some embodiments, the processing device may generate a hash of the plaintext message, construct a concatenation of the generated hash of the plaintext message and a received hash of the ciphertext, and use the concatenation of the generated hash of the plaintext message and the received hash of the ciphertext as input to verify the digital signature using a public key of the V2X endpoint node. In some embodiments, the concatenation of the hash of the ciphertext and the hash of the plaintext message may include a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
In response to determining that the V2X endpoint node is not signing a concatenation of a hash of the ciphertext and a hash of the plaintext message (i.e., determination block 604 = "no"), the processing device may reject the V2X message from the V2X endpoint in block 606. Rejecting the V2X message may include ignoring the V2X message, stopping further processing of the V2X message, and other suitable operations.
In response to determining that the V2X endpoint node does sign a concatenation of a hash of the ciphertext and a hash of the plaintext message (i.e., determination block 604 = "yes"), the processing device may execute the data transaction for the V2X endpoint node in block 608.
Fig. 7 is a component block diagram illustrating an example mobile computing device 700 suitable for use with the various embodiments. With reference to fig. 1-7, the various embodiments may be implemented in a variety of computing systems including in-vehicle equipment and mobile computing devices, including an example mobile computing device 700. The mobile computing device 700 may include a processor 702, the processor 702 coupled to a touch screen controller 704 and an internal memory 706. Processor 702 may be one or more multi-core integrated circuits designated for general or specific processing tasks. The internal memory 706 may be volatile or non-volatile memory and may also be secure and/or encrypted memory, or unsecure and/or unencrypted memory, or any combination thereof. Examples of memory types that may be utilized include, but are not limited to DDR, LPDDR, GDDR, WIDEIO, RAM, SRAM, DRAM, P-RAM, R-RAM, M-RAM, STT-RAM, and embedded DRAM. The touch screen controller 704 and the processor 702 may also be coupled to a touch screen panel 712, such as a resistive sensing touch screen, capacitive sensing touch screen, infrared sensing touch screen, or the like. Additionally, the display of mobile computing device 700 need not have touch screen capabilities.
The mobile computing device 700 may have one or more radio signal transceivers 708 (e.g., peanut, bluetooth, zigbee, wi-Fi, RF radio) coupled to each other and/or to the processor 702, and an antenna 710 for transmitting and receiving communications. The transceiver 708 and antenna 710 may be used with the above-mentioned circuitry to implement various wireless transmission protocol stacks and interfaces. The mobile computing device 700 may include a cellular network wireless modem chip 716 that enables communication via a cellular network and is coupled to a processor.
The mobile computing device 700 may include a peripheral device connection interface 718 coupled to the processor 702. Peripheral device connection interface 718 may be configured to accept one type of connection alone or may be configured to accept various types of physical and communication connections, either common or proprietary, such as Universal Serial Bus (USB), fireWire (FireWire), thunderbolt (Thunderbolt), or PCIe. Peripheral connection interface 718 may also be coupled to a similarly configured peripheral connection port (not shown).
The mobile computing device 700 may also include a speaker 714 for providing audio output. The mobile computing device 700 may also include a housing 720 for containing all or some of the components described herein, the housing being constructed of plastic, metal, or a combination of materials. One of ordinary skill in the art will recognize that the housing 720 may be a dashboard console of a vehicle in an on-board embodiment. The mobile computing device 700 may include a power supply 722, such as a disposable or rechargeable battery, coupled to the processor 702. The rechargeable battery may also be coupled to the peripheral device connection port to receive charging current from a source external to the mobile computing device 700. The mobile computing device 700 may also include physical buttons 724 for receiving user input. The mobile computing device 700 may also include a power button 726 for turning the mobile computing device 700 on and off.
Fig. 8 is a component block diagram illustrating an example mobile computing device 800 suitable for use with the various embodiments. With reference to fig. 1-8, the various embodiments may be implemented in various computing systems including an example mobile computing device 800, the example mobile computing device 800 being illustrated as a laptop computer. The mobile computing device 800 may include a touchpad touch surface 817 that serves as a pointing device for a computer and, thus, may receive drag, scroll, and flick gestures similar to those implemented on a computing device equipped with a touch screen display and as described above. The mobile computing device 800 will typically include a processor 802 coupled to volatile memory 812 and a large capacity nonvolatile memory, such as a hard disk drive 813 of flash memory. Additionally, the mobile computing device 800 may have one or more antennas 808 for sending and receiving electromagnetic radiation, connectable to a wireless data link, and/or a cellular telephone transceiver 816 coupled to the processor 802. The mobile computing device 800 may also include a floppy disk drive 814 and a Compact Disc (CD) drive 815 coupled to the processor 802. In a notebook configuration, the computer housing includes a touch pad 817, a keyboard 818, and a display 819, all coupled to the processor 802. Other configurations of computing devices may include a computer mouse or trackball coupled to a processor (e.g., via a USB input) as is well known, which may also be used in connection with the various embodiments.
Fig. 9 is a component block diagram illustrating an example V2X on-board equipment 900 suitable for use with the various embodiments. Referring to fig. 1-9, various embodiments may be implemented in a wide variety of V2X on-board equipment 900. This V2X on-board equipment 900 may be configured to be implemented in a vehicle and connected to various vehicle systems and sensors. The V2X on-board equipment 900 may include a processor 902 coupled to a memory 904. The memory 904 may be any form of non-transitory medium (e.g., read Only Memory (ROM), flash memory, etc.) and may store data and processor-executable instructions configured to cause the processor 902 to perform the operations of any of the embodiment methods described herein. The processor 902 may also be coupled to a wireless transceiver 906, the wireless transceiver 906 coupled to an antenna (not shown) of the vehicle and configured to transmit and receive V2X messages.
The various embodiments illustrated and described are provided merely as examples illustrating the various features of the claims. However, the features illustrated and described for any given embodiment are not necessarily limited to the associated embodiment and may be used or combined with other embodiments illustrated and described. Furthermore, the claims are not intended to be limited to any one example embodiment. For example, one or more operations of methods 400, 500, and 600 may be substituted for or combined with one or more operations of methods 400, 500, and 600.
Examples of implementations are described in the following paragraphs. While some of the following implementation examples are described in terms of example methods, further example implementations may include: an example method discussed in the following paragraphs implemented by a V2X processing device, network node, or computing device, which may be an on-board unit, a mobile device unit, a mobile computing unit, or a fixed roadside unit, the V2X processing device, network node, or computing device comprising a processor configured with processor-executable instructions to perform operations to implement the example method; an example method discussed in the following paragraphs implemented by a V2X processing device, a network node processing device, or a network computing node processing device, the V2X processing device, network node processing device, or network computing node processing device comprising means for performing the functions of the following implemented example methods; and the example methods discussed in the following paragraphs may be implemented as a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a V2X processing device, a network node processing device, or a processor of a network computing node processing device to perform operations of the following implementing the example methods.
Example 1. A method performed by a processor of an endpoint node for authenticating plaintext and ciphertext in a message, comprising: generating ciphertext from a plaintext message to be transmitted in the message; generating a hash of the ciphertext and a hash of the plaintext message; generating a concatenated digital signature of a hash of the ciphertext and a hash of the plaintext message; and sending a message to the network node comprising a ciphertext, a hash of the plaintext message, and a digital signature, wherein the ciphertext, the hash of the plaintext message, and the digital signature are configured to enable the network node to verify that the endpoint node signed the signed concatenation.
Example 2 the method of example 1, wherein the endpoint node comprises a vehicle networking (V2X) endpoint node and the message comprises a V2X message.
Example 3 the method of any one of examples 1 and 2, wherein the message is configured for transmission over a limited bandwidth wireless communication link.
Example 4 the method of any one of examples 1-3, wherein the message is configured to one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
Example 5 the method of any one of examples 1-4, wherein the plaintext message comprises one of: charging information, parking access information, road condition information, geographic networking information, and emergency responder information.
Example 6 the method of any of examples 1-5, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure comprising an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
Example 7. A method performed by a processor of a network node for processing a message, comprising: receiving, from the endpoint node, a digitally signed message comprising the ciphertext, a hash of the plaintext message, and a concatenation of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and in response to determining that the endpoint node signed the concatenation of the hash of the ciphertext and the hash of the plaintext message, transmitting the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to the encryption key device.
Example 8 the method of example 7, wherein the message comprises a vehicle networking (V2X) message and the endpoint node comprises a V2X endpoint node.
Example 9 the method of any one of examples 7 and 8, wherein determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message comprises: generating a hash of the ciphertext; concatenating the hash of the plaintext message and the generated hash of the ciphertext; and providing as input a concatenation of the hash of the plaintext message and the generated hash of the ciphertext to verify the digital signature using the public key of the endpoint node.
Example 10 the method of any of examples 7-9, wherein generating the hash of the ciphertext comprises generating the hash of the ciphertext using a hashing algorithm known to be used by the real endpoint node.
Example 11 the method of any of examples 7-10, wherein the message is configured for transmission over a limited bandwidth wireless communication link.
Example 12 the method of any one of examples 7-11, wherein the message is configured to one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
Example 13 the method of any of examples 7-12, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure comprising an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
Example 14 the method of any of examples 7-13, wherein sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to the encryption key device comprises: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key server.
Example 15 the method of any of examples 7-14, wherein sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to the encryption key device comprises: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key module.
Example 16. A method performed by a processor of a computing device for authenticating plaintext and ciphertext in a message, comprising: receiving, from the encryption key device, a plaintext message originated by the endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and performing a data transaction for the endpoint node in response to determining that the endpoint node signed a concatenation of the ciphertext and plaintext message.
Example 17 the method of example 16, wherein the message comprises a vehicle networking (V2X) message and the endpoint node comprises a V2X endpoint node.
Example 18 the method of any one of examples 16 and 17, wherein determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message comprises: generating a hash of the plaintext message; concatenating the generated hash of the plaintext message and a hash of the ciphertext; and providing as input a concatenation of the generated hash of the plaintext message and a hash of the ciphertext to verify the digital signature using a public key of the endpoint node.
Example 19 the method of any one of examples 16-18, wherein the plaintext message comprises one of: charging information, parking access information, road condition information, geographic networking information, and emergency responder information.
Example 20 the method of any of examples 16-19, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure comprising an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
Example 21 the method of any of examples 16-20, wherein receiving, from the encryption key device, the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message comprises: a plaintext message initiated by an endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are received from an encryption key server.
Example 22 the method of any of examples 16-21, wherein receiving, from the encryption key device, the plaintext message originated by the endpoint node, the hash of the ciphertext of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message comprises: a plaintext message initiated by an endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are received from an encryption key module.
Example 23. A system for authenticating plaintext and ciphertext in a message, comprising: an endpoint node comprising a processor configured with processor-executable instructions to generate ciphertext from a plaintext message to be transmitted in a message; generating a hash of the ciphertext and a hash of the plaintext message; generating a concatenated digital signature of a hash of the ciphertext and a hash of the plaintext message; and transmitting a message comprising the ciphertext, a hash of the plaintext message, and the digital signature; a network node comprising a processor configured with processor-executable instructions to receive a message comprising ciphertext, a hash of a plaintext message, and a digital signature from an endpoint node; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and in response to determining that the endpoint node signed a concatenation of the hash of the ciphertext and the hash of the plaintext message, sending the ciphertext, the hash of the plaintext message, and the digital signature to the encryption key device; and a network processing device including a processor configured with processor-executable instructions to receive from the encryption key device a plaintext message initiated by the endpoint node, a hash of a ciphertext of the plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and the hash of the plaintext message; determining whether the endpoint node signs a concatenation of a hash of the ciphertext and a hash of the plaintext message; and performing a data transaction for the endpoint node in response to determining that the endpoint node signed a concatenation of the ciphertext and plaintext message.
The foregoing method descriptions and the process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the operations of the various embodiments must be performed in the order presented. As will be appreciated by those skilled in the art, the order of operations in the foregoing embodiments may be performed in any order. Words such as "thereafter," "then," "next," etc. are not intended to limit the order of operations; these terms are only used to simply direct the reader through a description of the method. Furthermore, any reference to claim elements in the singular (e.g., using the articles "a," "an," or "the") is not to be construed as limiting the element to the singular.
The various illustrative logical blocks, modules, circuits, and algorithm operations described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and operations have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the claims.
The hardware used to implement the various illustrative logic, logic blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a Digital Signal Processor (DSP), an application specific integrated circuit (TCUASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Alternatively, some operations or methods may be performed by circuitry dedicated to a given function.
In one or more embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable medium or a non-transitory processor-readable medium. The operations of the methods or algorithms disclosed herein may be implemented in a processor-executable software module, which may reside on a non-transitory computer-readable or processor-readable storage medium. The non-transitory computer-readable or processor-readable storage medium may be any storage medium that can be accessed by a computer or processor. By way of example, and not limitation, such non-transitory computer-readable or processor-readable media can comprise RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk (disk) and disc (disk) as used herein include Compact Disc (CD), laser disc, optical disc, digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks (disk) often reproduce data magnetically, while discs (disk) reproduce data optically with lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present claims. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the claims. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.
Claims (33)
1. A method performed by a processor of an endpoint node for authenticating plaintext and ciphertext in a message, comprising:
generating ciphertext from a plaintext message to be transmitted in the message;
generating a hash of the ciphertext and a hash of the plaintext message;
generating a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message; and
transmitting a message comprising said ciphertext, said hash of said plaintext message and said digital signature to a network node,
wherein the ciphertext, the hash of the plaintext message, and the digital signature are configured to enable the network node to verify that the endpoint node signed a signed concatenation.
2. The method of claim 1, wherein the endpoint node comprises a vehicle networking (V2X) endpoint node and the message comprises a V2X message.
3. The method of claim 1, wherein the message is configured to be one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
4. The method of claim 1, wherein the plaintext message comprises one of: charging information, parking access information, road condition information, geographic networking information, and emergency responder information.
5. The method of claim 1, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
6. An endpoint node, comprising:
a processor configured with processor-executable instructions to:
generating ciphertext from a plaintext message to be transmitted in the message;
generating a hash of the ciphertext and a hash of the plaintext message;
Generating a concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message; and
transmitting a message comprising said ciphertext, said hash of said plaintext message and said digital signature to a network node,
wherein the ciphertext, the hash of the plaintext message, and the digital signature are configured to enable the network node to verify that the endpoint node signed a signed concatenation.
7. The endpoint node of claim 6, wherein the endpoint node comprises a vehicle networking (V2X) endpoint node and the message comprises a V2X message.
8. The endpoint node of claim 6, wherein the message is configured to be one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
9. The endpoint node of claim 6, wherein the plaintext message comprises one of: charging information, parking access information, road condition information, geographic networking information, and emergency responder information.
10. The endpoint node of claim 6, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure comprising an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
11. A method performed by a processor of a network node for processing a message, comprising:
receiving a digitally signed message from an endpoint node comprising ciphertext, a hash of a plaintext message, and a concatenation of the hash of the ciphertext and the hash of the plaintext message;
determining whether the end point node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message; and
in response to determining that the endpoint node signed the concatenation of the hash of the ciphertext and the hash of the plaintext message, sending the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to an encryption key device.
12. The method of claim 11, wherein the message comprises a vehicle networking (V2X) message and the endpoint node comprises a V2X endpoint node.
13. The method of claim 11, wherein determining whether the endpoint node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises:
generating a hash of the ciphertext;
Concatenating the hash of the plaintext message and the generated hash of the ciphertext; and
the concatenation of the hash of the plaintext message and the generated hash of the ciphertext is provided as input to verify the digital signature using a public key of the endpoint node.
14. The method of claim 11, wherein generating the hash of the ciphertext comprises generating the hash of the ciphertext using a hashing algorithm known to be used by a real endpoint node.
15. The method of claim 11, wherein the message is configured to be one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
16. The method of claim 11, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
17. The method of claim 11, wherein sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to an encryption key device comprises: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key server.
18. The method of claim 11, wherein sending the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message to an encryption key device comprises: the ciphertext, the hash of the plaintext message, and the concatenated digital signature of the hash of the ciphertext and the hash of the plaintext message are sent to an encryption key module.
19. A network node, comprising:
a processor configured with processor-executable instructions to:
receiving a digitally signed message from an endpoint node comprising ciphertext, a hash of a plaintext message, and a concatenation of the hash of the ciphertext and the hash of the plaintext message;
determining whether the end point node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message; and
in response to determining that the endpoint node signed the concatenation of the hash of the ciphertext and the hash of the plaintext message, sending the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to an encryption key device.
20. The network node of claim 19, wherein the message comprises a vehicle networking (V2X) message and the endpoint node comprises a V2X endpoint node.
21. The network node of claim 19, wherein the processor is further configured with processor-executable instructions to:
generating a hash of the ciphertext;
concatenating the hash of the plaintext message and the generated hash of the ciphertext; and
the concatenation of the hash of the plaintext message and the generated hash of the ciphertext is provided as input to verify the digital signature using a public key of the endpoint node.
22. The network node of claim 19, wherein the processor is further configured with processor-executable instructions to generate the hash of the ciphertext using a hashing algorithm known to be used by a real endpoint node.
23. The network node of claim 19, wherein the message is configured to be one of: charging messages, parking access messages, road condition messages, geographic networking messages, or emergency responder information.
24. The network node of claim 19, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure comprising an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
25. The network node of claim 19, wherein the processor is further configured with processor-executable instructions to send the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to an encryption key server.
26. The network node of claim 19, wherein the processor is further configured with processor-executable instructions to send the ciphertext, the hash of the plaintext message, and the digital signature of the concatenation of the hash of the ciphertext and the hash of the plaintext message to an encryption key module.
27. A method performed by a processor of a computing device for authenticating plaintext and ciphertext in a message, comprising:
receiving, from an encryption key device, a plaintext message originated by an endpoint node, a hash of a ciphertext of the plaintext message, and a concatenated digital signature of the hash of the ciphertext and a hash of the plaintext message;
determining whether the end point node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message; and
A data transaction is performed for the endpoint node in response to determining that the endpoint node signs the concatenation of the ciphertext and the plaintext message.
28. The method of claim 27, wherein the message comprises a vehicle networking (V2X) message and the endpoint node comprises a V2X endpoint node.
29. The method of claim 27, wherein determining whether the endpoint node signs the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises:
generating a hash of the plaintext message;
concatenating the generated hash of the plaintext message and the hash of the ciphertext; and
the concatenation of the generated hash of the plaintext message and the hash of the ciphertext is provided as input to verify the digital signature using a public key of the endpoint node.
30. The method of claim 27, wherein the plaintext message comprises one of: charging information, parking access information, road condition information, geographic networking information, and emergency responder information.
31. The method of claim 27, wherein the concatenation of the hash of the ciphertext and the hash of the plaintext message comprises a data structure that includes an identification of the ciphertext or the hash of the ciphertext and an identification of the plaintext message or the hash of the plaintext message.
32. The method of claim 27, wherein receiving, from an encryption key device, a plaintext message originated by an endpoint node, a hash of a ciphertext of the plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and a hash of the plaintext message comprises: a digital signature of a concatenation of the plaintext message, a hash of a ciphertext of the plaintext message, and the hash of the ciphertext and a hash of the plaintext message, initiated by an endpoint node, is received from an encryption key server.
33. The method of claim 27, wherein receiving, from an encryption key device, a plaintext message originated by an endpoint node, a hash of a ciphertext of the plaintext message, and a digital signature of a concatenation of the hash of the ciphertext and a hash of the plaintext message comprises: a digital signature of a concatenation of the plaintext message, a hash of a ciphertext of the plaintext message, and the hash of the ciphertext and a hash of the plaintext message, initiated by the endpoint node, is received from an encryption key module.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US63/158,955 | 2021-03-10 | ||
| US63/180,450 | 2021-04-27 | ||
| US17/497,120 US11792645B2 (en) | 2021-03-10 | 2021-10-08 | Authenticating plaintext and ciphertext in a vehicle-to-everything (V2X) message |
| US17/497,120 | 2021-10-08 | ||
| PCT/US2022/011077 WO2022191908A1 (en) | 2021-03-10 | 2022-01-04 | Authenticating plaintext and ciphertext in a vehicle-to-everything (v2x) message |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117044162A true CN117044162A (en) | 2023-11-10 |
Family
ID=88628595
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202280019099.2A Pending CN117044162A (en) | 2021-03-10 | 2022-01-04 | Authentication of plaintext and ciphertext in a vehicle networking (V2X) message |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117044162A (en) |
-
2022
- 2022-01-04 CN CN202280019099.2A patent/CN117044162A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107659550B (en) | Vehicle-to-vehicle private communication | |
| KR102304709B1 (en) | Method for adjusting adaptive security level on v2x communication message and apparatus for the same | |
| EP4106371A1 (en) | Communication method, apparatus and system | |
| CN111886883B (en) | Method, device and storage medium for detecting improper behavior of vehicle-mounted equipment and reporting route | |
| CN110149611B (en) | Identity verification method, equipment, system and computer readable medium | |
| WO2020199134A1 (en) | Methods and systems for provisioning of certificates for vehicle-based communication | |
| CN110796853A (en) | Intermediate vehicle transponder for out-of-range vehicles | |
| CN112435028B (en) | Block chain-based Internet of things data sharing method and device | |
| KR102495705B1 (en) | Vehicle-to-vehicle wireless payment method and system based on 5G communication network | |
| Da Silva et al. | Examining privacy in vehicular ad-hoc networks | |
| US11716596B2 (en) | Methods and systems for communication vehicle-to-everything (V2X) information | |
| US11792645B2 (en) | Authenticating plaintext and ciphertext in a vehicle-to-everything (V2X) message | |
| KR20210142170A (en) | security emergency vehicle communication | |
| CN117044162A (en) | Authentication of plaintext and ciphertext in a vehicle networking (V2X) message | |
| EP4305802A1 (en) | Authenticating plaintext and ciphertext in a vehicle-to-everything (v2x) message | |
| WO2022191909A1 (en) | Methods and systems for communication vehicle-to-everything (v2x) information | |
| CN116918361A (en) | Method and system for communicating internet of vehicles (V2X) information | |
| US11613264B2 (en) | Transmit-side misbehavior condition management | |
| US11937087B2 (en) | Vehicle-to-everything (V2X) participant type-based misbehavior detection | |
| US20220232383A1 (en) | Local Misbehavior Prevention System for Cooperative Intelligent Transportation Systems | |
| Nguyen et al. | The security concerns and countermeasures towards V2V and autonomous cars | |
| JP2024505423A (en) | Local malfunction prevention system for cooperative intelligent transportation systems | |
| Kanáliková et al. | Trends in the area of security within c2c communications | |
| CN115119164A (en) | Communication method, device and equipment | |
| Notaro | Simulating Malicious Attacks on VANETs for Connected and Autonomous Vehicles |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |