WO2023082190A1 - Device authentication method and apparatus - Google Patents

Device authentication method and apparatus Download PDF

Info

Publication number
WO2023082190A1
WO2023082190A1 PCT/CN2021/130393 CN2021130393W WO2023082190A1 WO 2023082190 A1 WO2023082190 A1 WO 2023082190A1 CN 2021130393 W CN2021130393 W CN 2021130393W WO 2023082190 A1 WO2023082190 A1 WO 2023082190A1
Authority
WO
WIPO (PCT)
Prior art keywords
fingerprint
parameter
authenticated
authentication
client
Prior art date
Application number
PCT/CN2021/130393
Other languages
French (fr)
Chinese (zh)
Inventor
钟胤
魏卓
李铁岩
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2021/130393 priority Critical patent/WO2023082190A1/en
Publication of WO2023082190A1 publication Critical patent/WO2023082190A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Definitions

  • the present application relates to the technical field of authentication, and more specifically, to a device authentication method and device.
  • the embodiments of the present application provide a device authentication method and device, which can be applied to the fields of vehicles, ships, airplanes and other means of transportation, as well as the authentication of devices in fields such as security and the Internet of Things, and can improve the security of the devices.
  • a device authentication method is provided, and the method is applied to a client.
  • the client may be a control device in the vehicle, for example, a domain controller in the vehicle, a mobile data center (mobile data center, MDC), etc., and may also be a cloud server .
  • the control device in the vehicle can be preferably selected as the client.
  • the method includes: obtaining a first fingerprint of the device to be authenticated; receiving a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated; sending the first parameter to blockchain.
  • the above-mentioned device to be authenticated may be a vehicle-mounted device.
  • the fingerprint of the device is an identification of the identity of the device, which can reflect the unique physical characteristics of the device.
  • the above-mentioned first parameter being associated with the first fingerprint includes that the first parameter may be obtained based on the first fingerprint.
  • the above-mentioned first parameter may include a hash value of the first fingerprint, or may include a result of directly compressing the first fingerprint, which is not limited in this application.
  • the hash value of the first fingerprint can be generated through the file system.
  • the file system may be the Interplanetary File System IPFS.
  • IPFS can generate an independent hash value to identify the file through the content of the file instead of the location where the file is saved, so there will only be one copy of the file with the same content in the system, which can save storage space; in addition, stored in IPFS File data on the Internet can be quickly obtained, making access to data faster, safer, and more open.
  • the first fingerprint of the device to be authenticated is obtained through the client, and the first parameter related to the first fingerprint is sent to the block chain, so that the first parameter can be based on the block chain Authenticate the device to be authenticated, so that on the one hand, it can improve the security of the device; on the other hand, because there is no need to program and pre-key the device, and there is no need to add a hardware security module to the device, thus solving the hardware cost There is no need to worry about the space problem of hardware security storage, and the device can be plug-and-play.
  • the first parameter includes a first hash value; and receiving the first parameter includes: receiving the first hash value from an interplanetary file system IPFS.
  • the client can first extract the fingerprint of the device to be authenticated, and then send the fingerprint of the device to be authenticated to IPFS, encrypt and store the fingerprint data through IPFS and return a hash value to the client, thereby
  • the storage of fingerprints to be authenticated on the client side can be avoided, saving the storage space of the client side.
  • the first fingerprint is associated with an output of the device to be authenticated.
  • the signal or data output by the device usually hides unique physical features that reflect the identity of the device, so the physical features of the device can be determined based on the output of the device as the fingerprint of the device.
  • the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals multiple.
  • the acquiring the first fingerprint of the device to be authenticated includes: acquiring the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
  • the receiving the first parameter includes: receiving the first parameter at a period of T;
  • the sending the first parameter to the blockchain includes: sending the first parameter to the blockchain at a period of T.
  • the method before acquiring the first fingerprint of the device to be authenticated, the method further includes: acquiring a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; receiving a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and sending the second parameter to the block chain.
  • the pre-installed device refers to a pre-installed trusted device, whose fingerprint is used as a reference fingerprint, which can be compared with the fingerprint of the device to be authenticated based on the fingerprint to determine whether the device has been maliciously replaced.
  • the preset device can be preset under different circumstances.
  • the device can be preset by the vehicle manufacturer or an equipment supplier trusted by the vehicle manufacturer when leaving the factory, or it can be done during subsequent after-sales maintenance. Relevant professional and technical personnel carry out the preset of the equipment or replace the original preset equipment, which is not limited in this application.
  • the second fingerprint of the preset device before obtaining the first fingerprint of the device to be authenticated, can be obtained first, and the second fingerprint is a reference fingerprint, and the second parameter related to the second fingerprint is sent to to the block chain, so that the device to be authenticated can be authenticated on the block chain based on the first parameter and the second parameter, thereby improving the security of the device.
  • the second parameter includes a second hash value; receiving the second parameter includes: receiving the second hash value from an interplanetary file system IPFS.
  • the client can first extract the fingerprint of the preset device, then send the fingerprint of the preset device to IPFS, encrypt and store the fingerprint data through IPFS, and return a hash value to the client, so that It can avoid storing the preset device fingerprint on the client, saving the storage space of the client.
  • the method further includes: determining that the provisioning device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
  • the method further includes: determining that the provisioning device or the second fingerprint has configuration authority; and performing an acquisition and/or configuration operation on the second fingerprint based on the configuration authority .
  • the client since the second fingerprint of the pre-provisioned device needs to be used as a reference fingerprint, the client also needs to determine whether the pre-provisioned device or the second fingerprint has configuration authority, so that the second fingerprint can be obtained and/or configured subsequently. , where the configuring operation may include configuring the second fingerprint as the reference fingerprint. If it is determined that the provisioning device or the second fingerprint has configuration authority, the second fingerprint may be configured as a reference fingerprint, or it may be understood that the second fingerprint may be configured as a reference fingerprint or the second fingerprint may be used as a reference fingerprint.
  • the client may determine whether the provisioning device or the second fingerprint has configuration authority, and if it is determined that there is configuration authority, the second fingerprint may be used as a reference fingerprint. Based on this, the security of device authentication can be guaranteed.
  • the preset device or the second fingerprint may be determined whether the preset device or the second fingerprint has configuration authority when the client switches to the "reference fingerprint extraction and upload mode" (for example: configuration mode, engineering mode, etc.). It should be understood that in this mode, if it is determined that the pre-installed device or the second fingerprint has the configuration authority, the uploaded second fingerprint will be marked as a reference fingerprint, and the blockchain will use this reference fingerprint with subsequent new fingerprints in the subsequent authentication process. fingerprint (ie the first fingerprint) for comparison. If the blockchain has already recorded a reference fingerprint when uploading, then the newly uploaded reference fingerprint can replace the old reference fingerprint. It should be understood that the switch of the configuration mode can also pass through the authority control process (for example: authentication, password, etc.), to ensure that only authorized persons can perform the operation/configuration of the reference fingerprint, thereby ensuring the security of device authentication.
  • the authority control process for example: authentication, password, etc.
  • a device authentication method is provided, the method is applied to a block chain, and the method includes: receiving a first parameter sent by a client, the first parameter being associated with a first fingerprint of the device to be authenticated; according to the The first parameter is used to authenticate the device to be authenticated.
  • the first parameter related to the first fingerprint of the device to be authenticated sent by the client is received through the blockchain, and then the device to be authenticated is authenticated on the blockchain according to the first parameter to ensure that the device Trustworthy, so that on the one hand, the security of the device can be improved; on the other hand, because there is no need to program and pre-key the device, and there is no need to add a hardware security module to the device, thus solving the hardware cost problem, and also There is no need to worry about the space problem of hardware security storage, and the device can be plug-and-play.
  • the first parameter includes a first hash value
  • the first hash value is generated through an interplanetary file system IPFS.
  • the client can first extract the fingerprint of the device to be authenticated, and then send the fingerprint of the device to be authenticated to IPFS, encrypt and store the fingerprint data through IPFS and return a hash value to the client, thereby
  • the storage of fingerprints to be authenticated on the client side can be avoided, saving the storage space of the client side.
  • the first fingerprint is associated with an output of the device to be authenticated.
  • the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
  • the method before receiving the first parameter sent by the client, the method further includes: receiving a second parameter sent by the client, and the second parameter is the same as the preset The second fingerprint of the device is associated, and the second fingerprint is a reference fingerprint; authenticating the device to be authenticated according to the first parameter includes: authenticating the device to be authenticated according to the first parameter and the second parameter.
  • the block chain before the block chain receives the first parameter sent by the client, it can first receive the second parameter related to the second fingerprint (reference fingerprint) of the preset device sent by the client, and then according to the first parameter The first parameter and the second parameter are used to authenticate the device to be authenticated, so that the security of the device can be improved.
  • the authenticating the device to be authenticated according to the first parameter and the second parameter includes: obtaining the first parameter according to the first parameter and the second parameter fingerprint and the second fingerprint; authenticating the device to be authenticated according to the first fingerprint and the second fingerprint.
  • the first fingerprint and the second fingerprint are obtained according to the first parameter and the second parameter, and the block chain may obtain the first fingerprint directly from the file system (for example, IPFS) based on the first parameter and the second parameter.
  • IPFS file system
  • the first fingerprint and the second fingerprint can improve the speed and security of fingerprint acquisition.
  • the device to be authenticated is authenticated according to the first fingerprint and the second fingerprint, specifically, the device to be authenticated may be authenticated according to a similarity between the first fingerprint and the second fingerprint.
  • the device to be authenticated can be continuously authenticated by periodically authenticating the device to be authenticated according to the first parameter received from the client at a period of T, thereby improving the security of the device .
  • authenticating the device to be authenticated according to the first parameter includes: authenticating the device to be authenticated by using a smart contract and the first parameter.
  • smart contracts can automatically execute some pre-defined rules and terms based on the data stored on the blockchain. Moreover, the execution of the smart contract does not need to rely on the participation or intervention of a third-party organization. The supervision and arbitration of the contract are completed by the computer; once the smart contract is deployed, all content cannot be modified, and no party can interfere with the execution of the contract. Therefore, in the embodiment of the present application, the device to be authenticated can be authenticated through the smart contract and the first parameter, so that the reliability of device authentication can be improved, and thus the security of the device can be improved.
  • the method further includes: processing the authentication result, the processing operation includes recording a log One or more of triggering a warning and feeding back the authentication result to the client.
  • a device authentication device which is applied to a client, and the device includes: a processing module, used to obtain a first fingerprint of a device to be authenticated; a transceiver module, used to receive a first parameter, the first A parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated; the transceiver module is also used to send the first parameter to the block chain.
  • the transceiver module has the capability of data sending and/or receiving.
  • the first parameter includes a first hash value; the transceiver module is further configured to receive the first hash value from an interplanetary file system IPFS.
  • the first fingerprint is associated with an output of the device to be authenticated.
  • the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
  • the processing module is further configured to acquire the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
  • the processing module before acquiring the first fingerprint of the device to be authenticated, is further configured to acquire a second fingerprint of the preset device, and the second fingerprint is a reference Fingerprint; the transceiver module is also used to receive a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and send the second parameter to the block chain.
  • the second parameter includes a second hash value; the transceiver module is further configured to receive the second hash value from an interplanetary file system IPFS.
  • the processing module is configured to determine that the preset device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint .
  • the processing module is configured to determine that the preset device or the second fingerprint has configuration authority, and acquire and/or obtain the second fingerprint based on the configuration authority. Configure operations. Exemplarily, the processing module may determine that the provisioning device or the second fingerprint has configuration authority before acquiring the second fingerprint of the provisioning device.
  • a device authentication device configured to apply to a blockchain, and the device includes: a transceiver module, configured to receive a first parameter sent by a client, the first parameter and the first fingerprint of the device to be authenticated Associated; a processing module, configured to authenticate the device to be authenticated according to the first parameter.
  • the first parameter includes a first hash value
  • the first hash value is generated through an interplanetary file system IPFS.
  • the first fingerprint is associated with an output of the device to be authenticated.
  • the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
  • the transceiver module before receiving the first parameter sent by the client, is further configured to receive a second parameter sent by the client, and the second parameter is the same as The second fingerprint of the preset device is associated, and the second fingerprint is a reference fingerprint; the processing module is also used to authenticate the device to be authenticated according to the first parameter and the second parameter.
  • the processing module is further configured to acquire the first fingerprint and the second fingerprint according to the first parameter and the second parameter; The similarity of the second fingerprint authenticates the device to be authenticated.
  • the transceiver module is further configured to receive the first parameter sent by the client at a period of T, where T is an integer greater than 0; the processing module is also configured to , periodically authenticate the device to be authenticated according to the first parameter sent by the client received at a period of T.
  • the processing module is further configured to authenticate the device to be authenticated by using the smart contract and the first parameter.
  • the processing module is further configured to perform processing operations on the authentication results, the processing operations including recording logs, triggering warnings, and feeding back the authentication results to the client in the client. one or more.
  • a device authentication device including an input and output interface, a processor and a memory, the processor is used to control the input and output interface to send and receive signals or information, the memory is used to store computer programs, and the processor is used to Call and run the computer program from the memory, so that the device authentication apparatus executes the authentication method in the first aspect or any possible implementation of the first aspect; and/or executes the authentication method in the second aspect or the second An authentication method in any possible implementation of the aspect.
  • the device authentication device can be applied to scenarios where authentication is required and storage space is limited, for example, it can be applied to the authentication of equipment in vehicles, ships, airplanes, etc., and it can also be applied to the authentication of equipment in the security field, or It can be applied to authentication of devices in fields such as the Internet of Things, which is not limited in this application.
  • a sixth aspect provides an authentication system for a device, including a client for executing the authentication method in the first aspect or any possible implementation of the first aspect and a client for executing the second aspect or the second aspect Blockchain of authentication methods in any of the possible implementations.
  • a vehicle component including a client for executing the authentication method in the first aspect or any possible implementation manner of the first aspect.
  • a vehicle including an electronic control unit, and the electronic control unit is configured to execute the authentication method in the first aspect or any possible implementation manner of the first aspect.
  • a computer-readable storage medium which is characterized by comprising instructions; the instructions are used to implement the authentication method in the first aspect or in any possible implementation manner of the first aspect; and/or , implementing the second aspect or the authentication method in any possible implementation manner of the second aspect.
  • a computer program product which is characterized in that it includes: a computer program that, when the computer program is run, causes the computer to perform the authentication in the first aspect or in any possible implementation manner of the first aspect. method; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
  • a computing device including: at least one processor and a memory, the at least one processor is coupled to the memory, and is used to read and execute instructions in the memory, so as to execute the An authentication method in one aspect or any possible implementation manner of the first aspect; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
  • a chip in a twelfth aspect, there is provided a chip, the chip includes a processor and a data interface, and the processor reads instructions stored on the memory through the data interface, and executes any of the possible functions of the first aspect or the first aspect.
  • the authentication method in the implementation manner of the second aspect; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
  • the chip may further include a memory, the memory stores instructions, the processor is configured to execute the instructions stored in the memory, and when the instructions are executed, the The processor is configured to execute the authentication method in the first aspect or any possible implementation manner of the first aspect; and/or execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
  • a chip system which includes at least one processor, configured to support the implementation of the functions involved in the first aspect or some implementations of the first aspect, for example, receiving or processing the above-mentioned Data and/or information involved in the method.
  • the chip system further includes a memory, the memory is used to store program instructions and data, and the memory is located inside or outside the processor.
  • the system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • FIG. 1 is an example diagram of a traditional solution for authenticating a vehicle-mounted device.
  • Fig. 2 is an example diagram of a device authentication method provided by an embodiment of the present application.
  • Fig. 3 is an example of a continuous authentication method for a vehicle-mounted device provided by an embodiment of the present application.
  • Fig. 4 is an example diagram of a process of storing and uploading reference fingerprints provided by the embodiment of the present application.
  • Fig. 5 is an example diagram of a process of storing and uploading a fingerprint to be authenticated according to an embodiment of the present application.
  • FIG. 6 is an example diagram of a fingerprint acquisition process in a fingerprint authentication process provided by an embodiment of the present application.
  • Fig. 7 is an apparatus 700 for device authentication provided by an embodiment of the present application.
  • FIG. 8 is an apparatus 800 for device authentication provided by an embodiment of the present application.
  • FIG. 9 is a device authentication system 900 provided by an embodiment of the present application.
  • FIG. 10 is an exemplary block diagram of a hardware structure of a device authentication apparatus 1000 provided by an embodiment of the present application.
  • Blockchain technology is a technical solution that does not rely on third parties and stores, verifies, transmits and communicates network data through its own distributed nodes. Blockchain technology has the advantages of decentralization, openness, security, independence, and anonymity.
  • Smart contract Based on the data stored on the blockchain, some pre-defined rules and terms can be automatically executed.
  • IPFS Interplanetary file system
  • IPFS IP-Fi Protected Access
  • Physical unclonable function The physical unclonable function uses the inherent physical structure to uniquely identify it, and any input stimulus will output a unique and unpredictable response.
  • Consensus Algorithm Can be defined as a mechanism for reaching consensus through a blockchain network.
  • the public (decentralized) blockchain does not rely on a central authority, but is passed by the distributed nodes to realize transactions.
  • the consensus algorithm comes into play, which ensures the normal execution of protocol rules and transactions can occur without trust.
  • the service-oriented in-vehicle architecture is the current development direction. Services such as autonomous driving, entertainment information, and vehicle body management all need to be realized through in-vehicle equipment, so the safety of in-vehicle equipment is particularly important.
  • the service-oriented in-vehicle architecture is also open.
  • the in-vehicle architecture provides standard interfaces for various in-vehicle devices and sensors. Therefore, the possibility of the in-vehicle devices being stolen or replaced is high, resulting in the inability to guarantee the safety of the in-vehicle devices, which in turn leads to Safety cannot be guaranteed. Therefore, it is necessary to authenticate the vehicle-mounted device to improve the security of the vehicle-mounted device.
  • the authentication of the on-board device is mainly realized based on a symmetric key.
  • the authentication process 100 of the traditional solution mainly includes steps S110 to S170, and these steps are briefly described below.
  • the vehicle-mounted system sends the random number to the vehicle-mounted device
  • the vehicle device encrypts the random number
  • the vehicle-mounted device sends the ciphertext of the random number to the vehicle-mounted system
  • the on-board system compares the ciphertexts and determines the authentication result, considers the authentication successful when the ciphertexts are the same, and considers the authentication failure when the ciphertexts are different;
  • the vehicle system feeds back the authentication result to the vehicle device.
  • this application provides a device authentication method and device, which is mainly based on the physical unclonable feature of the device as an identity (i.e. fingerprint), and then combines the blockchain technology to authenticate the device on the blockchain to ensure that the device Trusted, which can improve the security of the device.
  • an identity i.e. fingerprint
  • the device uses physical features to authenticate the device requires extracting features from the output of the device and performing feature comparison. It does not require programming and pre-keying in the device, avoiding adding hardware security modules to the device, and solving the hardware cost problem; At the same time, there is no need to worry about the space problem of hardware security storage. Moreover, the device can be plug-and-play without the need for pre-programming and pre-keying.
  • Fig. 2 is an example diagram of a device authentication method provided by an embodiment of the present application. It should be understood that the method 200 can be applied to the fields of vehicles, ships, airplanes and other vehicles, as well as the authentication of devices in fields such as security and Internet of Things, which is not limited in this application. However, for ease of description, in the following embodiments, the application to vehicles is taken as an example.
  • the method 200 may include S210 to S240 , and each step in the method 200 will be described in detail below.
  • the client acquires the first fingerprint of the device to be authenticated.
  • the client may be a control device in the vehicle, for example, a domain controller in the vehicle, a mobile data center (mobile data center, MDC), etc., and may also be a cloud server.
  • the control device in the vehicle may be preferably selected as the client.
  • the device when applied to a vehicle, the device may be described as an in-vehicle device.
  • the vehicle-mounted device can be a sensor such as a camera, a millimeter-wave radar, or a laser radar on the vehicle, or it can be a vehicle-mounted device communicating through a controller area network (CAN) or an Ethernet (ethereum, ETH) on the vehicle. equipment, which is not limited in this application.
  • CAN controller area network
  • Ethernet ethereum, ETH
  • the fingerprint of the device is an identification of the identity of the device, which can reflect the unique physical characteristics of the device.
  • the first fingerprint of the device to be authenticated can be obtained according to the output of the device to be authenticated.
  • the unique physical features reflecting the device identity can be extracted from the output of these devices as the device fingerprint (ie, the first fingerprint).
  • the embodiment of the present application does not limit the manner of obtaining the device fingerprint reflecting the unique physical characteristics of the device through the signal or data output by the device.
  • the first fingerprint of the device to be authenticated is obtained according to the output of the device to be authenticated, which can also be described as that the first fingerprint of the device to be authenticated is associated with the output of the device to be authenticated.
  • the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals, which are not limited in this application.
  • the client receives a first parameter.
  • the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated.
  • the foregoing first parameter being associated with the first fingerprint means that the first parameter is obtained based on the first fingerprint.
  • the above-mentioned first parameter may include a hash value of the first fingerprint (that is, the first hash value), or may include a result of directly compressing the first fingerprint, which is not limited in this application.
  • the hash value of the first fingerprint may be generated by a file system or by other means, which is not limited in this application.
  • the file system may be IPFS
  • the above-mentioned receiving of the first parameter by the client may be that the client receives the first parameter from IPFS.
  • the client can first extract the fingerprint of the device to be authenticated (that is, the first fingerprint), and then send the fingerprint to IPFS, encrypt and store the fingerprint through IPFS and return a hash value to the client, It should be understood that the hash value is obtained based on the fingerprint, so that the storage of the fingerprint to be authenticated at the client can be avoided and the storage space of the client can be saved.
  • the client sends the first parameter to the blockchain.
  • the blockchain receives the first parameter sent by the client.
  • the block chain authenticates the device to be authenticated according to the first parameter.
  • the first fingerprint of the device to be authenticated is obtained through the client, and the first parameter related to the first fingerprint is sent to the block chain, and at the same time, device authentication is performed on the block chain based on the first parameter , to ensure the reliability of the device and improve the security of the device.
  • the solution of this application does not need to program and pre-set keys in the device, and does not need to add a hardware security module to the device, thus solving the problem of hardware cost, and there is no need to worry about the space for hardware security storage problem, it can also realize the device plug and play.
  • the method 200 may further include: the client acquires a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; the client receives a second parameter, the The second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; the client sends the second parameter to the block chain.
  • the block chain receives the second parameter sent by the client, and authenticates the device to be authenticated according to the first parameter and the second parameter.
  • the foregoing second parameter being associated with the second fingerprint may also mean that the second parameter is obtained based on the second fingerprint.
  • the above-mentioned second parameter may include a hash value of the second fingerprint (that is, the second hash value), or may include a result of directly compressing the second fingerprint, which is not limited in the present application.
  • the hash value of the second fingerprint can be generated through the file system.
  • the file system may be IPFS
  • the above-mentioned receiving of the second parameter by the client may be that the client receives the second parameter from IPFS.
  • the client can first extract the fingerprint of the pre-installed device, then send the fingerprint to IPFS, encrypt and store the fingerprint data through IPFS, and return a hash value to the client, thereby avoiding The terminal stores the preset device fingerprints, which saves the storage space of the client.
  • the pre-installed device refers to a pre-installed trusted device, whose fingerprint is used as a reference fingerprint, which can be compared with the fingerprint of the device to be authenticated based on the fingerprint to determine whether the device has been maliciously replaced.
  • the preset device can be preset under different circumstances.
  • the device can be preset by the vehicle manufacturer or an equipment supplier trusted by the vehicle manufacturer when leaving the factory, or it can be done during subsequent after-sales maintenance. Relevant professional and technical personnel carry out the preset of the equipment or replace the original preset equipment, which is not limited in this application.
  • authenticating the device to be authenticated according to the first parameter and the second parameter includes: obtaining the first fingerprint and the second fingerprint according to the first parameter and the second parameter; certified.
  • the acquisition of the first fingerprint and the second fingerprint according to the first parameter and the second parameter above may be that the blockchain directly acquires the first fingerprint and the second fingerprint from the file system (for example, IPFS) based on the first parameter and the second parameter.
  • IPFS file system
  • the blockchain can directly obtain the first fingerprint of the device to be authenticated and the second fingerprint of the preset device sent by the previous client from IPFS, and then compare the first fingerprint and the second fingerprint. Comparison, in order to realize the authentication of the equipment to be authenticated, and then ensure the security of the equipment.
  • the device to be authenticated is authenticated according to the first fingerprint and the second fingerprint, specifically, the device to be authenticated may be authenticated according to the similarity between the first fingerprint and the second fingerprint.
  • the second parameter related to the second fingerprint of the preset device (that is, the reference fingerprint) sent by the client may be received first, and then according to the first parameter and The second parameter authenticates the device to be authenticated, so that the security of the device can be improved.
  • the method 200 may further include: determining that the provisioning device or the second fingerprint has configuration authority, where the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
  • the method 200 may further include: determining that the provisioning device or the second fingerprint has a configuration authority; and performing an acquisition and/or configuration operation on the second fingerprint based on the configuration authority.
  • the client may determine that the provisioning device or the second fingerprint has configuration authority.
  • the client since the second fingerprint of the pre-provisioned device needs to be used as a reference fingerprint, the client also needs to determine whether the pre-provisioned device or the second fingerprint has configuration authority, so that the second fingerprint can be obtained and/or configured subsequently. , wherein the configuring operation may include configuring the second fingerprint as a reference fingerprint. If the provisioning device or the second fingerprint has configuration authority, the second fingerprint may be a reference fingerprint, or it may be understood that the second fingerprint may be configured as a reference fingerprint or the second fingerprint may be used as a reference fingerprint. For example, before acquiring the second fingerprint, the client may determine whether the provisioning device or the second fingerprint has configuration authority, and if it is determined that there is configuration authority, the second fingerprint may be used as a reference fingerprint. Based on this, the security of device authentication can be guaranteed.
  • the preset device or the second fingerprint may be determined whether the preset device or the second fingerprint has configuration authority when the client switches to the "reference fingerprint extraction and upload mode" (for example: configuration mode, engineering mode, etc.). It should be understood that in this mode, if it is determined that the preset device or the second fingerprint has configuration authority, the uploaded second fingerprint will be marked as a reference fingerprint, and the blockchain will use this reference fingerprint and Subsequent new fingerprints (ie, the first fingerprint) are compared. If the blockchain has already recorded a reference fingerprint when uploading, then the newly uploaded reference fingerprint can replace the old reference fingerprint. It should be understood that the switch of the configuration mode can also pass through the authority control process (for example: authentication, password, etc.), to ensure that only authorized persons can perform the operation/configuration of the reference fingerprint, thereby ensuring the security of device authentication.
  • the authority control process for example: authentication, password, etc.
  • the device to be authenticated can also be authenticated through a smart contract, thereby improving the security of the device.
  • the method 200 may further include: processing the authentication result by the blockchain.
  • the processing operation may include one or more of logging, triggering a warning, and feeding back an authentication result to the client.
  • the blockchain can use background records or trigger warnings for processing, and can also directly feed back the authentication results to the client, so that the client can process itself according to the authentication results.
  • the client can use Refuse communication, record logs, and risk warnings to ensure device security.
  • the client acquires the first fingerprint of the device to be authenticated, which may be that the client acquires the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
  • the client receiving the first parameter can be: the client receives the first parameter at a period of T; the client sending the first parameter to the blockchain can be: the client sends the first parameter to the blockchain at a period of T .
  • the device to be authenticated can be continuously authenticated by periodically authenticating the device to be authenticated according to the first parameter received from the client at a period of T, thereby improving the security of the device .
  • the continuous authentication scheme of the vehicle-mounted device will be introduced in detail with reference to FIG. 3 to FIG. 6 .
  • Fig. 3 is an example of a continuous authentication method for a vehicle-mounted device provided by an embodiment of the present application. As shown in FIG. 3 , the method 300 includes steps S310 to S360 , and these steps will be described in detail below.
  • the original data output by sensors such as cameras, millimeter-wave radars, and lidars (for example: output images, videos, distances, speeds, point cloud data, etc.) hide their inherent physical characteristics; other vehicle-mounted devices, such as through CAN or For ETH communication equipment, the physical layer signals and messages received from CAN and ETH also carry the physical characteristics of the sending equipment.
  • the unique physical characteristics that can reflect the identity of the vehicle-mounted device in advance can be used as the fingerprint of the vehicle-mounted device.
  • the unique physical characteristics that reflect the identity of the vehicle-mounted device can be extracted from the signals or data output by these vehicle-mounted devices as device fingerprints.
  • the fingerprint extraction process will be exemplarily introduced below by taking the fingerprint extraction of a pre-installed camera as an example.
  • Step 1 First, acquire N images from the video stream output by the preset camera, and this application does not limit the number of acquired images.
  • Step 2 Define the linear relationship between one pixel and other pixels in the pixel blocks included in each of the N images.
  • each of the N images includes multiple pixel blocks, and each pixel block includes an M*R pixel array.
  • M represents the number of horizontal pixels
  • R represents the number of vertical pixels
  • M and R may be the same or different.
  • the number of pixel blocks included in each image can be the same or different; and the pixel arrays corresponding to different pixel blocks can be the same or different (that is, the M value and R value of the pixel arrays corresponding to different pixel blocks can be the same can also be different), which is not limited in this application.
  • the pixel array may be 3*3, 3*5, 5*5, 5*9, 9*9, 16*16, etc., which is not limited in this application.
  • the description below will take different pixel blocks corresponding to the same pixel array as an example.
  • a and b respectively satisfy the relationship: 1 ⁇ a ⁇ R, 1 ⁇ b ⁇ M.
  • the linear relationship model between the light intensity x 33 of the pixel in the third row and the third column and the light intensity of other pixels is:
  • Step 3 According to the pixels of K pixel blocks in the above N images (each pixel block in these K pixel blocks can come from a different image, or, multiple pixel blocks in these K pixel blocks can come from The same image, which is not limited in this application), construct the following sample data:
  • y i represents the light intensity of the pixel in row a and column b in the i-th pixel block of K pixel blocks
  • x i,1 , xi,2 ,...,xi ,n represent the i-th In a pixel block, the light intensity of other pixels except the pixels in the ath row and the bth column
  • M and R can be understood as the number of horizontal pixels and vertical pixels included in the ith pixel block
  • the above-defined model is trained to determine parameters C and B in the model.
  • the light intensity of the pixel in row a and column b in each pixel block can be predicted according to the model, that is, the light intensity that can pass through its surrounding pixels (that is, other pixels except row a and column b
  • the light intensity of the pixel is used as input, and the light intensity of the pixel in row a and column b is calculated through the model.
  • Step 4 Predict the pixel value of row a and column b in each pixel block according to the model, and calculate the deviation between the predicted value and the real value, and calculate the deviation between the predicted value of row a and column b and the real value Denoted as (a,b,bias).
  • Step 5 Take D maximum deviations from K pixel blocks to form a vector, and use this vector as a fingerprint.
  • the client After obtaining the reference fingerprint, the client sends the reference fingerprint to IPFS; encrypts and stores the above-mentioned extracted reference fingerprint data through IPFS, and returns the hash value of the reference fingerprint (ie, the above-mentioned second hash value) to the client; then The client sends the second hash value returned by IPFS as a transaction to each node of the blockchain, as shown in Figure 4.
  • the on-chain fingerprint hash value refers to storing the hash value of the fingerprint as a transaction on each node of the blockchain.
  • each node of the blockchain packs the received second hash value into a block according to the data structure of the blockchain, and uses a consensus algorithm to drive each node to verify the transaction in the block, and the data is broadcast after the verification is completed To all nodes, the data is successfully uploaded to the chain, that is, the storage of fingerprint data is completed.
  • the fingerprint to be authenticated (that is, the first fingerprint) is extracted and uploaded to the blockchain.
  • the block chain can adopt the Ethereum private chain and the consensus mechanism based on proof of stake (POS). After the fingerprint data is packaged on the chain, there is a block chain data layer. Immutability ensures identity integrity.
  • smart contracts with Turing completeness can also be deployed on the blockchain, for example, deploying authentication contracts to authenticate fingerprints (see step S350) and anti-counterfeit contracts to process authentication results (see step S360).
  • the authentication script algorithm is deployed in the contract layer of the blockchain.
  • the authentication smart contract is triggered, and then the smart contract is transferred from IPFS according to the second hash value of the reference fingerprint and the first hash value of the fingerprint to be authenticated.
  • the reference fingerprint and the fingerprint to be authenticated are extracted and compared for authentication, as shown in Figure 6. During the comparison process, it can be judged whether the two fingerprints come from the same vehicle-mounted device according to their similarity.
  • the similarity of two fingerprints can be calculated by cosine similarity. If the cosine similarity is greater than a preset threshold, the authentication is considered successful (that is, the two fingerprints come from the same vehicle-mounted device).
  • the fingerprint to be authenticated may also be collected periodically for comparison with the reference fingerprint, so as to realize continuous authentication of fingerprints (that is, to periodically repeat S340 and S350 to realize continuous authentication).
  • the collection period of fingerprints to be authenticated can be set to 1min, 5min, 10min, 15min, etc., which need to be determined in conjunction with the transaction time and data processing time of the actual blockchain, which is not limited in this application.
  • the contract status of successful authentication can be recorded as 0, and the contract status of failed authentication can be recorded as 1.
  • the contract status is displayed as 0; when the authentication fails, the contract status is displayed as 1.
  • the anti-counterfeiting contract can also be triggered, and the anti-counterfeiting contract will record that the device has failed authentication. times or do other tasks (for example, prompting the owner, etc.), this application does not limit this.
  • Fig. 7 is an apparatus 700 for device authentication provided by an embodiment of the present application.
  • the apparatus 700 is applied to a client, and the apparatus includes: a processing module 710 and a transceiver module 720 .
  • the transceiver module has the capability of sending and/or receiving data.
  • the processing module 710 is configured to obtain the first fingerprint of the device to be authenticated.
  • the transceiver module 720 is configured to receive a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated.
  • the transceiver module 720 is also used to send the first parameter to the block chain.
  • the first parameter may include a first hash value; the transceiver module 720 may also be configured to receive the first hash value from the interplanetary file system IPFS.
  • the first fingerprint may be associated with the output of the device to be authenticated.
  • the output of the device to be authenticated may include one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals.
  • the processing module 710 may also be configured to acquire the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
  • the processing module 710 may also be used to obtain a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; the transceiver module 720 may also be used to receive the second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and the second parameter is sent to the block chain.
  • the second parameter may include a second hash value; the transceiver module 720 may also be configured to receive the second hash value from the interplanetary file system IPFS.
  • the processing module 710 may be further configured to determine that the provisioning device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
  • the processing module 710 may also be configured to determine that the pre-configured device or the second fingerprint has configuration authority; and perform acquisition and/or configuration operations on the second fingerprint based on the configuration authority.
  • the processing module 710 may determine that the provisioning device or the second fingerprint has configuration authority before obtaining the second fingerprint of the provisioning device.
  • FIG. 8 is an apparatus 800 for device authentication provided by an embodiment of the present application.
  • the device 800 is applied to a block chain, and the device includes: a transceiver module 810 and a processing module 820 . It should be understood that the transceiver module has the capability of sending and/or receiving data.
  • the transceiver module 810 is configured to receive the first parameter sent by the client, and the first parameter is associated with the first fingerprint of the device to be authenticated.
  • the processing module 820 is configured to authenticate the device to be authenticated according to the first parameter.
  • the first parameter may include a first hash value, and the first hash value may be generated through the interplanetary file system IPFS.
  • the first fingerprint may be associated with the output of the device to be authenticated.
  • the output of the device to be authenticated may include one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals.
  • the transceiver module 810 may also be configured to receive a second parameter sent by the client, the second parameter is associated with the second fingerprint of the preset device, and the second fingerprint is Referring to the fingerprint; the processing module 820 may also be configured to authenticate the device to be authenticated according to the first parameter and the second parameter.
  • the processing module 820 may also be configured to acquire the first fingerprint and the second fingerprint according to the first parameter and the second parameter; and authenticate the device to be authenticated according to the similarity between the first fingerprint and the second fingerprint.
  • the transceiver module 810 can also be used to receive the first parameter sent by the client at a period of T, where T is an integer greater than 0; the processing module 820 can also be used to receive the first parameter from the client at a period of T.
  • the sent first parameter periodically authenticates the device to be authenticated.
  • processing module 820 may also be configured to authenticate the device to be authenticated through the smart contract and the first parameter.
  • the processing module 820 may also be configured to perform a processing operation on the authentication result, and the processing operation includes one or more of logging, triggering a warning, and feeding back the authentication result to the client.
  • FIG. 9 is a device authentication system 900 provided by an embodiment of the present application.
  • the system 900 includes a device 700 and a device 800, and the device 700 is applied to the client, and can be used to perform related operations corresponding to the client in the method embodiment of the present application.
  • the device 800 is applied to the block
  • the chain can be used to perform related operations corresponding to the blockchain in the method embodiments of this application.
  • Fig. 10 is an exemplary block diagram of the hardware structure of the device authentication apparatus provided by the embodiment of the present application.
  • the apparatus 1000 may specifically be a computer device.
  • the device 1000 includes a memory 1010 , a processor 1020 , a communication interface 1030 and a bus 1040 .
  • the memory 1010 , the processor 1020 , and the communication interface 1030 are connected to each other through the bus 1040 .
  • the memory 1010 may be a read-only memory (read-only memory, ROM), a static storage device, a dynamic storage device or a random access memory (random access memory, RAM).
  • the memory 1010 may store a program, and when the program stored in the memory 1010 is executed by the processor 1020, the processor 1020 is configured to execute each step of the authentication method in the embodiment of the present application.
  • the processor 1020 may adopt a general-purpose CPU, a microprocessor, an ASIC, a graphics processing unit (graphics processing unit, GPU) or one or more integrated circuits for executing related programs to implement the authentication method of the method embodiment of the present application.
  • the processor 1020 may also be an integrated circuit chip with signal processing capability. During implementation, the authentication method of the present application may be completed by an integrated logic circuit of hardware in the processor 1020 or instructions in the form of software.
  • the above-mentioned processor 1020 may also be a general-purpose processor, a digital signal processor (digital signal processor, DSP), ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, and discrete hardware components.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field-programmable gate array
  • Various methods, steps, and logic block diagrams disclosed in the embodiments of the present application may be implemented or executed.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
  • the storage medium is located in the memory 1010, and the processor 1020 reads the information in the memory 1010, and combines its hardware to complete the functions required by the modules included in the device of the embodiment of the present application, or execute the authentication method of the method embodiment of the present application.
  • the communication interface 1030 implements communication between the apparatus 1000 and other devices or communication networks by using a transceiver device such as but not limited to a transceiver.
  • Bus 1040 may include pathways for communicating information between various components of device 1000 (eg, memory 1010, processor 1020, communication interface 1030).
  • the embodiment of the present application also provides an on-vehicle component, including a device for performing related operations corresponding to the client in the method embodiment of the present application.
  • the embodiment of the present application also provides a vehicle, including an electronic control unit, and the electronic control unit is configured to perform related operations corresponding to the client in the method embodiment of the present application.
  • the embodiment of the present application also provides a computer-readable storage medium, which is characterized by including instructions; the instructions are used to implement the related operations corresponding to the client in the method embodiments of the application; and/or, to implement the method of the application Related operations corresponding to the blockchain in the embodiment.
  • the embodiment of the present application also provides a computer program product, which is characterized in that it includes: a computer program that, when the computer program is run, causes the computer to perform the relevant operations corresponding to the client in the method embodiment of the present application; and/or , to execute the relevant operations corresponding to the blockchain in the method embodiment of the present application.
  • the embodiment of the present application also provides a computing device, including: at least one processor and a memory, the at least one processor is coupled to the memory, and is used to read and execute instructions in the memory to execute the present application
  • the embodiment of the present application also provides a chip, the chip includes a processor and a data interface, the processor reads the instructions stored on the memory through the data interface, and executes the instructions corresponding to the client in the method embodiment of the present application.
  • the disclosed systems, devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes. .

Abstract

Provided in the embodiments of the present application are a device authentication method and apparatus, which can be applied to the authentication of devices in fields of transportation means such as vehicles, ships and airplanes, and devices in fields such as security protection and the Internet of Things. The method comprises: a client acquiring a first fingerprint of a device to be authenticated; the client receiving a first parameter, wherein the first parameter is associated with the first fingerprint, and the first parameter is at least used for authenticating said device; the client sending the first parameter to a blockchain; and the blockchain authenticating said device according to the first parameter. By means of the solution of the present application, the security of a device can be improved.

Description

设备认证方法及装置Device authentication method and device 技术领域technical field
本申请涉及认证技术领域,并且更具体地,涉及一种设备认证方法及装置。The present application relates to the technical field of authentication, and more specifically, to a device authentication method and device.
背景技术Background technique
车辆、轮船、飞机等交通工具领域以及安保、物联网等领域中所涉及的服务通常需要通过设备来实现。以车辆为例,自动驾驶、娱乐信息、车身管理等服务,都需要通过车载设备来提供给消费者,因而设备的安全尤其重要。然而这些领域中的服务架构通常是开放的,设备被盗或被替换的可能性较高,导致设备的安全性无法保证。Services involved in vehicles, ships, airplanes and other transportation fields, as well as security, Internet of Things and other fields usually need to be realized through equipment. Taking vehicles as an example, services such as autonomous driving, entertainment information, and vehicle body management all need to be provided to consumers through on-board equipment, so the safety of equipment is particularly important. However, the service architecture in these fields is usually open, and the possibility of equipment being stolen or replaced is high, resulting in that the security of the equipment cannot be guaranteed.
因此,如何提高设备的安全性是亟需解决的技术问题。Therefore, how to improve the safety of equipment is a technical problem that needs to be solved urgently.
发明内容Contents of the invention
本申请实施例提供一种设备认证方法及装置,可以应用于车辆、轮船、飞机等交通工具领域以及安保、物联网等领域中设备的认证,能够提高设备的安全性。The embodiments of the present application provide a device authentication method and device, which can be applied to the fields of vehicles, ships, airplanes and other means of transportation, as well as the authentication of devices in fields such as security and the Internet of Things, and can improve the security of the devices.
第一方面,提供了一种设备认证方法,该方法应用于客户端。可选地,以该方法应用于车辆领域为例,该客户端可以是车辆中控制装置,例如,车辆中的域控制器、移动数据中心(mobile data center,MDC)等,还可以为云端服务器。应理解,为避免认证过程中数据传输时发生泄露,在实际操作中,可优先选用车辆中的控制装置作为客户端。In a first aspect, a device authentication method is provided, and the method is applied to a client. Optionally, taking the application of the method in the field of vehicles as an example, the client may be a control device in the vehicle, for example, a domain controller in the vehicle, a mobile data center (mobile data center, MDC), etc., and may also be a cloud server . It should be understood that, in order to avoid data leakage during the authentication process, in actual operation, the control device in the vehicle can be preferably selected as the client.
该方法包括:获取待认证设备的第一指纹;接收第一参数,该第一参数与该第一指纹相关联,且该第一参数至少用于认证该待认证设备;发送该第一参数至区块链。The method includes: obtaining a first fingerprint of the device to be authenticated; receiving a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated; sending the first parameter to blockchain.
应理解,在应用于车辆领域时,上述待认证设备可以是车载设备。It should be understood that when applied to the field of vehicles, the above-mentioned device to be authenticated may be a vehicle-mounted device.
应理解,设备的指纹是设备身份的一种标识,能够体现设备独特的物理特征。It should be understood that the fingerprint of the device is an identification of the identity of the device, which can reflect the unique physical characteristics of the device.
应理解,上述第一参数与第一指纹相关联包括第一参数可以基于第一指纹得到。可选地,上述第一参数可以包括第一指纹的哈希值,也可以包括对第一指纹直接进行压缩之后的结果,本申请对此不做限定。It should be understood that the above-mentioned first parameter being associated with the first fingerprint includes that the first parameter may be obtained based on the first fingerprint. Optionally, the above-mentioned first parameter may include a hash value of the first fingerprint, or may include a result of directly compressing the first fingerprint, which is not limited in this application.
可选地,第一指纹的哈希值可以通过文件系统生成。作为一个示例,该文件系统可以是星际文件系统IPFS。其中,IPFS可以通过文件内容生成独立哈希值来标识文件,而不是通过文件保存位置来标识,因而相同内容的文件在系统中只会存在一份,从而能够节约存储空间;另外,存储在IPFS上的文件数据能够快速被获取,使得访问数据更快、更安全、同时更加开放。Optionally, the hash value of the first fingerprint can be generated through the file system. As an example, the file system may be the Interplanetary File System IPFS. Among them, IPFS can generate an independent hash value to identify the file through the content of the file instead of the location where the file is saved, so there will only be one copy of the file with the same content in the system, which can save storage space; in addition, stored in IPFS File data on the Internet can be quickly obtained, making access to data faster, safer, and more open.
在传统方案中,设备的认证通常是基于对称密钥实现的。然而,基于对称密钥的认证,会导致出现如下问题:设备中需要预编程、预置证书和私钥,造成设备需要具有安全存储模块,增加了硬件成本;对称密钥用在不同设备上,必然会给不同设备的存储空间均带来挑战;另外,由于设备中需预编程和预置密钥等,使得无法实现设备即插即用。In traditional solutions, device authentication is usually based on symmetric keys. However, authentication based on symmetric keys will lead to the following problems: pre-programmed, pre-installed certificates and private keys are required in the device, causing the device to have a secure storage module, which increases hardware costs; symmetric keys are used on different devices, It will inevitably bring challenges to the storage space of different devices; in addition, due to the need for pre-programming and preset keys in the device, it is impossible to realize plug-and-play of the device.
在本申请实施例中,通过客户端获取待认证设备的第一指纹,并将与该第一指纹相关 的第一参数发送至区块链,以便于可以在区块链上基于该第一参数对待认证设备进行认证,从而在一方面,能够提高设备的安全性;在另一方面,由于无需在设备中编程和预置密钥,也无需在设备中增加硬件安全模块,从而解决了硬件成本问题,也不需要担心硬件安全存储的空间问题,还可以实现设备即插即用。In this embodiment of the application, the first fingerprint of the device to be authenticated is obtained through the client, and the first parameter related to the first fingerprint is sent to the block chain, so that the first parameter can be based on the block chain Authenticate the device to be authenticated, so that on the one hand, it can improve the security of the device; on the other hand, because there is no need to program and pre-key the device, and there is no need to add a hardware security module to the device, thus solving the hardware cost There is no need to worry about the space problem of hardware security storage, and the device can be plug-and-play.
结合第一方面,在第一方面的某些实现方式中,该第一参数包括第一哈希值;该接收第一参数包括:从星际文件系统IPFS接收该第一哈希值。With reference to the first aspect, in some implementation manners of the first aspect, the first parameter includes a first hash value; and receiving the first parameter includes: receiving the first hash value from an interplanetary file system IPFS.
具体地,在实际操作中,客户端可以先提取待认证设备的指纹,然后把待认证设备的指纹发送给IPFS,通过IPFS对指纹数据进行加密和存储并返回一个哈希值给客户端,从而能够避免在客户端进行待认证指纹的存储,节省了客户端的存储空间。Specifically, in actual operation, the client can first extract the fingerprint of the device to be authenticated, and then send the fingerprint of the device to be authenticated to IPFS, encrypt and store the fingerprint data through IPFS and return a hash value to the client, thereby The storage of fingerprints to be authenticated on the client side can be avoided, saving the storage space of the client side.
结合第一方面,在第一方面的某些实现方式中,该第一指纹与该待认证设备的输出相关联。With reference to the first aspect, in some implementation manners of the first aspect, the first fingerprint is associated with an output of the device to be authenticated.
应理解,设备输出的信号或数据中通常隐藏体现设备身份的独特物理特征,因此可以基于设备的输出确定出设备的物理特征来作为设备的指纹。It should be understood that the signal or data output by the device usually hides unique physical features that reflect the identity of the device, so the physical features of the device can be determined based on the output of the device as the fingerprint of the device.
结合第一方面,在第一方面的某些实现方式中,该待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号等中的一项或多项。With reference to the first aspect, in some implementations of the first aspect, the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals multiple.
结合第一方面,在第一方面的某些实现方式中,该获取待认证设备的第一指纹,包括:以T为周期获取该待认证设备的第一指纹,T为大于0的整数。With reference to the first aspect, in some implementation manners of the first aspect, the acquiring the first fingerprint of the device to be authenticated includes: acquiring the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
同样地,该接收第一参数包括:以T为周期接收第一参数;该发送该第一参数至区块链包括:以T为周期发送该第一参数至区块链。Likewise, the receiving the first parameter includes: receiving the first parameter at a period of T; the sending the first parameter to the blockchain includes: sending the first parameter to the blockchain at a period of T.
结合第一方面,在第一方面的某些实现方式中,在该获取待认证设备的第一指纹之前,该方法还包括:获取预置设备的第二指纹,该第二指纹为参考指纹;接收第二参数,该第二参数与该第二指纹相关联,且该第二参数至少用于认证该待认证设备;发送该第二参数至区块链。With reference to the first aspect, in some implementations of the first aspect, before acquiring the first fingerprint of the device to be authenticated, the method further includes: acquiring a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; receiving a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and sending the second parameter to the block chain.
其中,预置设备是指预先安装的可信任的设备,将其指纹作为参考指纹,可以在后续基于该指纹与待认证设备的指纹进行比较,以确定设备有没有被恶意替换。可选地,预置设备可以在不同情况下完成预置,例如,可以在出厂时由整车厂商或者整车厂商信任的设备供应商进行设备的预置,也可以是在后续售后维修时,由相关专业技术人员进行设备的预置或将原有的预置设备进行替换,本申请对此不做限定。Among them, the pre-installed device refers to a pre-installed trusted device, whose fingerprint is used as a reference fingerprint, which can be compared with the fingerprint of the device to be authenticated based on the fingerprint to determine whether the device has been maliciously replaced. Optionally, the preset device can be preset under different circumstances. For example, the device can be preset by the vehicle manufacturer or an equipment supplier trusted by the vehicle manufacturer when leaving the factory, or it can be done during subsequent after-sales maintenance. Relevant professional and technical personnel carry out the preset of the equipment or replace the original preset equipment, which is not limited in this application.
在本申请实施例中,在获取待认证设备的第一指纹之前,可以先获取预置设备的第二指纹,该第二指纹为参考指纹,并将与该第二指纹相关的第二参数发送至区块链,以便于可以在区块链上基于该第一参数和第二参数对待认证设备进行认证,从而能够提高设备的安全性。In this embodiment of the application, before obtaining the first fingerprint of the device to be authenticated, the second fingerprint of the preset device can be obtained first, and the second fingerprint is a reference fingerprint, and the second parameter related to the second fingerprint is sent to to the block chain, so that the device to be authenticated can be authenticated on the block chain based on the first parameter and the second parameter, thereby improving the security of the device.
结合第一方面,在第一方面的某些实现方式中,该第二参数包括第二哈希值;该接收第二参数包括:从星际文件系统IPFS接收该第二哈希值。With reference to the first aspect, in some implementation manners of the first aspect, the second parameter includes a second hash value; receiving the second parameter includes: receiving the second hash value from an interplanetary file system IPFS.
具体地,在实际操作中,客户端可以先提取预置设备的指纹,然后把预置设备的指纹发送给IPFS,通过IPFS对指纹数据进行加密和存储并返回一个哈希值给客户端,从而能够避免在客户端进行预置设备指纹的存储,节省了客户端的存储空间。Specifically, in actual operation, the client can first extract the fingerprint of the preset device, then send the fingerprint of the preset device to IPFS, encrypt and store the fingerprint data through IPFS, and return a hash value to the client, so that It can avoid storing the preset device fingerprint on the client, saving the storage space of the client.
结合第一方面,在第一方面的某些实现方式中,该方法还包括:确定该预置设备或该第二指纹具有配置权限,该配置权限至少用于指示该第二指纹为参考指纹。With reference to the first aspect, in some implementation manners of the first aspect, the method further includes: determining that the provisioning device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
结合第一方面,在第一方面的某些实现方式中,该方法还包括:确定该预置设备或第二指纹具有配置权限;基于该配置权限对该第二指纹进行获取和/或配置操作。With reference to the first aspect, in some implementations of the first aspect, the method further includes: determining that the provisioning device or the second fingerprint has configuration authority; and performing an acquisition and/or configuration operation on the second fingerprint based on the configuration authority .
应理解,由于预置设备的第二指纹需要作为参考指纹,因而客户端还需要确定该预置设备或该第二指纹是否具有配置权限,以便后续可以对第二指纹进行获取和/或配置操作,其中,该配置操作可以包括将第二指纹配置为参考指纹。如果确定该预置设备或该第二指纹具有配置权限,则可以将第二指纹配置为参考指纹,或者可以理解为,第二指纹可以被配置为参考指纹或者将第二指纹作为参考指纹。示例地,客户端可以在获取第二指纹之前,确定该预置设备或该第二指纹是否具有配置权限,如果确定有配置权限,则将第二指纹作为参考指纹。基于此,可以保证设备认证的安全性。It should be understood that since the second fingerprint of the pre-provisioned device needs to be used as a reference fingerprint, the client also needs to determine whether the pre-provisioned device or the second fingerprint has configuration authority, so that the second fingerprint can be obtained and/or configured subsequently. , where the configuring operation may include configuring the second fingerprint as the reference fingerprint. If it is determined that the provisioning device or the second fingerprint has configuration authority, the second fingerprint may be configured as a reference fingerprint, or it may be understood that the second fingerprint may be configured as a reference fingerprint or the second fingerprint may be used as a reference fingerprint. For example, before acquiring the second fingerprint, the client may determine whether the provisioning device or the second fingerprint has configuration authority, and if it is determined that there is configuration authority, the second fingerprint may be used as a reference fingerprint. Based on this, the security of device authentication can be guaranteed.
可选地,可以在客户端切换到“参考指纹提取与上传模式”(例如:配置模式、工程模式等)时确定该预置设备或该第二指纹是否具备配置权限。应理解,在该模式下,如果确定预置设备或第二指纹具备配置权限,则上传的第二指纹会被标注为参考指纹,区块链在后续认证过程中将用该参考指纹与后续新指纹(即第一指纹)进行对比。若在上传时,区块链已经记录有一个参考指纹,那么新上传的参考指纹可以替换旧的参考指纹。应理解,配置模式的切换还可以通过权限控制流程(例如:认证、密码等),保证只有授权的人才能进行参考指纹的操作/配置,进而保证设备认证的安全性。Optionally, it may be determined whether the preset device or the second fingerprint has configuration authority when the client switches to the "reference fingerprint extraction and upload mode" (for example: configuration mode, engineering mode, etc.). It should be understood that in this mode, if it is determined that the pre-installed device or the second fingerprint has the configuration authority, the uploaded second fingerprint will be marked as a reference fingerprint, and the blockchain will use this reference fingerprint with subsequent new fingerprints in the subsequent authentication process. fingerprint (ie the first fingerprint) for comparison. If the blockchain has already recorded a reference fingerprint when uploading, then the newly uploaded reference fingerprint can replace the old reference fingerprint. It should be understood that the switch of the configuration mode can also pass through the authority control process (for example: authentication, password, etc.), to ensure that only authorized persons can perform the operation/configuration of the reference fingerprint, thereby ensuring the security of device authentication.
第二方面,提供了一种设备认证方法,该方法应用于区块链,该方法包括:接收客户端发送的第一参数,该第一参数与待认证设备的第一指纹相关联;根据该第一参数对该待认证设备进行认证。In a second aspect, a device authentication method is provided, the method is applied to a block chain, and the method includes: receiving a first parameter sent by a client, the first parameter being associated with a first fingerprint of the device to be authenticated; according to the The first parameter is used to authenticate the device to be authenticated.
在传统方案中,设备的认证通常是基于对称密钥实现的。然而,基于对称密钥的认证,会导致出现如下问题:设备中需要预编程、预置证书和私钥,造成设备需要具有安全存储模块,增加了硬件成本;对称密钥用在不同设备上,必然会给不同设备的存储空间均带来挑战;另外,由于设备中需预编程和预置密钥等,使得无法实现设备即插即用。In traditional solutions, device authentication is usually based on symmetric keys. However, authentication based on symmetric keys will lead to the following problems: pre-programmed, pre-installed certificates and private keys are required in the device, causing the device to have a secure storage module, which increases hardware costs; symmetric keys are used on different devices, It will inevitably bring challenges to the storage space of different devices; in addition, due to the need for pre-programming and preset keys in the device, it is impossible to realize plug-and-play of the device.
在本申请实施例中,通过区块链接收客户端发送的与待认证设备的第一指纹相关的第一参数,然后在区块链上根据第一参数对该待认证设备进行认证,保证设备可信,从而在一方面,能够提高设备的安全性;在另一方面,由于无需在设备中编程和预置密钥,也无需在设备中增加硬件安全模块,从而解决了硬件成本问题,也不需要担心硬件安全存储的空间问题,还可以实现设备即插即用。In the embodiment of this application, the first parameter related to the first fingerprint of the device to be authenticated sent by the client is received through the blockchain, and then the device to be authenticated is authenticated on the blockchain according to the first parameter to ensure that the device Trustworthy, so that on the one hand, the security of the device can be improved; on the other hand, because there is no need to program and pre-key the device, and there is no need to add a hardware security module to the device, thus solving the hardware cost problem, and also There is no need to worry about the space problem of hardware security storage, and the device can be plug-and-play.
结合第二方面,在第二方面的某些实现方式中,该第一参数包括第一哈希值,该第一哈希值通过星际文件系统IPFS生成。With reference to the second aspect, in some implementation manners of the second aspect, the first parameter includes a first hash value, and the first hash value is generated through an interplanetary file system IPFS.
具体地,在实际操作中,客户端可以先提取待认证设备的指纹,然后把待认证设备的指纹发送给IPFS,通过IPFS对指纹数据进行加密和存储并返回一个哈希值给客户端,从而能够避免在客户端进行待认证指纹的存储,节省了客户端的存储空间。Specifically, in actual operation, the client can first extract the fingerprint of the device to be authenticated, and then send the fingerprint of the device to be authenticated to IPFS, encrypt and store the fingerprint data through IPFS and return a hash value to the client, thereby The storage of fingerprints to be authenticated on the client side can be avoided, saving the storage space of the client side.
结合第二方面,在第二方面的某些实现方式中,该第一指纹与该待认证设备的输出相关联。With reference to the second aspect, in some implementation manners of the second aspect, the first fingerprint is associated with an output of the device to be authenticated.
结合第二方面,在第二方面的某些实现方式中,该待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号中的一项或多项。With reference to the second aspect, in some implementations of the second aspect, the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
结合第二方面,在第二方面的某些实现方式中,在该接收客户端发送的第一参数之前,该方法还包括:接收该客户端发送的第二参数,该第二参数与预置设备的第二指纹相关联, 该第二指纹为参考指纹;该根据该第一参数对该待认证设备进行认证包括:根据该第一参数和该第二参数对该待认证设备进行认证。With reference to the second aspect, in some implementations of the second aspect, before receiving the first parameter sent by the client, the method further includes: receiving a second parameter sent by the client, and the second parameter is the same as the preset The second fingerprint of the device is associated, and the second fingerprint is a reference fingerprint; authenticating the device to be authenticated according to the first parameter includes: authenticating the device to be authenticated according to the first parameter and the second parameter.
在本申请实施例中,在区块链接收客户端发送的第一参数之前,可以先接收客户端发送的与预置设备的第二指纹(即参考指纹)相关的第二参数,然后根据第一参数和第二参数对待认证设备进行认证,从而能够提高设备的安全性。In this embodiment of the application, before the block chain receives the first parameter sent by the client, it can first receive the second parameter related to the second fingerprint (reference fingerprint) of the preset device sent by the client, and then according to the first parameter The first parameter and the second parameter are used to authenticate the device to be authenticated, so that the security of the device can be improved.
结合第二方面,在第二方面的某些实现方式中,该根据该第一参数和该第二参数对该待认证设备进行认证包括:根据该第一参数和该第二参数获取该第一指纹和该第二指纹;根据该第一指纹和该第二指纹对该待认证设备进行认证。With reference to the second aspect, in some implementations of the second aspect, the authenticating the device to be authenticated according to the first parameter and the second parameter includes: obtaining the first parameter according to the first parameter and the second parameter fingerprint and the second fingerprint; authenticating the device to be authenticated according to the first fingerprint and the second fingerprint.
可选地,根据该第一参数和该第二参数获取该第一指纹和该第二指纹,可以是区块链基于第一参数和第二参数直接从文件系统(例如,IPFS)获取该第一指纹和该第二指纹,从而能够提高指纹获取的速度和安全性。Optionally, the first fingerprint and the second fingerprint are obtained according to the first parameter and the second parameter, and the block chain may obtain the first fingerprint directly from the file system (for example, IPFS) based on the first parameter and the second parameter. The first fingerprint and the second fingerprint can improve the speed and security of fingerprint acquisition.
可选地,根据该第一指纹和该第二指纹对该待认证设备进行认证,具体可以是根据第一指纹和该第二指纹的相似度对该待认证设备进行认证。Optionally, the device to be authenticated is authenticated according to the first fingerprint and the second fingerprint, specifically, the device to be authenticated may be authenticated according to a similarity between the first fingerprint and the second fingerprint.
结合第二方面,在第二方面的某些实现方式中,该接收客户端发送的第一参数包括:以T为周期接收该客户端发送的第一参数,T为大于0的整数;该根据该第一参数对该待认证设备进行认证包括:根据以T为周期接收到的该客户端发送的第一参数周期性地对该待认证设备进行认证。With reference to the second aspect, in some implementations of the second aspect, the receiving the first parameter sent by the client includes: receiving the first parameter sent by the client at a period of T, where T is an integer greater than 0; Authenticating the device to be authenticated by the first parameter includes: periodically authenticating the device to be authenticated according to the first parameter sent by the client received at a period of T.
在本申请实施例中,通过根据以T为周期接收到的该客户端发送的第一参数周期性地对该待认证设备进行认证可以实现对待认证设备的持续认证,从而能够提高设备的安全性。In the embodiment of this application, the device to be authenticated can be continuously authenticated by periodically authenticating the device to be authenticated according to the first parameter received from the client at a period of T, thereby improving the security of the device .
结合第二方面,在第二方面的某些实现方式中,根据该第一参数对该待认证设备进行认证,包括:通过智能合约和该第一参数对该待认证设备进行认证。With reference to the second aspect, in some implementation manners of the second aspect, authenticating the device to be authenticated according to the first parameter includes: authenticating the device to be authenticated by using a smart contract and the first parameter.
其中,智能合约可以基于区块链上所存储的数据,自动化的执行一些预先定义好的规则和条款。且智能合约的执行无需依赖第三方机构的参与或介入,合约的监督和仲裁都由计算机完成;智能合约一旦部署完成,所有内容无法修改,任何一方都无法干预合约的执行。因而,在本申请实施例中,可以通过智能合约和该第一参数对该待认证设备进行认证,从而能够提高设备认证的可靠性,进而提高设备的安全性。Among them, smart contracts can automatically execute some pre-defined rules and terms based on the data stored on the blockchain. Moreover, the execution of the smart contract does not need to rely on the participation or intervention of a third-party organization. The supervision and arbitration of the contract are completed by the computer; once the smart contract is deployed, all content cannot be modified, and no party can interfere with the execution of the contract. Therefore, in the embodiment of the present application, the device to be authenticated can be authenticated through the smart contract and the first parameter, so that the reliability of device authentication can be improved, and thus the security of the device can be improved.
结合第二方面,在第二方面的某些实现方式中,在该根据该第一参数对该待认证设备进行认证之后,该方法还包括:对认证结果进行处理操作,该处理操作包括记录日志、触发警告和反馈该认证结果至该客户端中的一项或多项。With reference to the second aspect, in some implementations of the second aspect, after the device to be authenticated is authenticated according to the first parameter, the method further includes: processing the authentication result, the processing operation includes recording a log One or more of triggering a warning and feeding back the authentication result to the client.
第三方面,提供了一种设备认证装置,该装置应用于客户端,该装置包括:处理模块,用于获取待认证设备的第一指纹;收发模块,用于接收第一参数,该第一参数与该第一指纹相关联,且该第一参数至少用于认证该待认证设备;该收发模块还用于,发送该第一参数至区块链。In a third aspect, a device authentication device is provided, which is applied to a client, and the device includes: a processing module, used to obtain a first fingerprint of a device to be authenticated; a transceiver module, used to receive a first parameter, the first A parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated; the transceiver module is also used to send the first parameter to the block chain.
其中,该收发模块具有数据发送和/或接收的能力。Wherein, the transceiver module has the capability of data sending and/or receiving.
结合第三方面,在第三方面的某些实现方式中,该第一参数包括第一哈希值;该收发模块还用于,从星际文件系统IPFS接收该第一哈希值。With reference to the third aspect, in some implementation manners of the third aspect, the first parameter includes a first hash value; the transceiver module is further configured to receive the first hash value from an interplanetary file system IPFS.
结合第三方面,在第三方面的某些实现方式中,该第一指纹与该待认证设备的输出相关联。With reference to the third aspect, in some implementation manners of the third aspect, the first fingerprint is associated with an output of the device to be authenticated.
结合第三方面,在第三方面的某些实现方式中,该待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号中的一项或多项。In conjunction with the third aspect, in some implementations of the third aspect, the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
结合第三方面,在第三方面的某些实现方式中,该处理模块还用于,以T为周期获取该待认证设备的第一指纹,T为大于0的整数。With reference to the third aspect, in some implementation manners of the third aspect, the processing module is further configured to acquire the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
结合第三方面,在第三方面的某些实现方式中,在该获取待认证设备的第一指纹之前,该处理模块还用于,获取预置设备的第二指纹,该第二指纹为参考指纹;该收发模块还用于,接收第二参数,该第二参数与该第二指纹相关联,且该第二参数至少用于认证该待认证设备;发送该第二参数至区块链。With reference to the third aspect, in some implementations of the third aspect, before acquiring the first fingerprint of the device to be authenticated, the processing module is further configured to acquire a second fingerprint of the preset device, and the second fingerprint is a reference Fingerprint; the transceiver module is also used to receive a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and send the second parameter to the block chain.
结合第三方面,在第三方面的某些实现方式中,该第二参数包括第二哈希值;该收发模块还用于,从星际文件系统IPFS接收该第二哈希值。With reference to the third aspect, in some implementation manners of the third aspect, the second parameter includes a second hash value; the transceiver module is further configured to receive the second hash value from an interplanetary file system IPFS.
结合第三方面,在第三方面的某些实现方式中,该处理模块用于,确定该预置设备或该第二指纹具有配置权限,该配置权限至少用于指示该第二指纹为参考指纹。With reference to the third aspect, in some implementation manners of the third aspect, the processing module is configured to determine that the preset device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint .
结合第三方面,在第三方面的某些实现方式中,该处理模块用于,确定该预置设备或该第二指纹具有配置权限,基于该配置权限对该第二指纹进行获取和/或配置操作。示例性地,该处理模块可以在获取该预置设备的第二指纹之前,确定该预置设备或该第二指纹具有配置权限。With reference to the third aspect, in some implementation manners of the third aspect, the processing module is configured to determine that the preset device or the second fingerprint has configuration authority, and acquire and/or obtain the second fingerprint based on the configuration authority. Configure operations. Exemplarily, the processing module may determine that the provisioning device or the second fingerprint has configuration authority before acquiring the second fingerprint of the provisioning device.
第四方面,提供了一种设备认证装置,该装置应用于区块链,该装置包括:收发模块,用于接收客户端发送的第一参数,该第一参数与待认证设备的第一指纹相关联;处理模块,用于根据该第一参数对该待认证设备进行认证。In a fourth aspect, a device authentication device is provided, the device is applied to a blockchain, and the device includes: a transceiver module, configured to receive a first parameter sent by a client, the first parameter and the first fingerprint of the device to be authenticated Associated; a processing module, configured to authenticate the device to be authenticated according to the first parameter.
结合第四方面,在第四方面的某些实现方式中,该第一参数包括第一哈希值,该第一哈希值通过星际文件系统IPFS生成。With reference to the fourth aspect, in some implementation manners of the fourth aspect, the first parameter includes a first hash value, and the first hash value is generated through an interplanetary file system IPFS.
结合第四方面,在第四方面的某些实现方式中,该第一指纹与该待认证设备的输出相关联。With reference to the fourth aspect, in some implementation manners of the fourth aspect, the first fingerprint is associated with an output of the device to be authenticated.
结合第四方面,在第四方面的某些实现方式中,该待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号中的一项或多项。With reference to the fourth aspect, in some implementations of the fourth aspect, the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals. item.
结合第四方面,在第四方面的某些实现方式中,在该接收客户端发送的第一参数之前,该收发模块还用于,接收该客户端发送的第二参数,该第二参数与预置设备的第二指纹相关联,该第二指纹为参考指纹;该处理模块还用于,根据该第一参数和该第二参数对该待认证设备进行认证。With reference to the fourth aspect, in some implementation manners of the fourth aspect, before receiving the first parameter sent by the client, the transceiver module is further configured to receive a second parameter sent by the client, and the second parameter is the same as The second fingerprint of the preset device is associated, and the second fingerprint is a reference fingerprint; the processing module is also used to authenticate the device to be authenticated according to the first parameter and the second parameter.
结合第四方面,在第四方面的某些实现方式中,该处理模块还用于,根据该第一参数和该第二参数获取该第一指纹和该第二指纹;根据该第一指纹和该第二指纹的相似度对该待认证设备进行认证。With reference to the fourth aspect, in some implementation manners of the fourth aspect, the processing module is further configured to acquire the first fingerprint and the second fingerprint according to the first parameter and the second parameter; The similarity of the second fingerprint authenticates the device to be authenticated.
结合第四方面,在第四方面的某些实现方式中,该收发模块还用于,以T为周期接收该客户端发送的第一参数,T为大于0的整数;该处理模块还用于,根据以T为周期接收到的该客户端发送的第一参数周期性地对该待认证设备进行认证。With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver module is further configured to receive the first parameter sent by the client at a period of T, where T is an integer greater than 0; the processing module is also configured to , periodically authenticate the device to be authenticated according to the first parameter sent by the client received at a period of T.
结合第四方面,在第四方面的某些实现方式中,该处理模块还用于,通过智能合约和该第一参数对该待认证设备进行认证。With reference to the fourth aspect, in some implementation manners of the fourth aspect, the processing module is further configured to authenticate the device to be authenticated by using the smart contract and the first parameter.
结合第四方面,在第四方面的某些实现方式中,该处理模块还用于,对认证结果进行处理操作,该处理操作包括记录日志、触发警告和反馈该认证结果至该客户端中的一项或 多项。With reference to the fourth aspect, in some implementation manners of the fourth aspect, the processing module is further configured to perform processing operations on the authentication results, the processing operations including recording logs, triggering warnings, and feeding back the authentication results to the client in the client. one or more.
第五方面,提供了一种设备认证装置,包括输入输出接口、处理器和存储器,所述处理器用于控制输入输出接口收发信号或信息,所述存储器用于存储计算机程序,所述处理器用于从存储器中调用并运行所述计算机程序,使得所述设备认证装置执行如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,执行如第二方面或者第二方面的任一可能的实现方式中的认证方法。In the fifth aspect, a device authentication device is provided, including an input and output interface, a processor and a memory, the processor is used to control the input and output interface to send and receive signals or information, the memory is used to store computer programs, and the processor is used to Call and run the computer program from the memory, so that the device authentication apparatus executes the authentication method in the first aspect or any possible implementation of the first aspect; and/or executes the authentication method in the second aspect or the second An authentication method in any possible implementation of the aspect.
其中,该设备认证装置可以应用于需要进行认证,且储存空间有限的场景当中,例如,可以应用在车辆、轮船、飞机等交通工具中设备的认证,还可以应用在安保领域设备的认证,或者可以应用于物联网等领域设备的认证,本申请对此不做限定。Wherein, the device authentication device can be applied to scenarios where authentication is required and storage space is limited, for example, it can be applied to the authentication of equipment in vehicles, ships, airplanes, etc., and it can also be applied to the authentication of equipment in the security field, or It can be applied to authentication of devices in fields such as the Internet of Things, which is not limited in this application.
第六方面,提供了一种设备的认证系统,包括用于执行如第一方面或者第一方面的任一可能的实现方式中的认证方法的客户端和用于执行第二方面或者第二方面的任一可能的实现方式中的认证方法的区块链。A sixth aspect provides an authentication system for a device, including a client for executing the authentication method in the first aspect or any possible implementation of the first aspect and a client for executing the second aspect or the second aspect Blockchain of authentication methods in any of the possible implementations.
第七方面,提供了一种车载部件,包括用于执行如第一方面或者第一方面的任一可能的实现方式中的认证方法的客户端。In a seventh aspect, a vehicle component is provided, including a client for executing the authentication method in the first aspect or any possible implementation manner of the first aspect.
第八方面,提供了一种车辆,包括电子控制单元,电子控制单元用于执行如第一方面或者第一方面的任一可能的实现方式中的认证方法。In an eighth aspect, a vehicle is provided, including an electronic control unit, and the electronic control unit is configured to execute the authentication method in the first aspect or any possible implementation manner of the first aspect.
第九方面,提供了一种计算机可读存储介质,其特征在于,包括指令;所述指令用于实现如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,实现如第二方面或者第二方面的任一可能的实现方式中的认证方法。In a ninth aspect, there is provided a computer-readable storage medium, which is characterized by comprising instructions; the instructions are used to implement the authentication method in the first aspect or in any possible implementation manner of the first aspect; and/or , implementing the second aspect or the authentication method in any possible implementation manner of the second aspect.
第十方面,提供了一种算机程序产品,其特征在于,包括:计算机程序,当计算机程序被运行时,使得计算机执行如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,执行如第二方面或者第二方面的任一可能的实现方式中的认证方法。In a tenth aspect, there is provided a computer program product, which is characterized in that it includes: a computer program that, when the computer program is run, causes the computer to perform the authentication in the first aspect or in any possible implementation manner of the first aspect. method; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
第十一方面,提供了一种计算设备,包括:至少一个处理器和存储器,所述至少一个处理器与所述存储器耦合,用于读取并执行所述存储器中的指令,以执行如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,执行如第二方面或者第二方面的任一可能的实现方式中的认证方法。In an eleventh aspect, a computing device is provided, including: at least one processor and a memory, the at least one processor is coupled to the memory, and is used to read and execute instructions in the memory, so as to execute the An authentication method in one aspect or any possible implementation manner of the first aspect; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
第十二方面,提供一种芯片,所述芯片包括处理器与数据接口,所述处理器通过所述数据接口读取存储器上存储的指令,执行如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,执行如第二方面或者第二方面的任一可能的实现方式中的认证方法。In a twelfth aspect, there is provided a chip, the chip includes a processor and a data interface, and the processor reads instructions stored on the memory through the data interface, and executes any of the possible functions of the first aspect or the first aspect. The authentication method in the implementation manner of the second aspect; and/or, execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
可选地,作为一种实现方式,所述芯片还可以包括存储器,所述存储器中存储有指令,所述处理器用于执行所述存储器上存储的指令,当所述指令被执行时,所述处理器用于执行如第一方面或者第一方面的任一可能的实现方式中的认证方法;和/或,执行如第二方面或者第二方面的任一可能的实现方式中的认证方法。Optionally, as an implementation manner, the chip may further include a memory, the memory stores instructions, the processor is configured to execute the instructions stored in the memory, and when the instructions are executed, the The processor is configured to execute the authentication method in the first aspect or any possible implementation manner of the first aspect; and/or execute the authentication method in the second aspect or any possible implementation manner of the second aspect.
第十三方面,提供了一种芯片系统,该芯片系统包括至少一个处理器,用于支持实现上述第一方面或第一方面的某些实现中所涉及的功能,例如,例如接收或处理上述方法中所涉及的数据和/或信息。In a thirteenth aspect, a chip system is provided, which includes at least one processor, configured to support the implementation of the functions involved in the first aspect or some implementations of the first aspect, for example, receiving or processing the above-mentioned Data and/or information involved in the method.
在一种可能的设计中,所述芯片系统还包括存储器,所述存储器,用于保存程序指令和数据,存储器位于处理器之内或处理器之外。该芯片系统,可以由芯片构成,也可以包 含芯片和其他分立器件。In a possible design, the chip system further includes a memory, the memory is used to store program instructions and data, and the memory is located inside or outside the processor. The system-on-a-chip may consist of chips, or may include chips and other discrete devices.
附图说明Description of drawings
图1是一种对车载设备进行认证的传统方案的示例图。FIG. 1 is an example diagram of a traditional solution for authenticating a vehicle-mounted device.
图2是本申请实施例提供的一种设备认证方法的示例图。Fig. 2 is an example diagram of a device authentication method provided by an embodiment of the present application.
图3是本申请实施例提供的一种车载设备的持续认证方法示例性。Fig. 3 is an example of a continuous authentication method for a vehicle-mounted device provided by an embodiment of the present application.
图4是本申请实施例提供的一种参考指纹的存储与上链的过程示例图。Fig. 4 is an example diagram of a process of storing and uploading reference fingerprints provided by the embodiment of the present application.
图5是本申请实施例提供的一种待认证指纹的存储与上链的过程示例图。Fig. 5 is an example diagram of a process of storing and uploading a fingerprint to be authenticated according to an embodiment of the present application.
图6是本申请实施例提供的一种指纹认证过程中指纹获取的过程示例图。FIG. 6 is an example diagram of a fingerprint acquisition process in a fingerprint authentication process provided by an embodiment of the present application.
图7是本申请实施例提供的一种设备认证装置700。Fig. 7 is an apparatus 700 for device authentication provided by an embodiment of the present application.
图8是本申请实施例提供的一种设备认证装置800。FIG. 8 is an apparatus 800 for device authentication provided by an embodiment of the present application.
图9是本申请实施例提供的一种设备认证系统900。FIG. 9 is a device authentication system 900 provided by an embodiment of the present application.
图10是本申请实施例提供的设备认证装置1000的硬件结构示例性框图。FIG. 10 is an exemplary block diagram of a hardware structure of a device authentication apparatus 1000 provided by an embodiment of the present application.
具体实施方式Detailed ways
为了便于理解本申请的技术方案,首先对本申请涉及的概念做简要介绍。In order to facilitate the understanding of the technical solution of the present application, a brief introduction is first made to the concepts involved in the present application.
区块链技术:区块链技术是一种不依赖第三方、通过自身分布式节点进行网络数据的存储、验证、传递和交流的一种技术方案。区块链技术具有去中心化、开放性、安全性、独立性、匿名性等优点。Blockchain technology: Blockchain technology is a technical solution that does not rely on third parties and stores, verifies, transmits and communicates network data through its own distributed nodes. Blockchain technology has the advantages of decentralization, openness, security, independence, and anonymity.
智能合约:可以基于区块链上所存储的数据,自动化的执行一些预先定义好的规则和条款。Smart contract: Based on the data stored on the blockchain, some pre-defined rules and terms can be automatically executed.
星际文件存储系统(interplanetary file system,IPFS)技术:IPFS是一种点到点的分布式文件系统,其连接的计算设备都具有文件管理模式,是一种内容可寻址的对等超媒体分发协议。通过IPFS,用户搜索的是内容而非文件名。Interplanetary file system (IPFS) technology: IPFS is a point-to-point distributed file system, and its connected computing devices have a file management mode, which is a content-addressable peer-to-peer hypermedia distribution protocol. With IPFS, users search for content rather than filenames.
IPFS工作原理:将文件存储在IPFS中,IPFS存储后会生成专属于这个文件的哈希值返回给客户端,客户端可以将该哈希值存在区块链中防止篡改,请求文件时只需出示此哈希值,IPFS会根据这个哈希值再从存有这个文件的节点将文件传输给请求客户端。Working principle of IPFS: Store files in IPFS. After IPFS storage, it will generate a hash value dedicated to this file and return it to the client. The client can store the hash value in the blockchain to prevent tampering. When requesting a file, just Show this hash value, and IPFS will transfer the file to the requesting client from the node storing the file based on this hash value.
物理不可克隆函数(physical unclonable function,PUF):物理不可克隆函数利用内在的物理构造来对其进行唯一性标识,输入任意激励都会输出一个唯一且不可预测的响应。Physical unclonable function (PUF): The physical unclonable function uses the inherent physical structure to uniquely identify it, and any input stimulus will output a unique and unpredictable response.
共识算法:可以被定义为一个通过区块链网络达成共识的机制。公共的(去中心化的)区块链作为一个分布式系统,并不依赖于一个中央机构,而是由分布式节点全票通过来实现交易。与此同时,共识算法开始发挥作用,它保证了协议规则的正常执行以及交易可以在免信任情况下发生。Consensus Algorithm: Can be defined as a mechanism for reaching consensus through a blockchain network. As a distributed system, the public (decentralized) blockchain does not rely on a central authority, but is passed by the distributed nodes to realize transactions. At the same time, the consensus algorithm comes into play, which ensures the normal execution of protocol rules and transactions can occur without trust.
为便于理解,下面再对本申请涉及的背景技术进行简单的介绍。For ease of understanding, the background technology involved in this application will be briefly introduced below.
设备的认证对于提高设备的安全性具有重要意义。以车载设备为例,面向服务的车载架构是目前发展的方向,自动驾驶、娱乐信息、车身管理等服务,都需要通过车载设备来实现,因而车载设备的安全尤其重要。但是,面向服务的车载架构也是开放的,车载架构提供了各种车载设备和传感器的标准接口,因此车载设备被盗或替换的可能性较高,导致 车载设备的安全性无法保证,进而导致车辆安全无法保证。因此,需要对车载设备进行认证以提高车载设备的安全性。The authentication of equipment is of great significance to improve the security of equipment. Taking in-vehicle equipment as an example, the service-oriented in-vehicle architecture is the current development direction. Services such as autonomous driving, entertainment information, and vehicle body management all need to be realized through in-vehicle equipment, so the safety of in-vehicle equipment is particularly important. However, the service-oriented in-vehicle architecture is also open. The in-vehicle architecture provides standard interfaces for various in-vehicle devices and sensors. Therefore, the possibility of the in-vehicle devices being stolen or replaced is high, resulting in the inability to guarantee the safety of the in-vehicle devices, which in turn leads to Safety cannot be guaranteed. Therefore, it is necessary to authenticate the vehicle-mounted device to improve the security of the vehicle-mounted device.
在传统方案中,车载设备的认证主要是基于对称密钥实现的,如图1所示,传统方案的认证过程100主要包括步骤S110至S170,下面对这些步骤进行简单描述。In the traditional solution, the authentication of the on-board device is mainly realized based on a symmetric key. As shown in FIG. 1 , the authentication process 100 of the traditional solution mainly includes steps S110 to S170, and these steps are briefly described below.
S110,车载系统生成随机数;S110, the vehicle system generates a random number;
S120,车载系统发送随机数给车载设备;S120, the vehicle-mounted system sends the random number to the vehicle-mounted device;
S130,车载系统对随机数加密;S130, the vehicle system encrypts the random number;
S140,车载设备对随机数加密;S140, the vehicle device encrypts the random number;
S150,车载设备发送随机数的密文给车载系统;S150, the vehicle-mounted device sends the ciphertext of the random number to the vehicle-mounted system;
S160,车载系统比较密文并确定认证结果,在密文相同时认为认证成功,在密文不同时认为认证失败;S160, the on-board system compares the ciphertexts and determines the authentication result, considers the authentication successful when the ciphertexts are the same, and considers the authentication failure when the ciphertexts are different;
S170,车载系统将认证结果反馈给车载设备。S170, the vehicle system feeds back the authentication result to the vehicle device.
传统方案基于对称密钥的认证,会导致出现如下问题:车载设备中需要预编程、预置证书和私钥,造成车载设备需要具有安全存储模块,增加了硬件成本;对称密钥用在不同设备上,必然会给不同设备的存储空间均带来挑战;另外,由于车载设备中需预编程和预置密钥等,使得无法实现设备即插即用。Traditional schemes based on symmetric key authentication will lead to the following problems: pre-programmed, preset certificates and private keys are required in the vehicle-mounted device, resulting in the need for a secure storage module in the vehicle-mounted device, which increases hardware costs; the use of symmetric keys in different devices Above all, it will inevitably bring challenges to the storage space of different devices; in addition, due to the need for pre-programming and preset keys in the vehicle-mounted devices, it is impossible to achieve plug-and-play devices.
基于此,本申请提供了一种设备认证方法及装置,主要基于设备的物理不可克隆特征作为身份标识(即指纹),然后结合区块链技术,在区块链上进行设备的认证,保证设备可信,从而能够提高设备的安全性。Based on this, this application provides a device authentication method and device, which is mainly based on the physical unclonable feature of the device as an identity (i.e. fingerprint), and then combines the blockchain technology to authenticate the device on the blockchain to ensure that the device Trusted, which can improve the security of the device.
另外,利用物理特征对设备进行认证,需要从设备的输出中提取特征并做特征比较,不需要在设备中编程和预置密钥,避免在设备中增加硬件安全模块,解决了硬件成本问题;同时,也不需要担心硬件安全存储的空间问题。而且,设备在不需预编程和预置密钥的情况下,便可实现即插即用。In addition, using physical features to authenticate the device requires extracting features from the output of the device and performing feature comparison. It does not require programming and pre-keying in the device, avoiding adding hardware security modules to the device, and solving the hardware cost problem; At the same time, there is no need to worry about the space problem of hardware security storage. Moreover, the device can be plug-and-play without the need for pre-programming and pre-keying.
下面将结合附图,对本申请中的技术方案进行描述。The technical solution in this application will be described below with reference to the accompanying drawings.
图2是本申请实施例提供的一种设备认证方法的示例图。应理解,该方法200可以应用于车辆、轮船、飞机等交通工具领域以及安保、物联网等领域中设备的认证,本申请对此不做限定。但为便于描述,在下文实施例中,均以应用于车辆为例。Fig. 2 is an example diagram of a device authentication method provided by an embodiment of the present application. It should be understood that the method 200 can be applied to the fields of vehicles, ships, airplanes and other vehicles, as well as the authentication of devices in fields such as security and Internet of Things, which is not limited in this application. However, for ease of description, in the following embodiments, the application to vehicles is taken as an example.
如图2所示,方法200可以包括S210至S240,下面对方法200中的各个步骤进行详细描述。As shown in FIG. 2 , the method 200 may include S210 to S240 , and each step in the method 200 will be described in detail below.
S210,客户端获取待认证设备的第一指纹。S210, the client acquires the first fingerprint of the device to be authenticated.
可选地,以该方法200应用于车辆领域为例,该客户端可以是车辆中控制装置,例如,车辆中的域控制器、移动数据中心(mobile data center,MDC)等,还可以为云端服务器。应理解,为避免认证过程中数据传输时数据发生泄露,在实际操作中,可优先选用车辆中的控制装置作为客户端。Optionally, taking the application of the method 200 in the field of vehicles as an example, the client may be a control device in the vehicle, for example, a domain controller in the vehicle, a mobile data center (mobile data center, MDC), etc., and may also be a cloud server. It should be understood that, in order to avoid data leakage during data transmission during the authentication process, in actual operation, the control device in the vehicle may be preferably selected as the client.
应理解,在应用于车辆时,设备可以描述为车载设备。可选地,车载设备可以是车辆上的摄像头、毫米波雷达、激光雷达等传感器,也可以是车辆上的通过控制器局域网(controller area network,CAN)或以太坊(ethereum,ETH)通讯的车载设备,本申请对此不做限定。It should be understood that when applied to a vehicle, the device may be described as an in-vehicle device. Optionally, the vehicle-mounted device can be a sensor such as a camera, a millimeter-wave radar, or a laser radar on the vehicle, or it can be a vehicle-mounted device communicating through a controller area network (CAN) or an Ethernet (ethereum, ETH) on the vehicle. equipment, which is not limited in this application.
应理解,设备的指纹是设备身份的一种标识,能够体现设备独特的物理特征。It should be understood that the fingerprint of the device is an identification of the identity of the device, which can reflect the unique physical characteristics of the device.
应理解,设备输出的信号或数据中通常隐藏着其物理特征。因而,可以根据待认证设备的输出得到待认证设备的第一指纹。例如,根据PUF原理或者基于PUF,可以从这些设备的输出中提取体现设备身份的独特物理特征,来作为设备指纹(即第一指纹)。本申请实施例对通过设备输出的信号或数据得到体现该设备独特物理特征的设备指纹的方式不做限定。It should be understood that the physical characteristics of a device are often hidden in the signal or data output by it. Therefore, the first fingerprint of the device to be authenticated can be obtained according to the output of the device to be authenticated. For example, according to the PUF principle or based on the PUF, the unique physical features reflecting the device identity can be extracted from the output of these devices as the device fingerprint (ie, the first fingerprint). The embodiment of the present application does not limit the manner of obtaining the device fingerprint reflecting the unique physical characteristics of the device through the signal or data output by the device.
应理解,在本申请实施例中,根据待认证设备的输出得到该待认证设备的第一指纹,也可以描述为,待认证设备的第一指纹与待认证设备的输出相关联。It should be understood that in this embodiment of the present application, the first fingerprint of the device to be authenticated is obtained according to the output of the device to be authenticated, which can also be described as that the first fingerprint of the device to be authenticated is associated with the output of the device to be authenticated.
可选地,待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号等中的一项或多项,本申请对此不做限定。Optionally, the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals, which are not limited in this application.
S220,客户端接收第一参数。其中,第一参数与第一指纹相关联,且第一参数至少用于认证待认证设备。S220, the client receives a first parameter. Wherein, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated.
应理解,上述第一参数与第一指纹相关联是指第一参数基于第一指纹得到。可选地,上述第一参数可以包括第一指纹的哈希值(即第一哈希值),也可以包括对第一指纹直接进行压缩之后的结果,本申请对此不做限定。It should be understood that the foregoing first parameter being associated with the first fingerprint means that the first parameter is obtained based on the first fingerprint. Optionally, the above-mentioned first parameter may include a hash value of the first fingerprint (that is, the first hash value), or may include a result of directly compressing the first fingerprint, which is not limited in this application.
可选地,第一指纹的哈希值可以通过文件系统生成或者通过其他方式生成,本申请对此不做限定。作为一个示例,该文件系统可以是IPFS,那么上述客户端接收第一参数可以是客户端从IPFS中接收第一参数。具体地,在实际操作中,客户端可以先提取待认证设备的指纹(即第一指纹),然后把指纹发送给IPFS,通过IPFS对指纹进行加密和存储并返回一个哈希值给客户端,应理解,该哈希值是基于该指纹得到的,从而能够避免在客户端进行待认证指纹的存储,节省了客户端的存储空间。Optionally, the hash value of the first fingerprint may be generated by a file system or by other means, which is not limited in this application. As an example, the file system may be IPFS, then the above-mentioned receiving of the first parameter by the client may be that the client receives the first parameter from IPFS. Specifically, in actual operation, the client can first extract the fingerprint of the device to be authenticated (that is, the first fingerprint), and then send the fingerprint to IPFS, encrypt and store the fingerprint through IPFS and return a hash value to the client, It should be understood that the hash value is obtained based on the fingerprint, so that the storage of the fingerprint to be authenticated at the client can be avoided and the storage space of the client can be saved.
S230,客户端发送第一参数至区块链。相应地,区块链接收客户端发送的第一参数。S230, the client sends the first parameter to the blockchain. Correspondingly, the blockchain receives the first parameter sent by the client.
S240,区块链根据第一参数对待认证设备进行认证。S240, the block chain authenticates the device to be authenticated according to the first parameter.
在本申请实施例中,通过客户端获取待认证设备的第一指纹,并将与该第一指纹相关的第一参数发送至区块链,同时在区块链上基于第一参数进行设备认证,保证设备可信,能够提高设备的安全性。另外,本申请方案相对于传统方案而言,由于无需在设备中编程和预置密钥,也无需在设备中增加硬件安全模块,从而解决了硬件成本问题,也不需要担心硬件安全存储的空间问题,还可以实现设备即插即用。In the embodiment of this application, the first fingerprint of the device to be authenticated is obtained through the client, and the first parameter related to the first fingerprint is sent to the block chain, and at the same time, device authentication is performed on the block chain based on the first parameter , to ensure the reliability of the device and improve the security of the device. In addition, compared with the traditional solution, the solution of this application does not need to program and pre-set keys in the device, and does not need to add a hardware security module to the device, thus solving the problem of hardware cost, and there is no need to worry about the space for hardware security storage problem, it can also realize the device plug and play.
可选地,在客户端获取待认证设备的第一指纹之前,方法200还可以包括:客户端获取预置设备的第二指纹,该第二指纹为参考指纹;客户端接收第二参数,该第二参数与第二指纹相关联,且第二参数至少用于认证待认证设备;客户端发送第二参数至区块链。相应的,区块链接收客户端发送的第二参数,并根据第一参数和第二参数对待认证设备进行认证。Optionally, before the client acquires the first fingerprint of the device to be authenticated, the method 200 may further include: the client acquires a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; the client receives a second parameter, the The second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; the client sends the second parameter to the block chain. Correspondingly, the block chain receives the second parameter sent by the client, and authenticates the device to be authenticated according to the first parameter and the second parameter.
同样地,上述第二参数与第二指纹相关联也可以是指第二参数基于第二指纹得到。可选地,上述第二参数可以包括第二指纹的哈希值(即第二哈希值),也可以包括对第二指纹直接进行压缩之后的结果,本申请对此不做限定。Likewise, the foregoing second parameter being associated with the second fingerprint may also mean that the second parameter is obtained based on the second fingerprint. Optionally, the above-mentioned second parameter may include a hash value of the second fingerprint (that is, the second hash value), or may include a result of directly compressing the second fingerprint, which is not limited in the present application.
可选地,第二指纹的哈希值可以通过文件系统生成。作为一个示例,该文件系统可以是IPFS,那么上述客户端接收第二参数可以是客户端从IPFS中接收第二参数。具体地,在实际操作中,客户端可以先提取预置设备的指纹,然后把指纹发送给IPFS,通过IPFS对指纹数据进行加密和存储并返回一个哈希值给客户端,从而能够避免在客户端进行预置 设备指纹的存储,节省了客户端的存储空间。Optionally, the hash value of the second fingerprint can be generated through the file system. As an example, the file system may be IPFS, then the above-mentioned receiving of the second parameter by the client may be that the client receives the second parameter from IPFS. Specifically, in actual operation, the client can first extract the fingerprint of the pre-installed device, then send the fingerprint to IPFS, encrypt and store the fingerprint data through IPFS, and return a hash value to the client, thereby avoiding The terminal stores the preset device fingerprints, which saves the storage space of the client.
其中,预置设备是指预先安装的可信任的设备,将其指纹作为参考指纹,可以在后续基于该指纹与待认证设备的指纹进行比较,以确定设备有没有被恶意替换。可选地,预置设备可以在不同情况下完成预置,例如,可以在出厂时由整车厂商或者整车厂商信任的设备供应商进行设备的预置,也可以是在后续售后维修时,由相关专业技术人员进行设备的预置或将原有的预置设备进行替换,本申请对此不做限定。Among them, the pre-installed device refers to a pre-installed trusted device, whose fingerprint is used as a reference fingerprint, which can be compared with the fingerprint of the device to be authenticated based on the fingerprint to determine whether the device has been maliciously replaced. Optionally, the preset device can be preset under different circumstances. For example, the device can be preset by the vehicle manufacturer or an equipment supplier trusted by the vehicle manufacturer when leaving the factory, or it can be done during subsequent after-sales maintenance. Relevant professional and technical personnel carry out the preset of the equipment or replace the original preset equipment, which is not limited in this application.
可选地,根据第一参数和第二参数对该待认证设备进行认证包括:根据第一参数和第二参数获取第一指纹和第二指纹;根据第一指纹和第二指纹对待认证设备进行认证。Optionally, authenticating the device to be authenticated according to the first parameter and the second parameter includes: obtaining the first fingerprint and the second fingerprint according to the first parameter and the second parameter; certified.
可选地,上述根据第一参数和第二参数获取第一指纹和第二指纹,可以是区块链基于第一参数和第二参数直接从文件系统(例如,IPFS)获取第一指纹和第二指纹,从而能够提高指纹获取的速度和安全性。Optionally, the acquisition of the first fingerprint and the second fingerprint according to the first parameter and the second parameter above may be that the blockchain directly acquires the first fingerprint and the second fingerprint from the file system (for example, IPFS) based on the first parameter and the second parameter. Two fingerprints, which can improve the speed and security of fingerprint acquisition.
具体地,区块链基于第一参数和第二参数可以直接从IPFS获取先前客户端发送的待认证设备的第一指纹和预置设备的第二指纹,然后将第一指纹和第二指纹进行比对,以实现对待认证设备的认证,进而保证设备的安全。Specifically, based on the first parameter and the second parameter, the blockchain can directly obtain the first fingerprint of the device to be authenticated and the second fingerprint of the preset device sent by the previous client from IPFS, and then compare the first fingerprint and the second fingerprint. Comparison, in order to realize the authentication of the equipment to be authenticated, and then ensure the security of the equipment.
可选地,根据第一指纹和第二指纹对待认证设备进行认证,具体可以是根据第一指纹和第二指纹的相似度对待认证设备进行认证。Optionally, the device to be authenticated is authenticated according to the first fingerprint and the second fingerprint, specifically, the device to be authenticated may be authenticated according to the similarity between the first fingerprint and the second fingerprint.
在本申请实施例中,在接收客户端发送的第一参数之前,可以先接收客户端发送的与预置设备的第二指纹(即参考指纹)相关的第二参数,然后根据第一参数和第二参数对待认证设备进行认证,从而能够提高设备的安全性。In this embodiment of the present application, before receiving the first parameter sent by the client, the second parameter related to the second fingerprint of the preset device (that is, the reference fingerprint) sent by the client may be received first, and then according to the first parameter and The second parameter authenticates the device to be authenticated, so that the security of the device can be improved.
在一种可选的实施方式中,方法200还可以包括:确定预置设备或第二指纹具有配置权限,该配置权限至少用于指示该第二指纹为参考指纹。In an optional implementation manner, the method 200 may further include: determining that the provisioning device or the second fingerprint has configuration authority, where the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
在一种可选的实施方式中,方法200还可以包括:确定预置设备或第二指纹具有配置权限;基于配置权限对第二指纹进行获取和/或配置操作。In an optional implementation manner, the method 200 may further include: determining that the provisioning device or the second fingerprint has a configuration authority; and performing an acquisition and/or configuration operation on the second fingerprint based on the configuration authority.
示例性地,客户端可以在获取预置设备的第二指纹之前,确定预置设备或第二指纹具有配置权限。Exemplarily, before obtaining the second fingerprint of the provisioning device, the client may determine that the provisioning device or the second fingerprint has configuration authority.
应理解,由于预置设备的第二指纹需要作为参考指纹,因而客户端还需要确定该预置设备或该第二指纹是否具有配置权限,以便后续可以对第二指纹进行获取和/或配置操作,其中,配置操作可以包括第二指纹配置为参考指纹。如果该预置设备或该第二指纹具有配置权限,则第二指纹可以为参考指纹,或者可以理解为,第二指纹可以被配置为参考指纹或者将第二指纹作为参考指纹。示例地,客户端可以在获取第二指纹之前,确定该预置设备或该第二指纹是否具有配置权限,如果确定有配置权限,则将第二指纹作为参考指纹。基于此,可以保证设备认证的安全性。It should be understood that since the second fingerprint of the pre-provisioned device needs to be used as a reference fingerprint, the client also needs to determine whether the pre-provisioned device or the second fingerprint has configuration authority, so that the second fingerprint can be obtained and/or configured subsequently. , wherein the configuring operation may include configuring the second fingerprint as a reference fingerprint. If the provisioning device or the second fingerprint has configuration authority, the second fingerprint may be a reference fingerprint, or it may be understood that the second fingerprint may be configured as a reference fingerprint or the second fingerprint may be used as a reference fingerprint. For example, before acquiring the second fingerprint, the client may determine whether the provisioning device or the second fingerprint has configuration authority, and if it is determined that there is configuration authority, the second fingerprint may be used as a reference fingerprint. Based on this, the security of device authentication can be guaranteed.
可选地,可以在客户端切换到“参考指纹提取与上传模式”(例如:配置模式、工程模式等)时确定该预置设备或该第二指纹是否具备配置权限。应理解,在该模式下,如果确定该预置设备或该第二指纹具备配置权限,则上传的第二指纹会被标注为参考指纹,区块链在后续认证过程中将用该参考指纹与后续新指纹(即第一指纹)进行对比。若在上传时,区块链已经记录有一个参考指纹,那么新上传的参考指纹可以替换旧的参考指纹。应理解,配置模式的切换还可以通过权限控制流程(例如:认证、密码等),保证只有授权的人才能进行参考指纹的操作/配置,进而保证设备认证的安全性。Optionally, it may be determined whether the preset device or the second fingerprint has configuration authority when the client switches to the "reference fingerprint extraction and upload mode" (for example: configuration mode, engineering mode, etc.). It should be understood that in this mode, if it is determined that the preset device or the second fingerprint has configuration authority, the uploaded second fingerprint will be marked as a reference fingerprint, and the blockchain will use this reference fingerprint and Subsequent new fingerprints (ie, the first fingerprint) are compared. If the blockchain has already recorded a reference fingerprint when uploading, then the newly uploaded reference fingerprint can replace the old reference fingerprint. It should be understood that the switch of the configuration mode can also pass through the authority control process (for example: authentication, password, etc.), to ensure that only authorized persons can perform the operation/configuration of the reference fingerprint, thereby ensuring the security of device authentication.
可选地,还可以通过智能合约对待认证设备进行认证,从而能够提高设备的安全性。Optionally, the device to be authenticated can also be authenticated through a smart contract, thereby improving the security of the device.
可选地,在区块链对待认证设备进行认证之后,方法200还可以包括:区块链对认证结果进行处理操作。可选地,该处理操作可以包括记录日志、触发警告和反馈认证结果至客户端等中的一项或多项。具体地,若认证失败,区块链可以采用后台记录或者触发警告的方式进行处理,还可以直接反馈认证结果给客户端,以使得客户端可以根据认证结果自行进行处理,例如,客户端可以采用拒绝通信、记录日志、风险提示等方式来处理,以保证设备的安全。Optionally, after the blockchain authenticates the device to be authenticated, the method 200 may further include: processing the authentication result by the blockchain. Optionally, the processing operation may include one or more of logging, triggering a warning, and feeding back an authentication result to the client. Specifically, if the authentication fails, the blockchain can use background records or trigger warnings for processing, and can also directly feed back the authentication results to the client, so that the client can process itself according to the authentication results. For example, the client can use Refuse communication, record logs, and risk warnings to ensure device security.
可选地,上述客户端获取待认证设备的第一指纹,可以是客户端以T为周期获取待认证设备的第一指纹,T为大于0的整数。同样地,客户端接收第一参数可以是:客户端以T为周期接收第一参数;客户端发送第一参数至区块链可以是:客户端以T为周期发送第一参数至区块链。相应地,区块链接收客户端发送的第一参数可以是:区块链以T为周期接收客户端发送的第一参数;区块链根据第一参数对待认证设备进行认证可以是:区块链根据以T为周期接收到的客户端发送的第一参数周期性地对待认证设备进行认证。Optionally, the client acquires the first fingerprint of the device to be authenticated, which may be that the client acquires the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0. Similarly, the client receiving the first parameter can be: the client receives the first parameter at a period of T; the client sending the first parameter to the blockchain can be: the client sends the first parameter to the blockchain at a period of T . Correspondingly, the block chain receives the first parameter sent by the client may be: the block chain receives the first parameter sent by the client at a period of T; the block chain authenticates the device to be authenticated according to the first parameter may be: block The chain periodically authenticates the device to be authenticated according to the first parameter received from the client at a period of T.
在本申请实施例中,通过根据以T为周期接收到的该客户端发送的第一参数周期性地对该待认证设备进行认证可以实现对待认证设备的持续认证,从而能够提高设备的安全性。In the embodiment of this application, the device to be authenticated can be continuously authenticated by periodically authenticating the device to be authenticated according to the first parameter received from the client at a period of T, thereby improving the security of the device .
下面以车载设备为例,结合图3至图6对车载设备的持续认证方案进行详细介绍。Taking the vehicle-mounted device as an example, the continuous authentication scheme of the vehicle-mounted device will be introduced in detail with reference to FIG. 3 to FIG. 6 .
图3是本申请实施例提供的一种车载设备的持续认证方法示例性。如图3所示,方法300包括步骤S310至S360,下面对这些步骤进行详细描述。Fig. 3 is an example of a continuous authentication method for a vehicle-mounted device provided by an embodiment of the present application. As shown in FIG. 3 , the method 300 includes steps S310 to S360 , and these steps will be described in detail below.
S310,提取参考指纹(即上述第二指纹)。具体地,通过客户端提取参考指纹。S310. Extract a reference fingerprint (that is, the above-mentioned second fingerprint). Specifically, the reference fingerprint is extracted through the client.
摄像头、毫米波雷达、激光雷达等传感器输出的原始数据(例如:输出的图像、视频、距离、速度、点云数据等数据)中隐藏着其固有的物理特征;其他车载设备,如通过CAN或ETH通讯的设备,从CAN和ETH接收的物理层信号和消息中,也携带有发送设备的物理特征。根据这些车载设备输出的信号或数据,可以提前体现该车载设备身份的独特物理特征作为该车载设备的指纹。例如根据PUF原理,便可以从这些车载设备输出的信号或数据中提取体现车载设备身份的独特物理特征,来作为设备指纹。The original data output by sensors such as cameras, millimeter-wave radars, and lidars (for example: output images, videos, distances, speeds, point cloud data, etc.) hide their inherent physical characteristics; other vehicle-mounted devices, such as through CAN or For ETH communication equipment, the physical layer signals and messages received from CAN and ETH also carry the physical characteristics of the sending equipment. According to the signals or data output by these vehicle-mounted devices, the unique physical characteristics that can reflect the identity of the vehicle-mounted device in advance can be used as the fingerprint of the vehicle-mounted device. For example, according to the PUF principle, the unique physical characteristics that reflect the identity of the vehicle-mounted device can be extracted from the signals or data output by these vehicle-mounted devices as device fingerprints.
下面将以提取预置摄像头指纹为例对指纹提取的过程进行示例性介绍。The fingerprint extraction process will be exemplarily introduced below by taking the fingerprint extraction of a pre-installed camera as an example.
步骤1:首先从预置摄像头输出的视频流中获取N张图像,本申请对所获取的图像数目不做限定。Step 1: First, acquire N images from the video stream output by the preset camera, and this application does not limit the number of acquired images.
步骤2:定义N张图像中的每张图像包括的像素块中的一个像素与其他像素的线性关系。Step 2: Define the linear relationship between one pixel and other pixels in the pixel blocks included in each of the N images.
应理解,N张图像的每张图像中,都包括多个像素块,每个像素块都包括M*R的像素阵列。其中,M表示水平像素数,R表示垂直像素数,M和R可以相同,也可以不同。应理解,每张图像中所包括的像素块的数目可以相同也可以不同;且不同像素块对应的像素阵列可以相同也可以不同(即不同像素块对应的像素阵列的M值和R值可以相同也可以不同),本申请对此不做限定。示例性地,像素阵列可以为3*3、3*5、5*5、5*9、9*9、16*16等,本申请对此不做限定。为便于描述,下文均以不同像素块对应相同的像素阵列为例进行描述。It should be understood that each of the N images includes multiple pixel blocks, and each pixel block includes an M*R pixel array. Wherein, M represents the number of horizontal pixels, and R represents the number of vertical pixels, and M and R may be the same or different. It should be understood that the number of pixel blocks included in each image can be the same or different; and the pixel arrays corresponding to different pixel blocks can be the same or different (that is, the M value and R value of the pixel arrays corresponding to different pixel blocks can be the same can also be different), which is not limited in this application. Exemplarily, the pixel array may be 3*3, 3*5, 5*5, 5*9, 9*9, 16*16, etc., which is not limited in this application. For the convenience of description, the description below will take different pixel blocks corresponding to the same pixel array as an example.
接下来,定义每个像素块中第a行第b列的像素对应的光强x ab与其他像素光强的线性 关系模型: Next, define the linear relationship model between the light intensity x ab corresponding to the pixel in row a and column b in each pixel block and the light intensity of other pixels:
Figure PCTCN2021130393-appb-000001
Figure PCTCN2021130393-appb-000001
其中,a和b分别满足关系:1≤a≤R,1≤b≤M。Wherein, a and b respectively satisfy the relationship: 1≤a≤R, 1≤b≤M.
示例性地,以5*5的像素阵列(如表1所示)为例,定义每个像素块中的第3行第3列像素的光强x 33与其他像素的光强的线性关系。 Exemplarily, taking a 5*5 pixel array (as shown in Table 1) as an example, define a linear relationship between the light intensity x 33 of the pixel in the third row and the third column in each pixel block and the light intensity of other pixels.
表1:Table 1:
x 11 x 11 x 12 x 12 x 13 x 13 x 14 x 14 x 15 x 15
x 21 x 21 x 22 x 22 x 23 x 23 x 24 x 24 x 25 x 25
x 31 x 31 x 32 x 32 x 33 x 33 x 34 x 34 x 35 x 35
x 41 x 41 x 42 x 42 x 43 x 43 x 44 x 44 x 45 x 45
x 51 x 51 x 52 x 52 x 53 x 53 x 54 x 54 x 55 x 55
第3行第3列像素的光强x 33与其他像素的光强的线性关系模型为: The linear relationship model between the light intensity x 33 of the pixel in the third row and the third column and the light intensity of other pixels is:
Figure PCTCN2021130393-appb-000002
Figure PCTCN2021130393-appb-000002
步骤3:根据上述N张图像中的K个像素块的像素(这K个像素块中的每个像素块都可以来自不同的图像,或者,这K个像素块中的多个像素块可以来自同一张图像,本申请对此不做限定),构建如下样本数据:Step 3: According to the pixels of K pixel blocks in the above N images (each pixel block in these K pixel blocks can come from a different image, or, multiple pixel blocks in these K pixel blocks can come from The same image, which is not limited in this application), construct the following sample data:
Figure PCTCN2021130393-appb-000003
Figure PCTCN2021130393-appb-000003
其中,y i表示K个像素块中的第i个像素块中第a行第b列的像素的光强,x i,1,x i,2,...,x i,n表示第i个像素块中除第a行第b列的像素以外的其他像素的光强,n=M*R-1,这里的M、R可以理解为第i个像素块包括的水平像素数和垂直像素数,其中K个像素块中每个像素块对应的M和R的取值如前述描述,这里不做赘述。 Among them, y i represents the light intensity of the pixel in row a and column b in the i-th pixel block of K pixel blocks, and x i,1 , xi,2 ,...,xi ,n represent the i-th In a pixel block, the light intensity of other pixels except the pixels in the ath row and the bth column, n=M*R-1, where M and R can be understood as the number of horizontal pixels and vertical pixels included in the ith pixel block The values of M and R corresponding to each pixel block in the K pixel blocks are as described above, and will not be repeated here.
然后基于所构建的样本数据,对上述所定义的模型进行训练,以确定模型中的参数C和B。Then, based on the constructed sample data, the above-defined model is trained to determine parameters C and B in the model.
应理解,在得到模型之后,便可以根据模型预测每个像素块中第a行第b列的像素的光强,即可以通过其周边像素的光强(即除第a行第b列的其他像素的光强)作为输入,通过模型计算出第a行第b列像素的光强。It should be understood that after the model is obtained, the light intensity of the pixel in row a and column b in each pixel block can be predicted according to the model, that is, the light intensity that can pass through its surrounding pixels (that is, other pixels except row a and column b The light intensity of the pixel) is used as input, and the light intensity of the pixel in row a and column b is calculated through the model.
步骤4:根据模型对每个像素块中的第a行第b列的像素值进行预测,并计算预测值与真实值的偏差,并将第a行第b列的预测值与真实值的偏差记为(a,b,bias)。Step 4: Predict the pixel value of row a and column b in each pixel block according to the model, and calculate the deviation between the predicted value and the real value, and calculate the deviation between the predicted value of row a and column b and the real value Denoted as (a,b,bias).
步骤5:在K个像素块中取D个最大偏差构成向量,并将该向量作为指纹。Step 5: Take D maximum deviations from K pixel blocks to form a vector, and use this vector as a fingerprint.
S320,存储参考指纹。S320, storing the reference fingerprint.
在得到参考指纹后,客户端将参考指纹发送给IPFS;通过IPFS来加密并存储上述提取的参考指纹数据,并向客户端返回参考指纹的哈希值(即上述第二哈希值);然后客户端将IPFS返回的第二哈希值作为交易发送给区块链各节点,如图4所示。After obtaining the reference fingerprint, the client sends the reference fingerprint to IPFS; encrypts and stores the above-mentioned extracted reference fingerprint data through IPFS, and returns the hash value of the reference fingerprint (ie, the above-mentioned second hash value) to the client; then The client sends the second hash value returned by IPFS as a transaction to each node of the blockchain, as shown in Figure 4.
S330,参考指纹哈希值上链。S330, referring to the hash value of the fingerprint on the chain.
应理解,指纹哈希值上链是指将指纹的哈希值作为交易存储在区块链的各节点上。It should be understood that the on-chain fingerprint hash value refers to storing the hash value of the fingerprint as a transaction on each node of the blockchain.
示例地,区块链的各节点将接收到的第二哈希值按照区块链的数据结构打包成区块,并利用共识算法驱动各节点验证区块中的交易,验证完成后数据被广播到所有的节点,数据成功上链,即完成对指纹数据的存证。For example, each node of the blockchain packs the received second hash value into a block according to the data structure of the blockchain, and uses a consensus algorithm to drive each node to verify the transaction in the block, and the data is broadcast after the verification is completed To all nodes, the data is successfully uploaded to the chain, that is, the storage of fingerprint data is completed.
S340,待认证指纹(即第一指纹)提取上链。S340, the fingerprint to be authenticated (that is, the first fingerprint) is extracted and uploaded to the blockchain.
参考上述步骤S310至S330,提取待认证指纹并上链,如图5所示。Referring to the above steps S310 to S330, extract the fingerprint to be authenticated and upload it to the chain, as shown in Figure 5.
应理解,在本申请中,区块链可以采用以太坊私有链和基于权益证明(proof of stake,POS)的共识机制,将指纹数据打包上链后存在区块链数据层,区块链的不可篡改性可以保证身份的完整性。在本申请中,还可以在区块链上部署具备图灵完备性的智能合约,例如,部署认证合约对指纹进行认证(参见步骤S350)和防伪合约对认证结果进行处理(参见步骤S360)。It should be understood that in this application, the block chain can adopt the Ethereum private chain and the consensus mechanism based on proof of stake (POS). After the fingerprint data is packaged on the chain, there is a block chain data layer. Immutability ensures identity integrity. In this application, smart contracts with Turing completeness can also be deployed on the blockchain, for example, deploying authentication contracts to authenticate fingerprints (see step S350) and anti-counterfeit contracts to process authentication results (see step S360).
S350,指纹认证。S350, fingerprint authentication.
区块链的合约层中部署有认证的脚本算法,待认证指纹上链时,触发认证智能合约,进而智能合约根据参考指纹的第二哈希值和待认证指纹的第一哈希值从IPFS中提取出参考指纹和待认证指纹并进行对比认证,如图6所示。在对比过程中,可以根据两个指纹的相似度来判别它们是否来自同一个车载设备。The authentication script algorithm is deployed in the contract layer of the blockchain. When the fingerprint to be authenticated is uploaded to the chain, the authentication smart contract is triggered, and then the smart contract is transferred from IPFS according to the second hash value of the reference fingerprint and the first hash value of the fingerprint to be authenticated. The reference fingerprint and the fingerprint to be authenticated are extracted and compared for authentication, as shown in Figure 6. During the comparison process, it can be judged whether the two fingerprints come from the same vehicle-mounted device according to their similarity.
可选地,可以通过余弦相似度来计算两个指纹的相似度,若余弦相似度大于预设阈值,则认为认证成功(即两个指纹来自同一个车载设备)。Optionally, the similarity of two fingerprints can be calculated by cosine similarity. If the cosine similarity is greater than a preset threshold, the authentication is considered successful (that is, the two fingerprints come from the same vehicle-mounted device).
应理解,由于余弦相似度的值域为[-1,1],在实际操作中可以先通过实验,获取一个合理的预设阈值,例如:0.4,那么就是说,若两个指纹的余弦相似度大于0.4,则认为认证成功。It should be understood that since the value range of cosine similarity is [-1,1], in actual operation, a reasonable preset threshold can be obtained through experiments, for example: 0.4, that is to say, if the cosines of two fingerprints are similar If the degree is greater than 0.4, the authentication is considered successful.
应理解,实际操作中也可以通过其他现有方法计算两个指纹的相似度,本申请对此不做限定。It should be understood that in practice, other existing methods may also be used to calculate the similarity between two fingerprints, which is not limited in this application.
可选地,基于上述方法,还可以周期性地采集待认证指纹来与参考指纹进行比较,以实现指纹的持续认证(即周期性的重复S340和S350实现持续认证)。Optionally, based on the above method, the fingerprint to be authenticated may also be collected periodically for comparison with the reference fingerprint, so as to realize continuous authentication of fingerprints (that is, to periodically repeat S340 and S350 to realize continuous authentication).
可选地,待认证指纹采集周期可以设定为1min、5min、10min、15min等,具体需结合实际区块链的交易时间、数据处理时间等确定,本申请对此不做限定。Optionally, the collection period of fingerprints to be authenticated can be set to 1min, 5min, 10min, 15min, etc., which need to be determined in conjunction with the transaction time and data processing time of the actual blockchain, which is not limited in this application.
S360,认证结果处理。S360, processing the authentication result.
在本申请中,可以将认证成功的合约状态记为0,将认证失败的合约状态记为1。以使得,在认证成功的状态下,合约状态显示为0;在认证失败的情况下,合约状态显示为1,同时,在认证失败时,还可以触发防伪合约,防伪合约则记录该设备认证失败的次数或做其他任务(例如,提示车主等),本申请对此不做限定。In this application, the contract status of successful authentication can be recorded as 0, and the contract status of failed authentication can be recorded as 1. In this way, when the authentication is successful, the contract status is displayed as 0; when the authentication fails, the contract status is displayed as 1. At the same time, when the authentication fails, the anti-counterfeiting contract can also be triggered, and the anti-counterfeiting contract will record that the device has failed authentication. times or do other tasks (for example, prompting the owner, etc.), this application does not limit this.
图7是本申请实施例提供的一种设备认证装置700。该装置700应用于客户端,该装置包括:处理模块710和收发模块720。应理解,收发模块具有数据发送和/或接收的能力。Fig. 7 is an apparatus 700 for device authentication provided by an embodiment of the present application. The apparatus 700 is applied to a client, and the apparatus includes: a processing module 710 and a transceiver module 720 . It should be understood that the transceiver module has the capability of sending and/or receiving data.
其中,处理模块710用于获取待认证设备的第一指纹。Wherein, the processing module 710 is configured to obtain the first fingerprint of the device to be authenticated.
收发模块720用于接收第一参数,第一参数与第一指纹相关联,且第一参数至少用于认证待认证设备。The transceiver module 720 is configured to receive a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated.
收发模块720还用于,发送第一参数至区块链。The transceiver module 720 is also used to send the first parameter to the block chain.
可选地,第一参数可以包括第一哈希值;收发模块720还可以用于,从星际文件系统IPFS接收第一哈希值。Optionally, the first parameter may include a first hash value; the transceiver module 720 may also be configured to receive the first hash value from the interplanetary file system IPFS.
可选地,第一指纹可以与待认证设备的输出相关联。Optionally, the first fingerprint may be associated with the output of the device to be authenticated.
可选地,待认证设备的输出可以包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号等中的一项或多项。Optionally, the output of the device to be authenticated may include one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals.
可选地,处理模块710还可以用于,以T为周期获取待认证设备的第一指纹,T为大于0的整数。Optionally, the processing module 710 may also be configured to acquire the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
可选地,在获取待认证设备的第一指纹之前,处理模块710还可以用于,获取预置设备的第二指纹,第二指纹为参考指纹;收发模块720还可以用于,接收第二参数,第二参数与第二指纹相关联,且第二参数至少用于认证待认证设备;发送第二参数至区块链。Optionally, before obtaining the first fingerprint of the device to be authenticated, the processing module 710 may also be used to obtain a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint; the transceiver module 720 may also be used to receive the second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; and the second parameter is sent to the block chain.
可选地,第二参数可以包括第二哈希值;收发模块720还可以用于,从星际文件系统IPFS接收第二哈希值。Optionally, the second parameter may include a second hash value; the transceiver module 720 may also be configured to receive the second hash value from the interplanetary file system IPFS.
可选地,该处理模块710还可以用于,确定预置设备或第二指纹具有配置权限,该配置权限至少用于指示所述第二指纹为参考指纹。Optionally, the processing module 710 may be further configured to determine that the provisioning device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
在一种可选的实施方式中,该处理模块710还可以用于,确定预置设备或第二指纹具有配置权限;基于该配置权限对该第二指纹进行获取和/或配置操作。In an optional implementation manner, the processing module 710 may also be configured to determine that the pre-configured device or the second fingerprint has configuration authority; and perform acquisition and/or configuration operations on the second fingerprint based on the configuration authority.
示例性地,该处理模块710可以在获取预置设备的第二指纹之前,确定预置设备或第二指纹具有配置权限。Exemplarily, the processing module 710 may determine that the provisioning device or the second fingerprint has configuration authority before obtaining the second fingerprint of the provisioning device.
图8是本申请实施例提供的一种设备认证装置800。该装置800应用于区块链,该装置包括:收发模块810和处理模块820。应理解,收发模块具有数据发送和/或接收的能力。FIG. 8 is an apparatus 800 for device authentication provided by an embodiment of the present application. The device 800 is applied to a block chain, and the device includes: a transceiver module 810 and a processing module 820 . It should be understood that the transceiver module has the capability of sending and/or receiving data.
其中,收发模块810用于接收客户端发送的第一参数,第一参数与待认证设备的第一指纹相关联。Wherein, the transceiver module 810 is configured to receive the first parameter sent by the client, and the first parameter is associated with the first fingerprint of the device to be authenticated.
处理模块820用于根据第一参数对待认证设备进行认证。The processing module 820 is configured to authenticate the device to be authenticated according to the first parameter.
可选地,第一参数可以包括第一哈希值,第一哈希值可以通过星际文件系统IPFS生成。Optionally, the first parameter may include a first hash value, and the first hash value may be generated through the interplanetary file system IPFS.
可选地,第一指纹可以与待认证设备的输出相关联。Optionally, the first fingerprint may be associated with the output of the device to be authenticated.
可选地,待认证设备的输出可以包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号等中的一项或多项。Optionally, the output of the device to be authenticated may include one or more of images, videos, distances, speeds, point cloud data, controller area network signals, and Ethernet signals.
可选地,在接收客户端发送的第一参数之前,收发模块810还可以用于,接收客户端发送的第二参数,第二参数与预置设备的第二指纹相关联,第二指纹为参考指纹;处理模块820还可以用于,根据第一参数和第二参数对待认证设备进行认证。Optionally, before receiving the first parameter sent by the client, the transceiver module 810 may also be configured to receive a second parameter sent by the client, the second parameter is associated with the second fingerprint of the preset device, and the second fingerprint is Referring to the fingerprint; the processing module 820 may also be configured to authenticate the device to be authenticated according to the first parameter and the second parameter.
可选地,处理模块820还可以用于,根据第一参数和第二参数获取第一指纹和第二指纹;根据第一指纹和第二指纹的相似度对待认证设备进行认证。Optionally, the processing module 820 may also be configured to acquire the first fingerprint and the second fingerprint according to the first parameter and the second parameter; and authenticate the device to be authenticated according to the similarity between the first fingerprint and the second fingerprint.
可选地,收发模块810还可以用于,以T为周期接收客户端发送的第一参数,T为大于0的整数;处理模块820还可以用于,根据以T为周期接收到的客户端发送的第一参数周期性地对待认证设备进行认证。Optionally, the transceiver module 810 can also be used to receive the first parameter sent by the client at a period of T, where T is an integer greater than 0; the processing module 820 can also be used to receive the first parameter from the client at a period of T. The sent first parameter periodically authenticates the device to be authenticated.
可选地,处理模块820还可以用于,通过智能合约和第一参数对待认证设备进行认证。Optionally, the processing module 820 may also be configured to authenticate the device to be authenticated through the smart contract and the first parameter.
可选地,处理模块820还可以用于,对认证结果进行处理操作,处理操作包括记录日志、触发警告和反馈认证结果至客户端等中的一项或多项。Optionally, the processing module 820 may also be configured to perform a processing operation on the authentication result, and the processing operation includes one or more of logging, triggering a warning, and feeding back the authentication result to the client.
图9是本申请实施例提供的一种设备认证系统900。如图9所示,该系统900包括装置700和装置800,且该装置700应用于客户端,可以用于执行本申请方法实施例中客户端所对应的相关操作,该装置800应用于区块链,可以用于执行本申请方法实施例中区块链所对应的相关操作。FIG. 9 is a device authentication system 900 provided by an embodiment of the present application. As shown in Figure 9, the system 900 includes a device 700 and a device 800, and the device 700 is applied to the client, and can be used to perform related operations corresponding to the client in the method embodiment of the present application. The device 800 is applied to the block The chain can be used to perform related operations corresponding to the blockchain in the method embodiments of this application.
图10是本申请实施例提供的设备认证装置的硬件结构示例性框图。可选地,该装置1000具体可以是一种计算机设备。该装置1000包括存储器1010、处理器1020、通信接口1030以及总线1040。其中,存储器1010、处理器1020、通信接口1030通过总线1040实现彼此之间的通信连接。Fig. 10 is an exemplary block diagram of the hardware structure of the device authentication apparatus provided by the embodiment of the present application. Optionally, the apparatus 1000 may specifically be a computer device. The device 1000 includes a memory 1010 , a processor 1020 , a communication interface 1030 and a bus 1040 . Wherein, the memory 1010 , the processor 1020 , and the communication interface 1030 are connected to each other through the bus 1040 .
存储器1010可以是只读存储器(read-only memory,ROM),静态存储设备,动态存储设备或者随机存取存储器(random access memory,RAM)。存储器1010可以存储程序,当存储器1010中存储的程序被处理器1020执行时,处理器1020用于执行本申请实施例的认证方法的各个步骤。The memory 1010 may be a read-only memory (read-only memory, ROM), a static storage device, a dynamic storage device or a random access memory (random access memory, RAM). The memory 1010 may store a program, and when the program stored in the memory 1010 is executed by the processor 1020, the processor 1020 is configured to execute each step of the authentication method in the embodiment of the present application.
处理器1020可以采用通用CPU,微处理器,ASIC,图形处理器(graphics processing unit,GPU)或者一个或多个集成电路,用于执行相关程序,以实现本申请方法实施例的认证方法。The processor 1020 may adopt a general-purpose CPU, a microprocessor, an ASIC, a graphics processing unit (graphics processing unit, GPU) or one or more integrated circuits for executing related programs to implement the authentication method of the method embodiment of the present application.
处理器1020还可以是一种集成电路芯片,具有信号处理能力。在实现过程中,本申请的认证方法可以通过处理器1020中的硬件的集成逻辑电路或者软件形式的指令完成。The processor 1020 may also be an integrated circuit chip with signal processing capability. During implementation, the authentication method of the present application may be completed by an integrated logic circuit of hardware in the processor 1020 or instructions in the form of software.
上述处理器1020还可以是通用处理器、数字信号处理器(digital signal processor,DSP)、ASIC、FPGA或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器1010,处理器1020读取存储器1010中的信息,结合其硬件完成本申请实施例的装置中包括的模块所需执行的功能,或者执行本申请方法实施例的认证方法。The above-mentioned processor 1020 may also be a general-purpose processor, a digital signal processor (digital signal processor, DSP), ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, and discrete hardware components. Various methods, steps, and logic block diagrams disclosed in the embodiments of the present application may be implemented or executed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register. The storage medium is located in the memory 1010, and the processor 1020 reads the information in the memory 1010, and combines its hardware to complete the functions required by the modules included in the device of the embodiment of the present application, or execute the authentication method of the method embodiment of the present application.
通信接口1030使用例如但不限于收发器一类的收发装置,来实现装置1000与其他设备或通信网络之间的通信。The communication interface 1030 implements communication between the apparatus 1000 and other devices or communication networks by using a transceiver device such as but not limited to a transceiver.
总线1040可包括在装置1000各个部件(例如,存储器1010、处理器1020、通信接口1030)之间传送信息的通路。Bus 1040 may include pathways for communicating information between various components of device 1000 (eg, memory 1010, processor 1020, communication interface 1030).
本申请实施例还提供了一种车载部件,包括用于执行本申请方法实施例中客户端所对应的相关操作。The embodiment of the present application also provides an on-vehicle component, including a device for performing related operations corresponding to the client in the method embodiment of the present application.
本申请实施例还提供了一种车辆,包括电子控制单元,该电子控制单元用于执行本申请方法实施例中客户端所对应的相关操作。The embodiment of the present application also provides a vehicle, including an electronic control unit, and the electronic control unit is configured to perform related operations corresponding to the client in the method embodiment of the present application.
本申请实施例还提供了一种计算机可读存储介质,其特征在于,包括指令;所述指令用于实现本申请方法实施例中客户端所对应的相关操作;和/或,实现本申请方法实施例 中区块链所对应的相关操作。The embodiment of the present application also provides a computer-readable storage medium, which is characterized by including instructions; the instructions are used to implement the related operations corresponding to the client in the method embodiments of the application; and/or, to implement the method of the application Related operations corresponding to the blockchain in the embodiment.
本申请实施例还提供了一种算机程序产品,其特征在于,包括:计算机程序,当计算机程序被运行时,使得计算机执行本申请方法实施例中客户端所对应的相关操作;和/或,执行本申请方法实施例中区块链所对应的相关操作。The embodiment of the present application also provides a computer program product, which is characterized in that it includes: a computer program that, when the computer program is run, causes the computer to perform the relevant operations corresponding to the client in the method embodiment of the present application; and/or , to execute the relevant operations corresponding to the blockchain in the method embodiment of the present application.
本申请实施例还提供了一种计算设备,包括:至少一个处理器和存储器,所述至少一个处理器与所述存储器耦合,用于读取并执行所述存储器中的指令,以执行本申请方法实施例中客户端所对应的相关操作;和/或,执行本申请方法实施例中区块链所对应的相关操作。The embodiment of the present application also provides a computing device, including: at least one processor and a memory, the at least one processor is coupled to the memory, and is used to read and execute instructions in the memory to execute the present application The related operations corresponding to the client in the method embodiment; and/or, the execution of the related operation corresponding to the block chain in the method embodiment of the present application.
本申请实施例还提供了一种芯片,所述芯片包括处理器与数据接口,所述处理器通过所述数据接口读取存储器上存储的指令,执行本申请方法实施例中客户端所对应的相关操作;和/或,执行本申请方法实施例中区块链所对应的相关操作。The embodiment of the present application also provides a chip, the chip includes a processor and a data interface, the processor reads the instructions stored on the memory through the data interface, and executes the instructions corresponding to the client in the method embodiment of the present application. Related operations; and/or, performing related operations corresponding to the blockchain in the method embodiments of the present application.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those skilled in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。If the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes. .
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖 在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the application, but the scope of protection of the application is not limited thereto. Anyone familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the application. Should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.

