CN100365533C - Method for authenticating, in particular, software components that can be loaded into a control unit of a motor vehicle


Info

Publication number
CN100365533C
Authority
CN
China
Prior art keywords
authentication
software
annex
higher level
software package
Prior art date
Legal status
Active
Application number
CNB2004800190797A
Other languages
Chinese (zh)
Other versions
CN1816787A (en)
Inventor
伯克哈德·库尔斯
哈里·克内希特尔
马尔克·霍夫曼
Current Assignee
Bayerische Motoren Werke AG
Original Assignee
Bayerische Motoren Werke AG

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

Abstract

The invention relates to a method for authenticating a software package which is provided by a software provider and comprises software components that can be loaded into a terminal device. The software components are assigned an authentication attachment, which is checked in order to verify authenticity, and a higher-level authentication authority is provided which authenticates the software package in order to increase security. The method is characterised in that, after the software package provided by the provider, which besides the software components (SW, FSC) also contains a first authentication attachment (XZ), has been checked successfully, the measures taken by the higher-level authentication authority (15, 16) include assigning at least one second authentication attachment (IZ) to the software package in place of the first authentication attachment (XZ).

Description

Method for authenticating software components that can be loaded into a vehicle control unit
Technical field
The invention relates to a method for authenticating a software package which is provided by a software provider and comprises software components that can be loaded into a terminal device, the software components being assigned an authentication attachment that is checked in the terminal device to verify authenticity, and a higher-level authentication authority being provided which applies authentication measures to the software package in order to increase security.
Background art
A method of this kind is disclosed, for example, in DE 101 40 721 A1 for providing software for use by a vehicle control unit. The basic task of such authentication methods is to ensure that unauthorised and/or harmful software components are not loaded into software-controlled terminal devices. This matters greatly in the automotive field, because a modern vehicle contains a large number of software-controlled control units whose correct operation is a prerequisite for safe operation of the vehicle, so that loading unauthorised software can be a serious safety hazard. Moreover, many performance and/or comfort features of modern vehicles are nowadays implemented in software: the vehicle is fitted with hardware suited to a high performance and/or comfort level, which is then enabled by software according to the customer's wishes, possibly against payment. The corresponding software may be loaded into the relevant control unit, or software already installed may be activated, for example by loading a so-called activation code (Freischaltcode). If software is loaded and/or activated without authorisation, i.e. without the applicable fees being paid, the vehicle manufacturer can suffer considerable economic loss. On the other hand, the division of labour in business and society requires many important tasks to be delegated to component suppliers, workshops and so on, so that an authentication system is needed which guarantees strict control over the software implemented in terminal devices on the one hand and supports the flexibility required for user-friendly service management on the other.
In the known method a software signing authority (Softwaresignaturstelle), in particular the software producer, signs the software components to be loaded, for example program code and/or activation codes, with a private key, and the software signed in this way is forwarded to a higher-level authentication authority, for example a so-called trust centre located at the vehicle manufacturer. The trust centre checks the software provider's signature and "certifies" it. This "certification" takes the form of a trust-centre certificate attachment which, besides a signature generated with the trust centre's private key, preferably also contains the software provider's public key and one or more validity restrictions (Gueltigkeitsbeschraenkung) for the software component.
When the software component is loaded, the trust-centre signature is first checked with the trust-centre public key stored in the terminal device, then the provider's signature is checked with the provider public key transmitted in the certificate, any encrypted parts of the software package are decrypted, and the software component is installed taking account of the validity restrictions transmitted in the trust-centre certificate.
The disadvantage of this method is that every terminal device must be able to process the signatures and certificates of both the trust centre and the software provider. Since there are many different terminal devices from different manufacturers and just as many different software providers, this requires either a very complex structure in every terminal device or a technical tie to particular component suppliers, which by defining suitable standards amounts to a de facto supply monopoly.
Summary of the invention
The object of the invention is therefore to provide an authentication method of the type described which increases the flexibility of the overall system without compromising security and simplifies the structure of the individual system components.
The invention achieves this as follows: after the software package provided by the software provider, which besides the software component also contains a first authentication attachment, has been checked successfully, the measures taken by the higher-level authentication authority include assigning to the software package at least one second authentication attachment which replaces the first. This relieves every terminal device of the task of interpreting and taking into account the software provider's authentication attachment, i.e. its signature and/or certificate. According to the invention, the provider's certificate, signature or the like is not "certified" as before but replaced by an authentication attachment issued centrally, for example by a trust centre. A terminal device therefore only has to be compatible with the signature and/or certification method used by the trust centre and can be built correspondingly more simply than before. No security gap arises, because the central authentication attachment is assigned only after the software provider's authentication attachment has been checked. The arrangement also makes it possible to react very quickly to changes in the authorisation granted to individual software providers.
Note that "replace" and "substitute" here refer to functional replacement of the authentication attachment. Preferably, but not necessarily, the corresponding data in the software package are physically replaced as well. The overall system is arranged so that, when a software component is loaded into the terminal device, only the trust centre's authentication attachment is taken into account and the software provider's attachment, already checked by the trust centre, is ignored; this is what achieves the object of the invention.
As mentioned, the method makes it possible for the check of the software package by the higher-level authentication authority to include a check of whether the software provider is currently authorised to provide the software component. In an advantageous development of the method this option is actually implemented.
It is particularly advantageous to build the method on a PKI (public key infrastructure) design. For example, the first authentication attachment of the software package provided by the software provider may be at least partly encrypted with a private key and decryptable with a public key known to the higher-level authentication authority; this corresponds to a signature or certificate in a conventional PKI design. The software provider's public key may be passed to the higher-level authentication authority as part of a certificate or be known to it by other means, in which case a simple signature by the software provider suffices instead of a certificate.
Continuing the PKI design, the at least one second authentication attachment may be at least partly encrypted by the higher-level authentication authority with its private key and decryptable with a public key known in the terminal device. Here too the public key may be transmitted in a certificate if there is no reason to keep it secret; alternatively it may be stored in an inaccessible memory area of the terminal device, i.e. kept secret.
The basic design of the method allows a high degree of flexibility. In particular, hierarchical authentication can be implemented within the higher-level authentication authority. In an advantageous development, the higher-level authentication authority assigns several authentication attachments to the software package in succession, an attachment assigned at an earlier point in time being used to verify authenticity before the next attachment is assigned. This allows, for example, two-level or multi-level signing and "certification" systems within the higher-level authentication authority.
Where such a hierarchical authentication design is used, it is advantageous to verify authenticity with several authentication attachments of the higher-level authentication authority when the software component is loaded into the terminal device and/or when it is executed there. In other words, the multi-level authentication can be traced and checked step by step in the terminal device, and, as an advantageous effect of the invention, the terminal device still only needs to be compatible with the signature or certification methods used by the higher-level authentication authority.
As mentioned above, the authentication attachment added by the higher-level authentication authority may contain data relating to functional restrictions of the software component concerned; in an advantageous embodiment of the method this option is actually implemented. Functional or validity restrictions may concern the activation (Freischaltung) of specific applications and, where applicable, the version (Versionsstand) of the application. Personalisation is also possible: to a vehicle (for example by chassis number) or a particular vehicle model, to one or more control units or control unit types (for example by control unit number), to individual persons (for example by a personal chip card integrated in the car key) or to the GSM card of the car telephone. Temporal validity restrictions can be introduced as well, for example validity limited to a period of time, an operating duration, a mileage or an application-specific number of function calls. Optional validity restrictions may also be defined, i.e. application-specific restrictions to a demo version (Demoversion) or to a version with a reduced range of functions. Finally, regional validity restrictions are possible, for example tied to the vehicle's current location. Such validity or functional restrictions are particularly effective if the terminal device performs the validity check not only when the software component is first loaded but repeatedly during later operation. Boolean (boolsch) combinations of several validity restrictions are of course also possible.
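The patent lists the kinds of restriction IZ may carry but defines no data format for them. The following Go program is an added example, not code from the patent or its assignee: it evaluates restrictions of the kinds named above (vehicle, control unit, period of time, mileage, region) and their Boolean combination against the state the control unit knows, the way the text says the check should run both at load time and repeatedly during operation. The textual form `vin=...;until=...;km=...;region=DE|AT`, the type names, the sample VIN and the "whole named day is valid" reading of `until` are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// VehicleState is what the control unit knows when it evaluates a restriction.
type VehicleState struct {
	VIN, ECUID, Region string
	Now                time.Time
	Kilometres         int
}

// Restriction is one validity condition carried in the internal attachment IZ.
type Restriction interface{ Allowed(s VehicleState) bool }
type (
	BoundToVIN    string        // personalised to one vehicle (chassis number)
	BoundToECU    string        // personalised to one control unit
	ValidUntil    time.Time     // temporal limit
	MaxKilometres int           // mileage limit
	Regions       []string      // regional validity: any of the listed regions
	And           []Restriction // Boolean combination: all must hold
	Or            []Restriction // Boolean combination: at least one must hold
)

func (r BoundToVIN) Allowed(s VehicleState) bool    { return string(r) == s.VIN }
func (r BoundToECU) Allowed(s VehicleState) bool    { return string(r) == s.ECUID }
func (r ValidUntil) Allowed(s VehicleState) bool    { return !s.Now.After(time.Time(r)) }
func (r MaxKilometres) Allowed(s VehicleState) bool { return s.Kilometres <= int(r) }
func (r Regions) Allowed(s VehicleState) bool {
	for _, g := range r {
		if g == s.Region {
			return true
		}
	}
	return false
}
func (a And) Allowed(s VehicleState) bool { return holding(a, s) == len(a) }
func (o Or) Allowed(s VehicleState) bool  { return holding(o, s) > 0 }

// holding counts how many of rs are satisfied by s.
func holding(rs []Restriction, s VehicleState) (n int) {
	for _, r := range rs {
		if r.Allowed(s) {
			n++
		}
	}
	return n
}

// Parse reads the constructed textual form used in this example, e.g.
// "vin=TESTVIN000000001;until=2025-12-31;km=150000;region=DE|AT". Clauses are
// ANDed, "region" is an OR; a clause the ECU cannot enforce is an error (fail closed).
func Parse(spec string) (Restriction, error) {
	var all And
	for _, clause := range strings.Split(spec, ";") {
		kv := strings.SplitN(clause, "=", 2)
		if len(kv) != 2 || kv[1] == "" {
			return nil, fmt.Errorf("malformed clause %q", clause)
		}
		switch key, val := kv[0], kv[1]; key {
		case "vin":
			all = append(all, BoundToVIN(val))
		case "ecu":
			all = append(all, BoundToECU(val))
		case "until": // the whole named day is still valid
			day, err := time.Parse("2006-01-02", val)
			if err != nil {
				return nil, err
			}
			all = append(all, ValidUntil(day.Add(24*time.Hour-time.Nanosecond)))
		case "km":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 {
				return nil, fmt.Errorf("bad mileage in %q", clause)
			}
			all = append(all, MaxKilometres(n))
		case "region":
			all = append(all, Regions(strings.Split(val, "|")))
		default:
			return nil, fmt.Errorf("unsupported restriction %q", key)
		}
	}
	return all, nil
}

func main() {
	r, err := Parse("vin=TESTVIN000000001;until=2025-12-31;km=150000;region=DE|AT")
	if err != nil {
		panic(err)
	}
	s := VehicleState{VIN: "TESTVIN000000001", ECUID: "ECU-42", Region: "DE",
		Now: time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC), Kilometres: 120000}
	fmt.Println("at load time:", r.Allowed(s))
	s.Kilometres = 150001 // a later runtime check: the mileage limit is now exceeded
	fmt.Println("during operation:", r.Allowed(s))
}
```

Two design points matter for the security of such a check. The parser rejects any clause it does not understand rather than skipping it, so a control unit that cannot enforce a restriction refuses the component instead of silently running it unrestricted. And the evaluation is cheap and side-effect free, which is what makes the repeated checks during operation that the text recommends practical: the same restriction string from IZ is re-evaluated against fresh odometer, clock and position readings.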
The software components loaded into the terminal device may comprise program code and/or activation codes for program code installed in the terminal device.
As already mentioned, the terminal device is preferably a vehicle control unit, where "control unit" covers both control units in the narrow sense, used to control specific vehicle components, and other comfort devices such as navigation or information systems.
Description of drawings
Further details of the invention emerge from the following detailed description and from the accompanying drawing, in which a preferred embodiment of the invention is shown by way of example.
In the drawing:
Fig. 1 shows a block diagram of an authentication structure for carrying out the method according to the invention.
Detailed description of the embodiment
Fig. 1 shows a structure suitable for carrying out an embodiment of the method according to the invention in a software management application, which is set up in particular for operating control units in a vehicle (FZG). Dashed lines indicate the information paths of the prior-art method.
The central body, built according to the prior art, is a so-called trust centre (TC) 10, which is usually controlled directly by the vehicle manufacturer. TC 10 exchanges information with external software providers, for example an external software signing authority (X-SWSS) 11, which is usually located at an external software producer that produces software such as program instructions (SW) for control units. Fig. 1 also shows an external activation-code authority (X-FSCS) 12, which provides activation codes (FSC) for software that is installed in the vehicle control unit but not yet activated. The generic term "software component" used here covers FSCs as well as program instructions and other software that can be loaded into a terminal device. According to the prior art, software components are signed by the external provider, for example by generating a signature and/or a certificate. The result of such signing is called an "authentication attachment" here, because when authenticity is verified it serves to check the origin of the software and that the software has not been tampered with. Because of their external origin they are marked "XZ" in Fig. 1. According to the prior art, the authentication attachments are checked by TC 10 and, if the check succeeds, confirmed by adding further signatures and/or certificates. The software components "certified" in this way are then loaded, together with the signatures, into the vehicle's control unit, which has to check both the authentication attachment of TC 10 and that of X-SWSS 11 or X-FSCS 12, each with the method specific to it.
The method according to the invention is shown by solid arrows in Fig. 1. X-SWSS 11 or X-FSCS 12 delivers a software package 13 or 14, each consisting of SW or FSC plus the authentication attachment XZ, to an internal software signing authority (I-SWSS) 15 or an internal activation-code authority (I-FSCS) 16. The internal bodies I-SWSS 15 and I-FSCS 16 are preferably controlled solely by the vehicle manufacturer, in particular as part of a hierarchical vehicle trust centre FZG-TC 17.
The internal bodies I-SWSS 15 and I-FSCS 16 check the authentication attachments XZ of the external bodies X-SWSS 11 and X-FSCS 12 and preferably reconcile them (Abgleich) with an internal database which holds, for example, information on whether the external bodies 11 and 12 are currently authorised to supply software components. If the check succeeds, the external authentication attachment XZ is replaced by an internal authentication attachment IZ, preferably by physically replacing the corresponding stored content.
The result is a modified software package 18 or 19, which besides SW or FSC contains the internal authentication attachment IZ. IZ is verified when the software component is loaded into the control unit of vehicle FZG and/or repeatedly while the control unit is operating. In particular, the internal authentication attachment IZ contains additional information on validity restrictions of the software component.
In this way the control units used only have to be compatible with the authentication method of the internal bodies, instead of also having to handle the authentication methods used by external bodies, as was previously the case.
Particularly preferably, the method runs automatically: the software components to be signed and certified are sent online to an internal server, which carries out the authentication check, and the re-signed (re-signiert) and re-certified (re-zertifiziert) software packages are then distributed to, for example, workshops, factories and online centres for transfer to the respective control unit.
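The re-signing flow of Fig. 1, as an added example that is not code from the patent or from its assignee: a Go program in which the provider (X-SWSS) signs a component to produce package 13 (SW plus XZ), the internal authority (I-SWSS inside FZG-TC) verifies XZ against the provider's registered key and its authorisation database and replaces it with IZ to produce package 18, and the control unit verifies IZ with the single FZG-TC public key it holds. The patent speaks of attachments "encrypted with a private key" and decryptable with the public key; in current terms that is a signature, and Ed25519 is used here for it. The choice of Ed25519, the type names, the way restrictions are bound into IZ (SHA-256 of the component followed by the restriction string), the sample FSC text and the sample VIN are assumptions of this example, as is the single-stage authority; the multi-level variant of claims 5 and 6 is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attachment is an authentication attachment: XZ from the provider, IZ from FZG-TC.
type Attachment struct {
	Issuer       string // provider ID for XZ, "FZG-TC" for IZ
	Restrictions string // validity restrictions bound by IZ (empty in XZ)
	Signature    []byte
}

// Package carries one software component (SW or FSC) and its attachment.
type Package struct {
	Component  []byte
	Attachment Attachment
}

// signedMessage binds component and restrictions: the fixed-length hash comes first,
// so restriction bytes can never be read as part of the code or vice versa.
func signedMessage(component []byte, restrictions string) []byte {
	h := sha256.Sum256(component)
	return append(h[:], restrictions...)
}

// Provider models X-SWSS / X-FSCS: it signs the component with its own key.
type Provider struct {
	ID   string
	priv ed25519.PrivateKey
}

func (p *Provider) Sign(component []byte) Package {
	xz := Attachment{Issuer: p.ID, Signature: ed25519.Sign(p.priv, signedMessage(component, ""))}
	return Package{Component: component, Attachment: xz}
}

// Authority models I-SWSS / I-FSCS inside FZG-TC: it knows each provider's public
// key and keeps the internal database of who is currently authorised.
type Authority struct {
	priv       ed25519.PrivateKey
	providers  map[string]ed25519.PublicKey
	authorized map[string]bool
}

func (a *Authority) SetAuthorized(id string, ok bool) { a.authorized[id] = ok }

// ReSign verifies XZ against the registered key and the authorisation database,
// then replaces XZ with IZ. Nothing of the provider's signature survives.
func (a *Authority) ReSign(pkg Package, restrictions string) (Package, error) {
	xz := pkg.Attachment
	pub, known := a.providers[xz.Issuer]
	if !known || !ed25519.Verify(pub, signedMessage(pkg.Component, ""), xz.Signature) {
		return Package{}, errors.New("XZ check failed: unknown provider or bad signature")
	}
	if !a.authorized[xz.Issuer] {
		return Package{}, fmt.Errorf("provider %s is not currently authorised", xz.Issuer)
	}
	iz := Attachment{Issuer: "FZG-TC", Restrictions: restrictions,
		Signature: ed25519.Sign(a.priv, signedMessage(pkg.Component, restrictions))}
	return Package{Component: pkg.Component, Attachment: iz}, nil
}

// ECU models the control unit: it stores only the FZG-TC public key and needs no
// knowledge of any provider's key or signature method.
type ECU struct{ tcPub ed25519.PublicKey }

// Load verifies IZ and returns the restrictions the ECU has to enforce.
func (e *ECU) Load(pkg Package) (string, error) {
	att := pkg.Attachment
	if !ed25519.Verify(e.tcPub, signedMessage(pkg.Component, att.Restrictions), att.Signature) {
		return "", errors.New("IZ check failed: package not certified by FZG-TC")
	}
	return att.Restrictions, nil
}

// Setup creates fresh demo keys for one provider and the authority, registers the
// provider as authorised, and gives the ECU only the authority's public key.
func Setup() (*Provider, *Authority, *ECU) {
	provPub, provPriv, _ := ed25519.GenerateKey(rand.Reader) // demo only: check the error in real code
	tcPub, tcPriv, _ := ed25519.GenerateKey(rand.Reader)
	authority := &Authority{priv: tcPriv,
		providers:  map[string]ed25519.PublicKey{"X-SWSS-1": provPub},
		authorized: map[string]bool{"X-SWSS-1": true}}
	return &Provider{ID: "X-SWSS-1", priv: provPriv}, authority, &ECU{tcPub: tcPub}
}

func main() {
	provider, authority, ecu := Setup()
	component := []byte("constructed sample FSC: enable SEAT_HEATING") // not real ECU code
	pkg13 := provider.Sign(component)                                  // package 13: SW + XZ
	pkg18, err := authority.ReSign(pkg13, "vin=TESTVIN000000001;until=2025-12-31")
	if err != nil {
		panic(err)
	}
	restrictions, err := ecu.Load(pkg18) // package 18: SW + IZ
	fmt.Println("loaded, restrictions:", restrictions, "err:", err)
	_, err = ecu.Load(pkg13) // XZ alone never satisfies the ECU
	fmt.Println("XZ-only package rejected:", err != nil)
}
```

Three properties of the patent's scheme are visible here. The ECU's trust anchor is one key, so adding or dropping a provider changes only the authority's tables, never the fleet; withdrawing a provider's authorisation takes effect at the next re-signing request; and because IZ signs the restrictions together with the component, neither the code nor the restriction string can be altered after certification without the ECU noticing. The flip side is that the FZG-TC signing key is now the single point of failure for every control unit that trusts it, which is why the text puts the internal authorities under the manufacturer's sole control.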
Of course, the embodiment described here is only one specific, particularly advantageous embodiment of the invention; those skilled in the art can derive many possible modifications within its scope. In particular, the concrete structure of the internal authentication attachment IZ, its possible hierarchical generation and its specific interpretation in the control unit can be the subject of various embodiments.

Claims (9)

1. A method for authenticating a software package provided by a software provider, the software package comprising software components that can be loaded into a terminal device, wherein the software components are assigned an authentication attachment which is verified in order to check authenticity in the terminal device, and wherein a higher-level authentication authority is provided which applies authentication measures to the software package in order to increase security, characterised in that, after the software package (13, 14) provided by the software provider (11, 12), which besides the software components (SW, FSC) also contains a first authentication attachment (XZ), has been checked successfully, the measures carried out by the higher-level authentication authority (15, 16) include assigning to the software package (13, 14; 18, 19) at least one second authentication attachment (IZ) which replaces the first authentication attachment (XZ).
2. The method according to claim 1, characterised in that the checking of the software package (13, 14) by the higher-level authentication authority (15, 16) includes checking whether the software provider (11, 12) is currently authorised to provide the software components (SW, FSC).
3. The method according to one of the preceding claims, characterised in that the first authentication attachment (XZ) of the software package (13, 14) provided by the software provider (11, 12) is at least partly encrypted with a private key specific to the provider and can be decrypted with a public key known to the higher-level authentication authority (15, 16).
4. The method according to claim 1 or 2, characterised in that the at least one second authentication attachment (IZ) is at least partly encrypted by the higher-level authentication authority (15, 16) with a private key specific to it and can be decrypted with a public key known in the terminal device.
5. The method according to claim 1 or 2, characterised in that the higher-level authentication authority assigns several authentication attachments to the software package in succession, an authentication attachment assigned to the software package at an earlier point in time being used to check authenticity before a subsequent authentication attachment is assigned to the software package.
6. The method according to claim 5, characterised in that, when the software components are loaded into the terminal device and/or when they are executed in the terminal device, authenticity is checked using several authentication attachments of the higher-level authentication authority.
7. The method according to claim 1 or 2, characterised in that the authentication attachment (IZ) added by the higher-level authentication authority contains data relating to functional restrictions of the software components (SW, FSC) concerned.
8. The method according to claim 1 or 2, characterised in that the software components comprise program code (SW) and/or activation codes (FSC) for program code installed in the terminal device.
9. The method according to claim 1 or 2, characterised in that the terminal device is a control unit of a vehicle.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10330439 2003-07-04
DE10330439.8 2003-07-04
DE10354107.1 2003-11-19

Publications (2)

Publication Number Publication Date
CN1816787A CN1816787A (en) 2006-08-09
CN100365533C true CN100365533C (en) 2008-01-30

Family

ID=33521374

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800190797A Active CN100365533C (en) 2003-07-04 2004-06-22 Method for authenticating, in particular, software components that can be loaded into a control unit of a motor vehicle

Country Status (2)

Country Link
CN (1) CN100365533C (en)
DE (1) DE10354107A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727533B (en) * 2008-10-30 2014-06-18 新奥特硅谷视频技术有限责任公司 Automatic BUG distribution method capable of adaptive parameter regulation
CN103544412B (en) * 2013-10-16 2017-01-04 深圳全智达通信股份有限公司 A kind of software package right control method and device
DE102015220226A1 (en) 2015-10-16 2017-04-20 Volkswagen Aktiengesellschaft Method for certification by a control unit of a vehicle
DE102021129670A1 (en) 2021-11-15 2023-05-17 Bayerische Motoren Werke Aktiengesellschaft Method, vehicle component and computer program for granting authorization for a vehicle component of a vehicle to execute a computer program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023223A1 (en) * 2000-02-25 2002-02-21 Ernst Schmidt Authorization process using a certificate
US20020120856A1 (en) * 2000-02-25 2002-08-29 Ernst Schmidt Signature process
DE10131394A1 (en) * 2001-06-28 2003-02-06 Daimler Chrysler Ag Method for transmitting software modules
DE10140721A1 (en) * 2001-08-27 2003-03-20 Bayerische Motoren Werke Ag Method for providing software for use by a control device of a vehicle

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE0100474D0 (en) * 2001-02-14 2001-02-14 Ericsson Telefon Ab L M A security architecture
DE10141737C1 (en) * 2001-08-25 2003-04-03 Daimler Chrysler Ag Secure communication method for use in vehicle has new or updated programs provided with digital signature allowing checking by external trust centre for detection of false programs


Also Published As

Publication number Publication date
DE10354107A1 (en) 2005-01-20
CN1816787A (en) 2006-08-09


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant