CN106506149A - Key generation method and system between a kind of TBOX terminals and TSP platforms - Google Patents
Key generation method and system between a kind of TBOX terminals and TSP platforms Download PDFInfo
- Publication number
- CN106506149A CN106506149A CN201610972935.5A CN201610972935A CN106506149A CN 106506149 A CN106506149 A CN 106506149A CN 201610972935 A CN201610972935 A CN 201610972935A CN 106506149 A CN106506149 A CN 106506149A
- Authority
- CN
- China
- Prior art keywords
- key
- tbox
- encryption chip
- terminals
- master key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides key generation method between a kind of TBOX terminals and TSP platforms, generates security encryption chip master key;Security encryption chip master key is stored to TSP platforms;By the programming of security encryption chip master key to TBOX terminals;The present invention also provides key generation system between a kind of TBOX terminals and TSP platforms;The key generating mode fully combines existing hardware device, produces unique key, and generating process is complicated, cracks difficulty.
Description
Technical field
The present invention relates to key generation method and system between a kind of TBOX terminals and TSP platforms.
Background technology
Car networking system is by car, vehicle-mounted TBOX terminals, TSP service platforms, mobile phone A PP of user side or PC
Four part of WEB user sides constitutes, and user can be controlled from the interface of software to vehicle using mobile phone A PP or WEB user sides
System, for example:Issue the orders such as car locking, switch air-conditioning, close door vehicle window, it is possible to by mobile phone A PP or WEB user sides
Check the relevant information of vehicle, carry out some vehicle-states check, fault diagnosis etc..Detailed process is that user uses mobile phone A PP
Or the instruction that WEB user sides send passes through network transmission to TSP platforms, is then forwarded to TBOX terminals, TBOX terminals pass through car
CAN order be handed down to vehicle, be controlled.TBOX terminals are by CAN, locating module, inertia measurement sensing
After the collection vehicle state such as device module, TSP platforms are sent to by cordless communication network, TSP platforms be then forwarded to mobile phone A PP or
Person's WEB user sides, client can be carried out state and check or fault diagnosis.
Its shortcoming for existing:As multiple links adopt plaintext communication, easily suffer that hacker attacks is destroyed, cause following after
Really:
The data communicated between TBOX terminals and TSP platforms are ravesdropping, and crack.Vehicle personal information is illegally accessed.
TBOX terminals and TSP platform authentications go wrong, and TBOX terminals are connected to illegal center, and vehicle is illegally controlled
System, causes traffic accidents:For example electromotor, throttle, ABS, air-conditioning, car door car window etc. are controlled.TSP platforms are connected to
Illegal TBOX, receives deceptive information.
Explanation of nouns:
TBOX terminals:Telematics BOX, referred to as vehicle-mounted TBOX, are mainly used in collection vehicle relevant information, comprising:Position
Then information passed by confidence breath, attitude information, car status information (by connecting CAN on car) etc. by radio communication
It is sent to TSP platforms.User can be by issuing a command to TBOX ends under TSP platforms using the WEB user sides of mobile phone A PP and PC simultaneously
End, is controlled operation, such as close door, switch air-conditioning etc. to vehicle.
TSP platforms:TSP service platforms, for receiving the data of TBOX terminals upload, carry out Treatment Analysis, and by user
The wagon control instruction message issued from the WEB user sides of mobile phone A PP or PC is sent to TBOX terminals.
Mobile phone A PP/PC WEB user sides:The application that installs in the application user end/PC that installs on mobile phone
Program user end.
Key:Key.
HMAC:HMAC is related Hash operation message authentication code (the Hash-based Message of key
Authentication Code), HMAC computings utilize hash algorithm, with a key and a message as input, generate one
Eap-message digest is used as output.HMAC needs the hash function using an encryption, such as SHA (256).
SHA:Secure Hash Algorithm (Secure Hash Algorithm), is primarily adapted for use in DSS
Digital Signature Algorithm (the Digital Signature defined inside (Digital Signature Standard DSS)
Algorithm DSA).
SHA(256):SHA algorithms based on 256bit length keys.
AES:Advanced Encryption Standard (English:Advanced Encryption Standard, abbreviation:AES), in cryptography
In also known as Rijndael enciphered methods, be a kind of block encryption standard that Federal Government is adopted, be a kind of symmetric encryption
Algorithm.This standard is used for substituting original DES, and widely the whole world is used.
AES(128):Aes algorithm based on 128bit length keys.
Security encryption chip:Built-in security AES, is connected by the MCU of the interfaces such as SPI or UART and TBOX terminals,
Can realize including:Obtain security encryption chip serial number, data encryption, data deciphering, random generate numeral, preserve key and
The functions such as random number.
Key Management server (KMS):Abbreviation hardware encryption equipment, the generation of responsible key, distribution, storage, backup, pipe
Reason, destruction etc., while be responsible for the encryption and decryption of the message of TSP platforms.
Content of the invention
The technical problem to be solved in the present invention, is to provide key generation method between a kind of TBOX terminals and TSP platforms
And system, effectively can be prevented because of the interaction flow quilt between TBOX terminals and TSP platforms by the key generation method
Attack and communication data occur and be cracked leakage, vehicle is maliciously controlled.
One of present invention is realized in:Key generation method between a kind of TBOX terminals and TSP platforms, including as follows
Step:
Step 1, generation security encryption chip master key;
Step 2, security encryption chip master key is stored to TSP platforms;
Step 3, by the programming of security encryption chip master key to TBOX terminals.
Further, a security encryption chip is provided with the TBOX terminals, the step 1 is further specially:
Random generation Che Qi group root master key GRKey on TSP platforms;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey conducts
Input message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip factory
Trade mark knows SCVId as key, and vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo as key,
Security encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key.
Further, the TSP platforms are provided with a hardware encryption equipment, and the hardware encryption equipment is provided with USB encryption locks,
When USB encryption locks insert hardware encryption equipment, start to generate security encryption chip master key.
Further, described primary key SCMORKey is further specially as security encryption chip master key:Cut
16 byte of 16 byte of starting and end of primary key SCMORKey is taken, the security encryption chip master key of 32 bytes is constituted
SCMKey.
Further, the step 3 is further specially:
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip.
Further, the cipher mode and manner of decryption are AES, and security encryption chip serial number SCSNo is made
For key.
The two of the present invention are realized in:Key generation system between a kind of TBOX terminals and TSP platforms, including as follows
Module:
Key production module, generates security encryption chip master key;
Memory module, security encryption chip master key is stored to TSP platforms;
Programming module, by the programming of security encryption chip master key to TBOX terminals.
Further, a security encryption chip is provided with the TBOX terminals, the key production module is further concrete
For:
Random generation Che Qi group root master key GRKey on TSP platforms;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey conducts
Input message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip factory
Trade mark knows SCVId as key, and vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo as key,
Security encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key.
Further, the TSP platforms are provided with a hardware encryption equipment, and the hardware encryption equipment is provided with USB encryption locks,
When USB encryption locks insert hardware encryption equipment, start to generate security encryption chip master key.
Further, described primary key SCMORKey is further specially as security encryption chip master key:Cut
16 byte of 16 byte of starting and end of primary key SCMORKey is taken, the security encryption chip master key of 32 bytes is constituted
SCMKey.
Further, the programming module is further specially:
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip.
Further, the cipher mode and manner of decryption are AES, and security encryption chip serial number SCSNo is made
For key.
The invention has the advantages that:Between a kind of TBOX terminals of the present invention and TSP platforms key generation method and it is
System, the key generating mode fully combine existing hardware device, produce unique key, and generating process is complicated,
Crack difficulty;Realize the safety encryption that interaction is communicated between TBOX terminals and TSP platforms, be prevented from illegal TBOX terminals and access
Legal TSP platforms, and prevent legal TBOX terminals from accessing illegal TBOX platforms, finally prevent because of TBOX terminals and
Interaction flow between TSP platforms is attacked and communication data occurs and be cracked leakage, and vehicle is maliciously controlled.
Description of the drawings
The present invention is further illustrated in conjunction with the embodiments with reference to the accompanying drawings.
Fig. 1 is the inventive method execution flow chart.
Fig. 2 is TBOX terminal security chip keys product processes in the present invention.
Fig. 3 is TBOX terminal security chip master key conveying flows in the present invention.
Fig. 4 is TBOX terminals and TSP platform two-way authentication flow processs in the present invention.
Fig. 5 is up-downgoing session key product process in the present invention.
Fig. 6 is up-downgoing session counter product process in the present invention.
Fig. 7 sends message for TBOX terminals in the present invention and gives TSP platforms.
Fig. 8 sends message for TSP platforms in the present invention and gives TBOX terminals.
Specific embodiment
As shown in figure 1, key generation method between TBOX terminals of the present invention and TSP platforms, comprises the steps:
Step 1, TSP platforms are provided with a hardware encryption equipment, and the hardware encryption equipment is provided with USB encryption locks, as USB plus
During close lock insertion hardware encryption equipment, start to generate security encryption chip master key;Random generation Che Qi groups root on TSP platforms
Master key GRKey;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey conducts
Input message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip factory
Trade mark knows SCVId as key, and vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo as key,
Security encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key, described using primary key SCMORKey as peace
Full encryption chip master key is further specially:16 byte of 16 byte of starting and end of primary key SCMORKey is intercepted,
Constitute the security encryption chip master key SCMKey of 32 bytes;
Step 2, security encryption chip master key is stored to TSP platforms;
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by step 3, TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip, the cipher mode and decryption
Mode is AES, using security encryption chip serial number SCSNo as key.
Key generation system between TBOX terminals of the present invention and TSP platforms, including such as lower module:
Key production module, TSP platforms are provided with a hardware encryption equipment, and the hardware encryption equipment is provided with USB encryption locks,
When USB encryption locks insert hardware encryption equipment, start to generate security encryption chip master key;Random generation car on TSP platforms
Enterprise group root master key GRKey;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey conducts
Input message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip factory
Trade mark knows SCVId as key, and vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo as key,
Security encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key, described using primary key SCMORKey as peace
Full encryption chip master key is further specially:16 byte of 16 byte of starting and end of primary key SCMORKey is intercepted,
The security encryption chip master key SCMKey of 32 bytes is constituted, in the TBOX terminals, a security encryption chip is provided with;
Memory module, security encryption chip master key is stored to TSP platforms;
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by programming module, TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip, the cipher mode and decryption
Mode is AES, using security encryption chip serial number SCSNo as key.
A kind of specific embodiment of the present invention and the specifically used method of key:
The present invention thinking be:1st, the transmission between TBOX terminals and TSP platforms, using coded communication, safe key
The mode of access authentication.Specially:Increase by 1 module that can realize secure cryptographic algorithm in TBOX terminals, corresponding
Increase by 1 Key Management server (KMS), abbreviation hardware encryption equipment at the communication access service of TSP platforms.By such side
Method suffers that data crack leakage and illegal control command is issued protecting TBOX terminals not to be linked into the illegal center of distal end,
Support vehicles safety.2nd, the inventive method mainly uses symmetry cipher mode.
1 system general frame
System mainly (increased Key Management server by TBOX terminals (increased security encryption chip), TSP platforms
(KMS), also referred to as hardware encryption equipment), car, four part of the WEB user sides composition on mobile phone A PP or PC.
TBOX terminals:It is mainly used in collection vehicle relevant information, TSP platforms is sent to by radio communication then.Simultaneously
The WEB user sides of mobile phone A PP and PC can be controlled operation, example by issuing a command to TBOX terminals under TSP platforms to vehicle
Such as close door etc..Increase by 1 design in original TBOX terminals, internal MCU is connected by a SPI mouth or UART mouths
To a security encryption chip, it is possible to achieve include:Obtain security encryption chip serial number, data encryption, data deciphering, random
Numeral is generated, the function such as key and random number is preserved.The safety chip at this place supports general International Algorithmic, including 3DES, AES,
SHA etc..
TSP platforms:Be responsible for receiving the data that TBOX terminals are uploaded, carry out Treatment Analysis, and by user from mobile phone A PP or
It is wagon control instruction message that WEB user sides are issued, is sent to TBOX terminals.Increase in original TSP Platform Designings:At end
End wireless network increases by 1 Key Management server (KMS), abbreviation hardware encryption equipment where accessing.Hardware encryption equipment is responsible for
The generation of key, distribution, storage, backup, management, destruction etc., while be responsible for the encryption and decryption to mutual message.Hardware encryption equipment
It is furnished with key administrator USB encryption locks (one or more), only when all of USB encryption locks are inserted into hardware encryption equipment
Afterwards, hardware encryption equipment just can obtain enough mandates, carry out key generation.Prevent because lack of standardization management cause illegal key with
Meaning is generated.
Car:Where user finally realizes that the thing of function control, TBOX terminals are installed, there is provided TBOX terminal supplying powers.
TBOX terminals can collect the various information of vehicle, including:Position, attitude, vehicle interior status data etc. are (total by CAN
Line).
In such a system, inside the security encryption chip of the hardware encryption equipment of TSP platform sides and TBOX end sides
Corresponding encryption key is stored, the end-to-end encryption mechanism that communicates between TSP platforms and TBOX terminals is realized, following main to realize
Security function:
Two-way authentication function between TSP platforms and TBOX terminals.
The encrypted transmission of crucial sensitive data.
The completeness check of information data.
In order to realize function above, it is necessary first to generate the master key of each distinctive security encryption chip of TBOX terminals,
And safely transfer secret key, write security encryption chip.
Afterwards, safe and reliable company to be set up by a series of process of two-way authentications between TBOX terminals and TSP platforms
Connect, and generate interim session key.
Finally, TBOX terminals can carry out the communication of safe encryption by interim session key.
Session key after a conversation end cancels automatically, during next one session initiation, then carries out two-way authentication,
New Session key establishment.
AES used in this method is mainly used:AES (128) and hmac algorithm (all of hmac algorithm
SHA (256) is all adopted as internal hashing algorithm).
The method of calling of hmac algorithm is HMAC (key, data).Key is key, and data is input message.
The master key product process of security encryption chip is as follows:
For different TBOX terminals, because its different vehicle for being available to different depots is used, therefore according to car
Enterprise is different, vehicle sub-brand name is different, and the security encryption chip producer that depot's requirement is customized is different, the sequence of each security encryption chip
Row number is different, generates the security encryption chip master key of different TBOX terminals.
As shown in Fig. 2 idiographic flow is described as follows:
Che Qi groups root master key is generated:Operator's operation hardware encryption equipment generates safety chip master key.The first step
It is, by key administrator's USB encryption locks (one or more) the insertion hardware encryption equipment of depot.
Hardware encryption equipment is detected and has obtained highest administrator mandate.
Hardware encryption equipment is by internal physical noise source randomizer, the random Che Qi groups root for generating 32 bytes
Master key GRKey, and preserve.Subsequently such as need to use, it is not necessary to regenerate.
Vehicle sub-brand name master key is generated:Hardware encryption equipment identifies VBId (16 byte) according to vehicle brand and calculates vehicle
Brand master key VBMKey (64 byte).The algorithm for using is HMAC, and the mode of calculating is to identify VBId (16 using vehicle brand
Byte) used as key, Che Qi groups root master key GRKey (32 byte) are used as input message, method of calling:HMAC (VBId,
GRKey).
Security encryption chip production firm master key is generated:Hardware encryption equipment is according to safety chip identification of the manufacturer SCVId (16
Byte) calculate security encryption chip production firm master key SCVMKey (64 byte).The algorithm for using is HMAC, the side of calculating
Formula is to use safety chip identification of the manufacturer SCVId (16 byte) as key, and vehicle sub-brand name master key VBMKey (64 byte) is made
For being input into message, method of calling:HMAC (SCVId, VBMKey).
Security encryption chip master key is generated:Hardware encryption equipment is according to calculating safety chip master key SCMKey (32 words
Section).First by safety chip serial number SCSNo (16 byte) as key, security encryption chip production firm master key
SCVMKey (64 byte) is input into as message, and adopts hmac algorithm, generates 64 byte primary key SCMORKey, called side
Formula is HMAC (SCSNo, SCVMKey).Second step, intercepts 16 words of the 16 initial bytes and most end of primary key SCMORKey
Section, constitutes the safety chip master key SCMKey of 32 bytes.
Security encryption chip master key is transmitted:Safety chip master key SCMKey is passed to TBOX terminals by hardware encryption equipment
On security encryption chip carry out write preservation.With regard to the specific conveying flow of security encryption chip, as shown in Figure 3.
So far, after security encryption chip master key is generated, carry out transmitting the security encryption chip for being saved in TBOX terminals.
Security encryption chip master key SCMKey is actually a key group, is divided into two parts, 16 byte of each length, this
Two keys are respectively:
MACKey:The key value of MAC value calculating is exclusively used in, key when interacting for subsequent packet in hmac algorithm is used;
Wherein MACKey is the content of 16 bytes before SCMKey.AESKey:The key value of cryptographic operation is exclusively used in, for follow-up report
Key during text interaction in aes algorithm is used;AESKey is exactly the content of 16 bytes behind SCMKey.
2nd, security encryption chip master key conveying flow:Key conveying flow to security encryption chip, needs in TBOX
Terminal is carried out when production, as shown in Figure 3.
The whole machine production start parameter configurations of TBOX:TBOX terminals complete final assembly production, by the PC used in production
Configuration tool, proceeds by parameter configuration.(PC configuration tools are communicated by the serial ports on PC and the connection of TBOX terminals, real
Existing correlation function)
Operative configuration security encryption chip master key function:Producing line operator are using the configuration safety in PC configuration tools
Encryption chip master key SCMkey functions, press functional keyss.
Request security encryption chip serial number:PC configuration tools are said the word by serial ports and give TBOX terminals, are asked for safety and are added
Close chip serial number SCSNo.
Obtain security encryption chip serial number:TBOX terminals receive the order of PC configuration tools, obtain to security encryption chip
After taking security encryption chip serial number SCSNo, PC configuration tools are sent to.
Transmit Sequence Number TSP platforms are given with terminal item number information:PC configuration tools are by the TBOX end product material for being produced
Number and security encryption chip serial number SCSNo packings after, TSP platforms that distal end is sent to by network.
TSP platform query-related informations:TSP platforms are inquired corresponding by background system according to TBOX end product item numbers
Depot's title and vehicle information, safety chip encryption trade name, send these information and security encryption chip sequence
Number SCSNo carries out security encryption chip master key SCMkey calculating to the hardware encryption equipment (Key Management server) of TSP platforms.
Security encryption chip master key calculation:The information that Key Management server is transmitted according to TSP platforms, inquires car enterprise
Group root master key GRKey (32 byte), vehicle brand mark VBId (16 byte), safety chip identification of the manufacturer SCVId (16 words
Section) and security encryption chip master key calculation is carried out according to the security encryption chip serial number SCSNo of TSP platforms transmission.
Security encryption chip master key encryption:The security encryption chip master key SCMkey that Key Management server will be generated
TSP platforms are sent to after being encrypted using security encryption chip serial number SCSNo (16 byte).Cipher mode is AES
(128) security encryption chip serial number SCSNo (16 byte), is used as key.
The key of encryption returns configuration tool:TSP platforms by encryption after safety chip master key issue PC configuration tools,
PC configuration tools are handed down to TBOX terminals by serial ports.
The secret key decryption of encryption:Encryption of the TBOX terminals using security encryption chip serial number SCSNo as key to issuing
Key be decrypted, manner of decryption is AES (128).
Security encryption chip master key writes:Security encryption chip master key is write security encryption chip by TBOX terminals.
Complete to write, return successfully:TBOX terminals " return " key" arranges successful response and gives PC configuration tools, completes safety
Encryption chip master key programming.
Two-way authentication flow process is as follows:
TBOX terminals and TSP platforms are mutually setting up communication connection, before carrying out data interaction, it is necessary to carry out two-way authentication,
To ensure the legitimacy of terminal and platform.
Two-way authentication is the effective means protected by secure data, its safety operation comprising two aspects:
TSP platforms need to provide legitimacy of the authentication information for TBOX client checks TSP platforms to TBOX terminals.
TBOX terminals are also required to provide the legitimacy that authentication information verifies TBOX terminals for TSP platforms to TSP platforms simultaneously.
Before each new session start, server should carry out two-way authentication with terminal.Complete two-way authentication it
Afterwards, equipment will provide the corresponding access rights to equipment to platform.Two-way authentication based on AES can be in the safety of checking both sides
The initial value SOC of a common session key and sequence counter is produced after key.SOC was mainly used within the session cycle
Anti-replay mechanism, often once encrypted using session key/decrypt computing before, it is necessary to the value of SOC is added 1.
As shown in figure 4, obtaining safety chip serial number and generating 8 randoms number:TBOX terminals are from built-in safety encryption
The serial number SCSNo (16 byte) of security encryption chip, and the random number TBOXrnd_ of 8 bytes is obtained in chip
8byte.
TBOX terminals send certification request:TBOX terminals using security encryption chip serial number SCSNo and 8 bytes with
Machine number TBOXrnd_8byte, and TBOX terminal serial numbers generation TBOX terminal device authentication request messages, issue TSP platforms.
Request is issued hardware encryption equipment by TSP platforms:TSP platforms receive the certification request report from TBOX terminal units
Text, is sent to hardware encryption equipment.
Hardware encryption equipment generates random number:Hardware encryption equipment generate 32 bytes random number KMSrnd_32byte with
And 8 byte random number KMSrnd_8byte.
Hardware encryption equipment generates character string:Hardware encryption equipment generation character string KMS_S (KMSrnd_8byte, TSPId,
TBOXrnd_8byte, SCSNo, KMSrnd_32byte), TSPId is platform identification code.
Hardware encryption equipment encrypted characters string:Hardware encryption equipment obtains safety according to security encryption chip serial number SCSNo and adds
Close chip master key is simultaneously encrypted to KMS_S, and after character string KMS_S is encrypted, the encrypted characters string ENKMS_S of formation is issued
TSP platforms.AES is AES (128).
TSP platforms issue encrypted characters string and give TBOX terminals:Encrypted characters string ENKMS_S is sent to TBOX by TSP platforms
Terminal.
Encrypted characters string is decrypted:TBOX terminals are decrypted character string ENKMS_S according to safety chip master key and obtain KMS_S,
Then the value of SCSNo and TBOXrnd_8byte is therefrom obtained, and is verified.
Check results process:If check results pass through, then proceed two-way authentication, otherwise authentification failure, terminate stream
Journey.
TBOX terminals generate session key and session counter:The safety chip master key of TBOX generates 32 bytes
Random number TBOXrnd_32byte, and uplink session key KSET_ is generated using TBOXrnd_32byte and KMSrnd_32byte
U and uplink session sequence counter initial value SOC_U, descending session key KSET_D and descending conversation order enumerator initial value SOC_
D.The generating algorithm of session key and session counter is referring to Fig. 6 and Fig. 5.
TBOX terminals generate character string and encrypt:TBOX terminals generation character string TBOX_SS (KM Srnd_8byte,
TSPId, TBOXrnd_32byte, SCSNo, KMSrnd_32byte), and using TBOX terminals safety chip master key to word
Symbol string TBOX_SS is encrypted, and generates encrypted characters string ENTBOX_SS.AES adopts AES (128).
TBOX terminals send encrypted characters string:Encrypted characters string ENTBOX_SS is dealt into TSP platforms by TBOX terminals.
TSP platforms forward character string to hardware encryption equipment:TSP platforms are dealt into encrypted characters string ENTBOX_SS in platform
The hardware encryption equipment in portion.
Hardware encryption equipment verifies random number value:Hardware encryption equipment decrypts character string according to security encryption chip master key
ENTBOX_SS, obtains character string TBOX_SS, and verifies the value of KMSrnd_32byte and KMSrnd_8byte.
Verification random number outcome:If verification passes through, proceed certification;If do not passed through, two-way authentication fails,
Terminate certification.
Hardware encryption equipment generates session key:Hardware encryption equipment is according to TBOXrnd_32byte and KMSrnd_32byte
Generate uplink session key KSET_U and uplink session sequence counter initial value SOC_U, descending session key KSET_D and descending
Conversation order enumerator initial value SOC_D, and preserve.The generating algorithm of session key and session counter such as Fig. 5 and Fig. 6 institutes
Show.
Two-way authentication is set up:Two-way authentication is set up, and can start to interact using encrypted message.
Session key and the product process of session counter
What up-downgoing session key was generated is the key group of 32 bytes, is divided into two parts, is respectively used to MAC calculating
Calculate with AES encryption.
What up-downgoing session counter was generated is the number of 16 bytes.
As shown in figure 5, cryptographic Hash 1 is calculated:Value D1 that HMAC (MACKey, TBOXrnd_32byte) is calculated using algorithm
(64).
Cryptographic Hash 2 is calculated:Value D2 (64) that HMAC (MACKey, KMSrnd_32byte) is calculated using algorithm.
XOR value is calculated:Using value and the value XOR of D2 of D1, D3 (64) is generated.
Up key is generated:Initial 16 bytes of D3 are taken as KSET_ENC_U, are used for uplink session AES encryption,
16 bytes of D3 most ends are taken as KSET_MAC_U, is calculated for uplink session HMAC and is used as KEY.Two 16 bytes
Key composition uplink session key KSET_U (32 byte).
Accumulated value is calculated:Using the value and the value of D2 of D1, Accumulating generation D4 (64)
Descending key is generated:Initial 16 bytes of D4 are taken as KSET_ENC_D, are used for descending session AES encryption,
16 bytes of D4 most ends are taken as KSET_MAC_D, is calculated for descending session HMAC and is used as KEY.Two 16 bytes
Key constitute descending session key KSET_D (32 byte).
As shown in fig. 6, up-downgoing session counter product process
Secret value 1 is calculated:Value S1 (88) that AES (AESKey, TBOXrnd_32byte) is calculated using algorithm.
Secret value 2 is calculated:Value S2 (88) that AES (AESKey, KMSrnd_32byte) is calculated using algorithm.
Cumulative and calculating:Using the value and the value of S2 of S1, Accumulating generation S3 (88).
Session counter is generated:Initial 16 bytes of S3 are taken as SOC_U, uplink session sequence counter, S3 most ends are taken
16 bytes of tail as SOC_D, as descending conversation order enumerator.
5th, after TBOX terminals and the two-way authentication of TSP platforms are set up, communication can be encrypted, as described in Fig. 7 and Fig. 8:
As shown in fig. 7, send session counter adding up:The clear data that TBOX terminals will need to upload to TSP platforms
TBOX_SENDDATA is ready to, and by uplink session enumerator SOC_U values+1.
Send message encryption:TBOX terminals use uplink session key KSET_U encrypting plaintext data SOC_U+TBOX_
SENDDATA, obtains encryption data ENTBOX_SENDDATA, using encryption data ENTBOX_SENDDATA as encrypted message
Body part.
Calculate cryptographic Hash:TBOX terminals calculate the cryptographic Hash of encryption data ENTBOX_SENDDATA using hmac algorithm, and
It is attached to behind encrypted message text, forms complete encrypted message.
Send encrypted message:It is flat to TSP that TBOX terminal units send encrypted message and security encryption chip serial number SCSNo
Platform, TSP platforms send encrypted message and security encryption chip serial number SCSNo to hardware encryption equipment.
Message is received, integrity is verified:Hardware encryption equipment by uplink session enumerator SOC_U+1, first using hmac algorithm
The integrity of encrypted message is verified, whether the cryptographic Hash for verifying the afterbody of encrypted message is correct.
Check results:Check results pass through, then enter decryption link, otherwise it is assumed that message is imperfect, abandon.
Decrypted message:Hardware encryption equipment decrypts the body part of encrypted message using uplink session key KSET_ENC_U,
Return in plain text to TSP platforms, be analyzed process.
As shown in figure 8, send session counter adding up:The clear data TSP_ that TSP platforms will need to send encryption
SENDDATA and security encryption chip serial number SCSNo issue hardware encryption equipment, and hardware encryption equipment is by descending session counter
The value+1 of value SOC_D.
Send message encryption:Hardware encryption equipment uses descending session key KSET_ENC_D encrypting plaintext data SOC_D+
TSP_SENDDATA, obtains encryption data ENTSP_SENDDATA, using encryption data ENTSP_SENDDATA as encrypted message
Body part.
Calculate cryptographic Hash:Hardware encryption equipment calculates the cryptographic Hash of encryption data ENTSP_SENDDATA using hmac algorithm,
It is attached to behind encrypted message body part, generates complete message, and return to TSP platforms.
Send encrypted message:Encrypted message is issued TBOX terminals by TSP platforms.
Message is received, integrity is verified:TBOX terminals are by the value+1 of descending session counter value SOC_D, and use HMAC
Calculating the cryptographic Hash of encrypted message text, the subsidiary value of contrast encrypted message afterbody afterwards, if correct checks message to algorithm
Integrity.
Check results:Check results pass through, then enter decryption link, otherwise it is assumed that message is imperfect, abandon.
Decrypted message:TBOX terminals decrypt the text value of encrypted message using descending session key KSET_ENC_D, obtain
In plain text.
The value of session key and up-downgoing session counter SOC in the chip will continuously effective, until session is due under
Row situation and terminate:
Security encryption chip the reason such as is restarted because of TBOX terminals and is powered down reset.
TBOX terminal disconnections connect with TSP platforms again.
TBOX terminals are cancelled using cipher mode and the connection of TSP platforms, use clear-text way instead.
Although the foregoing describing the specific embodiment of the present invention, those familiar with the art should manage
Solution, the specific embodiment described by us are merely exemplary, rather than for the restriction to the scope of the present invention, are familiar with this
Equivalent modification and change that the technical staff in field is made in the spirit according to the present invention, should all cover the present invention's
In scope of the claimed protection.
Claims (12)
1. key generation method between a kind of TBOX terminals and TSP platforms, it is characterised in that:Comprise the steps:
Step 1, generation security encryption chip master key;
Step 2, security encryption chip master key is stored to TSP platforms;
Step 3, by the programming of security encryption chip master key to TBOX terminals.
2. key generation method between a kind of TBOX terminals according to claim 1 and TSP platforms, it is characterised in that:Institute
State and in TBOX terminals, be provided with a security encryption chip, the step 1 is further specially:
Random generation Che Qi group root master key GRKey on TSP platforms;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey is used as input
Message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip manufacturer marks
SCVId is known as key, vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo is used as key, safety
Encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key.
3. key generation method between a kind of TBOX terminals and TSP platforms as claimed in claim 1 or 2, it is characterised in that:Institute
State TSP platforms and be provided with a hardware encryption equipment, the hardware encryption equipment is provided with USB encryption locks, when USB encryption locks insert hardware
During encryption equipment, start to generate security encryption chip master key.
4. key generation method between a kind of TBOX terminals and TSP platforms as claimed in claim 2, it is characterised in that:Described
Primary key SCMORKey is further specially as security encryption chip master key:Intercept rising for primary key SCMORKey
16 byte of 16 bytes that begin and end, constitutes the security encryption chip master key SCMKey of 32 bytes.
5. key generation method between a kind of TBOX terminals and TSP platforms as claimed in claim 4, it is characterised in that:Described
Step 3 is further specially:
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip.
6. key generation method between a kind of TBOX terminals and TSP platforms as claimed in claim 5, it is characterised in that:Described
Cipher mode and manner of decryption are AES, using security encryption chip serial number SCSNo as key.
7. key generation system between a kind of TBOX terminals and TSP platforms, it is characterised in that:Including such as lower module:
Key production module, generates security encryption chip master key;
Memory module, security encryption chip master key is stored to TSP platforms;
Programming module, by the programming of security encryption chip master key to TBOX terminals.
8. key generation system between a kind of TBOX terminals according to claim 7 and TSP platforms, it is characterised in that:Institute
State and in TBOX terminals, be provided with a security encryption chip, the key production module is further specially:
Random generation Che Qi group root master key GRKey on TSP platforms;
Vehicle sub-brand name master key VBMKey is generated by hmac algorithm;Wherein Che Qi groups root master key GRKey is used as input
Message, vehicle brand identify VBId as key;
Security encryption chip production firm master key SCVMKey is generated by hmac algorithm;Wherein security encryption chip manufacturer marks
SCVId is known as key, vehicle sub-brand name master key VBMKey is used as input message;
Primary key SCMORKey is generated by hmac algorithm;Wherein security encryption chip serial number SCSNo is used as key, safety
Encryption chip production firm master key SCVMKey is used as input message;
Using primary key SCMORKey as security encryption chip master key.
9. key generation method between a kind of TBOX terminals and TSP platforms as claimed in claim 7 or 8, it is characterised in that:Institute
State TSP platforms and be provided with a hardware encryption equipment, the hardware encryption equipment is provided with USB encryption locks, when USB encryption locks insert hardware
During encryption equipment, start to generate security encryption chip master key.
10. key generation system between a kind of TBOX terminals and TSP platforms as claimed in claim 8, it is characterised in that:Described
Primary key SCMORKey is further specially as security encryption chip master key:Intercept rising for primary key SCMORKey
16 byte of 16 bytes that begin and end, constitutes the security encryption chip master key SCMKey of 32 bytes.
A kind of 11. key generation systems between TBOX terminals and TSP platforms as claimed in claim 10, it is characterised in that:Institute
State programming module to be further specially:
Security encryption chip master key SCMKey is sent to PC configuration tools after encryption by TSP platforms;
After the data deciphering that PC configuration tools will be received, programming is into security encryption chip.
A kind of 12. key generation systems between TBOX terminals and TSP platforms as claimed in claim 11, it is characterised in that:Institute
State cipher mode and manner of decryption is AES, using security encryption chip serial number SCSNo as key.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610972935.5A CN106506149B (en) | 2016-11-07 | 2016-11-07 | Key generation method and system between a kind of TBOX terminal and TSP platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610972935.5A CN106506149B (en) | 2016-11-07 | 2016-11-07 | Key generation method and system between a kind of TBOX terminal and TSP platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106506149A true CN106506149A (en) | 2017-03-15 |
| CN106506149B CN106506149B (en) | 2019-10-22 |
Family
ID=58323669
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610972935.5A Active CN106506149B (en) | 2016-11-07 | 2016-11-07 | Key generation method and system between a kind of TBOX terminal and TSP platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106506149B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107483539A (en) * | 2017-07-14 | 2017-12-15 | 宝沃汽车(中国)有限公司 | The key management method of car networking |
| CN108629192A (en) * | 2018-04-17 | 2018-10-09 | 杭州鸿泉物联网技术股份有限公司 | A kind of authorization data processing method and processing device |
| CN108898026A (en) * | 2018-06-28 | 2018-11-27 | 泰康保险集团股份有限公司 | Data ciphering method and device |
| CN110490008A (en) * | 2018-05-14 | 2019-11-22 | 英韧科技(上海)有限公司 | Safety device and safety chip |
| CN112445496A (en) * | 2019-08-30 | 2021-03-05 | 北汽福田汽车股份有限公司 | Flash method and system for vehicle electric control unit, mobile terminal and vehicle-mounted interactive terminal |
| CN114429276A (en) * | 2021-12-22 | 2022-05-03 | 北京握奇智能科技有限公司 | System and method for realizing bus management based on APP and intelligent equipment |
| CN114697082A (en) * | 2022-03-09 | 2022-07-01 | 中易通科技股份有限公司 | Production and application method of encryption and decryption device in server-free environment |
| CN114884662A (en) * | 2022-05-06 | 2022-08-09 | 深圳创维-Rgb电子有限公司 | Chip key programming method and device, display equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101686225A (en) * | 2008-09-28 | 2010-03-31 | 中国银联股份有限公司 | Methods of data encryption and key generation for on-line payment |
| CN102186169A (en) * | 2010-04-30 | 2011-09-14 | 北京华大智宝电子系统有限公司 | Identity authentication method, device and system |
| CN103400062A (en) * | 2013-07-30 | 2013-11-20 | 深圳创维数字技术股份有限公司 | Method and system for authorized use of software |
| CN104363266A (en) * | 2014-10-23 | 2015-02-18 | 北京远特科技有限公司 | Remote vehicle control method, TSP (telematics service provider) backstage system and vehicular terminal |
-
2016
- 2016-11-07 CN CN201610972935.5A patent/CN106506149B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101686225A (en) * | 2008-09-28 | 2010-03-31 | 中国银联股份有限公司 | Methods of data encryption and key generation for on-line payment |
| CN102186169A (en) * | 2010-04-30 | 2011-09-14 | 北京华大智宝电子系统有限公司 | Identity authentication method, device and system |
| CN103400062A (en) * | 2013-07-30 | 2013-11-20 | 深圳创维数字技术股份有限公司 | Method and system for authorized use of software |
| CN104363266A (en) * | 2014-10-23 | 2015-02-18 | 北京远特科技有限公司 | Remote vehicle control method, TSP (telematics service provider) backstage system and vehicular terminal |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107483539A (en) * | 2017-07-14 | 2017-12-15 | 宝沃汽车(中国)有限公司 | The key management method of car networking |
| CN108629192B (en) * | 2018-04-17 | 2020-04-10 | 杭州鸿泉物联网技术股份有限公司 | Authorization data processing method and device |
| CN108629192A (en) * | 2018-04-17 | 2018-10-09 | 杭州鸿泉物联网技术股份有限公司 | A kind of authorization data processing method and processing device |
| CN110490008B (en) * | 2018-05-14 | 2021-08-10 | 英韧科技(上海)有限公司 | Security device and security chip |
| CN110490008A (en) * | 2018-05-14 | 2019-11-22 | 英韧科技(上海)有限公司 | Safety device and safety chip |
| US11308241B2 (en) | 2018-05-14 | 2022-04-19 | Innogrit Technologies Co., Ltd. | Security data generation based upon software unreadable registers |
| CN108898026A (en) * | 2018-06-28 | 2018-11-27 | 泰康保险集团股份有限公司 | Data ciphering method and device |
| CN112445496A (en) * | 2019-08-30 | 2021-03-05 | 北汽福田汽车股份有限公司 | Flash method and system for vehicle electric control unit, mobile terminal and vehicle-mounted interactive terminal |
| CN114429276A (en) * | 2021-12-22 | 2022-05-03 | 北京握奇智能科技有限公司 | System and method for realizing bus management based on APP and intelligent equipment |
| CN114429276B (en) * | 2021-12-22 | 2024-07-05 | 北京握奇智能科技有限公司 | System and method for realizing bus management based on APP and intelligent equipment |
| CN114697082A (en) * | 2022-03-09 | 2022-07-01 | 中易通科技股份有限公司 | Production and application method of encryption and decryption device in server-free environment |
| CN114697082B (en) * | 2022-03-09 | 2023-11-07 | 中易通科技股份有限公司 | Production and application method of encryption and decryption device in server-free environment |
| CN114884662A (en) * | 2022-05-06 | 2022-08-09 | 深圳创维-Rgb电子有限公司 | Chip key programming method and device, display equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106506149B (en) | 2019-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106357400B (en) | Establish the method and system in channel between TBOX terminal and TSP platform | |
| CN106572106B (en) | Method for transmitting message between TBOX terminal and TSP platform | |
| CN106506149B (en) | Key generation method and system between a kind of TBOX terminal and TSP platform | |
| CN108055235B (en) | Control method of intelligent lock, related equipment and system | |
| CN100499452C (en) | Device and method for securely transmitting authorization data | |
| CN111028397B (en) | Authentication method and device, and vehicle control method and device | |
| US8799657B2 (en) | Method and system of reconstructing a secret code in a vehicle for performing secure operations | |
| US9479329B2 (en) | Motor vehicle control unit having a cryptographic device | |
| JP2014204444A (en) | Method and device for detecting manipulation of sensor and/or sensor data of the sensor | |
| CN109035519B (en) | Biological feature recognition device and method | |
| CN106912046B (en) | One-way key fob and vehicle pairing | |
| CN101251883B (en) | Method for performing safety controllable remote upgrade for software protecting device | |
| CN106341392B (en) | II interface security communication protection device of electric car OBD, system and method | |
| CN104322003A (en) | Cryptographic authentication and identification method using real-time encryption | |
| CN110855616B (en) | Digital key generation system | |
| CN114267100B (en) | Unlocking authentication method and device, security chip and electronic key management system | |
| CN112182551B (en) | PLC equipment identity authentication system and PLC equipment identity authentication method | |
| CN110383755A (en) | The network equipment and trusted third party's equipment | |
| CN101651538A (en) | Method for safe transmission of data based on creditable password module | |
| CN100410829C (en) | Granting an access to a computer-based object | |
| CN109451504A (en) | Internet of Things mould group method for authenticating and system | |
| CN103378966A (en) | Secret key programming on safety dynamic piece | |
| JPH0244389A (en) | Ic card apparatus | |
| CN110113153B (en) | NFC secret key updating method, terminal and system | |
| CN100561913C (en) | A kind of method of access code equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |