CN117978454A - Vehicle SOA service authentication mechanism - Google Patents


Publication number
CN117978454A
Authority
CN
China
Prior art keywords
authentication
service
white list
application
vehicle
Legal status
Pending
Application number
CN202410023560.2A
Other languages
Chinese (zh)
Inventor
黄海军
李军
Current Assignee
Faw Beijing Software Technology Co ltd
FAW Group Corp
Original Assignee
Faw Beijing Software Technology Co ltd
FAW Group Corp
Application filed by Faw Beijing Software Technology Co ltd, FAW Group Corp
Priority to CN202410023560.2A
Publication of CN117978454A


Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a vehicle SOA service authentication mechanism, which relates to the technical field of vehicle SOA services and comprises generating a mechanism authentication system in which an authentication application adding module, a white list construction module, a cache backup module and a double-end control module are arranged to provide selectable rights control for all service publishers and subscribers using a white list.

Description

Vehicle SOA service authentication mechanism
Technical Field
The invention relates to the technical field of vehicle SOA (service oriented architecture) service, in particular to a vehicle SOA service authentication mechanism.
Background
With the development of software-defined automobiles, the EEA of current vehicles adopts an SOA architecture, and the SOA service matrix defined on a single vehicle generally contains thousands of services, including ones that handle sensitive operations. However, the current SOA architecture lacks an authentication mechanism for providing and subscribing to services, and is vulnerable to threats such as malicious attacks and data sniffing.
In the prior art, important data can easily be subscribed to and received by illegitimate applications, or malicious instructions can be sent, which creates a threat. How to control the rights to publish and subscribe to SOA services, ensure that sensitive operations are not maliciously accessed, ensure that sensitive services resist DoS attacks, ensure that malicious SOA signals are not sent to endanger vehicle operation, improve the network security protection capability of the vehicle and reduce exposure points has become a focus of attention for vehicle manufacturers. Based on these problems, a vehicle SOA service authentication mechanism needs to be designed.
Accordingly, the present application provides a vehicle SOA service authentication mechanism to solve one of the above technical problems.
Disclosure of Invention
The application aims to provide a vehicle SOA service authentication mechanism which can solve at least one technical problem. The specific scheme is as follows:
According to the specific embodiments of the application, the purpose of the application is to provide a vehicle SOA service authentication mechanism that solves the problems raised in the background: important data is easily subscribed to and received by illegitimate applications, or malicious instructions are sent, which creates a threat. The mechanism addresses how to control the rights to publish and subscribe to SOA services, ensure that sensitive operations are not maliciously accessed, ensure that sensitive services resist DoS attacks, ensure that malicious SOA signals are not sent to endanger vehicle operation, improve the network security protection capability of the vehicle and reduce exposure points.
In order to solve the problems, the invention provides a technical scheme that:
The vehicle SOA service authentication mechanism comprises the following specific steps:
S1, generating a mechanism authentication system that provides selectable rights control for all service publishers and subscribers using a white list;
S2, adding a separate application device to take charge of authentication, modifying the static library originally used for SOME/IP communication, and embedding an authentication flow in the library's subscribe and publish operations;
S3, requiring that SOA services configured and subscribed over the SOME/IP protocol be applied for in advance, and constructing the white list from the application identifier together with the published and subscribed service information; after power-on, the newly added authentication application module starts first and initializes the white list, performing a one-time flow execution.
As a preferred technical solution, in step S3, after the white list has been started first and initialized, other SOA service users that publish or subscribe to a service must obtain the right through the authentication application: if authentication passes, the operation is allowed; if it does not pass, specific service error code information is returned.
As a preferred technical solution, the static library for someip communications in step S2 includes:
libsomeip;
libsomeip-xtf;
libsomeip-rtp.
As a preferred technical solution, the rights in step S1 include access rights, service rights, security rights, management rights and audit rights.
As a preferred technical solution, the access right is used for reading and submitting vehicle data provided by the relevant services; the service right is used for authorizing specific services, including a positioning service, a navigation service and a driving assistance service; the security right is used for verifying data and protecting it against tampering using a digital signature technology; the management right is used for managing and configuring access policies and security policies; and the audit right is used for viewing audit logs, including the party's own access logs and the access logs of other vehicles or services.
As a preferred technical scheme, the mechanism authentication system comprises an authentication application adding module, a white list construction module, a cache backup module and a double-end control module, wherein the output end of the authentication application adding module is in communication connection with the input end of the white list construction module, the output end of the white list construction module is in communication connection with the input end of the cache backup module, and the output end of the cache backup module is in communication connection with the input end of the double-end control module.
As a preferred technical scheme, the authentication application adding module comprises an application adding unit, an authentication application unit and an embedded management unit, wherein the output end of the application adding unit is in communication connection with the input end of the authentication application unit, the authentication application unit is in bidirectional communication connection with the embedded management unit, and the output end of the authentication application unit is in communication connection with the input end of the whitelist building module;
The application adding unit is used for providing selectable rights control for all service publishers and subscribers, formulating detailed access policies, ensuring that a vehicle can access only authorized services, and presetting and editing the content of the selectable rights;
The authentication application unit is used for modifying the static library originally used for SOME/IP communication and performing application authentication in its subscribe and publish operations;
The embedded management unit is integrated inside the authentication application unit and is used for embedding the authentication flow in the library's subscribe and publish operations and supervising the whole process in real time.
As a preferred technical scheme, the white list construction module comprises a white list updating unit, a white list management model and a white list encryption unit, wherein the output end of the white list management model is in communication connection with the input end of the white list updating unit, the white list updating unit and the white list management model are both in bidirectional communication connection with the white list encryption unit, and the output end of the white list updating unit is in communication connection with the input end of the cache backup module;
The white list updating unit is used for carrying out data synchronization and updating on the white list model updated in real time, constructing a white list together with the application identifier and the published and subscribed service information, and preferentially starting and initializing the white list to carry out one-time flow execution operation;
the white list management model is used for generating a model for each authentication mechanism and continuously updating and managing the model;
the white list encryption unit is used for ensuring that service requests and responses are encrypted in the transmission process by using an HTTPS protocol, and preventing white list information from being leaked.
As a preferred technical scheme, the cache backup module comprises an internal cache unit and a data backup unit, wherein the output end of the internal cache unit is in communication connection with the input end of the data backup unit, and the output end of the internal cache unit is in communication connection with the input end of the double-end control module;
The internal cache unit provides a caching mechanism in the authentication static library, which avoids frequent requests by reducing interaction with the authentication application device within a period;
The data backup unit is used for carrying out backup processing on all received data.
As a preferable technical scheme, the double-ended control module comprises a publisher operation port and a subscriber operation port, and the publisher operation port and the subscriber operation port are in bidirectional communication connection;
the publisher operation port is used for logging in and accessing the inside of the mechanism authentication system by the publisher, allows adjustment and updating according to real-time conditions, and formulates a fine-granularity access strategy so as to ensure that only authorized vehicles can execute specific operations;
The subscriber operation port is used for logging in and accessing the inside of the mechanism authentication system by the subscriber, and recording the detailed information of each service access, including vehicle identification, access time, access result and the like, so as to facilitate tracking and auditing.
Compared with the prior art, the scheme provided by the embodiment of the application has at least the following beneficial effects:
By providing an authentication application adding module, a white list construction module, a cache backup module and a double-end control module, the invention forms a complete mechanism authentication system. In use, it provides selectable rights control for all service publishers and subscribers using a white list; a separately added application device takes charge of authentication, the static library originally used for SOME/IP communication is modified, and an authentication flow is embedded in its subscribe and publish operations; the white list is constructed from the application identifier together with the published and subscribed service information; and after power-on the newly added authentication application module starts first and initializes the white list, performing a one-time flow execution. The vehicle SOA services and the corresponding analysis results are managed, visualized and stored, which helps to realize mechanism authentication of vehicle SOA services through Internet cloud management and control, raises the intelligence level of mechanism authentication management, shortens the otherwise tedious overall flow, and facilitates global real-time management. This ensures that malicious SOA signals are not sent to endanger vehicle operation, improves the network security protection capability of the vehicle and reduces exposure points.
Drawings
FIG. 1 illustrates a use case diagram of a vehicle SOA service authentication mechanism;
FIG. 2 shows a flow chart of a vehicle SOA service authentication mechanism.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise; "plurality" generally means at least two.
It should be understood that the term "and/or" as used herein merely describes an association between the associated objects and means that three relationships are possible; e.g., A and/or B may represent: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application, these descriptions should not be limited to these terms. These terms are only used to distinguish one from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of embodiments of the application.
The word "if", as used herein, may be interpreted as "when" or "upon" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event)", depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a commodity or device comprising such elements.
In particular, the symbols and/or numerals present in the description, if not marked in the description of the figures, are not numbered.
Alternative embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The embodiment provided by the application is an embodiment of a vehicle SOA service authentication mechanism.
As shown in fig. 1 and 2, the following technical solutions are adopted in this embodiment:
The vehicle SOA service authentication mechanism comprises the following specific steps:
S1, generating a mechanism authentication system that provides selectable rights control for all service publishers and subscribers using a white list;
S2, adding a separate application device to take charge of authentication, modifying the static library originally used for SOME/IP communication, and embedding an authentication flow in the library's subscribe and publish operations;
S3, requiring that SOA services configured and subscribed over the SOME/IP protocol be applied for in advance, and constructing the white list from the application identifier together with the published and subscribed service information; after power-on, the newly added authentication application module starts first and initializes the white list, performing a one-time flow execution.
In this embodiment, in step S3, after the white list has been started first and initialized, other SOA service users that publish or subscribe to a service must obtain the right through the authentication application: if authentication passes, the operation is allowed; if it does not pass, specific service error code information is returned.
In this embodiment, the static library for someip communications in step S2 includes:
libsomeip;
libsomeip-xtf;
libsomeip-rtp.
In this embodiment, the rights in step S1 include access rights, service rights, security rights, management rights and audit rights.
In this embodiment, the access right is used for reading and submitting vehicle data provided by the relevant services; the service right is used for authorizing specific services, including a positioning service, a navigation service and a driving assistance service; the security right is used for verifying data and protecting it against tampering using a digital signature technology; the management right is used for managing and configuring access policies and security policies; and the audit right is used for viewing audit logs, including the vehicle's own access logs and the access logs of other vehicles or services.
In this embodiment, the mechanism authentication system includes an authentication application adding module, a whitelist building module, a cache backup module and a double-end control module, where an output end of the authentication application adding module is in communication connection with an input end of the whitelist building module, an output end of the whitelist building module is in communication connection with an input end of the cache backup module, and an output end of the cache backup module is in communication connection with an input end of the double-end control module.
In this embodiment, the authentication application adding module includes an application adding unit, an authentication application unit and an embedded management unit, where an output end of the application adding unit is in communication connection with an input end of the authentication application unit, the authentication application unit is in two-way communication connection with the embedded management unit, and an output end of the authentication application unit is in communication connection with an input end of the white list construction module. The application adding unit is used for providing selectable rights control for all service publishers and subscribers, formulating detailed access policies, ensuring that a vehicle can access only authorized services, and presetting and editing the content of the selectable rights. The authentication application unit is used for modifying the static library originally used for SOME/IP communication and performing application authentication in its subscribe and publish operations. The embedded management unit is integrated inside the authentication application unit and is used for embedding the authentication flow in the library's subscribe and publish operations and supervising the whole process in real time.
In this embodiment, the whitelist building module includes a whitelist updating unit, a whitelist management model and a whitelist encryption unit, where an output end of the whitelist management model is in communication connection with an input end of the whitelist updating unit, the whitelist updating unit and the whitelist management model are both in two-way communication connection with the whitelist encryption unit, and an output end of the whitelist updating unit is in communication connection with an input end of the cache backup module; the white list updating unit is used for carrying out data synchronization and updating on the white list model updated in real time, constructing a white list together with the application identifier and the published and subscribed service information, and preferentially starting and initializing the white list to carry out one-time flow execution operation; the white list management model is used for generating a model for each authentication mechanism and continuously updating and managing the model; the white list encryption unit is used for ensuring that service requests and responses are encrypted in the transmission process by using an HTTPS protocol, and preventing white list information from being leaked.
In this embodiment, the cache backup module includes an internal cache unit and a data backup unit; the output end of the internal cache unit is in communication connection with the input end of the data backup unit, and the output end of the internal cache unit is in communication connection with the input end of the double-end control module. The internal cache unit provides a caching mechanism in the authentication static library, which avoids frequent requests by reducing interaction with the authentication application device within a period; the data backup unit is used for backing up all received data.
In this embodiment, the double-end control module includes a publisher operation port and a subscriber operation port, which are in two-way communication connection. The publisher operation port is used by the publisher to log in to and access the mechanism authentication system; it allows adjustment and updating according to real-time conditions and formulates a fine-grained access policy to ensure that only authorized vehicles can perform specific operations. The subscriber operation port is used by the subscriber to log in to and access the mechanism authentication system, and records the details of each service access, including vehicle identification, access time, access result and the like, to facilitate tracking and auditing.
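A minimal sketch of the publish/subscribe check in step S3 and of the internal cache unit, added here as an example; it is not code from the patent or from any SOME/IP library. The 16-bit application identifiers, the error codes, the cache size and the 5-second period are assumptions, and the white list entries are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All identifiers, error codes and the cache period below are assumptions:
 * the patent names none of them. */
typedef enum { ROLE_PUBLISH = 1, ROLE_SUBSCRIBE = 2 } soa_role_t;

typedef enum {
    AUTH_OK = 0,
    AUTH_ERR_NOT_INITIALIZED, /* white list not loaded yet: fail closed */
    AUTH_ERR_UNKNOWN_APP,     /* application identifier not in the white list */
    AUTH_ERR_SERVICE_DENIED,  /* application known, service not listed for it */
    AUTH_ERR_ROLE_DENIED      /* service listed, but not for this role */
} auth_result_t;

typedef struct {
    uint16_t app_id;     /* application identifier (assumed 16-bit) */
    uint16_t service_id; /* SOME/IP service ID */
    uint8_t  roles;      /* bitmask of soa_role_t */
} wl_entry_t;

/* Constructed sample white list: application + service + allowed roles. */
const wl_entry_t WHITELIST_CONSTRUCTED[] = {
    { 0x0101, 0x1234, ROLE_PUBLISH },
    { 0x0202, 0x1234, ROLE_SUBSCRIBE },
    { 0x0202, 0x5678, ROLE_PUBLISH | ROLE_SUBSCRIBE },
};
const size_t WHITELIST_CONSTRUCTED_LEN =
    sizeof WHITELIST_CONSTRUCTED / sizeof WHITELIST_CONSTRUCTED[0];

/* ---- authentication application (starts first after power-on) ---- */
static const wl_entry_t *g_wl = NULL;
static size_t g_wl_len = 0;
static unsigned g_queries = 0; /* how often the library had to ask */

void auth_app_init(const wl_entry_t *wl, size_t n) {
    g_wl = wl; g_wl_len = n; g_queries = 0;
}
unsigned auth_app_query_count(void) { return g_queries; }

auth_result_t auth_app_check(uint16_t app, uint16_t svc, soa_role_t role) {
    int app_seen = 0, svc_seen = 0;
    g_queries++;
    if (g_wl == NULL) return AUTH_ERR_NOT_INITIALIZED;
    for (size_t i = 0; i < g_wl_len; i++) {
        if (g_wl[i].app_id != app) continue;
        app_seen = 1;
        if (g_wl[i].service_id != svc) continue;
        svc_seen = 1;
        if ((g_wl[i].roles & role) != 0) return AUTH_OK;
    }
    if (!app_seen) return AUTH_ERR_UNKNOWN_APP;
    return svc_seen ? AUTH_ERR_ROLE_DENIED : AUTH_ERR_SERVICE_DENIED;
}

/* ---- modified static library, linked into each SOA application ---- */
#define CACHE_SLOTS  8
#define CACHE_TTL_MS 5000u /* assumed "period" for cached decisions */

typedef struct {
    int used; uint16_t service_id; soa_role_t role;
    auth_result_t result; uint32_t expires_ms;
} cache_slot_t;

typedef struct {
    uint16_t app_id; /* how this is bound to the process is outside the sketch */
    cache_slot_t slots[CACHE_SLOTS];
} lib_ctx_t;

/* Called by the library before it offers (publishes) or subscribes a service.
 * Grants and denials are both cached, so a denied caller that retries in a
 * loop cannot flood the authentication application; the cost is that a
 * white list change takes up to CACHE_TTL_MS to reach this process. */
auth_result_t lib_authorize(lib_ctx_t *ctx, uint16_t svc, soa_role_t role,
                            uint32_t now_ms) {
    cache_slot_t *slot = NULL;
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        cache_slot_t *s = &ctx->slots[i];
        if (s->used && (int32_t)(now_ms - s->expires_ms) >= 0)
            s->used = 0; /* entry expired */
        if (s->used && s->service_id == svc && s->role == role)
            return s->result; /* cache hit: no round trip */
        if (!s->used && slot == NULL)
            slot = s;
    }
    auth_result_t res = auth_app_check(ctx->app_id, svc, role);
    /* NOT_INITIALIZED is transient during start-up, so it is never cached. */
    if (slot != NULL && res != AUTH_ERR_NOT_INITIALIZED) {
        slot->used = 1; slot->service_id = svc; slot->role = role;
        slot->result = res; slot->expires_ms = now_ms + CACHE_TTL_MS;
    }
    return res;
}

int main(void) {
    lib_ctx_t sub = { .app_id = 0x0202 };
    auth_app_init(WHITELIST_CONSTRUCTED, WHITELIST_CONSTRUCTED_LEN);
    printf("subscribe 0x1234 -> %d\n", lib_authorize(&sub, 0x1234, ROLE_SUBSCRIBE, 0));
    printf("publish   0x1234 -> %d\n", lib_authorize(&sub, 0x1234, ROLE_PUBLISH, 1));
    printf("queries to auth app: %u\n", auth_app_query_count());
    return 0;
}
```

The cache period is the trade-off to tune: it bounds both the load on the authentication application and the delay before a revoked white list entry stops working.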
Example 1
When the mechanism authentication system is connected to the vehicle SOA service management:
S1, vehicle publishers and vehicle subscribers check the required equipment item by item and start the mechanism authentication system. The application adding unit provides selectable rights control for all service publishers and subscribers using a white list; the rights comprise access rights, service rights, security rights, management rights and audit rights. The access right reads and submits vehicle data provided by the relevant services; the service right authorizes specific services, including a positioning service, a navigation service and a driving assistance service; the security right verifies data and protects it against tampering using a digital signature technology; the management right manages and configures access policies and security policies; and the audit right is used for viewing audit logs, including the party's own access logs and the access logs of other vehicles or services;
S2, a separate application device is added to take charge of authentication. The authentication application unit modifies the static library originally used for SOME/IP communication and performs application authentication in its subscribe and publish operations; the embedded management unit embeds the authentication flow in those operations and supervises the whole process in real time;
S3, SOA services configured and subscribed over the SOME/IP protocol must be applied for in advance. The white list management model generates a model for each authentication mechanism and continuously updates and manages it; the white list updating unit synchronizes and updates the white list model in real time, and the white list is constructed from the application identifier together with the published and subscribed service information. After power-on, the newly added authentication application module starts first and initializes the white list. When other SOA service users publish or subscribe to a service, they must obtain the right through the authentication application: if authentication passes, the operation is allowed; if it does not pass, specific service error code information is returned; this is a one-time flow execution. The white list encryption unit ensures that service requests and responses are encrypted in transit using the HTTPS protocol, preventing leakage of white list information. The cache unit reduces interaction with the authentication application device within a period, avoiding frequent requests through the authentication static library's caching mechanism, and the data backup unit backs up all received data.
The selectable rights are tabulated below:
The static library table of contents for someip communications is as follows:
Example 2
When the mechanism authentication system is connected to face identity data management:
S1, face identity data publishers check the required equipment item by item and start the mechanism authentication system. The application adding unit provides selectable rights control for all service publishers and subscribers using a white list; the rights comprise access rights, service rights, security rights, management rights and audit rights. The access right reads and submits vehicle data provided by the relevant services; the service right authorizes specific services, including a positioning service, a navigation service and a driving assistance service; the security right verifies data and protects it against tampering using a digital signature technology; the management right manages and configures access policies and security policies; and the audit right is used for viewing audit logs, including the party's own access logs and the access logs of other vehicles or services;
S2, the face identity data publisher adds an application device to take charge of authentication. The authentication application unit modifies the static library originally used for SOME/IP communication and performs application authentication in its subscribe and publish operations; the authentication flow is embedded in those operations, and the whole process of face identity data authentication is supervised in real time;
S3, the white list management model generates a model for each authentication mechanism and continuously updates and manages it; the white list updating unit synchronizes and updates the white list model in real time, and the white list is constructed from the application identifier together with the published and subscribed service information. After power-on, the newly added authentication application module starts first and initializes the white list. When other users publish or subscribe to face identification data, they must obtain the right through the authentication application: if authentication passes, the operation is allowed; if it does not pass, specific service error code information is returned; this is a one-time flow execution. The white list encryption unit ensures that service requests and responses are encrypted in transit using the HTTPS protocol, preventing leakage of white list information. The cache unit reduces interaction with the authentication application device within a period, providing a caching mechanism, and the data backup unit backs up all received data.
Specifically:
In practical application, the system is provided with a plurality of double-end control modules, each used together with the authentication application adding module, the white list construction module and the cache backup module, and the double-end control modules are located at different geographic positions. Vehicle publishers and vehicle subscribers check the required equipment item by item and start the mechanism authentication system. The application adding unit provides selectable rights control for all service publishers and subscribers using a white list; the rights comprise access rights, service rights, security rights, management rights and audit rights. The access right reads and submits vehicle data provided by the relevant services; the service right authorizes specific services, including a positioning service, a navigation service and a driving assistance service; the security right verifies data and protects it against tampering using a digital signature technology; the management right manages and configures access policies and security policies; and the audit right is used for viewing audit logs, including the party's own access logs and the access logs of other vehicles or services.
A separate application device is added to take charge of authentication. The authentication application unit modifies the static library originally used for SOME/IP communication and performs application authentication in its subscribe and publish operations; the embedded management unit embeds the authentication flow in those operations and supervises the whole process in real time. SOA services configured and subscribed over the SOME/IP protocol must be applied for in advance. The white list management model generates a model for each authentication mechanism and continuously updates and manages it; the white list updating unit synchronizes and updates the white list model in real time, and the white list is constructed from the application identifier together with the published and subscribed service information. After power-on, the newly added authentication application module starts first and initializes the white list. When other SOA service users publish or subscribe to a service, they must obtain the right through the authentication application: if authentication passes, the operation is allowed; if it does not pass, specific service error code information is returned; this is a one-time flow execution. The white list encryption unit ensures that service requests and responses are encrypted in transit using the HTTPS protocol, preventing leakage of white list information.
By providing an authentication application adding module, a white list construction module, a cache backup module and a double-end control module, the invention forms a complete mechanism authentication system. In use, it provides selectable rights control for all service publishers and subscribers using a white list; a separately added application device takes charge of authentication, the static library originally used for SOME/IP communication is modified, and an authentication flow is embedded in its subscribe and publish operations; the white list is constructed from the application identifier together with the published and subscribed service information; and after power-on the newly added authentication application module starts first and initializes the white list, performing a one-time flow execution. The vehicle SOA services and the corresponding analysis results are managed, visualized and stored, so that mechanism authentication of vehicle SOA services is realized through Internet cloud management and control, the intelligence level of mechanism authentication management is raised, the otherwise tedious overall flow is shortened, and global real-time management is made convenient. This ensures that malicious SOA signals are not sent to endanger vehicle operation, improves the network security protection capability of the vehicle and reduces exposure points.
Those of ordinary skill in the art will appreciate that the modules and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus, device and module described above may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways.
For example, the system embodiments described above are merely illustrative: the division of the modules is merely a logical function division, and there may be other division manners in actual implementation; for example, a plurality of modules or units may be combined or integrated into another apparatus, or some features may be omitted or not performed.
Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or apparatuses, which may be in electrical, mechanical or other form.
The modules for authentication application addition, white list construction, cache backup and double-ended control may or may not be physically separated, and the components displayed as the modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory server, a random access memory server, a magnetic disk or an optical disk, or other various media capable of storing program instructions.
In addition, it should be noted that the combination of the technical features described in the present invention is not limited to the combination described in the claims or the combination described in the specific embodiments, and all the technical features described in the present invention may be freely combined or combined in any manner unless contradiction occurs between them.
It should be noted that the above-mentioned embodiments are merely examples of the present invention, and it is obvious that the present invention is not limited to the above-mentioned embodiments, and many similar variations are possible. All modifications attainable or obvious from the present disclosure set forth herein should be deemed to be within the scope of the present disclosure.
The foregoing is merely illustrative of the preferred embodiments of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included within the protection scope of the present application. The above embodiments serve only to illustrate the technical solution of the present application, not to limit it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical scheme described in the foregoing embodiments can be modified, or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. The vehicle SOA service authentication mechanism is characterized by comprising the following specific steps:
S1, generating a mechanism authentication system, which provides selectable rights control for all service publishers and subscribers by using a white list mode;
S2, an application device is added separately to take charge of the authentication operation, the static library originally used for someip communication is modified, and an authentication flow is embedded in the subscription and publication of the static library;
S3, configuring the SOA service and subscribing to the SOA service based on the someip protocol must be applied for in advance; a white list is constructed from the application identifier together with the published and subscribed service information; and after power-on, the newly added authentication application module starts first and initializes the white list to perform a one-time flow execution operation.
2. The vehicle SOA service authentication mechanism as claimed in claim 1, wherein: in step S3, after the white list policy is preferentially started and initialized, when other SOA service users perform service publishing or subscribing, the authority needs to be acquired through the authentication application; the operation is allowed only if the authentication passes, and if it does not pass, specific service error code information is returned.
3. The vehicle SOA service authentication mechanism as claimed in claim 1, wherein: the static library for someip communications in step S2 includes: libsomeip; libsomeip-xtf; libsomeip-rtp.
4. The vehicle SOA service authentication mechanism as claimed in claim 1, wherein: the rights in step S1 include access rights, service rights, security rights, management rights, and audit rights.
5. The vehicle SOA service authentication mechanism as claimed in claim 4, wherein: the access rights are used for reading vehicle data provided by related services; the service rights are used for authorizing specific services, including positioning service, navigation service and driving auxiliary service; the security rights are used for verifying the data and protecting it against tampering by using digital signature technology; the management rights are used for managing and configuring access policies and security policies; and the audit rights are used for checking audit logs, including access logs of the vehicle and access logs of other vehicles or services.
6. The vehicle SOA service authentication mechanism as claimed in claim 1, wherein: the mechanism authentication system comprises an authentication application adding module, a white list constructing module, a cache backup module and a double-end control module, wherein the output end of the authentication application adding module is in communication connection with the input end of the white list constructing module, the output end of the white list constructing module is in communication connection with the input end of the cache backup module, and the output end of the cache backup module is in communication connection with the input end of the double-end control module.
7. The vehicle SOA service authentication mechanism as claimed in claim 6, wherein:
The authentication application adding module comprises an application adding unit, an authentication application unit and an embedded management unit;
The application adding unit is used for providing optional rights control for all service publishers and subscribers, and making detailed access strategies to ensure that the vehicle can only access the authorized services;
The authentication application unit is used for modifying the static library originally used for someip communication, and carrying out application authentication in subscription and publication;
The embedded management unit is integrated inside the authentication application unit and is used for embedding the authentication process in the subscription and publication of the static library and performing real-time supervision processing on the whole process.
8. The vehicle SOA service authentication mechanism as claimed in claim 6, wherein:
The white list construction module comprises a white list updating unit, a white list management model and a white list encryption unit;
The white list updating unit is used for carrying out data synchronization and updating on the white list model updated in real time, constructing a white list together with the application identifier and the published and subscribed service information, and preferentially starting and initializing the white list to carry out one-time flow execution operation;
The white list management model is used for generating a model for each authentication mechanism and continuously updating and managing the model;
The white list encryption unit is used for ensuring that service requests and responses are encrypted in the transmission process by using an HTTPS protocol, and preventing white list information from being leaked.
9. The vehicle SOA service authentication mechanism as claimed in claim 6, wherein:
The cache backup module comprises an internal cache unit and a data backup unit;
The internal caching unit is used for adding a caching mechanism inside the authentication static library, which reduces frequent applications by reducing interaction with the authentication application device within a period;
The data backup unit is used for carrying out backup processing on all received data.
10. The vehicle SOA service authentication mechanism as claimed in claim 6, wherein:
The double-end control module comprises a publisher operation port and a subscriber operation port;
The publisher operation port is used for a publisher to log in and access the inside of the mechanism authentication system, and allows adjustment and update according to real-time conditions;
The subscriber operation port is used for logging in and accessing the inside of the mechanism authentication system by the subscriber and recording the detailed information of each service access.
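The flow of claims 1, 2 and 9 (white list initialized at power-on, publish/subscribe gated by the authentication application with an error code on refusal, and a cache inside the static library) can be sketched in C as an added example; it is not code from the patent or from any SOME/IP library. All function names, error-code values, the 30-second cache lifetime and the sample white list are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and values: the patent defines no API or error codes. */
enum soa_op { OP_PUBLISH, OP_SUBSCRIBE };
enum auth_rc { AUTH_OK = 0, AUTH_ERR_DENIED = 1, AUTH_ERR_NOT_READY = 2 };
struct wl_entry { const char *app_id; uint16_t service_id; enum soa_op op; };

/* Constructed white list: application identifier + published/subscribed service. */
static const struct wl_entry WHITELIST[] = {
    { "nav_app",  0x1001, OP_SUBSCRIBE },
    { "gnss_app", 0x1001, OP_PUBLISH   },
};
static int wl_ready = 0;   /* set when the authentication application starts */
static int auth_calls = 0; /* round trips to the authentication application */

void auth_app_init(void) { wl_ready = 1; }

/* Authentication application side: fail closed until the white list is loaded. */
enum auth_rc auth_app_check(const char *app, uint16_t svc, enum soa_op op) {
    auth_calls++;
    if (!wl_ready) return AUTH_ERR_NOT_READY;
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
        if (WHITELIST[i].service_id == svc && WHITELIST[i].op == op &&
            strcmp(WHITELIST[i].app_id, app) == 0)
            return AUTH_OK;
    return AUTH_ERR_DENIED;
}

/* Static-library side: one-slot decision cache; the lifetime bounds how long
 * a decision can outlive a white list update. */
#define CACHE_TTL_S 30
static struct { char app[32]; uint16_t svc; enum soa_op op; enum auth_rc rc; long expires; } cache;

enum auth_rc lib_authorize(const char *app, uint16_t svc, enum soa_op op, long now) {
    if (now < cache.expires && cache.svc == svc && cache.op == op &&
        strcmp(cache.app, app) == 0)
        return cache.rc;                        /* served locally, no round trip */
    enum auth_rc rc = auth_app_check(app, svc, op);
    /* Skip caching transient states and identifiers that would be truncated:
     * a truncated key could match a different, shorter application id. */
    if (rc != AUTH_ERR_NOT_READY && strlen(app) < sizeof cache.app) {
        snprintf(cache.app, sizeof cache.app, "%s", app);
        cache.svc = svc; cache.op = op; cache.rc = rc;
        cache.expires = now + CACHE_TTL_S;
    }
    return rc;
}

int main(void) {
    auth_app_init();
    printf("nav_app subscribe 0x1001 -> %d\n", lib_authorize("nav_app", 0x1001, OP_SUBSCRIBE, 0));
    printf("nav_app publish   0x1001 -> %d\n", lib_authorize("nav_app", 0x1001, OP_PUBLISH, 1));
    return 0;
}
```

The cache key covers the application identifier, the service and the operation, so a cached subscribe decision never answers a publish request.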
CN202410023560.2A 2024-01-08 2024-01-08 Vehicle SOA service authentication mechanism Pending CN117978454A (en)

Publications (1)

Publication Number Publication Date
CN117978454A (en) 2024-05-03

Family

ID=90860630

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination