CN104469763A - Authentication information transmission method and device - Google Patents


Info

Publication number
CN104469763A
Authority
CN
China
Prior art keywords
authentication information
centroid
terminal
sends
opposite end
Legal status
Granted
Application number
CN201310418682.3A
Other languages
Chinese (zh)
Other versions
CN104469763B (en)
Inventor
赵毅
房家奕
赵丽
冯媛
李凤
Current Assignee
Beijing Gohigh Data Networks Technology Co ltd
Datang Gaohong Zhilian Technology Chongqing Co ltd
China Academy of Telecommunications Technology CATT
Original Assignee
BEIJING DATANG GAOHONG DATA NETWORK TECHNOLOGY Co Ltd
China Academy of Telecommunications Technology CATT
Application filed by BEIJING DATANG GAOHONG DATA NETWORK TECHNOLOGY Co Ltd and China Academy of Telecommunications Technology CATT
Priority to CN201310418682.3A
Publication of CN104469763A
Application granted
Publication of CN104469763B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the invention discloses an authentication information transmission method and device. The method comprises: a central node receives, from the terminals it covers, authentication information used to authenticate those terminals; the central node then forwards the received authentication information of each terminal to all terminals it covers, either as received or after processing it. Because the authentication information that terminals must exchange when communicating with each other is forwarded by the central node, the system resource overhead of carrying authentication information in every message sent during terminal-to-terminal communication is greatly reduced, and the resource utilization of the system is increased.

Description

Authentication information transmission method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an authentication information transmission method and device.
Background technology
Vehicular networking based on DSRC (Dedicated Short Range Communications), in which vehicles communicate directly with other vehicles and with road infrastructure to perceive the vehicle's surroundings in real time and give timely road safety warnings, is a research hotspot in many countries for addressing road safety problems.
A vehicular network based on direct vehicle-to-vehicle and vehicle-to-infrastructure communication has no central control point and is self-organizing, so the mature security mechanisms of conventional centrally controlled wireless networks such as GSM (Global System for Mobile Communications), 3G (third-generation mobile communication) and LTE (Long Term Evolution) cannot be used in it. Such a vehicular network is therefore more exposed to security threats from malicious nodes.
The DSRC protocol for direct vehicle-to-vehicle and vehicle-to-infrastructure communication defined by the IEEE WAVE (Wireless Access in Vehicular Environments) working group consists of a lower-layer protocol (802.11p) and an upper-layer protocol family (1609). IEEE 1609.2 defines the authentication and encryption mechanisms for vehicle-to-vehicle and vehicle-to-infrastructure messages, to prevent electronic fraud and eavesdropping. Encryption is needed only for point-to-point communication between vehicles or between a vehicle and road infrastructure. Road safety messages sent by vehicles and infrastructure are meant to be received by every vehicle and roadside unit in coverage, so they need no encryption; the receiver only needs to authenticate the sender of the message in order to determine whether the message is valid.
The SAE J2735 message set dictionary defines several message formats supporting road safety applications. The most important is the Basic Safety Message (BSM), which carries the vehicle state information that vehicle-to-vehicle and vehicle-to-infrastructure road safety applications rely on, such as the current time, vehicle position, speed and other basic vehicle state. By exchanging BSMs frequently, vehicles can track each other's position and movement, so that drivers can take appropriate action to avoid possible collisions. A receiving node must make sure that a received BSM is valid and has not been tampered with before using the information in it for road safety applications.
IEEE 1609.2 provides the following authentication mode for received messages:
The sending node of a message holds a private signing key and a certificate containing the public key associated with that private key. The sending node signs the message with its private key and carries the digital signature in the message; the receiving node uses the sending node's public key corresponding to the received message to verify the signature, so as to judge whether the sending node is permitted to send the message content and whether the message is valid.
At present, every message a node sends carries the node's digital signature over the message and the certificate containing the public key associated with its private key; the certificate also contains a signature over the certificate issued with the CA (Certificate Authority) key. When a node receives a message from another node, it first verifies the certificate in the message against the public key issued by the CA to determine whether the certificate is valid; once the certificate passes, it uses the public key in the certificate, which is associated with the sending node's private key, to verify the validity of the received message, and after that check passes the road safety information in the message is passed to the upper layers for processing.
Certificates are currently delivered mainly as follows. In a vehicular network system that improves traffic safety through direct vehicle-to-vehicle and vehicle-to-infrastructure communication, to guarantee the security and credibility of the information exchanged between vehicles and between vehicles and infrastructure, every message the sending node sends must carry the signature of the message together with the corresponding certificate, and the receiving node (a vehicle or infrastructure) authenticates every road safety message it receives from other vehicles or roadside infrastructure.
The certificate carried in a node's message is used mainly to verify the identity of the sending node. Besides the sending node's public key and the CA signature, it contains the sending node's identifier (ID), the certificate serial number, the name of the issuing authority, and information that lets the recipient check whether the certificate has been revoked.
The certificate also contains scope restrictions on time, content and position (for infrastructure, the position restriction is very important). To protect privacy, a vehicle normally uses a certificate only for a limited time (for example 5-10 minutes), so that its track cannot easily be followed over a long period through the road safety information it broadcasts. When a vehicle switches certificate, it also changes the other identifiers in the road safety messages it sends, such as the source MAC address, temporary ID and sequence number in BSMs.
The sender's public key and the CA's authentication of it can be provided in a certificate in two ways. In an explicit certificate they occupy separate fields, for example a 224-bit sender public key field and a 256-bit CA signature; in an implicit certificate the sender's public key and the CA's authentication are provided implicitly by a reconstruction field. The receiving node uses the CA public key and the value of the reconstruction field to recover the sender's public key, and the certificate body is verified as part of that process. An implicit certificate, however, requires the sender and the CA to use keys of the same length, and the reconstruction field is as long as the key. Because the reconstruction field replaces the sender public key and CA signature fields, an implicit certificate is 50-60 bytes shorter than an explicit one. Given this clear saving, the 1609 working group is considering making implicit certificates an optional mode. The processing load depends to some extent on the implementation, but the processing requirements of explicit and implicit certificates are generally considered roughly equivalent.
An explicit certificate is generally more than 100 bytes long, and even the smaller implicit certificate is very large compared with the vehicle state information in a BSM, which is generally 50 to 150 bytes.
In the course of making the present invention, the inventors found that existing certificate delivery schemes have at least the following defect:
Every message sent by a vehicle or roadside infrastructure must be digitally signed so that a vehicle receiving it can determine its validity. In the prior art, when a terminal communicates with a peer, it verifies the peer's identity with the sender public key carried in the certificate in the peer's message; but transmitting the certificate consumes a large share of the transmission resources, so the transmitted messages occupy a large amount of channel resources, which significantly reduces the resource utilization of the system.
Summary of the invention
Embodiments of the present invention provide an authentication information transmission method and device, in order to save channel resources and raise the resource utilization of the system.
An embodiment of the present invention provides an authentication information transmission method, comprising:
a central node receives, from the terminals it covers, authentication information used to authenticate those terminals;
the central node forwards the received authentication information of each terminal, as received or after processing, to all terminals it covers.
Preferably, the method further comprises: the central node also sends the received authentication information of each terminal, as received or after processing, to the central nodes adjacent to it.
Preferably, the method further comprises: the central node receives from an adjacent central node the authentication information of the terminals covered by that adjacent node;
the central node forwards the received authentication information of the adjacent node's terminals, as received or after processing, to all terminals it covers, so as to avoid blind spots at the cell edge.
Preferably, the authentication information comprises the sender's public key. When a terminal receives from a peer a message that carries no authentication information, it verifies the peer's identity with the sender public key in the stored authentication information of that peer, which it received from the central node, thereby ensuring the security of messages received without authentication information and the credibility of the peer.
Preferably, the authentication information also comprises the sender's identifier and/or the signature of the certificate authority (CA), which lets the central node authenticate the terminal according to the sender identifier and/or CA signature in the authentication information.
Preferably, the authentication information comprises one or more items of content from the sender's certificate.
Preferably, before the central node forwards the received authentication information of each terminal, as received or after processing, to all terminals it covers, the method further comprises:
authenticating each terminal whose information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
forwarding the terminal's authentication information, as received or after processing, to all terminals the central node covers only after the authentication passes, thereby ensuring the security and credibility of the received terminal authentication information.
Preferably, the authentication information is the sender's certificate, and forwarding the received authentication information of each terminal, as received or after processing, to all terminals the central node covers comprises:
sending the sender certificate of each terminal, or part of its content, to all terminals the central node covers.
Preferably, the sender certificate comprises a CA signature, and sending part of the content of each terminal's sender certificate to all terminals the central node covers comprises:
sending the terminal's sender certificate with the CA signature removed to all terminals the central node covers, so as to reduce the system resource overhead of transmitting the terminal's authentication information.
Preferably, the central node processing the received authentication information of each terminal before sending it to the terminals it covers comprises:
adding to the received authentication information of each terminal a signature made with the central node's private key, or the central node's public key together with such a signature;
sending the processed authentication information of each terminal to all terminals the central node covers.
Preferably, the central node forwarding the terminals' authentication information, as received or after processing, to all terminals it covers comprises:
the central node sending the received authentication information of each terminal, as received or after processing, to all terminals it covers at a set time interval or in an event-triggered manner, so that the terminals' authentication information is delivered to all covered terminals in one batch per interval or per triggering event, improving network resource utilization.
Preferably, the central node forwards the received authentication information of each terminal, as received or after processing, to all terminals it covers in any one of the following ways:
broadcast; multicast; groupcast; point-to-point.
The above embodiments of the present invention make appropriate use of channel resources and achieve the goal of improving resource utilization.
An embodiment of the present invention provides an authentication information transmission method, comprising:
a terminal sends authentication information used to authenticate the terminal to the central node that covers it;
the terminal receives and stores the authentication information of all terminals covered by the central node, which the central node sends.
Preferably, the method further comprises:
the terminal receives and stores the authentication information of all terminals covered by adjacent central nodes, which the central node sends.
Preferably, the authentication information sent by the terminal comprises the sender's public key.
Preferably, the authentication information sent by the terminal also comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information sent by the terminal comprises one or more items of content from the sender's certificate.
Preferably, the terminal sending authentication information to the central node that covers it comprises:
the terminal sending the authentication information to the central node that covers it at a set time interval or in an event-triggered manner.
The sender certificate in the authentication information a terminal uses is normally valid only for a limited time; this approach lets the terminal send the updated sender certificate to the central node in time, ensuring that the sender certificate remains valid.
Preferably, the terminal authentication information sent by the central node also comprises the signature of the central node, or the public key and signature of the central node.
An embodiment of the present invention provides a method by which a terminal performs authentication, comprising:
receiving a message sent by a peer that carries no authentication information;
verifying the peer's identity according to the stored authentication information of that peer received from the central node.
The above embodiments reduce the system resource overhead that carrying authentication information in the messages sent during terminal-to-terminal communication would require, thereby improving the resource utilization of the system.
Preferably, the peer's authentication information comprises the peer's sender public key, and verifying the peer's identity according to the peer's authentication information comprises:
verifying the peer's identity with the sender public key in the peer's authentication information, in order to ensure the security and credibility of the messages the peer sends.
Preferably, the terminal authentication information sent by the central node also comprises the signature of the central node, or its public key and signature, and after receiving that information the terminal further:
authenticates the central node based on the central node's signature, or its public key and signature, in the authentication information, thereby ensuring the security and credibility of the terminal authentication information the central node sends;
after the authentication passes, verifies a peer's identity, whenever it receives a message from that peer that carries no authentication information, according to the stored authentication information of the peer received from the central node.
Corresponding to the above method, an embodiment of the present invention provides a central node, comprising:
a receiving module, for receiving from the terminals the central node covers authentication information used to authenticate those terminals;
a sending module, for forwarding the received authentication information of each terminal, as received or after processing, to all terminals the central node covers.
Preferably, the sending module is further used to send the received authentication information of each terminal, as received or after processing, to the central nodes adjacent to the central node.
Preferably, the receiving module is further used to receive from an adjacent central node the authentication information of the terminals that adjacent node covers;
and the sending module is further used to forward the received authentication information of the adjacent node's terminals, as received or after processing, to all terminals the central node covers.
Preferably, the authentication information comprises the sender's public key.
Preferably, the authentication information also comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information comprises one or more items of content from the sender's certificate.
Preferably, the central node further comprises:
an authentication module, for authenticating each terminal whose information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
and the sending module is further used to forward the terminal's authentication information, as received or after processing, to all terminals the central node covers after the authentication passes.
Preferably, the authentication information is the sender's certificate, and the sending module is specifically used to send the sender certificate of each terminal, or part of its content, to all terminals the central node covers.
Preferably, the sender certificate comprises a CA signature, and the sending module is specifically used to send the terminal's sender certificate with the CA signature removed to all terminals the central node covers.
Preferably, the central node further comprises:
a processing module, for adding to the received authentication information of each terminal a signature made with the central node's private key, or the central node's public key together with such a signature;
and the sending module is specifically used to send the authentication information of each terminal, as processed by the processing module, to all terminals the central node covers.
Preferably, the sending module is specifically used to:
send the received authentication information of each terminal, as received or after processing, to all terminals the central node covers at a set time interval or in an event-triggered manner.
Preferably, the sending module forwards the received authentication information of each terminal, as received or after processing, to all terminals the central node covers in any one of the following ways:
broadcast; multicast; groupcast; point-to-point.
An embodiment of the present invention also provides a central node comprising a processor and a data transceiver interface, wherein:
the processor is configured to receive from the terminals the central node covers authentication information used to authenticate those terminals, and to forward the received authentication information of each terminal, as received or after processing, to all terminals the central node covers;
and the data transceiver interface is used to carry the data communication between the processor and the terminals.
Corresponding to the above method, an embodiment of the present invention provides a terminal, comprising:
a sending module, for sending authentication information used to authenticate the terminal to the central node that covers it;
a receiving module, for receiving and storing the authentication information of all terminals covered by the central node, which the central node sends.
Preferably, the receiving module is further used to receive and store the authentication information of all terminals covered by adjacent central nodes, which the central node sends.
Preferably, the authentication information sent by the sending module comprises the sender's public key.
Preferably, the authentication information sent by the sending module also comprises the sender's identifier and/or the signature of the certificate authority (CA).
Preferably, the authentication information sent by the sending module comprises one or more items of content from the sender's certificate.
Preferably, the sending module is specifically used to:
send the authentication information to the central node that covers the terminal at a set time interval or in an event-triggered manner.
Preferably, the authentication information received by the receiving module also comprises the signature of the central node, or the public key and signature of the central node.
Preferably, the receiving module is further used to receive messages sent by a peer that carry no authentication information;
and the terminal further comprises:
an authentication module, for verifying the peer's identity, when the receiving module receives a message from the peer that carries no authentication information, according to the stored authentication information of the peer received from the central node.
Preferably, the peer's authentication information comprises the peer's sender public key, and the authentication module is specifically used to verify the peer's identity, when the receiving module receives a message from the peer that carries no authentication information, with the sender public key in the stored authentication information of the peer received from the central node.
Preferably, the terminal authentication information that the receiving module receives from the central node also comprises the signature of the central node, or its public key and signature, and the authentication module is specifically used to:
authenticate the central node based on the central node's signature, or its public key and signature, in the authentication information;
and, after the authentication passes, verify a peer's identity whenever the receiving module receives a message from that peer that carries no authentication information, according to the stored authentication information of the peer received from the central node.
The present invention also provides a terminal comprising a processor and a data transceiver interface, wherein:
the processor is configured to send authentication information used to authenticate the terminal to the central node that covers it, and to receive and store the authentication information of all terminals covered by the central node, which the central node sends;
and the data transceiver interface is used to carry the data communication between the processor and other terminals and the central node.
The authentication information transmission method and device provided by embodiments of the present invention use the central node to forward the authentication information that terminals must exchange when communicating with each other. This greatly reduces the system resource overhead of carrying authentication information in the messages sent during terminal-to-terminal communication, and thereby improves the resource utilization of the system.
Brief description of the drawings
Fig. 1 is a flow diagram of the authentication information transmission method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of the terminal-side authentication information transmission method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of the method by which a terminal performs authentication, provided by an embodiment of the present invention;
Fig. 4a is a schematic diagram of the network architecture in embodiment one of the present invention;
Fig. 4b is a flow chart of embodiment one of the present invention;
Fig. 4c is a schematic diagram of the network architecture in embodiment two of the present invention;
Fig. 4d is a flow chart of embodiment two of the present invention;
Fig. 4e is a schematic diagram of the network architecture in embodiment three of the present invention;
Fig. 4f is a flow chart of embodiment three of the present invention;
Fig. 4g is a schematic diagram of the network architecture in embodiment four of the present invention;
Fig. 4h is a flow chart of embodiment four of the present invention;
Fig. 5 is a schematic structural diagram of the central node provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the terminal provided by an embodiment of the present invention.
Embodiment
The embodiment of the present invention is applied to communication system, and equipment relevant to the embodiment of the present invention in this system mainly comprises: Centroid, terminal.Utilize Centroid to the mode needing mutual authentication information to forward when terminal and terminal communication, significantly reduce system resource overhead required in the message sent when authentication information being carried at terminal and terminal communication, thus improve the resource utilization of system.
Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described in detail.
See Fig. 1, the flow process of the authentication information transmission method that the embodiment of the present invention provides, specific implementation step comprises:
Step 101, Centroid receive the authentication information for verifying terminal identity that its terminal covered sends.
Authentication information can be any type of information for carrying out authentication to terminal.
Preferably, authentication information at least comprises sender's PKI.Further preferably, authentication information also comprises the mark of sender and/or the signature of certificate management authority CA.
Current sender's certificate has the information for verifying terminal identity, except comprising above-mentioned sender's PKI, the signature of CA and/or the mark (ID) of sender, also, comprise the sequence number of certificate, the title of certificate issuing authority and the information such as recipient's authentication certificate can be made whether to have been cancelled.Preferably, authentication information comprises the one or more content in sender's certificate, and sender's PKI is the content that must comprise.
In addition, also comprise the information such as scope restriction about time, content, position in certificate, can determine whether as required to be added authentication information.Certainly, authentication information can comprise the full content of certificate.
Step 102: the central node forwards the received authentication information of each terminal, either as is or after processing, to all terminals covered by the central node.
When the central node processes the authentication information of a terminal, it can add information to the authentication information as needed, or delete redundant, unnecessary information from it; other processing is of course also possible.
The embodiment of the present invention has the central node forward the authentication information that terminals need to exchange when they communicate with each other, which significantly reduces the system resource overhead that would otherwise be required to carry authentication information in the messages sent between terminals and thus improves the resource utilization of the system.
In implementation, the central node can forward the received authentication information of each terminal, as is or after processing, to all terminals it covers in the following ways:
1) Sending at a set time interval
The central node receives terminal authentication information during a set time interval; when the set time arrives, the central node sends the authentication information of all terminals received in that interval, as is or after processing, to all terminals it covers.
In this way the authentication information of multiple terminals can be distributed together at the set time interval, improving network resource utilization.
2) Sending in an event-triggered manner
A specific trigger may be that, when the number of terminals newly accessing the central node reaches a certain value, the authentication information of all terminals received so far is distributed together, which improves network resource utilization.
3) Sending immediately
As soon as the central node receives authentication information sent by a terminal, it forwards that terminal's authentication information, as is or after processing, to all terminals covered by the central node.
In implementation, the central node can send the received authentication information of each terminal, as is or after processing, to all terminals it covers in any one of the following ways:
broadcast; multicast; groupcast; point-to-point. The broadcast may be an MBMS broadcast, a dedicated vehicular-networking broadcast, a system broadcast, etc., so as to make appropriate use of channel resources and improve resource utilization.
According to another preferred implementation of the present invention, the central node also forwards the received authentication information of each terminal, as is or after processing, to the central nodes adjacent to it, so as to prevent blind areas at cell edges.
Preferably, the method further comprises: the central node receives, from an adjacent central node, the authentication information of the terminals covered by that adjacent central node, and forwards it, as is or after processing, to all terminals it covers.
Regardless of whether the authentication information was received from a terminal within the central node's own coverage or from an adjacent central node, before the central node forwards the terminal's authentication information, as is or after processing, to all terminals it covers, the method further comprises:
authenticating the terminal based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information, and sending only after verification succeeds.
Usually, the central node authenticates the terminal based on the CA signature. Other ways of authenticating the terminal may also be adopted, such as relying on the authentication system of the existing cellular network: once the terminal is determined to be a legitimately accessed terminal of the cellular network, the authentication information it sends is considered trustworthy.
The authentication information that the central node sends to all terminals it covers is identical.
This authentication information is the sender's certificate or part of its content; the central node sends the received sender's certificate, or the partial certificate content, of each terminal to all terminals it covers.
When the authentication information is partial certificate content, the central node sends the terminal's sender certificate with the CA signature removed to all terminals it covers.
When the central node processes the authentication information of a terminal, either of the following ways is adopted:
1) adding to the terminal's authentication information a signature made with the private key of the central node;
It should be noted that if the public key of the central node is known information, for example specified in a specification or protocol or announced in the system broadcast of the central node, then the central node does not need to add its own public key when sending the authentication information to all terminals it covers.
2) adding to the terminal's authentication information the public key of the central node and a signature made with the private key of the central node.
It should be noted that in this case the public key of the central node is not known information, so the central node needs to add its public key when sending the authentication information to all terminals it covers.
Based on the added signature made with the central node's private key, or on the added public key of the central node together with the signature made with its private key, a terminal can authenticate the central node, which ensures the security and credibility of the terminal authentication information sent by the central node.
The embodiments of the present invention impose no specific restriction on the sending manner of the above authentication information.
Referring to Fig. 2, the flow of the terminal-side authentication information transmission method provided by the embodiment of the present invention comprises the following specific implementation steps:
Step 201: the terminal sends the authentication information used to authenticate it to the central node covering the terminal.
The authentication information can be any form of information used to authenticate a terminal.
Preferably, the authentication information at least comprises the sender's public key. Further preferably, the authentication information also comprises the identifier of the sender and/or the signature of the certificate authority (CA).
A current sender's certificate carries the information for verifying terminal identity: besides the sender's public key, the CA signature and/or the sender's identifier (ID) mentioned above, it also comprises the serial number of the certificate, the name of the issuing authority, and information that lets the recipient check whether the certificate has been revoked. Preferably, the authentication information comprises one or more items of content from the sender's certificate; if it comprises only one item of certificate content, that item is the sender's public key.
In addition, a certificate also comprises information such as scope restrictions on time, content and position, which can be added to the authentication information as needed. Of course, the authentication information can also comprise the full content of the certificate.
Specifically, the terminal sends the authentication information to the central node covering it at a set time interval or in an event-triggered manner.
Usually, if the validity periods of the certificates in the authentication information sent successively by a terminal overlap by 30 seconds, the terminal can send the next certificate to be used, carrying the corresponding public key, to the central node at the set time interval within the overlap period of every two certificates.
To protect privacy, a terminal usually uses a certificate that is valid only for a finite time; the 1609.2 protocol specifies that, in each terminal's certificate set, only one certificate is valid at any given moment. This principle can be relaxed so that the validity periods of two adjacent certificates are allowed to overlap for a short time, which lets the terminal switch certificates at a random moment within the overlap period and thereby protects privacy better; it also gives the terminal some flexibility to delay switching certificates when a serious event occurs.
Step 202: the terminal receives the authentication information of all terminals covered by the central node, sent by the central node, and stores it.
Preferably, the method further comprises: the terminal receives and stores the authentication information, sent by the central node, of all terminals covered by the adjacent central nodes.
In this step, based on the added signature made with the central node's private key, or on the added public key of the central node together with the signature made with its private key, the terminal can authenticate the central node, which ensures the security and credibility of the terminal authentication information sent by the central node.
It should be noted that if the public key of the central node is known information, for example specified in a specification or protocol or announced in the system broadcast of the central node, then the central node does not need to add its own public key when sending the authentication information to all terminals it covers.
Referring to Fig. 3, the flow of the method by which a terminal performs authentication, provided by the embodiment of the present invention, comprises the following specific implementation steps:
Step 301: receive a message, sent by a peer, that does not carry authentication information.
Step 302: verify the identity of the peer according to the stored authentication information of the peer received from the central node.
In this step, the peer's authentication information comprises the peer's sender public key, and the peer identity is verified according to the sender public key in the peer's authentication information.
In the above embodiment, when the terminal receives a message from a peer that does not carry authentication information, it verifies the peer's identity according to the stored authentication information of the peer received from the central node. Because the terminal authenticates the peer with stored authentication information received from the central node, the messages sent between terminals need not carry authentication information, which significantly reduces the network resource overhead caused by carrying authentication information in messages sent between terminals and considerably improves the efficiency of terminal-to-terminal communication.
Step 303: if verification of the peer identity according to the stored authentication information of the peer received from the central node succeeds, proceed to step 304; if verification fails, proceed to step 305.
Step 304: the terminal delivers the message without authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step 305: the terminal discards the message without authentication information sent by the peer that failed authentication.
Further, when a message without authentication information is received from a peer whose authentication information has not been stored, the message sent by that peer is discarded directly.
As can be seen from the above flow, in the above embodiment of the present invention the central node receives the authentication information, used to authenticate the terminals, sent by all terminals it covers, and forwards the received authentication information of each terminal, as is or after processing, to all terminals it covers. In the embodiment of the present invention, having the central node forward the authentication information that terminals need to exchange when they communicate with each other significantly reduces the system resource overhead that would otherwise be required to carry authentication information in the messages sent between terminals, thus improving the resource utilization of the system.
In the embodiment of the present invention, the central node can be a device with base station functions or a management device with authentication information forwarding capability; for example, the central node can be a macro base station, a pico base station or a femto base station. The terminal device is a device that at least has physical-layer transmission functions, such as a vehicle node or a roadside infrastructure node.
The present invention is described in detail below with reference to specific embodiments, taking a communication system formed by a base station and vehicle nodes as an example:
Embodiment one: the base station receives the authentication information, used to authenticate the vehicle nodes, sent by the vehicle nodes it covers, and forwards the received authentication information of each vehicle node, as is or after processing, to all vehicle nodes covered by the base station, where the base station authenticates the vehicle nodes based on the authentication system of the cellular network.
Fig. 4a is a schematic diagram of the network architecture in embodiment one of the present invention, in which three vehicle nodes a, b and c are under base station A. The flow of embodiment one, shown in Fig. 4b, is as follows:
Step one: after vehicle nodes a, b, c access base station A, each sends the authentication information used to authenticate it to base station A, which covers vehicle nodes a, b, c.
In this step, vehicle nodes a, b, c send the authentication information to base station A at a set time interval or in an event-triggered manner.
Usually, if the validity periods of two successive sender certificates of vehicle node a, b or c overlap by 30 seconds, the vehicle node can send the next certificate to be used, carrying the corresponding public key, to base station A within the overlap period of every two certificates.
Step two: after base station A receives the authentication information, used to authenticate vehicle nodes a, b, c, sent by the vehicle nodes it covers, it authenticates the vehicle nodes based on the authentication system of the cellular network.
In this step, base station A authenticates the vehicle nodes based on the authentication system of the cellular network, for example by verifying the identity of a vehicle node based on its identifier; if verification succeeds, proceed to step three; if verification fails, the authentication information that failed authentication is discarded.
Step three: base station A forwards the authentication information (sender certificates) of vehicle nodes a, b, c, as is or after processing, to vehicle nodes a, b, c, which it covers.
It should be noted that base station A sends identical authentication information to each of vehicle nodes a, b, c. Specifically, the authentication information of vehicle nodes a, b, c can be placed in one data packet and sent.
Preferably, a signature made with the private key of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of the vehicle nodes, and the vehicle node authentication information with the added signature, or with the added public key and signature, is sent to vehicle nodes a, b, c covered by base station A.
It should be noted that if the public key of base station A is known information, for example specified in a specification or protocol or announced in the system broadcast of base station A, then base station A does not need to add its public key when sending the authentication information to vehicle nodes a, b, c, which it covers.
In a specific implementation, if vehicle nodes a and b pass authentication but vehicle node c does not, base station A sends the authentication information of vehicle nodes a and b to all vehicle nodes a, b, c it covers, at the set time interval and by system broadcast.
In the above preferred embodiment, a signature made with the private key of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of vehicle nodes a and b, and the vehicle node authentication information with the added signature, or with the added public key and signature, is sent to all vehicle nodes a, b, c covered by base station A, at the set time interval and by system broadcast.
Step four: vehicle nodes a, b, c receive and store the authentication information of the vehicle nodes covered by base station A, sent by base station A.
Step five: when vehicle node a, b or c receives a message from a peer that does not carry authentication information, it verifies the peer identity according to the stored authentication information of the peer received from base station A, which covers vehicle nodes a, b, c.
In this step, vehicle nodes a, b, c verify the peer identity according to the sender public key in the peer's authentication information. Specifically, the signature information derived from the peer's sender public key and the transmitted message is compared with the signature information carried in the message, which was made with the peer's private key; if the two agree, the peer is considered a trusted terminal, otherwise the peer is considered an untrusted terminal.
Preferably, the vehicle node authentication information sent by base station A also comprises the signature of base station A, or the public key and signature of base station A, and after receiving the vehicle node authentication information sent by the base station, vehicle nodes a, b, c further:
authenticate base station A based on its signature, or based on its public key and signature;
after verification succeeds, when a message without authentication information is received from a peer, verify the peer identity according to the stored authentication information of the peer received from base station A.
In a specific implementation, after vehicle node c receives and stores the authentication information, comprising the certificates of vehicle nodes a and b, sent by base station A covering it, it first authenticates base station A using the signature of base station A, or the public key and signature of base station A, carried in that authentication information; after verification succeeds, when vehicle node c receives a message without authentication information from peer vehicle node a or b, it verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A.
Step six: if vehicle nodes a, b, c verify the peer identity according to the stored authentication information of peer vehicle nodes a, b received from base station A and verification succeeds, proceed to step seven; if verification according to the authentication information of peer vehicle nodes a, b received from base station A fails, proceed to step eight.
Step seven: vehicle nodes a, b, c deliver the message without authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step eight: vehicle nodes a, b, c discard the message without authentication information sent by the peer that failed authentication.
Further, vehicle nodes a, b, c directly discard a message without authentication information sent by a peer whose authentication information they have not received.
In a specific implementation, if vehicle node c verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A and verification succeeds, it delivers the message without authentication information sent by the authenticated peer to the upper layer for processing; if verification fails, it discards the message without authentication information sent by peer vehicle node a or b that failed authentication. Vehicle nodes a and b operate similarly to vehicle node c, but since the authentication information that base station A sends by system broadcast at the set time interval does not contain the authentication information of vehicle node c, vehicle nodes a and b can only verify each other's messages without authentication information according to the stored authentication information of vehicle nodes a and b received from base station A, delivering the messages of a peer that passes authentication to the upper layer for processing and discarding the messages of a peer that fails. Moreover, when vehicle node a or b receives a message without authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, when it receives a message without authentication information sent by vehicle node c, it directly discards that message.
Embodiment two: the base station receives the authentication information, used to verify vehicle node identity, sent by the vehicle nodes it covers, and forwards the received authentication information of each vehicle node, as is or after processing, to all vehicle nodes covered by the base station, where the base station authenticates the vehicle nodes based on the CA signature in the received vehicle node authentication information.
Fig. 4c is a schematic diagram of the network architecture in embodiment two of the present invention, in which three vehicle nodes a, b and c are under base station A. The flow of embodiment two, shown in Fig. 4d, is as follows:
Step one: after vehicle nodes a, b, c access base station A, each sends the authentication information used to authenticate it to base station A, which covers vehicle nodes a, b, c.
This step is implemented as described in step one of embodiment one.
Step two: after base station A receives the authentication information, used to authenticate vehicle nodes a, b, c, sent by the vehicle nodes it covers, it verifies the identity of the vehicle nodes based on the CA signature in the authentication information.
In this step, base station A verifies the identity of a vehicle node based on the CA signature in the received vehicle node authentication information; if verification succeeds, proceed to step three; if verification fails, the authentication information that failed authentication is discarded.
Step three: base station A forwards the authentication information (sender certificates) of vehicle nodes a, b, c, as is or after processing, to vehicle nodes a, b, c, which it covers.
It should be noted that base station A sends identical authentication information to each of vehicle nodes a, b, c.
Preferably, a signature made with the private key of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of vehicle nodes a and b, and the vehicle node authentication information with the added signature, or with the added public key and signature, is sent to all vehicle nodes a, b, c covered by base station A, at the set time interval and by system broadcast.
It should be noted that if the public key of base station A is known information, for example specified in a specification or protocol or announced in the system broadcast of base station A, then base station A does not need to add its public key when sending the authentication information to vehicle nodes a, b, c, which it covers.
In a specific implementation, if vehicle nodes a and b pass authentication but vehicle node c does not, base station A sends the authentication information of vehicle nodes a and b to vehicle nodes a, b, c, which it covers, at the set time interval and by MBMS broadcast.
In the above preferred embodiment, a signature made with the private key of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of vehicle nodes a and b, and the authentication information of vehicle nodes a and b with the added signature, or with the added public key and signature, is sent to vehicle nodes a, b, c covered by base station A, at the set time interval and by MBMS broadcast.
Step four: vehicle nodes a, b, c receive and store the authentication information of the vehicle nodes covered by base station A, sent by base station A.
Step five: when vehicle node a, b or c receives a message from a peer that does not carry authentication information, it verifies the peer identity according to the stored authentication information of the peer received from base station A, which covers vehicle nodes a, b, c.
In this step, vehicle nodes a, b, c verify the peer identity according to the sender public key in the peer's authentication information.
Preferably, the vehicle node authentication information sent by base station A also comprises the signature of base station A, or the public key and signature of base station A (when the public key of the base station is known information, base station A does not need to add its public key when sending the authentication information to all vehicle nodes it covers, that is, the authentication information carries only the signature made with the base station's private key), and after receiving the vehicle node authentication information sent by base station A, vehicle nodes a, b, c further:
authenticate base station A based on its signature, or based on its public key and signature;
after verification succeeds, when a message without authentication information is received from a peer, verify the peer identity according to the stored authentication information of the peer received from base station A.
In a specific implementation, after vehicle node c receives the authentication information, comprising the certificates of vehicle nodes a and b, sent by base station A covering it, it first authenticates base station A using the signature of base station A, or the public key and signature of base station A, carried in that authentication information; after verification succeeds, when vehicle node c receives a message without authentication information from peer vehicle node a or b, it verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A.
Step six: if vehicle nodes a, b, c verify the peer identity according to the stored authentication information of peer vehicle nodes a, b received from base station A and verification succeeds, proceed to step seven; if verification according to the stored authentication information of peer vehicle nodes a, b received from base station A fails, proceed to step eight.
Step seven: vehicle nodes a, b, c deliver the message without authentication information, sent by the peer that passed authentication, to the upper layer for processing.
Step eight: vehicle nodes a, b, c discard the message without authentication information sent by the peer that failed authentication.
Further, vehicle nodes a, b, c directly discard a message without authentication information sent by a peer whose authentication information they have not received.
In a specific implementation, if vehicle node c verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A and verification succeeds, it delivers the message without authentication information sent by the authenticated peer to the upper layer for processing; if verification fails, it discards the message without authentication information sent by peer vehicle node a or b that failed authentication. Vehicle nodes a and b operate similarly to vehicle node c, but since the authentication information sent by base station A does not contain the authentication information of vehicle node c, vehicle nodes a and b can only verify each other's messages without authentication information according to the stored authentication information of vehicle nodes a and b received from base station A, delivering the messages of a peer that passes authentication to the upper layer for processing and discarding the messages of a peer that fails. Moreover, when vehicle node a or b receives a message without authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, when it receives a message without authentication information sent by vehicle node c, it directly discards that message.
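The flows of Figs. 1 to 3, as instantiated in embodiments one and two (the base station authenticates each vehicle node, in this model via the CA signature as in embodiment two; vehicle node c fails and is left out of the broadcast; a and b store each other's public keys and drop c's messages for lack of stored authentication information), written out as an added Python model. It is not part of the patent and not the applicants' code: the names BaseStation, Vehicle, run_scenario, the field names id/pub/ca_sig/bs_pub/bs_sig, the key seeds and the message payloads are all constructed for this example, and the small-prime RSA stands in for whatever signature scheme the certificates actually use. The broadcast follows processing option 2 (the base station's public key travels in the packet); option 1 would verify against a key already known from the specification or system broadcast instead of packet["bs_pub"].

```python
import hashlib

def _next_prime(n: int) -> int:
    while not (n >= 2 and all(n % i for i in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n
def toy_keypair(seed: int, e: int = 65537):
    """Toy textbook RSA on two ~20-bit primes near seed; NOT secure, illustration only."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while (p - 1) * (q - 1) % e == 0:          # e must be invertible modulo phi(n)
        q = _next_prime(q + 1)
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)   # (public, private)
def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(_digest(data, n), d, n)
def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

def cert_body(cert: dict) -> bytes:
    """Signed part of the authentication information: sender id and sender public key."""
    return f"{cert['id']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
def issue_cert(ca_priv, vid: str, pub) -> dict:
    cert = {"id": vid, "pub": pub}
    return dict(cert, ca_sig=sign(ca_priv, cert_body(cert)))   # CA signature added
def packet_body(packet: dict) -> bytes:
    parts = [cert_body(c) + b"#" + str(c["ca_sig"]).encode() for c in packet["certs"]]
    return b";".join(parts) + f"|{packet['bs_pub']}".encode()

class BaseStation:
    def __init__(self, ca_pub, priv, pub):
        self.ca_pub, self.priv, self.pub = ca_pub, priv, pub
        self.pending = []   # authentication information received in this interval
    def receive(self, cert: dict) -> bool:
        """Step two: authenticate the vehicle node via the CA signature; drop on failure."""
        ok = verify(self.ca_pub, cert_body(cert), cert["ca_sig"])
        if ok:
            self.pending.append(cert)
        return ok
    def broadcast(self) -> dict:
        """Step three, set-interval mode: one signed packet with every accepted certificate."""
        packet = {"certs": list(self.pending), "bs_pub": self.pub}
        packet["bs_sig"] = sign(self.priv, packet_body(packet))
        self.pending = []
        return packet

class Vehicle:
    def __init__(self, vid: str, priv, cert: dict):
        self.id, self.priv, self.cert = vid, priv, cert
        self.peers = {}     # stored authentication information: peer id -> public key
    def receive_broadcast(self, packet: dict) -> bool:
        """Step four: authenticate the base station, then store the peers' public keys."""
        if not verify(packet["bs_pub"], packet_body(packet), packet["bs_sig"]):
            return False
        for c in packet["certs"]:
            self.peers[c["id"]] = c["pub"]
        return True
    def send(self, payload: str) -> dict:
        """A peer message carrying no authentication information: id, payload, signature."""
        return {"from": self.id, "payload": payload,
                "sig": sign(self.priv, f"{self.id}|{payload}".encode())}
    def receive(self, msg: dict) -> str:
        """Steps five to eight: no stored info -> drop; bad signature -> drop; else deliver."""
        pub = self.peers.get(msg["from"])
        if pub is None:
            return "dropped: no stored authentication information"
        if not verify(pub, f"{msg['from']}|{msg['payload']}".encode(), msg["sig"]):
            return "dropped: authentication failed"
        return "delivered to upper layer"

def run_scenario() -> dict:
    """Embodiment two with constructed keys: a and b pass CA verification, c does not."""
    ca_pub, ca_priv = toy_keypair(1_000_000)
    bs_pub, bs_priv = toy_keypair(1_100_000)
    vehicles = {}
    for vid, seed in (("a", 1_200_000), ("b", 1_300_000), ("c", 1_400_000)):
        pub, priv = toy_keypair(seed)
        vehicles[vid] = Vehicle(vid, priv, issue_cert(ca_priv, vid, pub))
    vehicles["c"].cert["ca_sig"] = 12345        # constructed: a signature the CA never made
    station_a = BaseStation(ca_pub, bs_priv, bs_pub)
    accepted = {vid: station_a.receive(v.cert) for vid, v in vehicles.items()}
    packet = station_a.broadcast()
    for v in vehicles.values():
        v.receive_broadcast(packet)
    a, b, c = vehicles["a"], vehicles["b"], vehicles["c"]
    tampered = dict(a.send("brake"), payload="accelerate")   # constructed: altered in transit
    return {"accepted": accepted,
            "broadcast_ids": sorted(x["id"] for x in packet["certs"]),
            "b_gets_a": b.receive(a.send("brake")),
            "c_gets_a": c.receive(a.send("brake")),
            "a_gets_c": a.receive(c.send("hello")),
            "b_gets_tampered": b.receive(tampered)}
```

Running run_scenario() reproduces the cases the embodiments walk through: c's certificate is rejected at step two and never broadcast, b delivers a's message, c (which still received the broadcast) can verify a, a drops c's message because it holds no authentication information for c, and a message whose payload was altered after signing fails verification even though a's public key is stored. One practical caveat the model makes visible: when the base station's public key arrives in the same packet it signs (option 2), verification only shows the packet is self-consistent, so a deployment should pin that key through the specification or system broadcast as option 1 describes.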
Embodiment three: the base station receives, from the vehicle nodes it covers, the authentication information used to verify the identity of each vehicle node, and forwards the received authentication information of each vehicle node, with or without processing, to all vehicle nodes within its coverage; in particular, the base station sends the sender certificates of the vehicle nodes with the CA signature removed to all vehicle nodes in its coverage. The base station verifies the identity of the vehicle nodes based on the authentication system of the cellular network or on the CA signature in the authentication information.
Fig. 4e is a schematic diagram of the network architecture in embodiment three provided by the present invention. Assuming that base station A covers three vehicle nodes a, b and c, the flow of embodiment three, shown in Fig. 4f, is as follows:
Step 1: after vehicle nodes a, b and c access base station A, they send the authentication information used to verify their identities to base station A, which covers them.
This step is implemented as described in step 1 of embodiment one.
Step 2: after base station A receives the authentication information used to verify the identities of vehicle nodes a, b and c, it verifies the identity of each vehicle node based on the authentication system of the cellular network or on the CA signature in the authentication information.
In this step, base station A verifies the identity of each vehicle node based on the cellular network's authentication system or the CA signature; if verification succeeds it proceeds to step 3, and if verification fails it discards the authentication information that failed verification.
Step 3: base station A sends the authentication information of vehicle nodes a, b and c (the sender certificates with the CA signature removed) to all vehicle nodes a, b and c it covers.
It should be noted that base station A sends identical authentication information to each of vehicle nodes a, b and c.
In this step, base station A removes the CA signature from the sender certificates of vehicle nodes a, b and c and sends the sender certificates with the CA signature removed (here, the remaining information in the sender certificates of vehicle nodes a, b and c after the CA signature is removed) to vehicle nodes a, b and c covered by base station A.
Preferably, a signature made with the private key of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of vehicle nodes a and b; the authentication information of the vehicle nodes with this signature (or public key and signature) added is then sent by system broadcast, at a set time interval, to all vehicle nodes a, b and c covered by base station A.
In a specific implementation, if vehicle nodes a and b pass identity verification and vehicle node c does not, base station A sends the authentication information comprising vehicle nodes a and b to vehicle nodes a, b and c within its coverage at a set time interval by Internet-of-Vehicles (IoV) dedicated broadcast.
In the above preferred embodiment, the signature of base station A, or the public key of base station A together with a signature made with its private key, is added to the authentication information of vehicle nodes a and b, and the authentication information with this signature (or public key and signature) added is sent by IoV dedicated broadcast at a set time interval to vehicle nodes a, b and c covered by base station A.
Step 4: vehicle nodes a, b and c receive and store the authentication information of the vehicle nodes covered by base station A that base station A sends.
Step 5: when vehicle node a, b or c receives a message without authentication information from a peer, it verifies the peer identity according to the stored authentication information of the peer received from base station A, which covers vehicle nodes a, b and c.
In this step, vehicle nodes a, b and c verify the peer identity according to the sender public key in the stored authentication information of the peer.
Preferably, the authentication information of the vehicle nodes sent by base station A also comprises the signature of base station A, or the public key and signature of base station A, and after receiving the authentication information of the vehicle nodes sent by base station A, vehicle nodes a, b and c further:
verify base station A based on the received signature of base station A, or on its public key and signature;
after that verification succeeds, upon receiving a message without authentication information from a peer, verify the peer identity according to the stored authentication information of the peer received from base station A.
In a specific implementation, after vehicle node c receives the authentication information comprising the certificates of vehicle nodes a and b sent by base station A, which covers it, it first verifies base station A using the signature of base station A, or the public key and signature of base station A, carried in this authentication information; once that verification succeeds, when vehicle node c receives a message without authentication information from peer vehicle node a or b, it verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A.
Step 6: if vehicle node a, b or c successfully verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A, it proceeds to step 7; if the verification fails, it proceeds to step 8.
Step 7: vehicle nodes a, b and c deliver the messages without authentication information sent by the verified peer to the upper layer.
Step 8: vehicle nodes a, b and c discard the messages without authentication information sent by the unverified peer.
Further, vehicle nodes a, b and c directly discard any message without authentication information that comes from a peer whose authentication information they have not received.
In a specific implementation, if vehicle node c successfully verifies the peer identity according to the stored authentication information of peer vehicle nodes a and b received from base station A, it delivers the messages without authentication information sent by the verified peer to the upper layer; if the verification fails, it discards the messages without authentication information sent by the unverified peer vehicle node a or b. Vehicle nodes a and b operate similarly to vehicle node c, but because the authentication information that base station A sends by IoV dedicated broadcast at the set time interval contains no authentication information for vehicle node c, vehicle nodes a and b can only verify each other's messages without authentication information against the stored authentication information of vehicle nodes a and b received from base station A: messages from a verified peer are delivered to the upper layer and messages from an unverified peer are discarded. When vehicle node a or b receives a message without authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, when it receives a message without authentication information from vehicle node c, it discards that message directly.
Embodiment four: the base station forwards, with or without processing, the authentication information of the verified vehicle nodes sent by an adjacent base station to all vehicle nodes within its coverage; in particular, the base station sends the sender certificates of the vehicle nodes with the CA signature removed to all vehicle nodes in its coverage, and the base station verifies the identity of the vehicle nodes based on the authentication system of the cellular network or on the CA signature.
Fig. 4g is a schematic diagram of the network architecture in embodiment four provided by the present invention. Assuming that base station A covers three vehicle nodes a, b and c and base station B covers two vehicle nodes d and e, the flow of embodiment four, shown in Fig. 4h, is as follows:
Step 1: after vehicle nodes a, b, c, d and e access a base station, they send the authentication information used to verify their identities to base station A or B, whichever covers them.
In this step, vehicle nodes a, b, c, d and e send the authentication information to the covering base station A or B at a set time interval.
Usually, if the validity periods of two certificates sent consecutively by vehicle node a, b, c, d or e overlap by 30 seconds, the vehicle node can send the next certificate to be used, carrying its public key, to base station A or B within the overlap time of each pair of certificates.
Step 2: base station A or B receives the authentication information used to verify the identities of vehicle nodes a, b, c, d and e sent by the vehicle nodes it covers, and also receives the authentication information of the vehicle nodes covered by the adjacent base station sent by that adjacent base station; base station A or B then verifies the identity of the vehicle nodes based on the authentication system of the cellular network or on the CA signature in the authentication information.
In this step, base station A or B verifies the identity of the vehicle nodes based on the authentication system of the cellular network or on the CA signature in the authentication information; if verification succeeds it proceeds to step 3, and if verification fails it discards the authentication information that failed verification.
Step 3: base station A or B forwards, with or without processing, the received authentication information of each vehicle node (the sender certificates with the CA signature removed) to the vehicle nodes a, b, c, d and e it covers.
In this step, base station A or B sends, with or without processing, both the authentication information of the vehicle nodes covered by the adjacent base station and the authentication information used to verify the identities of vehicle nodes a, b, c, d and e received from the vehicle nodes it covers, to all vehicle nodes covered by base station A or B.
It should be noted that each base station sends identical authentication information to each vehicle node it covers, but the authentication information sent by different base stations may differ. For example, if one base station has collected the authentication information of 5 vehicle nodes, the authentication information it sends to each vehicle node it covers contains at most the authentication information of those 5 vehicle nodes; if another base station has collected the authentication information of 10 vehicle nodes, the authentication information it sends to each vehicle node it covers may contain at most the authentication information of those 10 vehicle nodes.
In this step, base station A or B removes the CA signature from the sender certificates of vehicle nodes a, b, c, d and e and sends the sender certificates with the CA signature removed (here, the remaining information in the sender certificates of vehicle nodes a, b, c, d and e after the CA signature is removed) to vehicle nodes a, b, c, d and e covered by base station A or B.
Preferably, the signature of the base station, or the public key and signature of the base station, is added to the authentication information of the vehicle nodes, and the authentication information with the signature (or public key and signature) of the base station added is sent to vehicle nodes a, b, c, d and e covered by base station A or B.
In a specific implementation, base stations A and B each verify the identity of the vehicle nodes they cover and from which they have received authentication information, using the CA signature. If vehicle nodes a and b pass verification by base station A, vehicle node c fails verification by base station A, and vehicle nodes d and e pass verification by base station B, then base station A and base station B each forward the authentication information that passed verification, with or without processing, to the adjacent base station over the inter-base-station interface and to the vehicle nodes they cover by MBMS broadcast at a set time interval. That is, base station A forwards the authentication information of verified vehicle nodes a and b, with or without processing, to adjacent base station B over the interface and to vehicle nodes a, b and c it covers by MBMS broadcast at a set time interval; base station B forwards the authentication information of verified vehicle nodes d and e, with or without processing, to adjacent base station A over the interface and to vehicle nodes d and e it covers by MBMS broadcast at a set time interval.
Step 4: vehicle nodes a, b, c, d and e receive and store the authentication information of the vehicle nodes sent by base station A or B, whichever covers the vehicle node.
Step 5: when vehicle node a, b, c, d or e receives a message without authentication information from a peer, it verifies the peer identity according to the stored authentication information of the peer received from base station A or B, whichever covers the vehicle node.
In this step, vehicle nodes a, b, c, d and e verify the peer identity according to the sender public key in the stored authentication information of the peer.
Preferably, the authentication information of the vehicle nodes sent by the base station also comprises the signature of the base station, or the public key and signature of the base station, and after receiving the authentication information of the vehicle nodes sent by the covering base station A or B, vehicle nodes a, b, c, d and e further:
verify the covering base station A or B based on its signature, or on its public key and signature;
after that verification succeeds, upon receiving a message without authentication information from a peer, verify the peer identity according to the stored authentication information of the peer received from the covering base station A or B.
In a specific implementation, after vehicle node c receives and stores the authentication message comprising the certificates of vehicle nodes a, b, d and e sent by base station A, which covers it, it first verifies base station A using the signature of base station A, or the public key and signature of base station A, carried in this authentication message; once that verification succeeds, when vehicle node c receives a message without authentication information from peer vehicle node a, b, d or e, it verifies the peer identity according to the stored authentication information of peer vehicle nodes a, b, d and e received from base station A.
Step 6: if vehicle node a, b, c, d or e successfully verifies the peer identity according to the stored authentication information of the peer vehicle node received from the covering base station A or B, it proceeds to step 7; if the verification fails, it proceeds to step 8.
Step 7: vehicle nodes a, b, c, d and e deliver the messages without authentication information sent by the verified peer to the upper layer.
Step 8: vehicle nodes a, b, c, d and e discard the messages without authentication information sent by the unverified peer.
Further, vehicle nodes a, b, c, d and e directly discard any message without authentication information that comes from a peer whose authentication information they have not received.
In a specific implementation, if vehicle node c successfully verifies the peer identity according to the stored authentication information of peer vehicle nodes a, b, d and e received from base station A, it delivers the messages without authentication information sent by the verified peer to the upper layer; if the verification fails, it discards the messages without authentication information sent by the unverified peer vehicle node a, b, d or e. Vehicle nodes a, b, d and e operate similarly to vehicle node c, but because the authentication information sent by base station A or B contains no authentication information for vehicle node c, vehicle nodes a, b, d and e can only verify the messages without authentication information sent by a peer against the stored authentication information of vehicle nodes a, b, d and e: messages from a verified peer are delivered to the upper layer and messages from an unverified peer are discarded. When vehicle node a or b receives a message without authentication information from a peer whose authentication information it has not stored, it discards the message directly; for example, when it receives a message without authentication information from vehicle node c, it discards that message directly.
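The flows of embodiments three and four, as an added example that is not part of the patent or of any implementation of it: a Python simulation in which a CA issues vehicle certificates, base stations A and B verify the CA signature, strip it, re-sign the remaining content with their own keys, broadcast the identical bundle to the vehicles they cover and exchange CA-signed certificates over the inter-base-station interface, and vehicles verify certificate-less messages against the stored sender public keys. Textbook RSA over small primes stands in for the real signature scheme and is not secure. The class names, message fields, the `trusted_bs` list of base-station keys assumed to be known from the system broadcast, and the scenario in `run_demo` (vehicle c's certificate comes from an untrusted issuer, so base station A rejects it) are all assumptions.

```python
"""Added example, not the patent's code: toy simulation of embodiments three and
four (CA-signed vehicle certificates verified, stripped, re-signed and broadcast by
base stations, exchanged between neighbours, then used by vehicles to check
certificate-less messages).  Textbook RSA over ~14-bit primes is NOT secure;
every name, format and size here is an assumption."""
import hashlib

def _primes(start, count):                # toy key material only
    found, n = [], start
    while len(found) < count:
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            found.append(n)
        n += 1
    return found
def keygen(p, q, e=65537):                # -> (public key, private key)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))
def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def cert_body(c):                         # fields covered by the CA signature
    return f"{c['id']}|{c['pub'][0]}|{c['pub'][1]}".encode()
def bundle_body(entries):                 # fields covered by the base-station signature
    return b";".join(cert_body(c) for c in entries)

class CA:
    def __init__(self, p, q):
        self.pub, self.priv = keygen(p, q)
    def issue(self, vid, vpub):
        cert = {"id": vid, "pub": vpub}
        cert["ca_sig"] = sign(self.priv, cert_body(cert))
        return cert

class BaseStation:
    def __init__(self, ca_pub, p, q):
        self.ca_pub, (self.pub, self.priv) = ca_pub, keygen(p, q)
        self.vehicles, self.neighbors, self.accepted = [], [], {}
    def receive_cert(self, cert):         # step 2: discard if the CA signature fails
        if not verify(self.ca_pub, cert_body(cert), cert["ca_sig"]):
            return False
        self.accepted[cert["id"]] = cert
        return True
    def forward_to_neighbors(self):       # embodiment four: neighbours re-verify the CA-signed certs
        for nb in self.neighbors:
            for cert in list(self.accepted.values()):
                nb.receive_cert(cert)
    def broadcast(self):                  # step 3: strip CA signature, re-sign, same bundle to all
        entries = [{"id": c["id"], "pub": c["pub"]}
                   for c in sorted(self.accepted.values(), key=lambda c: c["id"])]
        bundle = {"entries": entries, "bs_pub": self.pub,
                  "bs_sig": sign(self.priv, bundle_body(entries))}
        for v in self.vehicles:
            v.receive_bundle(bundle)
        return bundle

class Vehicle:
    def __init__(self, vid, p, q, trusted_bs):
        self.id, (self.pub, self.priv) = vid, keygen(p, q)
        self.trusted_bs = trusted_bs      # base-station keys from system broadcast (assumed)
        self.peers = {}                   # step 4: stored peer public keys
    def receive_bundle(self, bundle):
        # Accept peer keys only from a bundle signed by a base station known out of band;
        # a bundle that merely carries its own key proves nothing.
        if bundle["bs_pub"] not in self.trusted_bs or not verify(
                bundle["bs_pub"], bundle_body(bundle["entries"]), bundle["bs_sig"]):
            return False
        for c in bundle["entries"]:
            self.peers[c["id"]] = c["pub"]
        return True
    def send(self, payload):              # message with no authentication information
        return {"from": self.id, "payload": payload,
                "sig": sign(self.priv, self.id.encode() + payload)}
    def receive(self, msg):               # steps 5-8
        pub = self.peers.get(msg["from"])
        if pub is None:
            return "drop:no-auth-info"    # sender's key never distributed
        if not verify(pub, msg["from"].encode() + msg["payload"], msg["sig"]):
            return "drop:bad-signature"   # step 8
        return "deliver"                  # step 7: pass to the upper layer

def run_demo():                           # constructed scenario: A covers a,b,c; B covers d,e
    pr = _primes(10000, 18)
    ca, rogue = CA(pr[0], pr[1]), CA(pr[2], pr[3])      # rogue = untrusted issuer
    bs_a, bs_b = BaseStation(ca.pub, pr[4], pr[5]), BaseStation(ca.pub, pr[6], pr[7])
    bs_a.neighbors, bs_b.neighbors = [bs_b], [bs_a]
    trusted = [bs_a.pub, bs_b.pub]
    a, b, c, d, e = [Vehicle(v, pr[8 + 2 * i], pr[9 + 2 * i], trusted) for i, v in enumerate("abcde")]
    bs_a.vehicles, bs_b.vehicles = [a, b, c], [d, e]
    out = {"bs_accepts_c": bs_a.receive_cert(rogue.issue("c", c.pub))}   # step 1: rejected
    for v in (a, b, d, e):
        (bs_a if v in (a, b) else bs_b).receive_cert(ca.issue(v.id, v.pub))
    bs_a.forward_to_neighbors(); bs_b.forward_to_neighbors()
    bs_a.broadcast(); bs_b.broadcast()
    out["c_from_a"] = c.receive(a.send(b"brake"))          # a's key stored at c
    out["c_from_d"] = c.receive(d.send(b"lane change"))    # d's key came via B -> A
    out["a_from_c"] = a.receive(c.send(b"hello"))          # c was never distributed
    out["b_tampered"] = b.receive(dict(a.send(b"brake"), payload=b"accelerate"))
    return out
```

Two checks on the vehicle side are the ones worth keeping in a real implementation: a bundle is accepted only when the base-station key it carries matches one learnt out of band (a bundle that simply brings its own key proves nothing), and a message from a sender with no stored key is dropped rather than deferred, so a node the base station rejected (c here) cannot get traffic accepted merely by omitting its certificate.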
Based on the same technical concept, the embodiment of the present invention also provides a central node and a terminal. Since the principle by which the central node and the terminal solve the problem is similar to that of the method, their implementation can refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 5, the central node provided by the embodiment of the present invention may comprise:
a receiver module 501, for receiving the authentication information used to verify terminal identity sent by the terminals it covers;
a sending module 502, for forwarding, with or without processing, the received authentication information of each terminal to all terminals covered by the central node.
The above division of functional modules is only one preferred implementation provided by the embodiment of the present invention, and the division of functional modules does not limit the present invention.
In implementation, the sending module 502 is further configured to forward, with or without processing, the received authentication information of each terminal to the central node adjacent to the central node, and to forward, with or without processing, the received authentication information of the terminals covered by the adjacent central node to all terminals covered by the central node.
In implementation, the receiver module 501 is further configured to receive the authentication information of the terminals covered by the adjacent central node, sent by the adjacent central node.
In a specific implementation, when the central node processes the authentication information of a terminal, it may add some information to the authentication information as required, or delete unnecessary redundant information from the terminal's authentication information; other processing is of course also possible.
In a specific implementation, the authentication information may be any form of information used to verify terminal identity.
Preferably, the authentication information at least comprises the sender public key. Further preferably, the authentication information also comprises the identifier of the sender and/or the signature of the certificate authority (CA).
A current sender certificate carries information for verifying terminal identity: in addition to the sender public key, the CA signature and/or the sender identifier (ID) described above, it also comprises the serial number of the certificate, the name of the certificate issuing authority, and information allowing the recipient to verify whether the certificate has been revoked. Preferably, the authentication information comprises one or more items of the content of the sender certificate; if it comprises a single item of the sender certificate, that item is the sender public key.
In addition, the certificate also comprises information such as scope restrictions on time, content and position, which may be added to the authentication information as required. Of course, the authentication information may comprise the full content of the certificate.
In implementation, the central node may further comprise:
an authentication module 503, for verifying the identity of each terminal whose authentication information is received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
the sending module 502 may be further configured to forward, with or without processing, the authentication information of a terminal to all terminals covered by the central node only after that verification succeeds.
Whether the authentication information was received from a terminal within the central node's coverage or from an adjacent central node, before forwarding it, with or without processing, to all terminals covered by the central node, the method further comprises:
verifying the identity of the terminal based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information, and sending only after verification succeeds.
Usually, the central node verifies the identity of the corresponding terminal based on the CA signature. The central node may also verify terminals in other ways, for example by relying on the authentication system of the existing cellular network: once a terminal is determined to be a legitimate access terminal of the cellular network, the authentication information it sends is regarded as trustworthy.
In implementation, the authentication information is the sender certificate, and the sending module 502 is specifically configured to send the received sender certificate of each terminal, or part of the content of the sender certificate, to all terminals covered by the central node.
In implementation, the sender certificate comprises a CA signature, and the sending module 502 is specifically configured to send the sender certificate of the terminal with the CA signature removed to all terminals covered by the central node.
It should be noted that the central node sends identical authentication information to all terminals it covers.
In a specific implementation, the authentication information is the sender certificate or part of its content, and the central node sends the received sender certificate of each terminal, or part of its content, to all terminals it covers; when the authentication information is part of the content of the sender certificate, the central node sends the sender certificate of the terminal with the CA signature removed to all terminals it covers.
In implementation, the central node may further comprise:
a processing module 504, for adding to the received authentication information of each terminal a signature made with the private key of the central node, or the public key of the central node together with a signature made with the private key of the central node;
the sending module 502 is specifically configured to send the received authentication information of each terminal, as processed by the processing module, to all terminals covered by the central node.
In a specific implementation, when the central node processes the authentication information of a terminal, either of the following is adopted:
1) a signature made with the private key of the central node is added to the authentication information of the terminal;
It should be noted that if the public key of the central node is already known, for example because it is specified in a specification or protocol or announced in the system broadcast of the central node, the central node does not need to add its public key when sending the authentication information to all terminals it covers.
2) the public key of the central node and a signature made with the private key of the central node are added to the authentication information of the terminal.
Based on the added signature made with the private key of the central node, or the added public key of the central node and the signature made with its private key, a terminal can verify the central node, thereby ensuring the security and credibility of the terminal authentication information sent by the central node.
In implementation, the sending module 502 is specifically configured to:
forward the received authentication information of each terminal, with or without processing, to all terminals covered by the central node at a set time interval or in an event-triggered manner.
In a specific implementation, the central node may forward the received authentication information of each terminal, with or without processing, to all terminals it covers in any of the following ways:
1) sending at a set time interval
The central node receives terminal authentication information during the set time interval, and when the set time arrives it forwards, with or without processing, the authentication information of all terminals received during that interval to all terminals it covers.
This mode allows the authentication information of multiple terminals to be issued together at the set time interval, which improves network resource utilization.
2) sending in an event-triggered manner
A specific trigger may be that the number of terminals newly accessing the central node reaches a threshold, whereupon the authentication information of all terminals currently received is issued together, which improves network resource utilization.
3) immediate sending
As soon as the central node receives the authentication information sent by a terminal, it forwards that terminal's authentication information, with or without processing, to all terminals it covers.
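The three sending modes above, as an added example that is not part of the patent: a small Python dispatcher that buffers verified terminal authentication information and issues it at a set interval, on a count-triggered event, or immediately, driven over one constructed arrival sequence so the batching behaviour of the modes can be compared. The 10-second interval, the threshold of 3 terminals, the arrival times, and the age guard that flushes a partial batch in event mode once the interval has passed are assumptions (the text itself names only the count trigger).

```python
"""Added example, not the patent's code: the three ways a central node may issue
received terminal authentication information (set time interval, event trigger,
immediate), run over one constructed arrival sequence.  Interval, threshold,
arrival times and the age guard in event mode are assumptions."""

class Dispatcher:
    """Buffers verified terminal authentication information and decides when the
    buffered batch is issued to all covered terminals."""
    def __init__(self, mode, interval=10.0, threshold=3):
        if mode not in ("interval", "event", "immediate"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.interval, self.threshold = mode, interval, threshold
        self.buffer = []          # (terminal_id, arrival_time) awaiting issue
        self.batches = []         # (issue_time, [terminal_ids]) actually issued
        self.next_flush = interval

    def _flush(self, now):
        if self.buffer:
            self.batches.append((now, [tid for tid, _ in self.buffer]))
            self.buffer.clear()

    def receive(self, terminal_id, now):
        """Authentication information of one terminal has arrived (already verified)."""
        self.buffer.append((terminal_id, now))
        if self.mode == "immediate":                       # mode 3: send at once
            self._flush(now)
        elif self.mode == "event" and len(self.buffer) >= self.threshold:
            self._flush(now)                               # mode 2: count trigger

    def tick(self, now):
        """Timer callback, invoked once per second in the simulation below."""
        if self.mode == "interval" and now >= self.next_flush:   # mode 1
            self._flush(now)
            self.next_flush += self.interval
        elif self.mode == "event" and self.buffer and now - self.buffer[0][1] >= self.interval:
            self._flush(now)   # assumption beyond the text: do not hold a partial batch forever

# constructed arrivals: (terminal id, arrival time in seconds)
ARRIVALS = [("a", 1.0), ("b", 4.0), ("c", 6.0), ("d", 13.0), ("e", 15.0)]

def simulate(mode, horizon=25):
    """Drive one dispatcher with a 1 s clock and return the issued batches."""
    dsp, i = Dispatcher(mode), 0
    for now in range(horizon):
        while i < len(ARRIVALS) and ARRIVALS[i][1] <= now:
            dsp.receive(ARRIVALS[i][0], ARRIVALS[i][1])
            i += 1
        dsp.tick(float(now))
    return dsp.batches

if __name__ == "__main__":
    for mode in ("interval", "event", "immediate"):
        print(mode, simulate(mode))
```

On this input the interval mode issues two batches (at 10 s and 20 s), the event mode issues one batch as soon as three terminals have arrived and, because of the added age guard, a second one for the two stragglers, and the immediate mode issues five single-entry batches; without the age guard, a count-only trigger would leave d and e unissued indefinitely.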
In implementation, the sending module 502 forwards the received authentication information of each terminal, with or without processing, to all terminals covered by the central node in any of the following manners:
broadcast mode; multicast mode; multicast; point-to-point mode.
The broadcast may be MBMS broadcast, IoV dedicated broadcast, system broadcast, etc., so as to make appropriate use of channel resources and improve resource utilization.
As shown in Fig. 6, the terminal provided by the embodiment of the present invention may comprise:
a sending module 601, for sending the authentication information used to verify the identity of the terminal to the central node covering the terminal;
a receiver module 602, for receiving and storing the authentication information of all terminals covered by the central node, sent by the central node.
The above division of functional modules is only one preferred implementation provided by the embodiment of the present invention, and the division of functional modules does not limit the present invention.
In implementation, the receiver module 602 is further configured to receive the authentication information of all terminals covered by the adjacent central node, sent by the central node.
In implementation, the authentication information sent by the sending module 601 comprises the public key of the sender.
In implementation, the authentication information sent by the sending module 601 also comprises the sender identifier and/or the signature of the certificate authority (CA).
In implementation, the authentication information sent by the sending module 601 comprises one or more items of the content of the sender certificate.
In implementation, the sending module 601 is specifically configured to:
send the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
Usually, if the validity periods of the certificates in the authentication information sent consecutively by the terminal overlap by 30 seconds, the terminal can, at the set time interval, send the next certificate to be used, carrying its public key, to the central node within the overlap time of each pair of certificates.
To protect privacy, a terminal usually uses certificates that are each valid only for a limited time; the 1609.2 protocol specifies that, at any moment, only one certificate in a terminal's certificate set is valid. This principle can be relaxed so that the validity periods of two adjacent certificates may overlap for a short time, so that the certificate can be changed at a random point within the overlap period, which protects privacy better and also gives the terminal some flexibility to delay changing certificates when a serious event occurs.
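Certificate rotation at the terminal, as an added example that is not part of the patent: Python helpers that check a constructed certificate schedule against the rule that adjacent validity periods may overlap by at most 30 seconds and must never leave a gap, list the certificates valid at a given time, identify the next certificate the terminal should send to the central node during an overlap window, and pick a random switch point inside that window. The field names, the 330-second validity periods and the seeded random generator are assumptions.

```python
"""Added example, not the patent's code: certificate rotation at a terminal whose
consecutive certificates may overlap for a short time.  The 30-second limit is
the figure given in the text; the field names, the 330-second validity periods
and the seeded random generator are assumptions."""
import random

MAX_OVERLAP = 30.0   # seconds during which two adjacent certificates may both be valid

def check_schedule(certs, max_overlap=MAX_OVERLAP):
    """Return a list of problems: gaps with no valid certificate, overlaps longer
    than max_overlap, or three certificates valid at the same moment."""
    certs = sorted(certs, key=lambda c: c["not_before"])
    problems = []
    for prev, nxt in zip(certs, certs[1:]):
        overlap = prev["not_after"] - nxt["not_before"]
        if overlap < 0:
            problems.append(f"gap of {-overlap}s between {prev['id']} and {nxt['id']}")
        elif overlap > max_overlap:
            problems.append(f"overlap of {overlap}s between {prev['id']} and {nxt['id']} "
                            f"exceeds {max_overlap}s")
    for i in range(len(certs) - 2):
        if certs[i]["not_after"] > certs[i + 2]["not_before"]:
            problems.append(f"three certificates valid at once around {certs[i + 2]['id']}")
    return problems

def valid_at(certs, t):
    """Identifiers of the certificates valid at time t, oldest first."""
    return [c["id"] for c in sorted(certs, key=lambda c: c["not_before"])
            if c["not_before"] <= t < c["not_after"]]

def cert_to_announce(certs, t):
    """During an overlap window the terminal sends the *next* certificate to the
    central node, so peers hold its key before the switch; otherwise nothing new."""
    active = valid_at(certs, t)
    return active[-1] if len(active) == 2 else None

def choose_switch_time(prev, nxt, seed=None):
    """Random moment inside the overlap window at which the terminal changes
    certificate, so the change cannot be predicted from the schedule alone."""
    start, end = nxt["not_before"], prev["not_after"]
    if end <= start:
        raise ValueError("certificates do not overlap")
    return random.Random(seed).uniform(start, end)

# constructed schedule: each certificate valid 330 s, consecutive ones overlap 30 s
GOOD_CHAIN = [{"id": "c1", "not_before": 0.0, "not_after": 330.0},
              {"id": "c2", "not_before": 300.0, "not_after": 630.0},
              {"id": "c3", "not_before": 600.0, "not_after": 930.0}]
BAD_OVERLAP = [{"id": "c1", "not_before": 0.0, "not_after": 400.0},
               {"id": "c2", "not_before": 300.0, "not_after": 700.0}]
BAD_GAP = [{"id": "c1", "not_before": 0.0, "not_after": 300.0},
           {"id": "c2", "not_before": 330.0, "not_after": 630.0}]
```

`check_schedule` is the check worth running whenever a terminal is provisioned with a new certificate set: a gap leaves the terminal unable to send verifiable messages, and an overlap longer than the allowed window weakens the unlinkability the short validity periods are meant to provide.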
In an embodiment, the authentication information received by the receiving module 602 further comprises the signature of the central node, or the public key and signature of the central node.
In an embodiment, the receiving module 602 may further be configured to receive a message sent by a peer that does not carry authentication information;
In an embodiment, the terminal may further comprise:
an authentication module 603, configured to verify the identity of the peer, when the receiving module receives a message from the peer that carries no authentication information, according to the stored authentication information of the peer received from the central node.
In an embodiment, the authentication information of the peer comprises the public key of the peer's sender, and the authentication module 603 is specifically configured to verify the identity of the peer, when the receiving module 602 receives a message from the peer that carries no authentication information, according to the sender's public key in the stored authentication information of the peer received from the central node.
In an embodiment, the authentication information of the terminals that the receiving module 602 receives from the central node further comprises the signature of the central node, or the public key and signature of the central node, and the authentication module 603 is specifically configured to:
verify the identity of the central node based on the signature of the central node, or the public key and signature of the central node, in the authentication information;
after that verification succeeds, when the receiving module 602 receives a message from a peer that carries no authentication information, verify the identity of the peer according to the stored authentication information of the peer received from the central node.
An embodiment of the present invention further provides a central node comprising a processor and a data transceiver interface, wherein:
the processor is configured to receive the authentication information, used to authenticate a terminal, sent by the terminals covered by the central node, and to forward or process the received authentication information of each terminal and send it to all terminals covered by the central node;
the data transceiver interface is used to implement data communication between the processor and the terminals.
The present invention also provides a terminal comprising a processor and a data transceiver interface, wherein:
the processor is configured to send the authentication information used to authenticate the terminal to the central node covering the terminal, and to receive and store the authentication information of all terminals covered by the central node, sent by the central node;
the data transceiver interface is used to implement data communication between the processor and other terminals and the central node.
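The central-node side and terminal side of the exchange described in the module and device embodiments above, as an added example in Go; it is not code from the patent or from its applicants. It assumes Ed25519 from the Go standard library as the signature scheme (the patent does not fix one), reduces the CA-issued sender certificate to an identifier, a public key and a CA signature, and collapses the central node's receive-then-send steps into one Process call, leaving out the periodic or event-triggered batching. All type and function names are the example's own. The central node forwards each entry with the CA signature removed and its own signature added (the variants of claims 9 and 10); each terminal pins the public key of the central node it trusts and stores a peer key only after that signature verifies; a later message from the peer carries only a signature, which is checked against the stored key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// AuthInfo is what a terminal registers with its central node (constructed stand-in for a sender certificate).
type AuthInfo struct {
	SenderID string
	PubKey   ed25519.PublicKey
	CASig    []byte
}

// signedFields binds an identifier to the bytes (key or payload) being signed.
func signedFields(id string, data []byte) []byte {
	return append([]byte(id+"|"), data...)
}
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed example: no recovery path needed
	}
	return pub, priv
}

// IssueAuthInfo stands in for CA enrolment, which the patent assumes but does not describe.
func IssueAuthInfo(caPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) AuthInfo {
	return AuthInfo{SenderID: id, PubKey: pub, CASig: ed25519.Sign(caPriv, signedFields(id, pub))}
}

// Forwarded is the entry sent to all covered terminals: CA signature stripped, central node signature added.
type Forwarded struct {
	SenderID   string
	PubKey     ed25519.PublicKey
	CentralSig []byte
}

// CentralNode authenticates each entry against the CA key before re-signing it.
type CentralNode struct {
	caPub ed25519.PublicKey
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
}
func NewCentralNode(caPub ed25519.PublicKey) *CentralNode {
	pub, priv := newKey()
	return &CentralNode{caPub: caPub, priv: priv, Pub: pub}
}

// Process rejects entries whose CA signature fails, so an uncertified key is never redistributed.
func (c *CentralNode) Process(a AuthInfo) (Forwarded, error) {
	fields := signedFields(a.SenderID, a.PubKey)
	if !ed25519.Verify(c.caPub, fields, a.CASig) {
		return Forwarded{}, errors.New("central node: CA signature invalid for " + a.SenderID)
	}
	return Forwarded{SenderID: a.SenderID, PubKey: a.PubKey, CentralSig: ed25519.Sign(c.priv, fields)}, nil
}

// Terminal pins the central node key it trusts and keeps peer keys learned from verified entries.
type Terminal struct {
	ID         string
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	trustedHub ed25519.PublicKey
	peers      map[string]ed25519.PublicKey
}
func NewTerminal(id string, trustedHub ed25519.PublicKey) *Terminal {
	pub, priv := newKey()
	return &Terminal{ID: id, priv: priv, Pub: pub, trustedHub: trustedHub, peers: map[string]ed25519.PublicKey{}}
}

// Store accepts a peer key only when the central node's signature verifies under the pinned key.
func (t *Terminal) Store(f Forwarded) error {
	if !ed25519.Verify(t.trustedHub, signedFields(f.SenderID, f.PubKey), f.CentralSig) {
		return errors.New(t.ID + ": central node signature invalid for " + f.SenderID)
	}
	t.peers[f.SenderID] = f.PubKey
	return nil
}

// Sign produces the signature a later message carries instead of authentication information.
func (t *Terminal) Sign(payload []byte) []byte {
	return ed25519.Sign(t.priv, signedFields(t.ID, payload))
}

// VerifyPeer authenticates such a message using only the key stored for the sender.
func (t *Terminal) VerifyPeer(senderID string, payload, sig []byte) error {
	pub, ok := t.peers[senderID]
	if !ok {
		return errors.New(t.ID + ": no stored key for " + senderID)
	}
	if !ed25519.Verify(pub, signedFields(senderID, payload), sig) {
		return errors.New(t.ID + ": bad signature from " + senderID)
	}
	return nil
}
```

The pinned key in Terminal is what anchors the scheme. In the variant where the central node also places its public key in the authentication information, a terminal must still compare that key with a trust anchor it already holds; a terminal that accepted whatever key arrived in the message would store any peer key that message vouched for.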
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a sequence of operation steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they grasp the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications falling within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these changes and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to encompass them.

Claims (44)

1. An authentication information transmission method, characterized in that it comprises:
a central node receiving authentication information, used to authenticate a terminal, sent by the terminals it covers;
the central node forwarding or processing the received authentication information of each terminal and sending it to all terminals covered by the central node.
2. The method of claim 1, characterized in that it further comprises:
the central node forwarding or processing the received authentication information of each terminal and sending it to the central nodes adjacent to the central node.
3. The method of claim 2, characterized in that it further comprises:
the central node receiving, from an adjacent central node, the authentication information of the terminals covered by the adjacent central node;
the central node forwarding or processing the received authentication information of the terminals covered by the adjacent central node and sending it to all terminals covered by the central node.
4. The method of claim 1, characterized in that the authentication information comprises the sender's public key.
5. The method of claim 4, characterized in that the authentication information further comprises the sender's identifier and/or the signature of a certificate authority (CA).
6. The method of claim 1, characterized in that the authentication information comprises one or more items of content from the sender's certificate.
7. The method of any one of claims 1 to 6, characterized in that, before the central node forwards or processes the received authentication information of each terminal and sends it to all terminals covered by the central node, the method further comprises:
performing identity authentication on each terminal whose authentication information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
after the authentication succeeds, forwarding or processing the authentication information of the terminal and sending it to all terminals covered by the central node.
8. The method of any one of claims 1 to 6, characterized in that the authentication information is the sender's certificate, and the central node forwarding or processing the received authentication information of each terminal and sending it to all terminals covered by the central node comprises:
sending the sender's certificate of each terminal, or part of the content of the sender's certificate, to all terminals covered by the central node.
9. The method of claim 8, characterized in that the sender's certificate comprises a CA signature, and sending part of the content of the sender's certificate of each terminal to all terminals covered by the central node comprises:
sending the sender's certificate of the terminal with the CA signature removed to all terminals covered by the central node.
10. The method of any one of claims 1 to 6, characterized in that the central node processing the received authentication information of each terminal and sending it to the terminals covered by the central node comprises:
adding to the received authentication information of each terminal a signature made with the private key of the central node, or the public key of the central node together with a signature made with the private key of the central node;
sending the processed authentication information of each terminal to all terminals covered by the central node.
11. The method of any one of claims 1 to 6, characterized in that the central node forwarding or processing the received authentication information of each terminal and sending it to all terminals covered by the central node comprises:
the central node sending the received authentication information of each terminal, either forwarded or after processing, to all terminals covered by the central node at a set time interval or in an event-triggered manner.
12. The method of any one of claims 1 to 6, characterized in that the central node forwards or processes the received authentication information of each terminal and sends it to all terminals covered by the central node in any one of the following manners:
broadcast mode; groupcast mode; multicast mode; point-to-point mode.
13. An authentication information transmission method, characterized in that it comprises:
a terminal sending authentication information, used to authenticate the terminal, to the central node covering the terminal;
the terminal receiving and storing the authentication information of all terminals covered by the central node, sent by the central node.
14. The method of claim 13, characterized in that it further comprises:
the terminal receiving and storing the authentication information of all terminals covered by an adjacent central node, sent by the central node.
15. The method of claim 13, characterized in that the authentication information sent by the terminal comprises the sender's public key.
16. The method of claim 15, characterized in that the authentication information sent by the terminal further comprises the sender's identifier and/or the signature of a certificate authority (CA).
17. The method of claim 13, characterized in that the authentication information sent by the terminal comprises one or more items of content from the sender's certificate.
18. The method of any one of claims 13 to 17, characterized in that the terminal sending the authentication information to the central node covering the terminal comprises:
the terminal sending the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
19. The method of any one of claims 13 to 17, characterized in that the authentication information of the terminals sent by the central node further comprises the signature of the central node, or the public key and signature of the central node.
20. A method for a terminal to perform identity authentication, characterized in that it comprises:
receiving a message sent by a peer that does not carry authentication information;
verifying the identity of the peer according to the stored authentication information of the peer received from a central node.
21. The method of claim 20, characterized in that the authentication information of the peer comprises the public key of the peer's sender, and verifying the identity of the peer according to the authentication information of the peer comprises:
verifying the identity of the peer according to the sender's public key in the authentication information of the peer.
22. The method of claim 20, characterized in that the authentication information of the terminals sent by the central node further comprises the signature of the central node, or the public key and signature of the central node, and after receiving the authentication information of the terminals sent by the central node the terminal further performs:
verifying the identity of the central node based on the signature of the central node, or the public key and signature of the central node, in the authentication information;
after that verification succeeds, when a message from a peer that does not carry authentication information is received, verifying the identity of the peer according to the stored authentication information of the peer received from the central node.
23. A central node, characterized in that it comprises:
a receiving module, configured to receive authentication information, used to authenticate a terminal, sent by the terminals covered by the central node;
a sending module, configured to forward or process the received authentication information of each terminal and send it to all terminals covered by the central node.
24. The central node of claim 23, characterized in that the sending module is further configured to forward or process the received authentication information of each terminal and send it to the central nodes adjacent to the central node.
25. The central node of claim 24, characterized in that the receiving module is further configured to receive, from an adjacent central node, the authentication information of the terminals covered by the adjacent central node;
the sending module is further configured to forward or process the received authentication information of the terminals covered by the adjacent central node and send it to all terminals covered by the central node.
26. The central node of claim 23, characterized in that the authentication information comprises the sender's public key.
27. The central node of claim 26, characterized in that the authentication information further comprises the sender's identifier and/or the signature of a certificate authority (CA).
28. The central node of claim 23, characterized in that the authentication information comprises one or more items of content from the sender's certificate.
29. The central node of any one of claims 23 to 28, characterized in that it further comprises:
an authentication module, configured to perform identity authentication on each terminal whose authentication information was received, based on the authentication system of the cellular network or on the CA signature in the received terminal authentication information;
the sending module is further configured, after the authentication succeeds, to forward or process the authentication information of the terminal and send it to all terminals covered by the central node.
30. The central node of any one of claims 23 to 28, characterized in that the authentication information is the sender's certificate, and the sending module is specifically configured to send the sender's certificate of each terminal, or part of the content of the sender's certificate, to all terminals covered by the central node.
31. The central node of claim 30, characterized in that the sender's certificate comprises a CA signature, and the sending module is specifically configured to send the sender's certificate of the terminal with the CA signature removed to all terminals covered by the central node.
32. The central node of any one of claims 23 to 28, characterized in that it further comprises:
a processing module, configured to add to the received authentication information of each terminal a signature made with the private key of the central node, or the public key of the central node together with a signature made with the private key of the central node;
the sending module is specifically configured to send the authentication information of each terminal, as processed by the processing module, to all terminals covered by the central node.
33. The central node of any one of claims 23 to 28, characterized in that the sending module is specifically configured to:
send the received authentication information of each terminal, either forwarded or after processing, to all terminals covered by the central node at a set time interval or in an event-triggered manner.
34. The central node of any one of claims 23 to 28, characterized in that the sending module forwards or processes the received authentication information of each terminal and sends it to all terminals covered by the central node in any one of the following manners:
broadcast mode; groupcast mode; multicast mode; point-to-point mode.
35. A terminal, characterized in that it comprises:
a sending module, configured to send authentication information, used to authenticate the terminal, to the central node covering the terminal;
a receiving module, configured to receive and store the authentication information of all terminals covered by the central node, sent by the central node.
36. The terminal of claim 35, characterized in that the receiving module is further configured to receive and store the authentication information of all terminals covered by an adjacent central node, sent by the central node.
37. The terminal of claim 35, characterized in that the authentication information sent by the sending module comprises the sender's public key.
38. The terminal of claim 37, characterized in that the authentication information sent by the sending module further comprises the sender's identifier and/or the signature of a certificate authority (CA).
39. The terminal of claim 35, characterized in that the authentication information sent by the sending module comprises one or more items of content from the sender's certificate.
40. The terminal of any one of claims 35 to 39, characterized in that the sending module is specifically configured to:
send the authentication information to the central node covering the terminal at a set time interval or in an event-triggered manner.
41. The terminal of any one of claims 35 to 39, characterized in that the authentication information received by the receiving module further comprises the signature of the central node, or the public key and signature of the central node.
42. The terminal of any one of claims 35 to 39, characterized in that the receiving module is further configured to receive a message sent by a peer that does not carry authentication information;
the terminal further comprises:
an authentication module, configured to verify the identity of the peer, when the receiving module receives a message from the peer that carries no authentication information, according to the stored authentication information of the peer received from the central node.
43. The terminal of claim 42, characterized in that the authentication information of the peer comprises the public key of the peer's sender, and the authentication module is specifically configured to verify the identity of the peer, when the receiving module receives a message from the peer that carries no authentication information, according to the sender's public key in the stored authentication information of the peer received from the central node.
44. The terminal of claim 42, characterized in that the authentication information of the terminals that the receiving module receives from the central node further comprises the signature of the central node, or the public key and signature of the central node, and the authentication module is specifically configured to:
verify the identity of the central node based on the signature of the central node, or the public key and signature of the central node, in the authentication information;
after that verification succeeds, when the receiving module receives a message from a peer that does not carry authentication information, verify the identity of the peer according to the stored authentication information of the peer received from the central node.
CN201310418682.3A 2013-09-13 2013-09-13 A kind of authentication information transmission method and device Active CN104469763B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310418682.3A CN104469763B (en) 2013-09-13 2013-09-13 A kind of authentication information transmission method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310418682.3A CN104469763B (en) 2013-09-13 2013-09-13 A kind of authentication information transmission method and device

Publications (2)

Publication Number Publication Date
CN104469763A true CN104469763A (en) 2015-03-25
CN104469763B CN104469763B (en) 2018-07-17

Family

ID=52914976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310418682.3A Active CN104469763B (en) 2013-09-13 2013-09-13 A kind of authentication information transmission method and device

Country Status (1)

Country Link
CN (1) CN104469763B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105280003A (en) * 2015-09-29 2016-01-27 北京航空航天大学 Method for transmitting intersection signal lamp information to vehicle from road side
WO2017133624A1 (en) * 2016-02-04 2017-08-10 中兴通讯股份有限公司 Method and device for broadcasting vehicle-to-everything communications (v2x) message and method for establishing mbms bearer
CN107710797A (en) * 2015-06-29 2018-02-16 高通股份有限公司 Method and apparatus for the cluster management in the collaborative security systems of DSRC
CN108604988A (en) * 2016-05-03 2018-09-28 华为技术有限公司 A kind of certificate notification method and device
US11546176B2 (en) * 2020-08-26 2023-01-03 Rockwell Collins, Inc. System and method for authentication and cryptographic ignition of remote devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465725A (en) * 2007-12-18 2009-06-24 中国电子科技集团公司第五十研究所 Key distribution method for public key system based on identification
CN101834834A (en) * 2009-03-09 2010-09-15 华为软件技术有限公司 Authentication method, device and system
CN101981892A (en) * 2008-03-25 2011-02-23 高通股份有限公司 Systems and methods for group key distribution and management for wireless communications systems
CN102291796A (en) * 2011-09-02 2011-12-21 中国联合网络通信集团有限公司 Service data transmission method, system and management control center

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465725A (en) * 2007-12-18 2009-06-24 中国电子科技集团公司第五十研究所 Key distribution method for public key system based on identification
CN101981892A (en) * 2008-03-25 2011-02-23 高通股份有限公司 Systems and methods for group key distribution and management for wireless communications systems
CN101834834A (en) * 2009-03-09 2010-09-15 华为软件技术有限公司 Authentication method, device and system
CN102291796A (en) * 2011-09-02 2011-12-21 中国联合网络通信集团有限公司 Service data transmission method, system and management control center

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PATRICK SCHALLER等: "BAP:Broadcast Authentication Using Cryptographic Puzzles", 《ACNS 2007》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107710797A (en) * 2015-06-29 2018-02-16 高通股份有限公司 Method and apparatus for the cluster management in the collaborative security systems of DSRC
CN107710797B (en) * 2015-06-29 2020-08-18 高通股份有限公司 Method and apparatus for cluster management in a DSRC cooperative security system
CN105280003A (en) * 2015-09-29 2016-01-27 北京航空航天大学 Method for transmitting intersection signal lamp information to vehicle from road side
WO2017133624A1 (en) * 2016-02-04 2017-08-10 中兴通讯股份有限公司 Method and device for broadcasting vehicle-to-everything communications (v2x) message and method for establishing mbms bearer
CN108604988A (en) * 2016-05-03 2018-09-28 华为技术有限公司 A kind of certificate notification method and device
US10833874B2 (en) 2016-05-03 2020-11-10 Huawei Technologies Co., Ltd. Certificate notification method and apparatus
CN108604988B (en) * 2016-05-03 2021-01-05 华为技术有限公司 Certificate notification method and device
US11546176B2 (en) * 2020-08-26 2023-01-03 Rockwell Collins, Inc. System and method for authentication and cryptographic ignition of remote devices

Also Published As

Publication number Publication date
CN104469763B (en) 2018-07-17

Similar Documents

Publication Publication Date Title
Muhammad et al. Survey on existing authentication issues for cellular-assisted V2X communication
CN108702786B (en) Communication method, device and system
US10548005B2 (en) Method for security of user equipment connection identifier in wireless communication system and apparatus therefor
US10979904B2 (en) Method for securing connection identifier of user equipment in wireless communication system and apparatus therefor
CN107079237B (en) Method and apparatus for selectively storing and deleting received data packets in a mobile content delivery network
EP2789118B1 (en) Probabilistic key distribution in vehicular networks with infrastructure support
EP3637672B1 (en) V2x communication device and secured communication method thereof
US11019520B2 (en) Mobile ITS station and method for operating mobile ITS station
CN104469763A (en) Authentication information transmission method and device
Ivanov et al. Cyber security standards and issues in V2X communications for Internet of Vehicles
CN105207754A (en) Information sending method, information receiving method, device and system
US11184344B2 (en) Authorization of user equipment for mobile communications network that has previously been authorized by trusted traffic authority
CN105282688A (en) Information transmission method and road side unit
Hao et al. A cooperative message authentication protocol in VANETs
WO2011054286A1 (en) Key generation method, device and system
WO2021075854A1 (en) Method and user equipment for determining whether base station is genuine or rouge in wireless network
CN106961682A (en) A kind of group based on mobile relay is to path mobile handoff authentication method
AU2018279551B2 (en) Service data transmission method and apparatus
US11523278B2 (en) Method for secured communication and apparatus therefor
Wang et al. Secure cooperative communication scheme for vehicular heterogeneous networks
Bissmeyer et al. Security in hybrid vehicular communication based on ITS-G5, LTE-V, and mobile edge computing
Fu et al. Review on the application of freeway CVIS communication technology
Zieglowski et al. An Overview on Vehicular Communication Standards
Liu et al. A Cross-Layer MAC Aware Pseudonym (MAP) Scheme for the VANET
Rathor Study of Rail Transit System Communication Network (BCN/TCN) and Related Sub-Systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Patentee after: BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Patentee before: BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20211227

Address after: 400040 No. 35, Jinghe Road, Huxi street, high tech Zone, Shapingba District, Chongqing

Patentee after: Datang Gaohong Zhilian Technology (Chongqing) Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Patentee before: BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right