Summary of the invention
Embodiments of the present invention provide an authentication information transmission method and device, in order to save channel resources and improve the resource utilization of the system.
An embodiment of the present invention provides an authentication information transmission method, comprising:
a central node receiving the authentication information, used for authenticating a terminal, that is sent by the terminals it covers; and
the central node forwarding, or processing and then sending, the received authentication information of each terminal to all terminals covered by the central node.
Preferably, the method further comprises: the central node forwarding, or processing and then sending, the received authentication information of each terminal to the central nodes adjacent to the central node.
Preferably, the method further comprises: the central node receiving the authentication information of the terminals in the coverage of an adjacent central node, sent by that adjacent central node; and
the central node forwarding, or processing and then sending, the received authentication information of the terminals in the adjacent central node's coverage to all terminals covered by the central node, so as to prevent blind spots at the cell edge.
Preferably, the authentication information comprises the sender's public key, so that when a terminal receives a message from a peer that does not carry authentication information, it verifies the peer's identity according to the sender's public key in the stored authentication information of the peer received from the central node, thereby ensuring the security of the message that does not carry authentication information and the credibility of the peer from which it was received.
Preferably, the authentication information further comprises the sender's identifier and/or the signature of the certificate authority (CA), so that the central node can authenticate the terminal according to the sender's identifier and/or the CA signature in the authentication information.
Preferably, the authentication information comprises one or more items of content from the sender's certificate.
Preferably, before the central node forwards, or processes and then sends, the received authentication information of each terminal to all terminals it covers, the method further comprises:
authenticating each terminal whose information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information; and
only after the authentication passes, forwarding, or processing and then sending, the terminal's authentication information to all terminals covered by the central node, thereby ensuring the security and credibility of the received terminal authentication information.
Preferably, the authentication information is the sender's certificate, and the central node forwarding, or processing and then sending, the received authentication information of each terminal to all terminals it covers comprises:
sending the sender's certificate of each terminal received, or part of the content of that certificate, to all terminals covered by the central node.
Preferably, the sender's certificate comprises a CA signature, and sending part of the content of the received sender's certificate of each terminal to all terminals covered by the central node comprises:
sending the terminal's sender's certificate with the CA signature removed to all terminals covered by the central node, so as to reduce the system resource overhead needed for transmitting the terminal's authentication information.
Preferably, the central node processing the received authentication information of each terminal and then sending it to the terminals it covers comprises:
adding to the received authentication information of each terminal a signature made with the central node's private key, or the central node's public key together with a signature made with the central node's private key; and
sending the processed authentication information of each received terminal to all terminals covered by the central node.
Preferably, the central node forwarding, or processing and then sending, the terminal's authentication information to all terminals it covers comprises:
the central node sending, or processing and then sending, the received authentication information of each terminal to all terminals it covers at a set time interval or in an event-triggered manner, so that the authentication information of the terminals is delivered to all covered terminals in a unified way at the set time interval or on the event trigger, improving network resource utilization.
Preferably, the central node forwards, or processes and then sends, the received authentication information of each terminal to all terminals it covers in any one of the following modes:
broadcast mode; multicast mode; groupcast mode; point-to-point mode.
In the above embodiment of the present invention, the objective of rational use of channel resources and improved resource utilization can be achieved.
An embodiment of the present invention provides an authentication information transmission method, comprising:
a terminal sending the authentication information used for authenticating the terminal to the central node that covers the terminal; and
the terminal receiving and storing the authentication information of all terminals covered by the central node, sent by the central node.
Preferably, the method further comprises:
the terminal receiving and storing the authentication information of all terminals in the coverage of an adjacent central node, sent by the central node.
Preferably, the authentication information sent by the terminal comprises the sender's public key.
Preferably, the authentication information sent by the terminal further comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information sent by the terminal comprises one or more items of content from the sender's certificate.
Preferably, the terminal sending the authentication information to the central node covering the terminal comprises:
the terminal sending the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
The sender's certificate in the authentication information used by a terminal is usually only valid for a limited time; this mode allows the terminal to send the renewed sender's certificate to the central node in time, ensuring the validity of the sender's certificate.
Preferably, the authentication information of the terminals sent by the central node further comprises the signature of the central node, or the public key and the signature of the central node.
An embodiment of the present invention provides a method by which a terminal performs authentication, comprising:
receiving a message sent by a peer that does not carry authentication information; and
verifying the identity of the peer according to the stored authentication information of the peer received from the central node.
In the above embodiment of the present invention, the system resource overhead that would be required if authentication information were carried in the messages sent during terminal-to-terminal communication can be reduced, thereby improving the resource utilization of the system.
Preferably, the authentication information of the peer comprises the peer's sender public key, and verifying the peer's identity according to the peer's authentication information comprises:
verifying the peer's identity according to the sender's public key in the peer's authentication information, so as to ensure the security and credibility of the message sent by the peer.
Preferably, the authentication information of the terminals sent by the central node further comprises the signature of the central node, or the public key and signature of the central node, and after receiving the authentication information of the terminals sent by the central node, the terminal further:
authenticates the central node based on the central node's signature, or the central node's public key and signature, in the authentication information, thereby ensuring the security and credibility of the terminal authentication information sent by the central node; and
after the authentication passes, when it receives a message from a peer that does not carry authentication information, verifies the peer's identity according to the stored authentication information of the peer received from the central node.
According to the above method, an embodiment of the present invention provides a central node, comprising:
a receiving module, for receiving the authentication information, used for authenticating a terminal, sent by the terminals the central node covers; and
a sending module, for forwarding, or processing and then sending, the received authentication information of each terminal to all terminals covered by the central node.
Preferably, the sending module is further used for forwarding, or processing and then sending, the received authentication information of each terminal to the central nodes adjacent to the central node.
Preferably, the receiving module is further used for receiving the authentication information of the terminals in the coverage of an adjacent central node, sent by that adjacent central node; and
the sending module is further used for forwarding, or processing and then sending, the received authentication information of the terminals in the adjacent central node's coverage to all terminals covered by the central node.
Preferably, the authentication information comprises the sender's public key.
Preferably, the authentication information further comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information comprises one or more items of content from the sender's certificate.
Preferably, the central node further comprises:
an authentication module, for authenticating each terminal whose information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information; and
the sending module is further used for forwarding, or processing and then sending, the terminal's authentication information to all terminals covered by the central node after the authentication passes.
Preferably, the authentication information is the sender's certificate, and the sending module is specifically used for sending the sender's certificate of each terminal received, or part of the content of that certificate, to all terminals covered by the central node.
Preferably, the sender's certificate comprises a CA signature, and the sending module is specifically used for sending the terminal's sender's certificate with the CA signature removed to all terminals covered by the central node.
Preferably, the central node further comprises:
a processing module, for adding to the received authentication information of each terminal a signature made with the central node's private key, or the central node's public key together with a signature made with the central node's private key; and
the sending module is specifically used for sending the authentication information of each received terminal, as processed by the processing module, to all terminals covered by the central node.
Preferably, the sending module is specifically used for:
sending, or processing and then sending, the received authentication information of each terminal to all terminals covered by the central node at a set time interval or in an event-triggered manner.
Preferably, the sending module forwards, or processes and then sends, the received authentication information of each terminal to all terminals covered by the central node in any one of the following modes:
broadcast mode; multicast mode; groupcast mode; point-to-point mode.
An embodiment of the present invention additionally provides a central node comprising a processor and a data transceiver interface, wherein:
the processor is configured to receive the authentication information, used for authenticating a terminal, sent by the terminals it covers, and to forward, or process and then send, the received authentication information of each terminal to all terminals covered by the central node; and
the data transceiver interface is used for realizing data communication between the processor and the terminals.
According to the above method, an embodiment of the present invention provides a terminal, comprising:
a sending module, for sending the authentication information used for authenticating the terminal to the central node covering the terminal; and
a receiving module, for receiving and storing the authentication information of all terminals covered by the central node, sent by the central node.
Preferably, the receiving module is further used for receiving and storing the authentication information of all terminals in the coverage of an adjacent central node, sent by the central node.
Preferably, the authentication information sent by the sending module comprises the sender's public key.
Preferably, the authentication information sent by the sending module further comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information sent by the sending module comprises one or more items of content from the sender's certificate.
Preferably, the sending module is specifically used for:
sending the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
Preferably, the authentication information received by the receiving module further comprises the signature of the central node, or the public key and signature of the central node.
Preferably, the receiving module is further used for receiving a message sent by a peer that does not carry authentication information; and
the terminal further comprises:
an authentication module, for verifying the peer's identity according to the stored authentication information of the peer received from the central node when the receiving module receives a message from the peer that does not carry authentication information.
Preferably, the authentication information of the peer comprises the peer's sender public key, and the authentication module is specifically used for verifying the peer's identity according to the sender's public key in the stored authentication information of the peer received from the central node when the receiving module receives a message from the peer that does not carry authentication information.
Preferably, the authentication information of the terminals sent by the central node and received by the receiving module further comprises the signature of the central node, or the public key and signature of the central node, and the authentication module is specifically used for:
authenticating the central node based on the central node's signature, or the central node's public key and signature, in the authentication information; and
after the authentication passes, verifying the peer's identity according to the stored authentication information of the peer received from the central node when the receiving module receives a message from the peer that does not carry authentication information.
The present invention also provides a terminal comprising a processor and a data transceiver interface, wherein:
the processor is configured to send the authentication information used for authenticating the terminal to the central node covering the terminal, and to receive and store the authentication information of all terminals covered by the central node, sent by the central node; and
the data transceiver interface is used for realizing data communication between the processor and other terminals and the central node.
The authentication information transmission method and device provided by the embodiments of the present invention use the central node to forward the authentication information that terminals need to exchange when communicating with each other, significantly reducing the system resource overhead that would be required if the authentication information were carried in the messages sent during terminal-to-terminal communication, thereby improving the resource utilization of the system.
Embodiment
The embodiments of the present invention apply to a communication system in which the equipment relevant to the embodiments mainly comprises central nodes and terminals. The central node is used to forward the authentication information that terminals need to exchange when communicating with each other, which significantly reduces the system resource overhead that would be required if the authentication information were carried in the messages sent during terminal-to-terminal communication, thereby improving the resource utilization of the system.
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, the flow of the authentication information transmission method provided by an embodiment of the present invention comprises the following specific implementation steps:
Step 101: the central node receives the authentication information, used for verifying terminal identity, sent by the terminals it covers.
The authentication information can be any form of information used for authenticating a terminal.
Preferably, the authentication information comprises at least the sender's public key. Further preferably, the authentication information also comprises the sender's identifier and/or the signature of the certificate authority (CA).
A current sender's certificate carries information for verifying terminal identity: in addition to the sender's public key, the CA signature and/or the sender's identifier (ID) mentioned above, it also comprises the serial number of the certificate, the name of the certificate issuing authority, and information that allows the recipient to check whether the certificate has been revoked. Preferably, the authentication information comprises one or more items of content from the sender's certificate, and the sender's public key is content that must be included.
In addition, the certificate also comprises information such as scope restrictions on time, content and position, which can be added to the authentication information as required. Of course, the authentication information can also comprise the full content of the certificate.
Step 102: the central node forwards, or processes and then sends, the received authentication information of each terminal to all terminals covered by the central node.
When the central node processes the authentication information of a terminal, it may add some information to the authentication information as required, or delete unnecessary redundant information from the terminal's authentication information; other processing modes are of course also possible.
The embodiment of the present invention uses the central node to forward the authentication information that terminals need to exchange when communicating with each other, significantly reducing the system resource overhead that would be required if the authentication information were carried in the messages sent during terminal-to-terminal communication, thereby improving the resource utilization of the system.
In implementation, the central node can forward, or process and then send, the received authentication information of each terminal to all terminals it covers in the following ways:
1) Sending at a set time interval
The central node receives the authentication information of terminals during the set time interval; when the set time arrives, the central node sends, or processes and then sends, the authentication information of each terminal received in this interval to all terminals covered by the central node.
This mode allows the authentication information of multiple terminals to be delivered in a unified way at the set time interval, improving network resource utilization.
2) Sending in an event-triggered manner
A concrete triggering mode can be: when the number of terminals newly accessing the central node reaches a certain value, the authentication information of all terminals currently received is delivered in a unified way, which can improve network resource utilization.
3) Sending immediately
As soon as the central node receives the authentication information sent by a terminal, it forwards, or processes and then sends, the received authentication information of that terminal to all terminals covered by the central node.
In implementation, the central node sends, or processes and then sends, the received authentication information of each terminal to all terminals it covers in any one of the following modes:
broadcast mode; multicast mode; groupcast mode; point-to-point mode. The broadcast may be an MBMS broadcast, a dedicated Internet-of-Vehicles broadcast, a system broadcast, etc., so as to achieve rational use of channel resources and improve resource utilization.
According to another preferred implementation of the present invention, the central node forwards, or processes and then sends, the received authentication information of each terminal to the central nodes adjacent to it, so as to prevent blind spots at the cell edge.
Preferably, the method also comprises: the central node receives the authentication information of the terminals in the coverage of an adjacent central node, sent by that adjacent central node, and forwards, or processes and then sends, the received authentication information of those terminals to all terminals covered by the central node.
Regardless of whether the authentication information was received from a terminal in the central node's own coverage or from an adjacent central node, before forwarding, or processing and then sending, the terminal's authentication information to all terminals covered by the central node, the method further comprises:
authenticating the terminal based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information, and sending only after the authentication passes.
Usually, the central node authenticates the terminal concerned based on the CA signature. The central node may also authenticate terminals in other ways, for example by means of the authentication system of the existing cellular network: once a terminal is determined to be a legitimate access terminal of the cellular network, the authentication information sent by that terminal is considered credible.
The authentication information that the central node sends to all terminals it covers is the same.
This authentication information is the sender's certificate or part of the content of the sender's certificate; the central node sends the sender's certificate of each terminal received, or part of the content of that certificate, to all terminals covered by the central node.
When the authentication information is part of the content of the sender's certificate, the central node sends the terminal's sender's certificate with the CA signature removed to all terminals covered by the central node.
When the central node processes the authentication information of a terminal, either of the following modes is adopted:
1) adding to the terminal's authentication information a signature made with the central node's private key;
It should be noted that if the public key of the central node is known information, for example specified in a specification or protocol or announced in the central node's system broadcast, the central node does not need to add its public key when sending the authentication information to all terminals it covers.
2) adding to the terminal's authentication information the central node's public key and a signature made with the central node's private key.
It should be noted that in this case the public key of the central node is not known information, so the central node needs to add its public key when sending the authentication information to all terminals it covers.
Based on the added signature made with the central node's private key, or the central node's public key and the signature made with its private key, the terminal can authenticate the central node, thereby ensuring the security and credibility of the terminal authentication information sent by the central node.
The embodiments of the present invention place no specific restriction on the sending mode of the above authentication information.
Referring to Fig. 2, the flow of the terminal-side authentication information transmission method provided by an embodiment of the present invention comprises the following specific implementation steps:
Step 201: the terminal sends the authentication information used for authenticating the terminal to the central node covering the terminal.
The authentication information can be any form of information used for authenticating a terminal.
Preferably, the authentication information comprises at least the sender's public key. Further preferably, the authentication information also comprises the sender's identifier and/or the signature of the certificate authority (CA).
A current sender's certificate carries information for verifying terminal identity: in addition to the sender's public key, the CA signature and/or the sender's identifier (ID) mentioned above, it also comprises the serial number of the certificate, the name of the certificate issuing authority, and information that allows the recipient to check whether the certificate has been revoked. Preferably, the authentication information comprises one or more items of content from the sender's certificate; if it comprises a single item of certificate content, that item is the sender's public key.
In addition, the certificate also comprises information such as scope restrictions on time, content and position, which can be added to the authentication information as required. Of course, the authentication information can also comprise the full content of the certificate.
Specifically, the terminal sends the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
Usually, if the validity periods of the certificates in the authentication information sent by the terminal one after another overlap by 30 seconds, the terminal can send to the central node, at the set time interval and within the overlap time of every two certificates, the next certificate to be used, carrying the corresponding public key.
To protect privacy, a certificate used by a terminal is usually only valid for a finite time; the 1609.2 protocol specifies that, within the certificate set of each terminal, only one certificate is valid at any one moment. This principle can be relaxed so that the validity periods of two adjacent certificates may overlap for a short time, allowing the certificate to be switched at a random moment within the overlap period, which protects privacy better; in addition, it gives the terminal some flexibility to delay switching certificates when a serious event occurs.
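The following is an added example, not code from the patent, that models the terminal-side certificate rotation just described. A terminal holds a chain of certificates whose validity periods overlap by a short window (30 seconds here, the figure given in the text); it must hand the next certificate to the central node inside that overlap, and it switches to the next certificate at a random instant within the same overlap. The `Cert` fields, the `Rotation` class and the time values are constructed for the demonstration; setting the overlap limit to 0 gives the strict one-certificate-at-a-time rule mentioned above.

```python
# Added example (not the patent's code): certificate rotation with a bounded overlap.
import random
from dataclasses import dataclass

OVERLAP_LIMIT = 30  # seconds; 0 would enforce the strict one-certificate-at-a-time rule


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: int  # seconds on the terminal's clock (constructed units)
    not_after: int


def check_chain(certs, limit=OVERLAP_LIMIT):
    """Sort certificates by start time; reject coverage gaps and overlaps longer than `limit`."""
    certs = sorted(certs, key=lambda c: c.not_before)
    for cur, nxt in zip(certs, certs[1:]):
        overlap = cur.not_after - nxt.not_before
        if overlap < 0:
            raise ValueError(f"coverage gap between certificates {cur.serial} and {nxt.serial}")
        if overlap > limit:
            raise ValueError(f"certificates {cur.serial} and {nxt.serial} overlap by {overlap}s > {limit}s")
    return certs


def upload_window(cur, nxt):
    """Interval in which the next certificate must be sent to the central node: the overlap."""
    return nxt.not_before, cur.not_after


class Rotation:
    """Tracks which certificate a terminal is using and which one it still has to upload."""

    def __init__(self, certs, rng=None):
        self.certs = check_chain(certs)
        self.rng = rng or random.Random()
        self.idx = 0
        self.uploaded = {self.certs[0].serial}  # the first certificate is sent on access
        self.switch_at = self._pick_switch()

    def _pick_switch(self):
        if self.idx + 1 >= len(self.certs):
            return None
        lo, hi = upload_window(self.certs[self.idx], self.certs[self.idx + 1])
        return self.rng.randint(lo, hi)  # random instant inside the overlap (privacy)

    def pending_upload(self, now):
        """Certificate the terminal should send to the central node at `now`, if any."""
        if self.idx + 1 < len(self.certs):
            nxt = self.certs[self.idx + 1]
            lo, hi = upload_window(self.certs[self.idx], nxt)
            if lo <= now <= hi and nxt.serial not in self.uploaded:
                self.uploaded.add(nxt.serial)
                return nxt
        return None

    def active(self, now):
        """Certificate in use at `now` (time must be non-decreasing between calls)."""
        while self.switch_at is not None and now >= self.switch_at:
            self.idx += 1
            self.switch_at = self._pick_switch()
        cur = self.certs[self.idx]
        if not cur.not_before <= now <= cur.not_after:
            raise ValueError(f"no valid certificate at t={now}")
        return cur
```

`pending_upload` answers the scheduling question from the text (when to send the next certificate to the central node), while `active` answers which certificate signs outgoing messages; both depend only on the overlap window, so the central node always holds the next public key before the current certificate expires.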
Step 202: the terminal receives and stores the authentication information of all terminals covered by the central node, sent by the central node.
Preferably, the method also comprises: the terminal receives and stores the authentication information of all terminals in the coverage of an adjacent central node, sent by the central node.
In this step, based on the added signature made with the central node's private key, or the central node's public key and the signature made with its private key, the terminal can authenticate the central node, thereby ensuring the security and credibility of the terminal authentication information sent by the central node.
It should be noted that if the public key of the central node is known information, for example specified in a specification or protocol or announced in the central node's system broadcast, the central node does not need to add its public key when sending the authentication information to all terminals it covers.
Referring to Fig. 3, the flow of the method by which a terminal performs authentication, provided by an embodiment of the present invention, comprises the following specific implementation steps:
Step 301: receiving a message sent by a peer that does not carry authentication information.
Step 302: verifying the identity of the peer according to the stored authentication information of the peer received from the central node.
In this step, the authentication information of the peer comprises the peer's sender public key, and the peer's identity is verified according to the sender's public key in the peer's authentication information.
In the above embodiment, when a terminal receives a message from a peer that does not carry authentication information, it verifies the peer's identity according to the stored authentication information of the peer received from the central node. Because the terminal authenticates the peer using the stored authentication information received from the central node, the messages sent between terminals do not need to carry authentication information, which significantly reduces the network resource overhead caused by carrying authentication information in messages sent between terminals and considerably improves the efficiency of terminal-to-terminal communication.
Step 303: if verification of the peer's identity according to the stored authentication information of the peer received from the central node passes, proceed to step 304; if verification fails, proceed to step 305.
Step 304: the terminal delivers the message that does not carry authentication information, sent by the peer that passed authentication, to the higher layer for processing.
Step 305: the terminal discards the message that does not carry authentication information, sent by the peer that failed authentication.
Further, when a message that does not carry authentication information is received from a peer whose authentication information has not yet been stored, the message sent by the peer is discarded directly.
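The following is an added example, not code from the patent, that runs the whole relay end to end: the central node receives each terminal's certificate (step 101), checks the CA signature before relaying, strips that signature and signs the batch with its own private key (step 102, processing mode 1 with the node's public key known out of band), terminals store the relayed peer public keys (step 202), and a receiving terminal verifies a message that carries no authentication information against the stored key (steps 301 to 305), discarding messages from peers it has no stored information for. Signatures use a deliberately tiny textbook RSA built from the standard library so the example runs offline; it is a stand-in for the certificate signature scheme of the real system and is not secure at these sizes. The message contents, the identifiers `a`, `b` and `u`, and the `run_scenario` walk-through are all constructed.

```python
# Added example, not the patent's own code: a runnable model of the central-node
# relay in steps 101/102, 201/202 and 301-305. Signatures use a deliberately tiny
# textbook RSA (128-bit moduli, standard library only) as a stand-in; never deploy it.
import hashlib
import random

RNG = random.Random(1609)  # seeded only so the demonstration is reproducible

def is_probable_prime(n, rounds=16):  # Miller-Rabin on odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=128):
    """Toy RSA: ((e, n), (d, n)) from two (bits // 2)-bit primes."""
    def prime():
        while True:
            cand = RNG.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # sized, odd
            if is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(data):  # 120 bits, always below the 128-bit moduli generated above
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")

def sign(priv, data):
    return pow(digest(data), priv[0], priv[1])

def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == digest(data)

def cert_body(sender_id, pub):  # the certificate content that is relayed to peers
    return f"{sender_id}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, sender_id, pub):  # CA signs identifier + public key
    return {"id": sender_id, "pub": pub, "ca_sig": sign(ca_priv, cert_body(sender_id, pub))}

class CentralNode:
    """Checks each terminal's CA signature, strips it, and signs the batch itself."""
    def __init__(self, ca_pub):
        self.ca_pub, self.pending = ca_pub, []
        self.pub, self._priv = keygen()
    def receive(self, cert):  # step 101 plus the CA-signature check before relaying
        if not verify(self.ca_pub, cert_body(cert["id"], cert["pub"]), cert["ca_sig"]):
            return False
        self.pending.append((cert["id"], cert["pub"]))  # CA signature dropped to save air-time
        return True
    def distribute(self):  # step 102, batched (set interval or event trigger), node-signed
        entries, self.pending = self.pending, []
        body = b";".join(cert_body(i, p) for i, p in entries)
        return {"entries": entries, "node_sig": sign(self._priv, body)}

class Terminal:
    def __init__(self, sender_id, ca_priv):
        self.id, self.peers = sender_id, {}  # peers: stored peer public keys (step 202)
        self.pub, self._priv = keygen()
        self.cert = issue_cert(ca_priv, sender_id, self.pub)
    def receive_bundle(self, bundle, node_pub):  # node public key known out of band (mode 1)
        body = b";".join(cert_body(i, p) for i, p in bundle["entries"])
        if not verify(node_pub, body, bundle["node_sig"]):
            return False
        self.peers.update(bundle["entries"])
        return True
    def send(self, payload):  # the message carries a signature only, no certificate
        return {"from": self.id, "payload": payload, "sig": sign(self._priv, payload)}
    def receive_message(self, msg):  # steps 301-305
        pub = self.peers.get(msg["from"])
        if pub is None or not verify(pub, msg["payload"], msg["sig"]):
            return "discard"  # no stored key for this peer, or signature mismatch
        return "deliver"  # hand to the higher layer

def run_scenario():  # constructed walk-through: one CA, one central node, three terminals
    ca_pub, ca_priv = keygen()
    node = CentralNode(ca_pub)
    a, b, u = (Terminal(i, ca_priv) for i in "abu")  # u never registers with the node
    out = {"bad_ca_sig_relayed": node.receive(dict(a.cert, ca_sig=1))}
    out["own_certs_relayed"] = [node.receive(t.cert) for t in (a, b)]
    out["bundle_accepted"] = b.receive_bundle(node.distribute(), node.pub)
    out["genuine"] = b.receive_message(a.send(b"hazard ahead"))
    out["tampered"] = b.receive_message(dict(a.send(b"hazard ahead"), payload=b"all clear"))
    out["unknown_peer"] = b.receive_message(u.send(b"hello"))
    return out
```

The node rejects a certificate whose CA signature does not verify, so the only keys that reach terminals are ones the CA vouched for; because the relayed bundle is signed by the node, a terminal that already knows the node's public key can detect a substituted bundle even though the CA signatures were removed to save bandwidth. `run_scenario` returns the outcome of each check so the behaviour can be inspected without reading printed output.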
It can be seen from the above flow that, in the above embodiment of the present invention, the central node receives the authentication information, used for authenticating terminals, sent by all terminals it covers, and forwards, or processes and then sends, the received authentication information of each terminal to all terminals covered by the central node. The embodiment uses the central node to forward the authentication information that terminals need to exchange when communicating with each other, significantly reducing the system resource overhead that would be required if the authentication information were carried in the messages sent during terminal-to-terminal communication, thereby improving the resource utilization of the system.
In the embodiments of the present invention, the central node can be a device with base station functions or a management device with an authentication information forwarding capability; for example, the central node can be a macro base station, a pico base station or a femto base station. The terminal device is a device that at least has a physical-layer transmission function, for example a vehicle node or a roadside infrastructure node.
The invention is described in detail below with reference to specific embodiments, taking a communication system formed by a base station and vehicle nodes as the example:
Embodiment one: the base station receives, from the vehicle nodes it covers, the authentication information used to authenticate those vehicle nodes, and sends the authentication information of each vehicle node, after forwarding or processing it, to all vehicle nodes in its coverage. In this embodiment the base station authenticates the vehicle nodes through the authentication system of the cellular network.
Fig. 4a is a schematic diagram of the network architecture of embodiment one, in which base station A covers three vehicle nodes a, b and c. As shown in Fig. 4b, the flow of embodiment one is as follows:
Step 1: after vehicle nodes a, b and c access base station A, each sends the authentication information used to authenticate it to base station A, which covers them.
In this step the vehicle nodes send their authentication information to base station A at a preset time interval or when triggered by an event.
Typically, if the validity periods of two consecutive sender certificates of a vehicle node overlap by 30 seconds, the vehicle node sends the next certificate, which carries its public key, to base station A within that overlap period, so that the new certificate is distributed before the current one expires.
Step 2: after base station A receives the authentication information sent by vehicle nodes a, b and c, it authenticates the vehicle nodes through the authentication system of the cellular network.
In this step base station A verifies the identity of each vehicle node on the basis of the vehicle node's identifier, as the cellular authentication system does. Vehicle nodes that pass proceed to step 3; the authentication information of a vehicle node that fails is discarded.
Step 3: base station A forwards or processes the authentication information (the sender certificates) of vehicle nodes a, b and c and sends it to the vehicle nodes a, b and c it covers.
Note that base station A sends the same authentication information to each of vehicle nodes a, b and c. Specifically, the authentication information of a, b and c can be placed in a single packet and sent.
Preferably, base station A adds to the vehicle nodes' authentication information a signature made with its own private key, or its public key together with that signature, and sends the authentication information so signed to vehicle nodes a, b and c in its coverage.
Note that if the public key of base station A is already known, for example because it is specified in a standard or protocol or announced in the system broadcast of base station A, base station A does not need to add its public key when sending the authentication information to vehicle nodes a, b and c.
In a concrete implementation, if vehicle nodes a and b pass authentication and vehicle node c does not, base station A sends the authentication information containing the certificates of vehicle nodes a and b to all vehicle nodes a, b and c in its coverage, at the preset time interval and by system broadcast.
In the preferred embodiment above, base station A adds to the authentication information of vehicle nodes a and b the signature made with its private key, or its public key and that signature, and sends the signed authentication information to all vehicle nodes a, b and c in its coverage at the preset time interval and by system broadcast.
Step 4: vehicle nodes a, b and c receive the authentication information of the vehicle nodes in the coverage of base station A, sent by base station A, and store it.
Step 5: when vehicle node a, b or c receives a message carrying no authentication information from a peer, it verifies the identity of the peer using the stored authentication information of that peer received from base station A.
In this step the vehicle node verifies the identity of the peer with the sender's public key in the peer's authentication information. Specifically, it uses the peer's public key and the received message to check the signature carried in the message, which the peer made with its private key; if the signature is consistent with the message, the peer is regarded as a trusted terminal, otherwise as an untrusted terminal.
Preferably, the authentication information sent by base station A also includes the signature of base station A, or the public key and signature of base station A, and after receiving the authentication information of the vehicle nodes sent by base station A, vehicle nodes a, b and c further:
authenticate base station A on the basis of its signature, or its public key and signature;
after that verification passes, on receiving a message carrying no authentication information from a peer, verify the identity of the peer using the stored authentication information of that peer received from base station A.
In a concrete implementation, after vehicle node c receives and stores the authentication information containing the certificates of vehicle nodes a and b sent by base station A, which covers it, it first authenticates base station A with the signature of base station A carried in that authentication information (or with the public key and signature of base station A). Once that verification passes, whenever vehicle node c receives a message carrying no authentication information from peer a or b, it verifies the identity of that peer using the stored authentication information of a or b received from base station A.
Step 6: if a vehicle node verifies the identity of the peer successfully using the stored authentication information of the peer received from base station A, go to step 7; if the verification fails, go to step 8.
Step 7: the vehicle node delivers the message carrying no authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step 8: the vehicle node discards the message carrying no authentication information sent by the peer that failed authentication.
Further, a vehicle node directly discards any message carrying no authentication information from a peer whose authentication information it has not received.
In a concrete implementation, when vehicle node c verifies the identity of peer a or b using the stored authentication information received from base station A, it delivers the messages of a peer that passed to the upper layer and discards the messages of a peer that failed. Vehicle nodes a and b operate in the same way, but because the authentication information that base station A broadcasts at the preset time interval does not contain the authentication information of vehicle node c, a and b can only verify each other's messages, using the stored authentication information of a and b received from base station A: messages from a peer that passes are delivered to the upper layer and messages from a peer that fails are discarded. When a or b receives a message carrying no authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, a message carrying no authentication information from vehicle node c is discarded immediately.
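The end-to-end exchange of embodiment one, together with the terminal-side decision of steps 303 to 305, written out in Go. This is an added example and not code from the patent. It assumes Ed25519 signatures from Go's standard library, that an allow-list of subscriber identifiers stands in for the cellular authentication system of step 2, and that the vehicles already know base station A's public key from the system broadcast, so the broadcast carries only the base station's signature. The type and function names (Cert, Bundle, BaseStation, Vehicle, Receive, Broadcast, Store, Send, Accept) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Outcomes for a received message that carries no authentication information.
const (
	Deliver     = "deliver to upper layer"
	DropBadSig  = "drop: signature does not verify with the stored public key"
	DropUnknown = "drop: no authentication information stored for this peer"
)

// Cert is the authentication information a vehicle node sends to its base station.
type Cert struct {
	ID  string
	Pub ed25519.PublicKey
}

// Bundle is the one packet the base station broadcasts: all verified certs plus a
// signature made with the base station's private key over their encoding. The base
// station's public key is assumed known from system broadcast, so it is not carried.
type Bundle struct {
	Certs []Cert
	Sig   []byte
}

func encode(certs []Cert) []byte { b, _ := json.Marshal(certs); return b }

// BaseStation models base station A. The subscriber allow-list stands in for the
// cellular authentication system of step 2 (an assumption of this example).
type BaseStation struct {
	Pub         ed25519.PublicKey
	priv        ed25519.PrivateKey
	subscribers map[string]bool
	verified    []Cert
}

func NewBaseStation(subscribers map[string]bool) *BaseStation {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &BaseStation{Pub: pub, priv: priv, subscribers: subscribers}
}

// Receive is step 2: an unknown identifier is discarded, an accepted cert is queued.
func (bs *BaseStation) Receive(c Cert) bool {
	if !bs.subscribers[c.ID] {
		return false
	}
	bs.verified = append(bs.verified, c)
	return true
}

// Broadcast is step 3: one identical signed packet for every covered vehicle.
func (bs *BaseStation) Broadcast() Bundle {
	certs := append([]Cert(nil), bs.verified...)
	return Bundle{Certs: certs, Sig: ed25519.Sign(bs.priv, encode(certs))}
}

// Vehicle models vehicle nodes a, b and c; peers holds what step 4 stores.
type Vehicle struct {
	Cert  Cert
	priv  ed25519.PrivateKey
	peers map[string]ed25519.PublicKey
}

func NewVehicle(id string) *Vehicle {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Vehicle{Cert{id, pub}, priv, map[string]ed25519.PublicKey{}}
}

// Store is step 4 with the preferred check: peer keys are trusted only after the
// base station's signature over the whole bundle verifies.
func (v *Vehicle) Store(b Bundle, bsPub ed25519.PublicKey) bool {
	if !ed25519.Verify(bsPub, encode(b.Certs), b.Sig) {
		return false
	}
	for _, c := range b.Certs {
		v.peers[c.ID] = c.Pub
	}
	return true
}

// Send builds a message without authentication information: the sender's
// identifier and a signature over the payload made with the sender's private key.
func (v *Vehicle) Send(payload []byte) (string, []byte) {
	return v.Cert.ID, ed25519.Sign(v.priv, payload)
}

// Accept is steps 5 to 8: verify with the stored public key of the named peer and
// deliver; drop on a bad signature or when nothing is stored for that peer.
func (v *Vehicle) Accept(from string, payload, sig []byte) string {
	pub, ok := v.peers[from]
	if !ok {
		return DropUnknown
	}
	if !ed25519.Verify(pub, payload, sig) {
		return DropBadSig
	}
	return Deliver
}

func main() {
	a, b, c := NewVehicle("a"), NewVehicle("b"), NewVehicle("c")
	bs := NewBaseStation(map[string]bool{"a": true, "b": true}) // c is unknown
	for _, v := range []*Vehicle{a, b, c} { bs.Receive(v.Cert) }
	bundle := bs.Broadcast()
	for _, v := range []*Vehicle{a, b, c} { v.Store(bundle, bs.Pub) }
	msg := []byte("hard braking ahead") // constructed sample payload
	from, sig := a.Send(msg)
	fmt.Println("c receives a's message:", c.Accept(from, msg, sig))
	from, sig = c.Send(msg)
	fmt.Println("a receives c's message:", a.Accept(from, msg, sig))
}
```

Running it shows the asymmetry the text describes: c, although it failed the base station's check itself, still verifies a's message because a's certificate is in the signed bundle, while a drops c's message because nothing is stored for c. The Store check is what the "preferably" signature of step 3 buys: without it a vehicle has no way to tell a genuine bundle from one sent by any other radio, so in practice the base station signature should be treated as a required part of the packet.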
Embodiment two: the base station receives, from the vehicle nodes it covers, the authentication information used to verify the identity of those vehicle nodes, and sends the authentication information of each vehicle node, after forwarding or processing it, to all vehicle nodes in its coverage. In this embodiment the base station authenticates each vehicle node on the basis of the CA signature in the received authentication information of that vehicle node.
Fig. 4c is a schematic diagram of the network architecture of embodiment two, in which base station A covers three vehicle nodes a, b and c. As shown in Fig. 4d, the flow of embodiment two is as follows:
Step 1: after vehicle nodes a, b and c access base station A, each sends the authentication information used to authenticate it to base station A, which covers them.
This step is carried out as described for step 1 of embodiment one.
Step 2: after base station A receives the authentication information sent by vehicle nodes a, b and c, it verifies the identity of each vehicle node on the basis of the CA signature in that authentication information.
In this step base station A checks the CA signature in the received authentication information of each vehicle node. Vehicle nodes that pass proceed to step 3; the authentication information of a vehicle node that fails is discarded.
Step 3: base station A forwards or processes the authentication information (the sender certificates) of vehicle nodes a, b and c and sends it to the vehicle nodes a, b and c it covers.
Note that base station A sends the same authentication information to each of vehicle nodes a, b and c.
Preferably, base station A adds to the authentication information of vehicle nodes a and b a signature made with its own private key, or its public key together with that signature, and sends the signed authentication information to all vehicle nodes a, b and c in its coverage at the preset time interval and by system broadcast.
Note that if the public key of base station A is already known, for example because it is specified in a standard or protocol or announced in the system broadcast of base station A, base station A does not need to add its public key when sending the authentication information to vehicle nodes a, b and c.
In a concrete implementation, if vehicle nodes a and b pass authentication and vehicle node c does not, base station A sends the authentication information of vehicle nodes a and b to all vehicle nodes a, b and c in its coverage, at the preset time interval and by MBMS broadcast.
In the preferred embodiment above, base station A adds to the authentication information of vehicle nodes a and b the signature made with its private key, or its public key and that signature, and sends the signed authentication information of a and b to all vehicle nodes a, b and c in its coverage at the preset time interval and by MBMS broadcast.
Step 4: vehicle nodes a, b and c receive the authentication information of the vehicle nodes in the coverage of base station A, sent by base station A, and store it.
Step 5: when vehicle node a, b or c receives a message carrying no authentication information from a peer, it verifies the identity of the peer using the stored authentication information of that peer received from base station A.
In this step the vehicle node verifies the identity of the peer with the sender's public key in the peer's authentication information.
Preferably, the authentication information of the vehicle nodes sent by base station A also includes the signature of base station A, or the public key and signature of base station A (when the public key of the base station is already known, base station A does not need to add its public key when sending the authentication information to the vehicle nodes in its coverage, and the authentication information then carries only the signature made with the base station's private key). After receiving the authentication information of the vehicle nodes sent by base station A, vehicle nodes a, b and c further:
authenticate base station A on the basis of its signature, or its public key and signature;
after that verification passes, on receiving a message carrying no authentication information from a peer, verify the identity of the peer using the stored authentication information of that peer received from base station A.
In a concrete implementation, after vehicle node c receives the authentication information containing the certificates of vehicle nodes a and b sent by base station A, which covers it, it first authenticates base station A with the signature of base station A carried in that authentication information (or with the public key and signature of base station A). Once that verification passes, whenever vehicle node c receives a message carrying no authentication information from peer a or b, it verifies the identity of that peer using the stored authentication information of a or b received from base station A.
Step 6: if a vehicle node verifies the identity of the peer successfully using the stored authentication information of the peer received from base station A, go to step 7; if the verification fails, go to step 8.
Step 7: the vehicle node delivers the message carrying no authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step 8: the vehicle node discards the message carrying no authentication information sent by the peer that failed authentication.
Further, a vehicle node directly discards any message carrying no authentication information from a peer whose authentication information it has not received.
In a concrete implementation, when vehicle node c verifies the identity of peer a or b using the stored authentication information received from base station A, it delivers the messages of a peer that passed to the upper layer and discards the messages of a peer that failed. Vehicle nodes a and b operate in the same way, but because the authentication information sent by base station A does not contain the authentication information of vehicle node c, a and b can only verify each other's messages, using the stored authentication information of a and b received from base station A: messages from a peer that passes are delivered to the upper layer and messages from a peer that fails are discarded. When a or b receives a message carrying no authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, a message carrying no authentication information from vehicle node c is discarded immediately.
Embodiment three: the base station receives, from the vehicle nodes it covers, the authentication information used to verify the identity of those vehicle nodes, and sends the authentication information of each vehicle node, either as received or after processing, to all vehicle nodes in its coverage. Here the base station removes the CA signature from the sender certificate of each vehicle node before sending the certificates to all vehicle nodes in its coverage, and it verifies the identity of the vehicle nodes through the authentication system of the cellular network or on the basis of the CA signature in the authentication information.
Fig. 4e is a schematic diagram of the network architecture of embodiment three, in which base station A covers three vehicle nodes a, b and c. As shown in Fig. 4f, the flow of embodiment three is as follows:
Step 1: after vehicle nodes a, b and c access base station A, each sends the authentication information used to verify its identity to base station A, which covers them.
This step is carried out as described for step 1 of embodiment one.
Step 2: after base station A receives the authentication information sent by vehicle nodes a, b and c, it verifies the identity of each vehicle node through the authentication system of the cellular network or on the basis of the CA signature in the authentication information.
In this step, vehicle nodes that pass proceed to step 3; the authentication information of a vehicle node that fails is discarded.
Step 3: base station A sends the authentication information of vehicle nodes a, b and c (their sender certificates with the CA signature removed) to all vehicle nodes a, b and c it covers.
Note that base station A sends the same authentication information to each of vehicle nodes a, b and c.
In this step base station A removes the CA signature from the sender certificates of vehicle nodes a, b and c and sends the remaining certificate content (the sender certificate of each vehicle node minus the CA signature) to the vehicle nodes a, b and c it covers.
Preferably, base station A adds to the authentication information of vehicle nodes a and b a signature made with its own private key, or its public key together with that signature, and sends the signed authentication information to all vehicle nodes a, b and c in its coverage at the preset time interval and by system broadcast.
In a concrete implementation, if vehicle nodes a and b pass authentication and vehicle node c does not, base station A sends the authentication information containing the certificates of vehicle nodes a and b to vehicle nodes a, b and c in its coverage, at the preset time interval and by dedicated vehicular-network broadcast.
In the preferred embodiment above, base station A adds to the authentication information of vehicle nodes a and b its signature, or its public key and the signature made with its private key, and sends the signed authentication information to vehicle nodes a, b and c in its coverage at the preset time interval and by dedicated vehicular-network broadcast.
Step 4: vehicle nodes a, b and c receive the authentication information of the vehicle nodes in the coverage of base station A, sent by base station A, and store it.
Step 5: when vehicle node a, b or c receives a message carrying no authentication information from a peer, it verifies the identity of the peer using the stored authentication information of that peer received from base station A.
In this step the vehicle node verifies the identity of the peer with the sender's public key in the stored authentication information of the peer.
Preferably, the authentication information of the vehicle nodes sent by base station A also includes the signature of base station A, or the public key and signature of base station A, and after receiving the authentication information of the vehicle nodes sent by base station A, vehicle nodes a, b and c further:
authenticate base station A on the basis of the received signature of base station A, or its public key and signature;
after that verification passes, on receiving a message carrying no authentication information from a peer, verify the identity of the peer using the stored authentication information of that peer received from base station A.
In a concrete implementation, after vehicle node c receives the authentication information containing the certificates of vehicle nodes a and b sent by base station A, which covers it, it first authenticates base station A with the signature of base station A carried in that authentication information (or with the public key and signature of base station A). Once that verification passes, whenever vehicle node c receives a message carrying no authentication information from peer a or b, it verifies the identity of that peer using the stored authentication information of a or b received from base station A.
Step 6: if a vehicle node verifies the identity of the peer successfully using the stored authentication information of the peer received from base station A, go to step 7; if the verification fails, go to step 8.
Step 7: the vehicle node delivers the message carrying no authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step 8: the vehicle node discards the message carrying no authentication information sent by the peer that failed authentication.
Further, a vehicle node directly discards any message carrying no authentication information from a peer whose authentication information it has not received.
In a concrete implementation, when vehicle node c verifies the identity of peer a or b using the stored authentication information received from base station A, it delivers the messages of a peer that passed to the upper layer and discards the messages of a peer that failed. Vehicle nodes a and b operate in the same way, but because the authentication information that base station A sends by dedicated vehicular-network broadcast at the preset time interval does not contain the authentication information of vehicle node c, a and b can only verify each other's messages, using the stored authentication information of a and b received from base station A: messages from a peer that passes are delivered to the upper layer and messages from a peer that fails are discarded. When a or b receives a message carrying no authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, a message carrying no authentication information from vehicle node c is discarded immediately.
Embodiment four: the base station forwards or processes the authentication information of the vehicle nodes that passed authentication, sent to it by an adjacent base station, and sends it to all vehicle nodes in its own coverage. Here the base station sends the sender certificates of the vehicle nodes with the CA signature removed to all vehicle nodes in its coverage, and verifies the identity of the vehicle nodes through the authentication system of the cellular network or on the basis of the CA signature.
Fig. 4g is a schematic diagram of the network architecture of embodiment four, in which base station A covers three vehicle nodes a, b and c and base station B covers two vehicle nodes d and e. As shown in Fig. 4h, the flow of embodiment four is as follows:
After step one, vehicle node a, b, c, d, e access base station, the authentication information being used for carrying out vehicle node a, b, c, d, e authentication is sent to base station A or B covering vehicle node a, b, c, d, e by vehicle node a, b, c, d, e.
In this step, authentication information is sent to base station A or B covering vehicle node a, b, c, d, e by vehicle node a, b, c, d, e according to setting-up time interval.
Usually, if the overlapping time having 30 seconds effective time of send before and after vehicle node a, b, c, d, e two certificates, so vehicle node a, b, c, d, e can send to base station A or B the certificate that the next one that carries respective PKI will use within the overlapping time of every two certificates.
The authentication information for verifying vehicle node a, b, c, d, e identity that step 2, base station A or B receive its vehicle node a covered, b, c, d, e send, and the authentication information of vehicle node that the adjacent base station that receiving neighbor bs sends covers, then base station A or B verifies based on the identity of signature to vehicle node of CA in the authentication system of cellular network or authentication information.
In this step, base station A or B verifies the identity of the vehicle node based on the authentication system of the cellular network or on the CA signature in the authentication information, proceeds to step 3 once the verification succeeds, and discards the authentication information of any vehicle node whose verification fails.
Step 3: base station A or B forwards the received authentication information of each vehicle node (with the CA signature of the sender's certificate removed), or processes it and then sends it, to the vehicle nodes a, b, c, d, e that it covers.
In this step, base station A or B takes the authentication information of the vehicle nodes covered by the adjacent base station, received from that base station, together with the authentication information sent by its own covered vehicle nodes a, b, c, d, e for verifying their identities, forwards or processes it, and sends the result to all vehicle nodes that base station A or B covers.
It should be noted that each base station sends identical authentication information to every vehicle node it covers, but the authentication information sent by different base stations may differ. For example, if one base station has collected the authentication information of 5 vehicle nodes, the authentication information it sends to each vehicle node it covers contains at most the authentication information of those 5 vehicle nodes; if another base station has collected the authentication information of 10 vehicle nodes, the authentication information it sends to each vehicle node it covers may contain at most the authentication information of those 10 vehicle nodes.
In this step, base station A or B removes the CA signature from the sender's certificates of vehicle nodes a, b, c, d, e and sends the sender's certificates of vehicle nodes a, b, c, d, e with the CA signature removed (here, the information remaining in the sender's certificates of vehicle nodes a, b, c, d, e after the CA signature is removed) to the vehicle nodes a, b, c, d, e that base station A or B covers.
Preferably, the signature of the base station, or the public key and signature of the base station, is added to the authentication information of the vehicle nodes, and the authentication information of the vehicle nodes to which the signature of the base station, or the public key and signature of the base station, has been added is sent to the vehicle nodes a, b, c, d, e covered by base station A or B.
In a specific implementation, base stations A and B each use the CA signature to authenticate the vehicle nodes they cover from which authentication information was received. If vehicle nodes a and b pass the verification of base station A, vehicle node c fails the verification of base station A, and vehicle nodes d and e pass the verification of base station B, then base station A and base station B each forward the authentication information of every verified vehicle node, or process it and then send it, at a set time interval in the form of an MBMS broadcast to the vehicle nodes they cover, and through an interface to the adjacent base station. That is, base station A forwards or processes the authentication information of the verified vehicle nodes a and b and sends it at the set time interval by MBMS broadcast to the vehicle nodes a, b, c it covers and through an interface to the adjacent base station B; base station B forwards or processes the authentication information of the verified vehicle nodes d and e and sends it at the set time interval by MBMS broadcast to the vehicle nodes d, e it covers and through an interface to the adjacent base station A.
Step 4: vehicle nodes a, b, c, d, e receive the authentication information of the vehicle nodes sent by base station A or B covering them, and store it.
Step 5: when vehicle node a, b, c, d or e receives a message from a peer that carries no authentication information, it verifies the identity of the peer according to the stored authentication information of that peer received from base station A or B covering this vehicle node.
In this step, vehicle nodes a, b, c, d, e verify the identity of the peer according to the sender's public key in the stored authentication information of the peer.
Preferably, the authentication information of the vehicle nodes sent by the base station also includes the signature of the base station, or the public key and signature of the base station, and after receiving the authentication information of the vehicle nodes sent by base station A or B covering them, vehicle nodes a, b, c, d, e further:
authenticate base station A or B covering this vehicle node, based on the signature of base station A or B, or the public key and signature of base station A or B;
after that verification succeeds, when a message carrying no authentication information is received from a peer, verify the identity of the peer according to the stored authentication information of that peer received from base station A or B covering this vehicle node.
In a specific implementation, after vehicle node c receives and stores the authentication message sent by base station A covering it, which contains the certificates of vehicle nodes a, b, d, e, it first authenticates base station A using the signature of base station A, or the public key and signature of base station A, carried in that authentication message; after that verification succeeds, when vehicle node c receives a message carrying no authentication information from peer vehicle node a, b, d or e, it verifies the identity of that peer according to the stored authentication information of the peer vehicle nodes a, b, d, e received from base station A.
Step 6: if vehicle node a, b, c, d or e verifies the identity of the peer successfully according to the stored authentication information of the peer vehicle node received from base station A or B covering this vehicle node, proceed to step 7; if that verification fails, proceed to step 8.
Step 7: vehicle nodes a, b, c, d, e deliver the message carrying no authentication information, sent by a peer that passed authentication, to the higher layer for processing.
Step 8: vehicle nodes a, b, c, d, e discard the message carrying no authentication information sent by a peer that failed authentication.
Further, vehicle nodes a, b, c, d, e directly discard messages carrying no authentication information that are sent by a peer whose authentication information they have not received.
In a specific implementation, if vehicle node c verifies the identity of a peer successfully according to the stored authentication information of peer vehicle nodes a, b, d, e received from base station A, it delivers the message carrying no authentication information sent by that authenticated peer to the higher layer for processing; if that verification fails, it discards the message carrying no authentication information sent by the peer vehicle node a, b, d or e that failed authentication. The operation of vehicle nodes a, b, d, e is similar to that of vehicle node c, but since the authentication information sent by base station A or B does not contain the authentication information of vehicle node c, vehicle nodes a, b, d, e can verify messages carrying no authentication information only against the stored authentication information of vehicle nodes a, b, d, e: messages from peers that pass authentication are delivered to the higher layer, and messages from peers that fail authentication are discarded. Moreover, when vehicle node a or b receives a message carrying no authentication information from a peer whose authentication information it has not stored, it directly discards that message; for example, when it receives a message carrying no authentication information from vehicle node c, it directly discards that message from vehicle node c.
Based on the same technical concept, embodiments of the present invention further provide a central node and a terminal. Since the principle by which the central node and the terminal device solve the problem is similar to that of the method, the implementation of these devices may refer to the implementation of the method, and repeated parts are not described again.
As shown in Figure 5, the central node provided by the embodiment of the present invention may comprise:
a receiver module 501, for receiving the authentication information, used for authenticating the terminal, sent by the terminals it covers;
a sending module 502, for forwarding the received authentication information of each terminal, or processing it and then sending it, to all terminals that the central node covers.
The above division into functional modules is only one preferred implementation provided by the embodiment of the present invention, and the division of functional modules does not limit the invention.
In an implementation, the sending module 502 is further used for forwarding the received authentication information of each terminal, or processing it and then sending it, to the central node adjacent to this central node, and for forwarding the received authentication information of the terminals covered by the adjacent central node, or processing it and then sending it, to all terminals that this central node covers.
In an implementation, the receiver module 501 is further used for receiving the authentication information of the terminals covered by the adjacent central node, sent by the adjacent central node.
In a specific implementation, when the central node processes the authentication information of a terminal, it may add information to the authentication information as required, or delete unnecessary redundant information from the authentication information of the terminal; other processing modes are of course also possible.
In a specific implementation, the authentication information may be any type of information used for authenticating the terminal.
Preferably, the authentication information includes at least the sender's public key. Further preferably, the authentication information also includes the sender's identifier and/or the signature of the certificate authority (CA).
A current sender's certificate carries information for verifying the identity of the terminal; in addition to the sender's public key, the CA signature and/or the sender's identifier (ID) mentioned above, it also contains the serial number of the certificate, the name of the certificate issuing authority, and information that lets the recipient check whether the certificate has been revoked. Preferably, the authentication information includes one or more items of content from the sender's certificate; if it includes only one item, that item is the sender's public key.
In addition, the certificate also contains information such as restrictions on time, content and location, which may be added to the authentication information as required. The authentication information may of course also include the full content of the certificate.
In an implementation, the central node may further comprise:
an authentication module 503, for authenticating each terminal whose authentication information is received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
the sending module 502 may further be used for forwarding the authentication information of the terminal, or processing it and then sending it, to all terminals that the central node covers after that verification succeeds.
Whether the authentication information is received from a terminal covered by the central node or received from an adjacent central node, before the authentication information of the terminal is forwarded, or processed and then sent, to all terminals that the central node covers, the method further comprises:
authenticating the terminal based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information, and sending only after that verification succeeds.
Usually, the central node authenticates the corresponding terminal based on the CA signature. The central node may also authenticate the terminal in other ways, for example by relying on the authentication system of the existing cellular network: once the terminal is determined to be a legitimate access terminal of the cellular network, the authentication information sent by that terminal is considered trustworthy.
In an implementation, the authentication information is a sender's certificate, and the sending module 502 is specifically for sending the received sender's certificate of each terminal, or part of the content of the sender's certificate, to all terminals that the central node covers.
In an implementation, the sender's certificate includes a CA signature, and the sending module 502 is specifically for sending the sender's certificate of the terminal with the CA signature removed to all terminals that the central node covers.
It should be noted that the authentication information that the central node sends to all terminals it covers is identical.
In a specific implementation, the authentication information is a sender's certificate or part of the content of a sender's certificate, and the central node sends the received sender's certificate of each terminal, or part of the content of the sender's certificate, to all terminals that it covers; when the authentication information is part of the content of the sender's certificate, the central node sends the sender's certificate of the terminal with the CA signature removed to all terminals that it covers.
In an implementation, the central node may further comprise:
a processing module 504, for adding to the received authentication information of each terminal a signature made with the private key of the central node, or the public key of the central node together with a signature made with the private key of the central node;
the sending module 502 is specifically for sending the received authentication information of each terminal, as processed by the processing module, to all terminals that the central node covers.
In a specific implementation, when the central node processes the authentication information of a terminal, either of the following modes is used:
1) adding to the authentication information of the terminal a signature made with the private key of the central node;
It should be noted that if the public key of the central node is already known, for example because it is specified in a standard or protocol or announced in the system broadcast of the central node, the central node need not add its public key when sending the authentication information to all terminals it covers.
2) adding to the authentication information of the terminal the public key of the central node and a signature made with the private key of the central node.
Based on the added signature made with the private key of the central node, or the added public key of the central node and signature made with the private key of the central node, a terminal can authenticate the central node, which ensures the security and credibility of the authentication information of terminals sent by the central node.
In an implementation, the sending module 502 is specifically for:
sending the received authentication information of each terminal, or processing it and then sending it, to all terminals that the central node covers at a set time interval or in an event-triggered manner.
In a specific implementation, the central node may forward the received authentication information of each terminal, or process it and then send it, to all terminals it covers in any of the following ways:
1) sending at a set time interval
The central node receives the authentication information of terminals during the set time interval, and when the set time arrives, forwards the authentication information of each terminal received in that interval, or processes it and then sends it, to all terminals it covers.
This mode allows the authentication information of multiple terminals to be issued together at the set time interval, which improves network resource utilization.
2) sending in an event-triggered manner
A specific trigger may be: when the number of terminals newly accessing the central node reaches a set value, the authentication information of all terminals received so far is issued together, which improves network resource utilization.
3) sending immediately
As soon as the central node receives the authentication information sent by a terminal, it forwards the received authentication information of that terminal, or processes it and then sends it, to all terminals it covers.
In an implementation, the sending module 502 forwards the received authentication information of each terminal, or processes it and then sends it, to all terminals that the central node covers in any one of the following ways:
broadcast mode; multicast mode; groupcast mode; point-to-point mode.
The broadcast may be an MBMS broadcast, a dedicated Internet of Vehicles broadcast, a system broadcast, etc., so as to make reasonable use of channel resources and improve resource utilization.
As shown in Figure 6, the terminal provided by the embodiment of the present invention may comprise:
a sending module 601, for sending the authentication information used for authenticating the terminal to the central node covering the terminal;
a receiver module 602, for receiving and storing the authentication information of all terminals covered by the central node, sent by the central node.
The above division into functional modules is only one preferred implementation provided by the embodiment of the present invention, and the division of functional modules does not limit the invention.
In an implementation, the receiver module 602 is further used for receiving the authentication information of all terminals covered by the adjacent central node, sent by the central node.
In an implementation, the authentication information sent by the sending module 601 includes the sender's public key.
In an implementation, the authentication information sent by the sending module 601 also includes the sender's identifier and/or the signature of the certificate authority (CA).
In an implementation, the authentication information sent by the sending module 601 includes one or more items of content from the sender's certificate.
In an implementation, the sending module 601 is specifically for:
sending the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
Usually, if the validity periods of the certificates in the authentication information sent successively by the terminal overlap by 30 seconds, the terminal may send to the central node, at the set time interval and within the overlap time of every two certificates, the next certificate to be used, carrying the corresponding public key.
To protect privacy, a terminal usually uses a certificate that is valid only for a limited time; the 1609.2 protocol specifies that, in the certificate set of each terminal, only one certificate is valid at any moment. This principle may be relaxed so that the validity periods of two adjacent certificates are allowed to overlap for a short time, which lets the certificate change at a random point within the overlap period and thus protects privacy better, and also gives the terminal some flexibility to delay changing its certificate when a serious event occurs.
In an implementation, the authentication information received by the receiver module 602 also includes the signature of the central node, or the public key and signature of the central node.
In an implementation, the receiver module 602 may further be used for receiving messages carrying no authentication information sent by a peer;
In an implementation, the terminal may further comprise:
an authentication module 603, for verifying the identity of the peer according to the stored authentication information of the peer received from the central node, when the receiver module receives a message carrying no authentication information sent by the peer.
In an implementation, the authentication information of the peer includes the sender's public key of the peer, and the authentication module 603 is specifically for verifying the identity of the peer, when the receiver module 602 receives a message carrying no authentication information sent by the peer, according to the sender's public key in the stored authentication information of the peer received from the central node.
In an implementation, the authentication information of terminals that the receiver module 602 receives from the central node also includes the signature of the central node, or the public key and signature of the central node, and the authentication module 603 is specifically for:
authenticating the central node based on the signature of the central node, or the public key and signature of the central node, in the authentication information;
after that verification succeeds, verifying the identity of the peer according to the stored authentication information of the peer received from the central node, when the receiver module 602 receives a message carrying no authentication information sent by the peer.
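As an added example (not code from the patent), the exchange of steps 2 to 8 and of the modules of Figures 5 and 6 in Python: a base station authenticates CA-signed certificates, drops the CA signature, relays the remaining sender identifiers and public keys under its own signature once two terminals have been verified (the event-triggered mode), and a vehicle node authenticates the relay before using the stored keys to verify peer messages that carry no authentication information, discarding messages from unknown senders or with bad signatures. The toy Schnorr signatures over a tiny group, the class and function names, the batch size of two, and the constructed vehicles a, b, c (where c presents a certificate not signed by the CA) are all assumptions made here.

```python
import hashlib, secrets
from dataclasses import dataclass, field

# Toy Schnorr signatures over a tiny safe-prime group (P = 2Q + 1, G of order Q):
# a stand-in for the real CA and node signatures, NOT secure, standard library only.
P, Q, G = 2039, 1019, 4

def _h(*parts):                                 # challenge hash -> 256-bit integer
    return int.from_bytes(hashlib.sha256(b"|".join(repr(x).encode() for x in parts)).digest(), "big")

def keygen():                                   # -> (private key, public key)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(priv, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), msg)
    return e, (k - priv * e) % Q

def verify(pub, msg, sig):
    r = pow(G, sig[1], P) * pow(pub, sig[0], P) % P   # equals G^k only for a valid signature
    return _h(r, msg) == sig[0]

@dataclass
class CentralNode:                              # base station: verifies, strips, relays
    ca_pub: int
    priv: int
    pub: int
    batch_size: int = 2                         # event trigger: N newly verified terminals
    pending: dict = field(default_factory=dict)

    def receive_cert(self, sender_id, sender_pub, ca_sig):
        # Step 2: check the CA signature; certificates that fail are never relayed.
        if not verify(self.ca_pub, (sender_id, sender_pub), ca_sig):
            return None
        self.pending[sender_id] = sender_pub
        return self.flush() if len(self.pending) >= self.batch_size else None

    def flush(self):
        # Step 3: CA signature dropped; (id, key) pairs go out signed by the central node.
        entries = sorted(self.pending.items())
        self.pending = {}
        return {"entries": entries, "node_pub": self.pub, "sig": sign(self.priv, entries)}

@dataclass
class Terminal:                                 # vehicle node
    priv: int
    pub: int
    known: dict = field(default_factory=dict)   # sender id -> public key, from the relay

    def receive_broadcast(self, trusted_node_pub, msg):
        # Step 4 (preferred form): authenticate the central node before storing keys.
        if msg["node_pub"] != trusted_node_pub or not verify(trusted_node_pub, msg["entries"], msg["sig"]):
            return False
        self.known.update(msg["entries"])
        return True

    def receive_peer_message(self, sender_id, payload, sig):
        # Steps 5-8: the message carries no certificate, so use the stored key or drop.
        pub = self.known.get(sender_id)
        if pub is None:
            return "dropped: no authentication information for sender"
        if not verify(pub, payload, sig):
            return "dropped: identity verification failed"
        return "delivered to higher layer"

def run_scenario():
    ca_priv, ca_pub = keygen()
    bs = CentralNode(ca_pub, *keygen())
    a, b, c = (Terminal(*keygen()) for _ in range(3))
    fake_priv = keygen()[0]                     # c's certificate is signed by a non-CA key
    for vid, t, signer in (("c", c, fake_priv), ("a", a, ca_priv), ("b", b, ca_priv)):
        relay = bs.receive_cert(vid, t.pub, sign(signer, (vid, t.pub)))  # b triggers the send
    a.receive_broadcast(bs.pub, relay)
    return {
        "relayed_ids": [i for i, _ in relay["entries"]],
        "b_to_a": a.receive_peer_message("b", "brake", sign(b.priv, "brake")),
        "c_to_a": a.receive_peer_message("c", "brake", sign(c.priv, "brake")),
        "tampered": a.receive_peer_message("b", "brake!", sign(b.priv, "brake")),
        "forged_relay": b.receive_broadcast(bs.pub, {**relay, "entries": [("x", 5)]}),
    }
```

Because the central node refuses to relay c's certificate, the relay contains only a and b, so a drops c's message for lack of authentication information rather than for a failed check.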
The embodiment of the present invention further provides a central node comprising a processor and a data transceiver interface, wherein:
the processor is configured to receive the authentication information, used for authenticating the terminal, sent by the terminals the central node covers, and to forward the received authentication information of each terminal, or process it and then send it, to all terminals that the central node covers;
the data transceiver interface is for implementing data communication between the processor and the terminals.
The present invention also provides a terminal comprising a processor and a data transceiver interface, wherein:
the processor is configured to send the authentication information used for authenticating the terminal to the central node covering the terminal, and to receive and store the authentication information of all terminals covered by the central node, sent by the central node;
the data transceiver interface is for implementing data communication between the processor and other terminals and the central node.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and variations.