Claims (30)

  1. 一种设备认证方法,其特征在于,所述方法应用于客户端,所述方法包括:A device authentication method, characterized in that the method is applied to a client, and the method includes:
    获取待认证设备的第一指纹;Obtain the first fingerprint of the device to be authenticated;
    接收第一参数,所述第一参数与所述第一指纹相关联,且所述第一参数至少用于认证所述待认证设备;receiving a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is used to at least authenticate the device to be authenticated;
    发送所述第一参数至区块链。Send the first parameter to the block chain.
  2. 如权利要求1所述的方法,其特征在于,所述第一参数包括第一哈希值;所述接收第一参数包括:The method according to claim 1, wherein the first parameter comprises a first hash value; and the receiving the first parameter comprises:
    从星际文件系统IPFS接收所述第一哈希值。The first hash value is received from the Interplanetary File System IPFS.
  3. 如权利要求1或2所述的方法,其特征在于,所述第一指纹与所述待认证设备的输出相关联。The method according to claim 1 or 2, characterized in that the first fingerprint is associated with the output of the device to be authenticated.
  4. 如权利要求3所述的方法,其特征在于,所述待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号中的一项或多项。The method according to claim 3, wherein the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals and Ethernet signals.
  5. 如权利要求1至4中任一项所述的方法,其特征在于,所述获取待认证设备的第一指纹,包括:The method according to any one of claims 1 to 4, wherein said obtaining the first fingerprint of the device to be authenticated comprises:
    以T为周期获取所述待认证设备的第一指纹,T为大于0的整数。Acquire the first fingerprint of the device to be authenticated at a period of T, where T is an integer greater than 0.
  6. 如权利要求1至5中任一项所述的方法,其特征在于,在所述获取待认证设备的第一指纹之前,所述方法还包括:The method according to any one of claims 1 to 5, wherein, before said obtaining the first fingerprint of the device to be authenticated, said method further comprises:
    获取预置设备的第二指纹,所述第二指纹为参考指纹;Obtain a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint;
    接收第二参数,所述第二参数与所述第二指纹相关联,且所述第二参数至少用于认证所述待认证设备;receiving a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is used to at least authenticate the device to be authenticated;
    发送所述第二参数至区块链。Send the second parameter to the block chain.
  7. 如权利要求6所述的方法,其特征在于,所述第二参数包括第二哈希值;所述接收第二参数包括:The method according to claim 6, wherein the second parameter comprises a second hash value; and the receiving the second parameter comprises:
    从星际文件系统IPFS接收所述第二哈希值。The second hash value is received from the Interplanetary File System IPFS.
  8. 如权利要求6或7所述的方法,其特征在于,所述方法还包括:The method according to claim 6 or 7, wherein the method further comprises:
    确定所述预置设备或所述第二指纹具有配置权限,所述配置权限至少用于指示所述第二指纹为参考指纹。It is determined that the provisioning device or the second fingerprint has configuration authority, and the configuration authority is at least used to indicate that the second fingerprint is a reference fingerprint.
  9. 一种设备认证方法,其特征在于,所述方法应用于区块链,所述方法包括:A device authentication method, characterized in that the method is applied to a block chain, and the method includes:
    接收客户端发送的第一参数,所述第一参数与待认证设备的第一指纹相关联;receiving a first parameter sent by the client, where the first parameter is associated with the first fingerprint of the device to be authenticated;
    根据所述第一参数对所述待认证设备进行认证。Authenticate the device to be authenticated according to the first parameter.
  10. 如权利要求9所述的方法,其特征在于,所述第一参数包括第一哈希值,所述第一哈希值通过星际文件系统IPFS生成。The method according to claim 9, wherein the first parameter includes a first hash value, and the first hash value is generated through an interplanetary file system (IPFS).
  11. 如权利要求9或10所述的方法,其特征在于,所述第一指纹与所述待认证设备的输出相关联。The method according to claim 9 or 10, characterized in that the first fingerprint is associated with the output of the device to be authenticated.
  12. 如权利要求11所述的方法,其特征在于,所述待认证设备的输出包括图像、视频、距离、速度、点云数据、控制器域网信号和以太坊信号中的一项或多项。The method according to claim 11, wherein the output of the device to be authenticated includes one or more of images, videos, distances, speeds, point cloud data, controller area network signals and Ethernet signals.
  13. 如权利要求9至12中任一项所述的方法,其特征在于,在所述接收客户端发送的第一参数之前,所述方法还包括:The method according to any one of claims 9 to 12, wherein before receiving the first parameter sent by the client, the method further comprises:
    接收所述客户端发送的第二参数,所述第二参数与预置设备的第二指纹相关联,所述第二指纹为参考指纹;receiving a second parameter sent by the client, the second parameter is associated with a second fingerprint of the preset device, and the second fingerprint is a reference fingerprint;
    所述根据所述第一参数对所述待认证设备进行认证包括:The authenticating the device to be authenticated according to the first parameter includes:
    根据所述第一参数和所述第二参数对所述待认证设备进行认证。Authenticate the device to be authenticated according to the first parameter and the second parameter.
  14. 如权利要求13所述的方法,其特征在于,所述根据所述第一参数和所述第二参数对所述待认证设备进行认证包括:The method according to claim 13, wherein the authenticating the device to be authenticated according to the first parameter and the second parameter comprises:
    根据所述第一参数和所述第二参数获取所述第一指纹和所述第二指纹;obtaining the first fingerprint and the second fingerprint according to the first parameter and the second parameter;
    根据所述第一指纹和所述第二指纹的相似度对所述待认证设备进行认证。Authenticate the device to be authenticated according to the similarity between the first fingerprint and the second fingerprint.
  15. 如权利要求9至14中任一项所述的方法,其特征在于,所述接收客户端发送的第一参数包括:The method according to any one of claims 9 to 14, wherein the first parameter sent by the receiving client includes:
    以T为周期接收所述客户端发送的第一参数,T为大于0的整数;receiving the first parameter sent by the client at a period of T, where T is an integer greater than 0;
    所述根据所述第一参数对所述待认证设备进行认证包括:The authenticating the device to be authenticated according to the first parameter includes:
    根据以T为周期接收到的所述客户端发送的第一参数周期性地对所述待认证设备进行认证。Periodically authenticate the device to be authenticated according to the received first parameter sent by the client at a period of T.
  16. 如权利要求9至15中任一项所述的方法,其特征在于,根据所述第一参数对所述待认证设备进行认证,包括:The method according to any one of claims 9 to 15, wherein authenticating the device to be authenticated according to the first parameter includes:
    通过智能合约和所述第一参数对所述待认证设备进行认证。Authenticate the device to be authenticated by using the smart contract and the first parameter.
  17. 如权利要求9至16中任一项所述的方法,其特征在于,在所述根据所述第一参数对所述待认证设备进行认证之后,所述方法还包括:The method according to any one of claims 9 to 16, wherein after the authentication of the device to be authenticated according to the first parameter, the method further comprises:
    对认证结果进行处理操作,所述处理操作包括记录日志、触发警告和反馈所述认证结果至所述客户端中的一项或多项。A processing operation is performed on the authentication result, and the processing operation includes one or more of recording a log, triggering a warning, and feeding back the authentication result to the client.
  18. 一种设备认证装置,其特征在于,所述装置应用于客户端,所述装置包括:A device authentication device, characterized in that the device is applied to a client, and the device includes:
    处理模块,用于获取待认证设备的第一指纹;A processing module, configured to obtain the first fingerprint of the device to be authenticated;
    收发模块,用于接收第一参数,所述第一参数与所述第一指纹相关联,且所述第一参数至少用于认证所述待认证设备;A transceiver module, configured to receive a first parameter, the first parameter is associated with the first fingerprint, and the first parameter is at least used to authenticate the device to be authenticated;
    所述收发模块还用于,发送所述第一参数至区块链。The transceiver module is further configured to send the first parameter to a block chain.
  19. 如权利要求18所述的装置,其特征在于,所述第一指纹与所述待认证设备的输出相关联。The apparatus of claim 18, wherein the first fingerprint is associated with an output of the device to be authenticated.
  20. 如权利要求18或19所述的装置,其特征在于,在所述获取待认证设备的第一指纹之前,所述处理模块还用于,The device according to claim 18 or 19, wherein, before said acquiring the first fingerprint of the device to be authenticated, said processing module is further configured to:
    获取预置设备的第二指纹,所述第二指纹为参考指纹;Obtain a second fingerprint of the preset device, where the second fingerprint is a reference fingerprint;
    所述收发模块还用于,接收第二参数,所述第二参数与所述第二指纹相关联,且所述第二参数至少用于认证所述待认证设备;发送所述第二参数至区块链。The transceiver module is also configured to receive a second parameter, the second parameter is associated with the second fingerprint, and the second parameter is at least used to authenticate the device to be authenticated; send the second parameter to blockchain.
  21. 一种设备认证装置,其特征在于,所述装置应用于区块链,所述装置包括:A device authentication device, characterized in that the device is applied to a block chain, and the device includes:
    收发模块,用于接收客户端发送的第一参数,所述第一参数与待认证设备的第一指纹相关联;A transceiver module, configured to receive a first parameter sent by the client, where the first parameter is associated with the first fingerprint of the device to be authenticated;
    处理模块,用于根据所述第一参数对所述待认证设备进行认证。A processing module, configured to authenticate the device to be authenticated according to the first parameter.
  22. 如权利要求21所述的装置,其特征在于,在所述接收客户端发送的第一参数之前,所述收发模块还用于,The device according to claim 21, wherein before receiving the first parameter sent by the client, the transceiver module is further configured to:
    接收所述客户端发送的第二参数,所述第二参数与预置设备的第二指纹相关联,所述第二指纹为参考指纹;receiving a second parameter sent by the client, the second parameter is associated with a second fingerprint of the preset device, and the second fingerprint is a reference fingerprint;
    所述处理模块还用于,根据所述第一参数和所述第二参数对所述待认证设备进行认证。The processing module is further configured to authenticate the device to be authenticated according to the first parameter and the second parameter.
  23. 如权利要求22所述的装置,其特征在于,所述处理模块还用于,The device according to claim 22, wherein the processing module is further configured to:
    根据所述第一参数和所述第二参数获取所述第一指纹和所述第二指纹;obtaining the first fingerprint and the second fingerprint according to the first parameter and the second parameter;
    根据所述第一指纹和所述第二指纹的相似度对所述待认证设备进行认证。Authenticate the device to be authenticated according to the similarity between the first fingerprint and the second fingerprint.
  24. 一种设备认证装置,其特征在于,包括输入输出接口、处理器和存储器,所述处理器用于控制输入输出接口收发信号或信息,所述存储器用于存储计算机程序,所述处理器用于从存储器中调用并运行所述计算机程序,使得所述设备认证装置执行如权利要求1至8中任一项所述的认证方法;和/或,执行如权利要求9至17中任一项所述的认证方法。A device authentication device, characterized in that it includes an input and output interface, a processor and a memory, the processor is used to control the input and output interface to send and receive signals or information, the memory is used to store computer programs, and the processor is used to read from the memory call and run the computer program, so that the device authentication device executes the authentication method according to any one of claims 1 to 8; and/or, executes the authentication method according to any one of claims 9 to 17 authentication method.
  25. 一种设备的认证系统,其特征在于,包括用于执行如权利要求1至8中任一项所述的认证方法的客户端和用于执行如权利要求9至17中任一项所述的认证方法的区块链。An authentication system for a device, characterized in that it includes a client for executing the authentication method according to any one of claims 1 to 8 and a client for executing the authentication method according to any one of claims 9 to 17 Blockchain of authentication methods.
  26. 一种车载部件,其特征在于,包括用于执行如权利要求1至8中任一项所述的认证方法的客户端。An in-vehicle component, characterized by comprising a client for executing the authentication method according to any one of claims 1-8.
  27. 一种车辆,其特征在于,包括电子控制单元,所述电子控制单元用于执行如权利要求1至8中任一项所述的认证方法。A vehicle, characterized by comprising an electronic control unit for executing the authentication method according to any one of claims 1-8.
  28. 一种芯片,其特征在于,所述芯片包括处理器与数据接口,所述处理器通过所述数据接口读取存储器上存储的指令,执行如权利要求1至8中任一项所述的认证方法;和/或,执行如权利要求9至17中任一项所述的认证方法。A chip, characterized in that the chip includes a processor and a data interface, the processor reads instructions stored on the memory through the data interface, and performs the authentication as described in any one of claims 1 to 8 method; and/or, execute the authentication method as described in any one of claims 9-17.
  29. 一种计算机可读存储介质,其特征在于,包括指令;所述指令用于实现如权利要求1至8中任一项所述的认证方法;和/或,实现如权利要求9至17中任一项所述的认证方法。A computer-readable storage medium, characterized by comprising instructions; the instructions are used to implement the authentication method according to any one of claims 1 to 8; and/or, to implement the authentication method according to any one of claims 9 to 17 One of the described authentication methods.
  30. 一种算机程序产品,其特征在于,包括:计算机程序,当计算机程序被运行时,使得计算机执行如权利要求1至8中任一项所述的认证方法;和/或,执行如权利要求9至17中任一项所述的认证方法。A computer program product, characterized in that it includes: a computer program, when the computer program is executed, the computer executes the authentication method according to any one of claims 1 to 8; and/or executes the authentication method according to any one of claims 1 to 8; The authentication method described in any one of 9 to 17.
PCT/CN2021/130393 2021-11-12 2021-11-12 Device authentication method and apparatus WO2023082190A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/130393 WO2023082190A1 (en) 2021-11-12 2021-11-12 Device authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/130393 WO2023082190A1 (en) 2021-11-12 2021-11-12 Device authentication method and apparatus

Publications (1)

Publication Number Publication Date
WO2023082190A1 true WO2023082190A1 (en) 2023-05-19

Family

ID=86334821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/130393 WO2023082190A1 (en) 2021-11-12 2021-11-12 Device authentication method and apparatus

Country Status (1)

Country Link
WO (1) WO2023082190A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108880797A (en) * 2018-06-27 2018-11-23 京信通信系统(中国)有限公司 A kind of authentication method and internet of things equipment of internet of things equipment
CN109327457A (en) * 2018-11-09 2019-02-12 广州大学 A kind of internet of things equipment identity identifying method and system based on block chain
US20200058176A1 (en) * 2018-08-16 2020-02-20 Sterling Pratz Blockchain based hardware appliance authentication
CN111209558A (en) * 2019-12-26 2020-05-29 曙光网络科技有限公司 Internet of things equipment identity authentication method and system based on block chain

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108880797A (en) * 2018-06-27 2018-11-23 京信通信系统(中国)有限公司 A kind of authentication method and internet of things equipment of internet of things equipment
US20200058176A1 (en) * 2018-08-16 2020-02-20 Sterling Pratz Blockchain based hardware appliance authentication
CN109327457A (en) * 2018-11-09 2019-02-12 广州大学 A kind of internet of things equipment identity identifying method and system based on block chain
CN111209558A (en) * 2019-12-26 2020-05-29 曙光网络科技有限公司 Internet of things equipment identity authentication method and system based on block chain

Similar Documents

Publication Publication Date Title
DE102015215120B4 (en) METHOD OF USING ONE DEVICE TO UNLOCK ANOTHER DEVICE
US11777936B2 (en) Friend key sharing
US9774596B2 (en) Privacy-preserving biometric authentication
US10057269B1 (en) Systems and methods for device verification and authentication
US11228438B2 (en) Security device for providing security function for image, camera device including the same, and system on chip for controlling the camera device
US20230035187A1 (en) Cryptographically secure mechanism for remotely controlling an autonomous vehicle
CN110177124B (en) Identity authentication method based on block chain and related equipment
Appathurai et al. Trusted FPGA‐based transport traffic inject, impersonate (I2) attacks beaconing in the Internet of Vehicles
US11528273B2 (en) Expended trust for onboarding
US20190260739A1 (en) Device and Methods for Authenticating a User Equipment
US9977888B2 (en) Privacy protected input-output port control
EP3794485B1 (en) Method and network node for managing access to a blockchain
CN111034116A (en) Key management device, communication apparatus, and key sharing method
CN115088232A (en) Data encryption method, data transmission method, related device and equipment
US20200145220A1 (en) Verification system, verification method and non-transitory computer readable storage medium
CN115868189A (en) Method, vehicle, terminal and system for establishing vehicle safety communication
KR102321405B1 (en) System and method for providing security service using blockchain and biometric information
WO2023082190A1 (en) Device authentication method and apparatus
US20210067961A1 (en) Secure simultaneous authentication of equals anti-clogging mechanism
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN111177676A (en) Verification system, verification method, and non-transitory computer-readable recording medium
CN114979170A (en) Intelligent spectrum sharing system, method and device, electronic equipment and storage medium
CN117501656A (en) Decentralised identity with user biometric
US11321323B2 (en) Method and system for searching for at least a specific datum in a user unit
US20220417245A1 (en) Authentication system, communication device, information device, and authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21963638

Country of ref document: EP

Kind code of ref document: A1