CN109495441A - Access authentication method, device, relevant device and computer readable storage medium - Google Patents

Publication number
CN109495441A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811049884.4A
Other languages
Chinese (zh)
Inventor
马东辉
满志远
陈鹏飞
李文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing CHJ Automotive Information Technology Co Ltd
Original Assignee
Beijing CHJ Automotive Information Technology Co Ltd
Application filed by Beijing CHJ Automotive Information Technology Co Ltd
Priority to CN201811049884.4A
Publication of CN109495441A
Legal status: Pending

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using challenge-response for mutual authentication

Abstract

An embodiment of the disclosure provides an access authentication method, a device, a relevant device and a computer-readable storage medium. The method is applied to a vehicle and comprises: receiving a signing certificate sent by a cloud server; in a case where the signing certificate is determined to be valid, constructing an encrypted connection channel between the vehicle and the cloud server; and performing access authentication with the cloud server through the encrypted connection channel. In embodiments of the disclosure, the vehicle and the cloud server do not perform access authentication directly: before access authentication, the vehicle can perform certificate authentication on the cloud server, and the access authentication process is carried out through the encrypted connection channel, so the security of the access authentication process is effectively guaranteed. Compared with the prior art, the security of the access authentication approach provided by embodiments of the disclosure is therefore effectively guaranteed, which effectively avoids leakage of vehicle data and prevents the vehicle from being illegally controlled.

Description

Access authentication method, device, relevant device and computer readable storage medium
Technical field
Embodiments of the disclosure relate to the technical field of vehicle engineering, and in particular to an access authentication method, a device, a relevant device and a computer-readable storage medium.
Background
With the rapid development of vehicle engineering, vehicles are used more and more widely and have become an important means of transport in people's daily work and life.
In many cases, a vehicle needs to exchange data with a cloud server. Before exchanging data, the vehicle performs access authentication with the cloud server, and the vehicle and the cloud server carry out data communication only if the access authentication passes, so as to ensure the security of the data exchange. In this way, vehicle data can be uploaded to the cloud server safely and reliably, and the cloud server can distribute information to the vehicle safely and reliably.
However, existing access authentication approaches are not secure enough: the vehicle may connect to a cloud server forged by an attacker, which at the least leaks vehicle data and at worst allows the vehicle to be illegally controlled.
Summary of the invention
In a first aspect, an embodiment of the disclosure provides an access authentication method applied to a vehicle, the method comprising:
receiving a signing certificate sent by a cloud server;
in a case where the signing certificate is determined to be valid, constructing an encrypted connection channel between the vehicle and the cloud server;
performing access authentication with the cloud server through the encrypted connection channel.
In some embodiments, performing access authentication with the cloud server through the encrypted connection channel comprises:
performing bilateral access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the vehicle stores a private key;
performing bilateral access authentication with the cloud server through the encrypted connection channel comprises:
generating a first access authentication request, wherein the first access authentication request carries first authentication basic data and first signature data, the first signature data being obtained by the vehicle signing according to the first authentication basic data and the private key;
sending the first access authentication request to the cloud server through the encrypted connection channel;
after sending the first access authentication request, receiving, through the encrypted connection channel, a second access authentication request sent by the cloud server, wherein the second access authentication request carries second authentication basic data and second signature data;
performing signature verification according to the second authentication basic data and the second signature data in the second access authentication request and the private key, and determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
after receiving, through the encrypted connection channel, the second access authentication request sent by the cloud server, the method further comprises:
performing anti-replay verification according to the second random number and the second timestamp and, in a case where the anti-replay verification passes, executing the step of performing signature verification according to the second authentication basic data and the second signature data in the second access authentication request and the private key.
In some embodiments, the second authentication basic data includes an encryption result;
after determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes, the method further comprises:
in a case where the vehicle's access authentication of the cloud server passes, obtaining the encryption result from the second authentication basic data;
decrypting the encryption result using the private key to obtain a key suite;
performing data communication with the cloud server through the encrypted connection channel using the key suite.
In some embodiments, the first authentication basic data includes the vehicle identifier of the vehicle.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
In a second aspect, an embodiment of the disclosure provides an access authentication method applied to a cloud server, the method comprising:
generating a signing certificate;
sending the signing certificate to a vehicle;
in a case where the vehicle determines that the signing certificate is valid, constructing an encrypted connection channel between the cloud server and the vehicle;
performing access authentication with the vehicle through the encrypted connection channel.
In some embodiments, performing access authentication with the vehicle through the encrypted connection channel comprises:
performing bilateral access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the cloud server stores a public key;
performing bilateral access authentication with the vehicle through the encrypted connection channel comprises:
receiving, through the encrypted connection channel, a first access authentication request sent by the vehicle, wherein the first access authentication request carries first authentication basic data and first signature data;
performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the public key, and determining, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
in a case where the cloud server's access authentication of the vehicle passes, generating a second access authentication request, wherein the second access authentication request carries second authentication basic data and second signature data, the second signature data being obtained by the vehicle signing according to the second authentication basic data and the public key;
sending the second access authentication request to the cloud server through the encrypted connection channel.
In some embodiments, the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
after receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle, the method further comprises:
performing anti-replay verification according to the first random number and the first timestamp and, in a case where the anti-replay verification passes, executing the step of performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the public key.
In some embodiments, generating the second access authentication request comprises:
generating a key suite;
encrypting the key suite using the public key to obtain an encryption result, wherein the second authentication basic data of the second access authentication request includes the encryption result;
after sending the second access authentication request to the cloud server through the encrypted connection channel, the method further comprises:
in a case where the vehicle's access authentication of the cloud server passes, performing data communication with the vehicle through the encrypted connection channel using the key suite.
In some embodiments, the first authentication basic data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the public key comprises:
determining, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the determined public key.
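The cloud-side checks on the first access authentication request described above (anti-replay verification on the random number and timestamp, public-key lookup by vehicle identifier, then signature verification) can be sketched as follows. This is an added example, not code from the patent: the JSON encoding, field names, 60-second window and the toy RSA key pair are assumptions chosen so that it runs offline.

```python
import hashlib
import json
import secrets

# Constructed toy key pair (textbook RSA over two Mersenne primes) so the
# example runs offline. It is NOT secure and is not the patent's scheme;
# a real vehicle would keep its private key in the security chip.
_P, _Q = 2**127 - 1, 2**89 - 1
TOY_E, TOY_N = 65537, _P * _Q
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))  # vehicle private exponent

MAX_SKEW = 60  # assumed freshness window, in seconds


def canonical(basic_data):
    """Assumed encoding: signer and verifier must hash identical bytes."""
    return json.dumps(basic_data, sort_keys=True, separators=(",", ":")).encode()


def _digest(basic_data, n):
    h = hashlib.sha256(canonical(basic_data)).digest()
    return int.from_bytes(h, "big") % n


def build_first_request(vehicle_id, d, n, now):
    """Vehicle side: identifier, random number and timestamp, plus signature."""
    basic = {"vehicle_id": vehicle_id,
             "nonce": secrets.token_hex(16),
             "timestamp": now}
    return {"basic": basic, "signature": pow(_digest(basic, n), d, n)}


class CloudVerifier:
    """Cloud side: anti-replay check, key lookup by identifier, signature check."""

    def __init__(self, public_keys):
        self.public_keys = public_keys  # vehicle_id -> (e, n)
        self.seen = {}                  # (vehicle_id, nonce) -> expiry time

    def check(self, request, now):
        basic, sig = request.get("basic"), request.get("signature")
        if not isinstance(basic, dict) or not isinstance(sig, int):
            return False, "malformed request"
        vid = basic.get("vehicle_id")
        nonce = basic.get("nonce")
        ts = basic.get("timestamp")
        if not (isinstance(vid, str) and isinstance(nonce, str)
                and isinstance(ts, (int, float))):
            return False, "malformed request"

        # 1. Anti-replay verification: the timestamp bounds how long a nonce
        #    must be remembered, the nonce cache rejects repeats inside it.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if abs(now - ts) > MAX_SKEW:
            return False, "stale timestamp"
        if (vid, nonce) in self.seen:
            return False, "replayed nonce"

        # 2. Select the public key that corresponds to the vehicle identifier.
        key = self.public_keys.get(vid)
        if key is None:
            return False, "unknown vehicle"
        e, n = key

        # 3. Signature verification over the received basic data.
        if pow(sig, e, n) != _digest(basic, n):
            return False, "bad signature"

        # Remember the nonce only after the signature passes, so requests
        # that fail verification cannot fill the cache. The entry outlives
        # the point at which the timestamp check alone would reject it.
        self.seen[(vid, nonce)] = ts + 2 * MAX_SKEW
        return True, "ok"
```

Because the timestamp is covered by the signature, a captured request cannot be re-dated to slip back inside the freshness window; it fails signature verification instead.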
In a third aspect, an embodiment of the disclosure provides an access authentication device applied to a vehicle, the device comprising:
a receiving module, configured to receive a signing certificate sent by a cloud server;
a construction module, configured to construct an encrypted connection channel between the vehicle and the cloud server in a case where the signing certificate is determined to be valid;
an authentication module, configured to perform access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the authentication module is specifically configured to:
perform bilateral access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the vehicle stores a private key;
the authentication module comprises:
a generation unit, configured to generate a first access authentication request, wherein the first access authentication request carries first authentication basic data and first signature data, the first signature data being obtained by the vehicle signing according to the first authentication basic data and the private key;
a sending unit, configured to send the first access authentication request to the cloud server through the encrypted connection channel;
a receiving unit, configured to receive, through the encrypted connection channel, a second access authentication request sent by the cloud server after the first access authentication request is sent, wherein the second access authentication request carries second authentication basic data and second signature data;
a processing unit, configured to perform signature verification according to the second authentication basic data and the second signature data in the second access authentication request and the private key, and to determine, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
the device further comprises:
a verification module, configured to perform anti-replay verification according to the second random number and the second timestamp after the second access authentication request sent by the cloud server is received through the encrypted connection channel, and to trigger the processing unit in a case where the anti-replay verification passes.
In some embodiments, the second authentication basic data includes an encryption result;
the device further comprises:
an obtaining module, configured to obtain the encryption result from the second authentication basic data in a case where the vehicle's access authentication of the cloud server passes, after it is determined according to the signature verification result whether the vehicle's access authentication of the cloud server passes;
a decryption module, configured to decrypt the encryption result using the private key to obtain a key suite;
a communication module, configured to perform data communication with the cloud server through the encrypted connection channel using the key suite.
In some embodiments, the first authentication basic data includes the vehicle identifier of the vehicle.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
In a fourth aspect, an embodiment of the disclosure provides an access authentication device applied to a cloud server, the device comprising:
a generation module, configured to generate a signing certificate;
a sending module, configured to send the signing certificate to a vehicle;
a construction module, configured to construct an encrypted connection channel between the cloud server and the vehicle in a case where the vehicle determines that the signing certificate is valid;
an authentication module, configured to perform access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the authentication module is specifically configured to:
perform bilateral access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the cloud server stores a public key;
the authentication module comprises:
a receiving unit, configured to receive, through the encrypted connection channel, a first access authentication request sent by the vehicle, wherein the first access authentication request carries first authentication basic data and first signature data;
a processing unit, configured to perform signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the public key, and to determine, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
a generation unit, configured to generate a second access authentication request in a case where the cloud server's access authentication of the vehicle passes, wherein the second access authentication request carries second authentication basic data and second signature data, the second signature data being obtained by the vehicle signing according to the second authentication basic data and the public key;
a sending unit, configured to send the second access authentication request to the cloud server through the encrypted connection channel.
In some embodiments, the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
the device further comprises:
a verification module, configured to perform anti-replay verification according to the first random number and the first timestamp after the first access authentication request sent by the vehicle is received through the encrypted connection channel, and to trigger the processing unit in a case where the anti-replay verification passes.
In some embodiments, the generation unit comprises:
a generation subunit, configured to generate a key suite;
an obtaining subunit, configured to encrypt the key suite using the public key to obtain an encryption result, wherein the second authentication basic data of the second access authentication request includes the encryption result;
the device further comprises:
a communication module, configured to, after the second access authentication request is sent to the cloud server through the encrypted connection channel and in a case where the vehicle's access authentication of the cloud server passes, perform data communication with the vehicle through the encrypted connection channel using the key suite.
In some embodiments, the first authentication basic data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
the processing unit comprises:
a determination subunit, configured to determine, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
a signature verification subunit, configured to perform signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the determined public key.
In a fifth aspect, an embodiment of the disclosure provides a relevant device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the above access authentication method applied to a vehicle, or the steps of the above access authentication method applied to a cloud server.
In a sixth aspect, an embodiment of the disclosure provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the above access authentication method applied to a vehicle, or the steps of the above access authentication method applied to a cloud server.
Brief description of the drawings
Fig. 1 is the first flowchart of the access authentication method provided by an embodiment of the disclosure;
Fig. 2 is a schematic diagram of the data communication process between the vehicle and the cloud server;
Fig. 3 is the second flowchart of the access authentication method provided by an embodiment of the disclosure;
Fig. 4 is the third flowchart of the access authentication method provided by an embodiment of the disclosure;
Fig. 5 is the first structural block diagram of the access authentication device provided by an embodiment of the disclosure;
Fig. 6 is the second structural block diagram of the access authentication device provided by an embodiment of the disclosure;
Fig. 7 is the fourth flowchart of the access authentication method provided by an embodiment of the disclosure;
Fig. 8 is a structural schematic diagram of the relevant device provided by an embodiment of the disclosure.
Specific embodiment
Below in conjunction with the attached drawing in embodiment of the disclosure, the technical solution in embodiment of the disclosure is carried out clear Chu is fully described by, it is clear that described embodiment is disclosure a part of the embodiment, instead of all the embodiments.It is based on Embodiment in the disclosure, those of ordinary skill in the art are acquired every other without creative efforts Embodiment belongs to the range of disclosure protection.
Referring to Fig. 1, the flow chart of the access authentication method of embodiment of the disclosure offer is shown in figure.As shown in Figure 1, This method is applied to vehicle, and this method comprises the following steps:
Step 101, the signing certificate that Cloud Server is sent is received.
It should be noted that can be previously stored with root certificate in Cloud Server, which is the own of Cloud Server Root certificate.Wherein, root certificate may include root-key and root-crt two parts, and root-key is certificate and private key, root- It include root certificate holder information, CertPubKey and signing messages in crt.Cloud Server can use the card in root certificate Book private key generates signing certificate, and sends signing certificate to vehicle.
Specifically, in order to realize the transmission of signing certificate, transmission control protocol can be constructed between vehicle and Cloud Server (Transmission Control Protocol, TCP) interface channel, Cloud Server can be by TCP connection channels, to vehicle Send signing certificate.In this way, vehicle can receive the signing certificate that Cloud Server is sent by TCP connection channel.
It should be pointed out that being not directly to purchase since signing certificate is using the own root certificate generation of Cloud Server The commercial instruments (generally costly) bought, therefore cost is relatively low for signing certificate.
Step 102, in the case where determining that signing certificate is legal, encryption connection is constructed between vehicle and Cloud Server Channel.
It should be noted that the root-crt in the own root certificate of Cloud Server can be previously stored in vehicle, Root-crt can specifically be stored in factory's producing line into vehicle.By TCP connection channel, Cloud Server hair is received After the signing certificate sent, the root-crt that vehicle can use itself storage verifies signing certificate, to determine signature Whether certificate is legal.
In the case where determining the illegal situation of signing certificate, it is believed that send signing certificate may be attacker's forgery Cloud Server, in order to guarantee safety, vehicle can actively disconnect itself TCP connection channel between Cloud Server, whole The process of a access authentication method terminates.
In the case where determining that signing certificate is legal, it is believed that send signing certificate is believable Cloud Server, Vehicle can construct encryption connection channel at itself between Cloud Server.Specifically, encryption connection channel can pass for safety Defeated layer protocol (Transport Layer Security, TLS) interface channel.It is understood that TLS has the advantages that three is big:
One, all information are all that encryption is propagated, and third party can not steal;
Two, there is verification scheme, once being tampered, communicating pair can be found at once;
Three, it is equipped with letter of identity, prevents identity spoofed.
It should be pointed out that the type in secure connection channel is not limited to TLS interface channel, it specifically can be according to reality Situation determines that embodiment of the disclosure do not do any restriction to this.This programme in order to facilitate understanding by those skilled in the art, this It is illustrated in case where secure connection channel is TLS interface channel in disclosed embodiment.
Step 103, perform access authentication with the cloud server through the encrypted connection channel.
In some embodiments, performing access authentication with the cloud server through the encrypted connection channel comprises:
Performing two-way access authentication with the cloud server through the encrypted connection channel.
It should be pointed out that, where the vehicle and the cloud server perform two-way access authentication, the reliability of the authentication result can be effectively guaranteed. Of course, the vehicle and the cloud server may also perform only one-way access authentication, which is also feasible.
In the embodiments of the present disclosure, before the vehicle and the cloud server perform access authentication, the cloud server can send a signed certificate to the vehicle. Next, the vehicle can determine whether the signed certificate is valid, so as to perform certificate authentication on the cloud server. Where the signed certificate is valid, the certificate authentication of the cloud server has passed; at this point an encrypted connection channel can be constructed between the vehicle and the cloud server, and the vehicle and the cloud server can perform access authentication through the encrypted connection channel. It can be seen that, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly: before access authentication, the vehicle performs certificate authentication on the cloud server, and the access authentication procedure is carried out over the encrypted connection channel, so the security of the access authentication procedure can be effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure can be effectively guaranteed, which effectively avoids leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevents the vehicle from being illegally controlled.
In some embodiments, the vehicle stores a private key;
Performing two-way access authentication with the cloud server through the encrypted connection channel comprises:
Generating a first access authentication request; wherein the first access authentication request carries first authentication base data and first signature data, and the first signature data is obtained by the vehicle signing according to the first authentication base data and the private key;
Sending the first access authentication request to the cloud server through the encrypted connection channel;
After sending the first access authentication request, receiving, through the encrypted connection channel, a second access authentication request sent by the cloud server; wherein the second access authentication request carries second authentication base data and second signature data;
Performing signature verification according to the second authentication base data and the second signature data in the second access authentication request and the private key, and determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In the embodiments of the present disclosure, to realize two-way access authentication between the vehicle and the cloud server, a public key may be stored in the cloud server; the public key stored by the cloud server and the private key stored by the vehicle form an asymmetric key pair (belonging to an asymmetric key system).
After the TLS connection channel is constructed between the vehicle and the cloud server, the vehicle can obtain the first authentication base data. Next, the vehicle can sign according to the first authentication base data and the private key to obtain the first signature data, and thereby generate the first access authentication request carrying the first authentication base data and the first signature data. The vehicle can then send the first access authentication request to the cloud server through the TLS connection channel.
After receiving the first access authentication request, the cloud server can perform signature verification according to the first authentication base data and the first signature data in the first access authentication request and the public key, to obtain a signature verification result.
If the signature verification result obtained by the cloud server is a failure, the cloud server can determine that its access authentication of the vehicle does not pass; the cloud server can directly reject the first access authentication request, and the flow of the entire access authentication method ends.
If the signature verification result obtained by the cloud server is a pass, the cloud server can determine that its access authentication of the vehicle passes, and the cloud server can obtain the second authentication base data. Next, the cloud server can sign according to the second authentication base data and the public key to obtain the second signature data, and thereby generate the second access authentication request carrying the second authentication base data and the second signature data. The cloud server can then send the second access authentication request to the vehicle through the TLS connection channel.
After receiving the second access authentication request, the vehicle can perform signature verification according to the second authentication base data and the second signature data in the second access authentication request and the private key, to obtain a signature verification result.
If the signature verification result obtained by the vehicle is a failure, the vehicle can determine that its access authentication of the cloud server does not pass; the vehicle can actively disconnect the TLS connection channel between itself and the cloud server, and the flow of the entire access authentication method ends.
If the signature verification result obtained by the vehicle is a pass, the vehicle can determine that its access authentication of the cloud server passes; at this point, the vehicle and the cloud server have successfully completed two-way access authentication.
It can be seen that, in the embodiments of the present disclosure, the cloud server can perform access authentication according to the first access authentication request, and the vehicle can perform access authentication on the cloud server according to the second access authentication request. In this way, the vehicle and the cloud server can realize two-way access authentication very conveniently, and the reliability of the two-way access authentication result can be effectively guaranteed.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
After receiving, through the encrypted connection channel, the second access authentication request sent by the cloud server, the method further comprises:
Performing an anti-replay check on the second access authentication request according to the second random number and the second timestamp, and, where the anti-replay check passes, executing the step of performing signature verification according to the second authentication base data and the second signature data in the second access authentication request and the private key.
In the embodiments of the present disclosure, the first authentication base data may include the first random number (assumed to be Nonce1) and the first timestamp (assumed to be Timestamp1). After the cloud server receives, through the TLS connection channel, the first access authentication request sent by the vehicle, the cloud server can extract Nonce1 and Timestamp1 from the first authentication base data carried in the first access authentication request. The cloud server can then perform an anti-replay check according to Nonce1 and Timestamp1. It can be understood that performing the anti-replay check according to Nonce1 and Timestamp1 specifically means verifying the validity of Nonce1, that is, determining whether Nonce1 has already been used within a unit of time.
If the cloud server determines that the anti-replay check passes, Nonce1 is valid and has not been used within the unit of time. At this point, the cloud server can perform signature verification according to the first authentication base data and the first signature data in the first access authentication request and the public key, and determine, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes.
If the cloud server determines that the anti-replay check does not pass, Nonce1 is invalid and has already been used within the unit of time. At this point, the cloud server can determine that its access authentication of the vehicle does not pass; the cloud server can directly reject the first access authentication request without performing the signature verification operation, and the flow of the entire access authentication method ends.
Similarly, the second authentication base data may include the second random number (assumed to be Nonce2) and the second timestamp (assumed to be Timestamp2). After the vehicle receives, through the TLS connection channel, the second access authentication request sent by the cloud server, the vehicle can extract Nonce2 and Timestamp2 from the second authentication base data carried in the second access authentication request. The vehicle can then perform an anti-replay check according to Nonce2 and Timestamp2.
If the vehicle determines that the anti-replay check passes, Nonce2 is valid and has not been used within the unit of time. At this point, the vehicle can perform signature verification according to the second authentication base data and the second signature data in the second access authentication request and the private key, and determine, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
If the vehicle determines that the anti-replay check does not pass, Nonce2 is invalid and has already been used within the unit of time. At this point, the vehicle can determine that its access authentication of the cloud server does not pass; the vehicle does not perform the signature verification operation and can also actively disconnect the TLS connection channel between itself and the cloud server, and the flow of the entire access authentication method ends.
It can be seen that, in the embodiments of the present disclosure, during the two-way access authentication of the vehicle and the cloud server, the cloud server can perform an anti-replay check according to Nonce1 and Timestamp1, and the vehicle can perform an anti-replay check according to Nonce2 and Timestamp2. That is, the vehicle and the cloud server perform a two-way anti-replay check, which makes it possible to recognize a replay attack launched by an attacker through network packet capture (for example, packet capture of vehicle data), further guaranteeing the reliability of the two-way access authentication result.
In some embodiments, the second authentication base data includes an encryption result;
After determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes, the method further comprises:
Where the vehicle's access authentication of the cloud server passes, obtaining the encryption result from the second authentication base data;
Decrypting the encryption result using the private key to obtain a key suite;
Performing data communication with the cloud server through the encrypted connection channel using the key suite.
In the embodiments of the present disclosure, while generating the second access authentication request, the cloud server can generate a key suite. The key suite can be used for data communication between the vehicle and the cloud server, and can define the various algorithms used when the vehicle and the cloud server communicate, such as an authentication algorithm, an encryption algorithm, Diffie-Hellman, etc. Specifically, the encryption algorithm defined by the key suite may be the Advanced Encryption Standard (AES) algorithm; it can be understood that AES is a symmetric encryption algorithm.
Next, the cloud server can encrypt the key suite using the public key to obtain the encryption result, and include the obtained encryption result as data in the second authentication base data.
In this way, where the vehicle's access authentication of the cloud server passes, the vehicle can obtain the encryption result from the second authentication base data carried in the second access authentication request. After the vehicle decrypts the encryption result using the private key, the vehicle obtains the key suite. At this point, both the vehicle and the cloud server hold the key suite and can use it for data communication, for example to encrypt and decrypt, or sign and verify, the transmitted data, so as to guarantee the security of the data transmitted between the vehicle and the cloud server.
In a specific implementation, as shown in Fig. 2, the vehicle 210 may include a head-unit gateway 211 and a head-unit application 212; the cloud server 220 may include a cloud gateway 221 and a cloud business system 222; the head-unit gateway 211 and the cloud gateway 221 can be connected through a TLS connection channel 230. It can be understood that the cloud gateway 221 is the outermost module of the cloud server 210 and is responsible for establishing and maintaining the connection with the vehicle 210, receiving the data reported by the head-unit gateway 211, and delivering messages (for example, vehicle control instructions for controlling the vehicle 210 to perform a specific event) to the head-unit gateway 211.
Assuming the vehicle 210 needs to send data to the cloud server 220, the head-unit application 212 can use the key suite to encrypt and sign the data to be sent, and the encrypted and signed result is then sent out by the head-unit gateway 211. In this way, the cloud gateway 211 can receive the corresponding data through the TLS connection channel 230 and forward the received data to the cloud business system 222. The cloud business system 222 can then use the key suite to decrypt the received data and verify its signature. For the process by which the cloud server 220 sends data to the vehicle 210, refer to the process by which the vehicle 210 sends data to the cloud server 220; it is not repeated here.
It can be seen that, in the embodiments of the present disclosure, while the vehicle and the cloud server perform data communication, the security of the transmitted data is guaranteed on the one hand by the key suite and on the other hand by the encrypted connection channel; that is, the security of the transmitted data is guaranteed by a two-layer security policy.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle. The vehicle identifier of the vehicle may be a device identity identifier (i.e. Device ID).
It should be noted that multiple public keys may be stored in the cloud server, each public key corresponding to one vehicle identifier. Where the anti-replay check is performed according to the first random number and the first timestamp and the anti-replay check passes, the cloud server can determine, according to the correspondence between vehicle identifiers and public keys, which of the public keys stored by the cloud server corresponds to the vehicle identifier in the first authentication base data. The cloud server can then perform signature verification according to the first authentication base data and the first signature data in the first access authentication request and the determined public key.
In some embodiments, the first authentication base data may also include the private key ID of the private key stored by the vehicle (i.e. PrivateKeyID).
In the embodiments of the present disclosure, the cloud server can store different public keys for different vehicles and obtain the corresponding public key according to the vehicle identifier in the first authentication base data in order to perform signature verification and the subsequent operations. Even if the public key corresponding to one vehicle is obtained by an attacker, other vehicles are not affected, which guarantees the security of the two-way access authentication procedure.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
Specifically, the vehicle identifier and the private key can be injected into the security chip of the vehicle at the vehicle manufacturing stage. It can be understood that a security chip may also be called an encryption chip; it is a storage chip dedicated to storing confidential information, and it also supports executing encryption and decryption instructions.
In the embodiments of the present disclosure, because the vehicle identifier and the private key are stored in the security chip of the vehicle, an attacker cannot obtain the vehicle identifier and the private key. This prevents the private key from leaking and so guarantees its security, and also prevents an attacker from obtaining the vehicle identifier and then masquerading as the vehicle to send information to the cloud server.
The specific implementation process of the embodiments of the present disclosure is illustrated below with a specific example, with reference to Fig. 3.
As shown in Fig. 3, the cloud server first generates, for a vehicle (the vehicle being any vehicle that needs to perform data communication with the cloud server), an identity identifier Device ID and a corresponding public key and private key. The Device ID and the private key generated by the cloud server for the vehicle can be injected into the security chip of the vehicle at the vehicle manufacturing stage. In addition, the cloud server stores the public key generated for the vehicle and deletes the generated private key, to avoid leakage of the vehicle's private key as a result of an attack on the cloud server.
Before the vehicle and the cloud server perform two-way access authentication, a TCP connection channel can be constructed between the vehicle and the cloud server, and the cloud server can send a signed certificate to the vehicle through the TCP connection channel; the signed certificate is generated based on the cloud server's own root certificate.
After receiving the signed certificate, the vehicle determines whether the signed certificate is valid. If the signed certificate is invalid, the vehicle actively disconnects the TCP connection channel between itself and the cloud server; if the signed certificate is valid, the vehicle constructs a TLS connection channel between itself and the cloud server. Next, the vehicle sends the first access authentication request to the cloud server through the TLS connection channel. The first access authentication request carries the first authentication base data and the first signature data; the first authentication base data includes Device ID, PrivateKeyID, Nonce1 and Timestamp1, and the first signature data is obtained by signing the first authentication base data with the private key (for example, an RSA signature).
After receiving the first access authentication request, the cloud server performs an anti-replay check according to Nonce1 and Timestamp1. Where the anti-replay check does not pass, the cloud server rejects the first access authentication request; where the anti-replay check passes, the cloud server performs signature verification according to the first authentication base data and the first signature data and the public key. Where the signature verification does not pass, the cloud server rejects the first access authentication request; where the signature verification passes, the cloud server generates a key suite, encrypts the key suite using the public key to obtain an encryption result, and sends the second access authentication request to the vehicle through the TLS connection channel. The second access authentication request carries the second authentication base data and the second signature data; the second authentication base data includes the encryption result, Nonce2 and Timestamp2, and the second signature data is obtained by signing the second authentication base data with the public key (for example, an RSA signature).
After receiving the second access authentication request, the vehicle performs an anti-replay check according to Nonce2 and Timestamp2. Where the anti-replay check does not pass, the vehicle rejects the second access authentication request; where the anti-replay check passes, in order to avoid the security risk brought by leakage of the cloud server's own root certificate, the vehicle can perform signature verification according to the second authentication base data and the second signature data and the private key. Where the signature verification does not pass, the vehicle rejects the second access authentication request; where the signature verification passes, the vehicle obtains the encryption result from the second authentication base data carried in the second access authentication request and decrypts the encryption result using the private key to obtain the key suite. The vehicle and the cloud server then perform data communication through the TLS connection channel using the key suite.
In summary, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure can be effectively guaranteed, which effectively avoids leakage of vehicle data and prevents the vehicle from being illegally controlled.
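The cloud-server handling of the first access authentication request described above (anti-replay check on Nonce1 and Timestamp1, then signature verification with the public key stored for the Device ID), as an added Go example that is not part of the patent text. The field encoding, the 60-second window, RSA PKCS#1 v1.5 with SHA-256, and all type and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// FirstAuthRequest: first authentication base data plus signature; names and encoding are assumed.
type FirstAuthRequest struct {
	DeviceID, PrivateKeyID, Nonce1 string
	Timestamp1                     int64 // Unix seconds
	Signature                      []byte
}

// baseData is an unambiguous encoding of the fields covered by the signature.
func (r *FirstAuthRequest) baseData() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q|%d", r.DeviceID, r.PrivateKeyID, r.Nonce1, r.Timestamp1))
}

// NewVehicleKey makes a constructed key pair standing in for the one provisioned at manufacture.
func NewVehicleKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignFirstRequest is the vehicle side: sign the base data with the private key.
// RSA PKCS#1 v1.5 over SHA-256 is an assumed choice; the page only says "RSA signature".
func SignFirstRequest(priv *rsa.PrivateKey, r *FirstAuthRequest) error {
	digest := sha256.Sum256(r.baseData())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	r.Signature = sig
	return err
}

var (
	ErrStale         = errors.New("timestamp outside the freshness window")
	ErrReplay        = errors.New("nonce already used inside the window")
	ErrUnknownDevice = errors.New("no public key stored for this Device ID")
	ErrBadSignature  = errors.New("signature verification failed")
)

// CloudGateway keeps one public key per Device ID and the nonces accepted recently.
type CloudGateway struct {
	mu      sync.Mutex
	window  int64                     // freshness window ("unit of time") in seconds
	PubKeys map[string]*rsa.PublicKey // Device ID -> public key; fill before serving
	seen    map[[2]string]int64       // {Device ID, nonce} -> timestamp of accepted request
}

func NewCloudGateway(window time.Duration) *CloudGateway {
	return &CloudGateway{window: int64(window / time.Second), PubKeys: map[string]*rsa.PublicKey{}, seen: map[[2]string]int64{}}
}

// HandleFirstRequest runs the anti-replay check, then verifies the signature only if it passes.
func (g *CloudGateway) HandleFirstRequest(r *FirstAuthRequest, now time.Time) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	t := now.Unix()
	for k, ts := range g.seen { // evict nonces too old to pass the freshness test anyway
		if t-ts > g.window {
			delete(g.seen, k)
		}
	}
	if d := t - r.Timestamp1; d > g.window || d < -g.window {
		return ErrStale
	}
	k := [2]string{r.DeviceID, r.Nonce1}
	if _, used := g.seen[k]; used {
		return ErrReplay // rejected without running signature verification
	}
	pub, ok := g.PubKeys[r.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	digest := sha256.Sum256(r.baseData())
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature) != nil {
		return ErrBadSignature
	}
	g.seen[k] = r.Timestamp1 // record only verified requests so junk cannot fill the cache
	return nil
}

func main() {
	priv, err := NewVehicleKey()
	if err != nil {
		panic(err)
	}
	g := NewCloudGateway(60 * time.Second)
	g.PubKeys["DEV-0001"] = &priv.PublicKey // constructed Device ID
	now := time.Now()
	req := &FirstAuthRequest{DeviceID: "DEV-0001", PrivateKeyID: "key-01", Nonce1: "5f2c9a", Timestamp1: now.Unix()}
	if err := SignFirstRequest(priv, req); err != nil {
		panic(err)
	}
	fmt.Println(g.HandleFirstRequest(req, now), "/", g.HandleFirstRequest(req, now.Add(5*time.Second)))
}
```

Because a nonce is remembered exactly as long as its timestamp can still pass the freshness test, a captured request is rejected either as a replay (inside the window) or as stale (after it).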
Referring to Fig. 4, a flowchart of the access authentication method provided by an embodiment of the present disclosure is shown. As shown in Fig. 4, the method is applied to a cloud server and comprises the following steps:
Step 401, generate a signed certificate;
Step 402, send the signed certificate to the vehicle;
Step 403, where the vehicle determines that the signed certificate is valid, construct an encrypted connection channel between the cloud server and the vehicle;
Step 404, perform access authentication with the vehicle through the encrypted connection channel.
In some embodiments, performing access authentication with the vehicle through the encrypted connection channel comprises:
Performing two-way access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the cloud server stores a public key;
Performing two-way access authentication with the vehicle through the encrypted connection channel comprises:
Receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle; wherein the first access authentication request carries the first authentication base data and the first signature data;
Performing signature verification according to the first authentication base data and the first signature data in the first access authentication request and the public key, and determining, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
Where the cloud server's access authentication of the vehicle passes, generating the second access authentication request; wherein the second access authentication request carries the second authentication base data and the second signature data, and the second signature data is obtained by the vehicle signing according to the second authentication base data and the public key;
Sending the second access authentication request to the vehicle through the encrypted connection channel.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
After receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle, the method further comprises:
Performing an anti-replay check according to the first random number and the first timestamp, and, where the anti-replay check passes, executing the step of performing signature verification according to the first authentication base data and the first signature data in the first access authentication request and the public key.
In some embodiments, generating the second access authentication request comprises:
Generating a key suite;
Encrypting the key suite using the public key to obtain an encryption result; wherein the second authentication base data of the second access authentication request includes the encryption result;
After sending the second access authentication request to the cloud server through the encrypted connection channel, the method further comprises:
Where the vehicle's access authentication of the cloud server passes, performing data communication with the vehicle through the encrypted connection channel using the key suite.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle, and multiple public keys are stored in the cloud server;
Performing signature verification according to the first authentication base data and the first signature data in the first access authentication request and the public key comprises:
Determining, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
Performing signature verification according to the first authentication base data and the first signature data in the first access authentication request and the determined public key.
In the embodiments of the present disclosure, before the vehicle and the cloud server perform access authentication, the cloud server can send a signed certificate to the vehicle. Next, the vehicle can determine whether the signed certificate is valid, so as to perform certificate authentication on the cloud server. Where the signed certificate is valid, the certificate authentication of the cloud server has passed; at this point an encrypted connection channel can be constructed between the vehicle and the cloud server, and the vehicle and the cloud server can perform access authentication through the encrypted connection channel. It can be seen that, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly: before access authentication, the vehicle performs certificate authentication on the cloud server, and the access authentication procedure is carried out over the encrypted connection channel, so the security of the access authentication procedure can be effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure can be effectively guaranteed, which effectively avoids leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevents the vehicle from being illegally controlled.
Referring to Fig. 5, a structural block diagram of the access authentication device 500 provided by an embodiment of the present disclosure is shown. As shown in Fig. 5, the access authentication device 500 is applied to a vehicle and comprises:
A receiving module 501, configured to receive the signed certificate sent by the cloud server;
A construction module 502, configured to construct an encrypted connection channel between the vehicle and the cloud server where the signed certificate is determined to be valid;
An authentication module 503, configured to perform access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the authentication module is specifically configured to:
Perform two-way access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the vehicle stores a private key;
The authentication module comprises:
A generation unit, configured to generate the first access authentication request; wherein the first access authentication request carries the first authentication base data and the first signature data, and the first signature data is obtained by the vehicle signing according to the first authentication base data and the private key;
A sending unit, configured to send the first access authentication request to the cloud server through the encrypted connection channel;
A receiving unit, configured to receive, through the encrypted connection channel, the second access authentication request sent by the cloud server after the first access authentication request is sent; wherein the second access authentication request carries the second authentication base data and the second signature data;
A processing unit, configured to perform signature verification according to the second authentication base data and the second signature data in the second access authentication request and the private key, and to determine, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
The access authentication device 500 further comprises:
A check module, configured to perform, after the second access authentication request sent by the cloud server is received through the encrypted connection channel, an anti-replay check according to the second random number and the second timestamp, and to trigger the processing unit where the anti-replay check passes.
In some embodiments, the second authentication base data includes an encryption result;
The access authentication device 500 further comprises:
An obtaining module, configured to obtain, after it is determined according to the signature verification result whether the vehicle's access authentication of the cloud server passes, the encryption result from the second authentication base data where the vehicle's access authentication of the cloud server passes;
A decryption module, configured to decrypt the encryption result using the private key to obtain a key suite;
A communication module, configured to perform data communication with the cloud server through the encrypted connection channel using the key suite.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
It can be seen that, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly: before access authentication, the vehicle performs certificate authentication on the cloud server, and the access authentication procedure is carried out over the encrypted connection channel, so the security of the access authentication procedure can be effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure can be effectively guaranteed, which effectively avoids leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevents the vehicle from being illegally controlled.
Referring to Fig. 6, a structural block diagram of the access authentication device 600 provided by an embodiment of the present disclosure is shown. As shown in Fig. 6, the access authentication device 600 is applied to a cloud server and includes:
A generation module 601, configured to generate a signing certificate;
A sending module 602, configured to send the signing certificate to the vehicle;
A construction module 603, configured to construct an encrypted connection channel between the cloud server and the vehicle in the case where the vehicle determines that the signing certificate is legitimate;
An authentication module 604, configured to perform access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the authentication module is specifically configured to:
Perform bilateral authentication with the vehicle through the encrypted connection channel.
In some embodiments, the cloud server stores a public key;
The authentication module includes:
A receiving unit, configured to receive, through the encrypted connection channel, the first access authentication request sent by the vehicle; wherein the first access authentication request carries first authentication base data and first signature data;
A processing unit, configured to perform signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, and to determine, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
A generation unit, configured to generate a second access authentication request in the case where the cloud server's access authentication of the vehicle passes; wherein the second access authentication request carries second authentication base data and second signature data, and the second signature data is obtained by the vehicle signing according to the second authentication base data and the public key;
A sending unit, configured to send the second access authentication request to the vehicle through the encrypted connection channel.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
The access authentication device 600 further includes:
A verification module, configured to, after the first access authentication request sent by the vehicle is received through the encrypted connection channel, perform anti-replay verification according to the first random number and the first timestamp, and trigger the processing unit in the case where the anti-replay verification passes.
In some embodiments, the generation unit includes:
A generation subunit, configured to generate a key suite;
An obtaining subunit, configured to encrypt the key suite using the public key to obtain an encrypted result; wherein the second authentication base data of the second access authentication request includes the encrypted result;
The access authentication device 600 further includes:
A communication module, configured to, after the second access authentication request is sent to the cloud server through the encrypted connection channel, perform data communication with the vehicle through the encrypted connection channel using the key suite, in the case where the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
The processing unit includes:
A determination subunit, configured to determine, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
A signature verification subunit, configured to perform signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the determined public key.
As can be seen, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly. Before access authentication, the vehicle can perform certificate verification on the cloud server, and the access authentication procedure is carried out through the encrypted connection channel, so the security of the access authentication procedure is effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure is effectively guaranteed, which can effectively avoid leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevent the vehicle from being illegally controlled.
Referring to Fig. 7, a flow chart of the access authentication method provided by an embodiment of the present disclosure is shown. As shown in Fig. 7, the method includes the following steps:
Step 701, the cloud server generates a signing certificate;
Step 702, the cloud server sends the signing certificate to the vehicle;
Step 703, the vehicle receives the signing certificate sent by the cloud server;
Step 704, in the case where the vehicle determines that the signing certificate is legitimate, an encrypted connection channel is constructed between the vehicle and the cloud server;
Step 705, the vehicle and the cloud server perform access authentication through the encrypted connection channel.
In some embodiments, the vehicle and the cloud server performing access authentication through the encrypted connection channel includes:
The vehicle and the cloud server perform bilateral authentication through the encrypted connection channel.
In some embodiments, the vehicle stores a private key, and the cloud server stores a public key;
The vehicle and the cloud server performing access authentication through the encrypted connection channel includes:
The vehicle generates a first access authentication request; wherein the first access authentication request carries first authentication base data and first signature data, and the first signature data is obtained by the vehicle signing according to the first authentication base data and the private key;
The vehicle sends the first access authentication request to the cloud server through the encrypted connection channel;
The cloud server receives, through the encrypted connection channel, the first access authentication request sent by the vehicle;
The cloud server performs signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, and determines, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
In the case where the cloud server's access authentication of the vehicle passes, the cloud server generates a second access authentication request; wherein the second access authentication request carries second authentication base data and second signature data, and the second signature data is obtained by the vehicle signing according to the second authentication base data and the public key;
The cloud server sends the second access authentication request to the vehicle through the encrypted connection channel;
The vehicle receives, through the encrypted connection channel, the second access authentication request sent by the cloud server;
The vehicle performs signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key, and determines, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
After the cloud server receives, through the encrypted connection channel, the first access authentication request sent by the vehicle, the method further includes:
The cloud server performs anti-replay verification according to the first random number and the first timestamp, and in the case where the anti-replay verification passes, executes the step in which the cloud server performs signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key;
After the vehicle receives, through the encrypted connection channel, the second access authentication request sent by the cloud server, the method further includes:
The vehicle performs anti-replay verification according to the second random number and the second timestamp, and in the case where the anti-replay verification passes, executes the step in which the vehicle performs signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key.
In some embodiments, the cloud server generating the second access authentication request includes:
The cloud server generates a key suite;
The cloud server encrypts the key suite using the public key to obtain an encrypted result; wherein the second authentication base data of the second access authentication request includes the encrypted result;
After the vehicle performs signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key, and determines, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes, the method further includes:
In the case where the vehicle's access authentication of the cloud server passes, the vehicle obtains the encrypted result from the second authentication base data;
The vehicle decrypts the encrypted result using the private key to obtain the key suite;
The vehicle and the cloud server perform data communication through the encrypted connection channel using the key suite.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
The cloud server performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, includes:
The cloud server determines, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
The cloud server performs signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the determined public key.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
As can be seen, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly. Before access authentication, the vehicle can perform certificate verification on the cloud server, and the access authentication procedure is carried out through the encrypted connection channel, so the security of the access authentication procedure is effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure is effectively guaranteed, which can effectively avoid leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevent the vehicle from being illegally controlled.
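An added example, not part of the patent text: one way the cloud server could order the anti-replay verification (first random number and first timestamp), the public key lookup by vehicle identifier, and the signature verification described in the method above. The field names, the 30-second window, the byte encoding of the base data and the `standin_*` functions (a hash used only so the example runs offline, in place of real public-key signature verification) are assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

MAX_SKEW_SECONDS = 30  # assumed acceptance window; the text gives no value


@dataclass(frozen=True)
class FirstAuthRequest:
    """First access authentication request; field names are assumptions."""
    vehicle_id: str   # vehicle identifier in the first authentication base data
    nonce: bytes      # first random number
    timestamp: int    # first timestamp, seconds since the epoch
    signature: bytes  # first signature data

    def base_data(self) -> bytes:
        # Length-prefix the variable fields so their boundaries cannot shift.
        vid = self.vehicle_id.encode("utf-8")
        return (len(vid).to_bytes(2, "big") + vid
                + len(self.nonce).to_bytes(2, "big") + self.nonce
                + self.timestamp.to_bytes(8, "big"))


class ReplayGuard:
    """Timestamp window plus nonce cache for the anti-replay verification."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS, clock=time.time):
        self.max_skew = max_skew
        self.clock = clock
        self._seen: Dict[Tuple[str, bytes], int] = {}  # key -> expiry time

    def check(self, vehicle_id: str, nonce: bytes, timestamp: int) -> Optional[str]:
        now = self.clock()
        # Drop nonces whose timestamp is already outside the window; the
        # timestamp test rejects those requests, so the cache stays bounded.
        for key in [k for k, expiry in self._seen.items() if expiry < now]:
            del self._seen[key]
        if abs(now - timestamp) > self.max_skew:
            return "stale_timestamp"
        if (vehicle_id, nonce) in self._seen:
            return "replayed_nonce"
        return None

    def remember(self, vehicle_id: str, nonce: bytes, timestamp: int) -> None:
        self._seen[(vehicle_id, nonce)] = timestamp + self.max_skew

    def __len__(self) -> int:
        return len(self._seen)


def handle_first_request(req, public_keys, verify, guard) -> str:
    """Cloud-side order from the text: anti-replay, key lookup, verification."""
    reason = guard.check(req.vehicle_id, req.nonce, req.timestamp)
    if reason is not None:
        return reason                      # verification step is not triggered
    public_key = public_keys.get(req.vehicle_id)
    if public_key is None:
        return "unknown_vehicle"
    if not verify(public_key, req.base_data(), req.signature):
        return "bad_signature"             # nonce is not recorded
    guard.remember(req.vehicle_id, req.nonce, req.timestamp)
    return "accepted"


def standin_sign(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in that only binds a tag to the data so the example
    runs on the standard library. It is not a signature scheme."""
    return hashlib.sha256(key + data).digest()


def standin_verify(key: bytes, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(standin_sign(key, data), signature)


def demo() -> List[str]:
    now = [1000]                                    # constructed clock
    guard = ReplayGuard(clock=lambda: now[0])
    keys = {"VEHICLE-0001": b"constructed-key"}     # constructed enrolment table

    def build(vehicle_id, nonce, ts):
        unsigned = FirstAuthRequest(vehicle_id, nonce, ts, b"")
        key = keys.get(vehicle_id, b"not-enrolled")
        return replace(unsigned, signature=standin_sign(key, unsigned.base_data()))

    def submit(req):
        return handle_first_request(req, keys, standin_verify, guard)

    first = build("VEHICLE-0001", b"\x01" * 16, 1000)
    out = [submit(first)]                                # fresh request
    now[0] = 1005
    out.append(submit(first))                            # same request resent
    now[0] = 1100
    out.append(submit(first))                            # resent after the window
    out.append(submit(replace(first, timestamp=1100)))   # timestamp rewritten
    out.append(submit(build("VEHICLE-9999", b"\x02" * 16, 1100)))  # not enrolled
    out.append(submit(build("VEHICLE-0001", b"\x01" * 16, 1100)))  # new request
    return out


if __name__ == "__main__":
    print(demo())
```

The nonce is recorded only after verification succeeds, so a request with a rewritten timestamp fails on the signature and does not consume a nonce that the enrolled vehicle later uses.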
An embodiment of the present disclosure also provides an access authentication system, which includes the above access authentication device 500 and the above access authentication device 600.
For the related concepts and specific implementations in this embodiment of the present disclosure, reference may be made to the description of the access authentication method in any of the above embodiments, and details are not repeated here.
As can be seen, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly. Before access authentication, the vehicle can perform certificate verification on the cloud server, and the access authentication procedure is carried out through the encrypted connection channel, so the security of the access authentication procedure is effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure is effectively guaranteed, which can effectively avoid leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevent the vehicle from being illegally controlled.
Referring to Fig. 8, a structural schematic diagram of the relevant device 800 provided by an embodiment of the present disclosure is shown. It should be noted that the relevant device 800 may be a vehicle or a cloud server. As shown in Fig. 8, the relevant device 800 includes: a processor 801, a transceiver 802, a memory 803, a user interface 804 and a bus interface.
When the relevant device 800 is a vehicle, the processor 801 is configured to read the program in the memory 803 and execute the following process:
Receive the signing certificate sent by the cloud server;
In the case where the signing certificate is determined to be legitimate, construct an encrypted connection channel between the vehicle and the cloud server;
Perform access authentication with the cloud server through the encrypted connection channel.
In some embodiments, the processor 801 is specifically configured to:
Perform bilateral authentication with the cloud server through the encrypted connection channel.
In some embodiments, the vehicle stores a private key;
The processor 801 is specifically configured to:
Generate a first access authentication request; wherein the first access authentication request carries first authentication base data and first signature data, and the first signature data is obtained by the vehicle signing according to the first authentication base data and the private key;
Send the first access authentication request to the cloud server through the encrypted connection channel;
After the first access authentication request is sent, receive, through the encrypted connection channel, the second access authentication request sent by the cloud server; wherein the second access authentication request carries second authentication base data and second signature data;
Perform signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key, and determine, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
The processor 801 is further configured to:
After the second access authentication request sent by the cloud server is received through the encrypted connection channel, perform anti-replay verification according to the second random number and the second timestamp, and in the case where the anti-replay verification passes, execute the step of performing signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key.
In some embodiments, the second authentication base data includes an encrypted result;
The processor 801 is further configured to:
After it is determined according to the signature verification result whether the vehicle's access authentication of the cloud server passes, obtain the encrypted result from the second authentication base data in the case where the vehicle's access authentication of the cloud server passes;
Decrypt the encrypted result using the private key to obtain a key suite;
Perform data communication with the cloud server through the encrypted connection channel using the key suite.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle.
In some embodiments, the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
When the relevant device 800 is a cloud server, the processor 801 is configured to read the program in the memory 803 and execute the following process:
Generate a signing certificate;
Send the signing certificate to the vehicle;
In the case where the vehicle determines that the signing certificate is legitimate, construct an encrypted connection channel between the cloud server and the vehicle;
Perform access authentication with the vehicle through the encrypted connection channel.
In some embodiments, the processor 801 is specifically configured to:
Perform bilateral authentication with the vehicle through the encrypted connection channel.
In some embodiments, the cloud server stores a public key;
The processor 801 is specifically configured to:
Receive, through the encrypted connection channel, the first access authentication request sent by the vehicle; wherein the first access authentication request carries first authentication base data and first signature data;
Perform signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, and determine, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
In the case where the cloud server's access authentication of the vehicle passes, generate a second access authentication request; wherein the second access authentication request carries second authentication base data and second signature data, and the second signature data is obtained by the vehicle signing according to the second authentication base data and the public key;
Send the second access authentication request to the cloud server through the encrypted connection channel.
In some embodiments, the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
The processor 801 is further configured to:
Perform anti-replay verification according to the first random number and the first timestamp, and in the case where the anti-replay verification passes, execute the step of performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key.
In some embodiments, the processor 801 is specifically configured to:
Generate a key suite;
Encrypt the key suite using the public key to obtain an encrypted result; wherein the second authentication base data of the second access authentication request includes the encrypted result;
The processor 801 is further configured to:
After the second access authentication request is sent to the cloud server through the encrypted connection channel, perform data communication with the vehicle through the encrypted connection channel using the key suite, in the case where the vehicle's access authentication of the cloud server passes.
In some embodiments, the first authentication base data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
The processor 801 is specifically configured to:
Determine, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
Perform signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the determined public key.
In Fig. 8, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits including one or more processors represented by the processor 801 and memory represented by the memory 803. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 802 may be multiple elements, including a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium. For different user equipment, the user interface 804 may also be an interface capable of connecting externally or internally to required equipment, and the connected equipment includes but is not limited to a keypad, a display, a loudspeaker, a microphone, a joystick, etc.
The processor 801 is responsible for managing the bus architecture and general processing, and the memory 803 can store data used by the processor 801 when performing operations.
As can be seen, in the embodiments of the present disclosure, the vehicle and the cloud server do not perform access authentication directly. Before access authentication, the vehicle can perform certificate verification on the cloud server, and the access authentication procedure is carried out through the encrypted connection channel, so the security of the access authentication procedure is effectively guaranteed. Therefore, compared with the prior art, the security of the access authentication mode provided by the embodiments of the present disclosure is effectively guaranteed, which can effectively avoid leakage of vehicle data (such as vehicle speed data, door status data, network signal strength data, GPS data, etc.) and prevent the vehicle from being illegally controlled.
An embodiment of the present disclosure also provides a relevant device, including a processor 801, a memory 803, and a computer program stored on the memory 803 and executable on the processor 801. When executed by the processor 801, the computer program implements each process of the above access authentication method embodiment applied to the vehicle, or each process of the above access authentication method embodiment applied to the cloud server, and can achieve the same technical effect; to avoid repetition, details are not described here again.
An embodiment of the present disclosure also provides a computer readable storage medium on which a computer program is stored. When executed by the processor 801, the computer program implements each process of the above access authentication method embodiment applied to the vehicle, or each process of the above access authentication method embodiment applied to the cloud server, and can achieve the same technical effect; to avoid repetition, details are not described here again. The computer readable storage medium is, for example, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), a magnetic disk or an optical disk.
The above are only specific embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed herein shall be covered by the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (28)

1. An access authentication method, characterized in that it is applied to a vehicle, the method comprising:
Receiving the signing certificate sent by a cloud server;
In the case where the signing certificate is determined to be legitimate, constructing an encrypted connection channel between the vehicle and the cloud server;
Performing access authentication with the cloud server through the encrypted connection channel.
2. The method according to claim 1, characterized in that the performing access authentication with the cloud server through the encrypted connection channel comprises:
Performing bilateral authentication with the cloud server through the encrypted connection channel.
3. The method according to claim 2, characterized in that the vehicle stores a private key;
The performing bilateral authentication with the cloud server through the encrypted connection channel comprises:
Generating a first access authentication request; wherein the first access authentication request carries first authentication base data and first signature data, and the first signature data is obtained by the vehicle signing according to the first authentication base data and the private key;
Sending the first access authentication request to the cloud server through the encrypted connection channel;
After the first access authentication request is sent, receiving, through the encrypted connection channel, the second access authentication request sent by the cloud server; wherein the second access authentication request carries second authentication base data and second signature data;
Performing signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key, and determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes.
4. The method according to claim 3, characterized in that the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
After the receiving, through the encrypted connection channel, the second access authentication request sent by the cloud server, the method further comprises:
Performing anti-replay verification according to the second random number and the second timestamp, and in the case where the anti-replay verification passes, executing the step of performing signature verification according to the second authentication base data and the second signature data in the second access authentication request, and the private key.
5. The method according to claim 3, characterized in that the second authentication base data includes an encrypted result;
After the determining, according to the signature verification result, whether the vehicle's access authentication of the cloud server passes, the method further comprises:
In the case where the vehicle's access authentication of the cloud server passes, obtaining the encrypted result from the second authentication base data;
Decrypting the encrypted result using the private key to obtain a key suite;
Performing data communication with the cloud server through the encrypted connection channel using the key suite.
6. The method according to claim 3, characterized in that the first authentication base data includes the vehicle identifier of the vehicle.
7. The method according to claim 6, characterized in that the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
8. An access authentication method, characterized in that it is applied to a cloud server, the method comprising:
Generating a signing certificate;
Sending the signing certificate to a vehicle;
In the case where the vehicle determines that the signing certificate is legitimate, constructing an encrypted connection channel between the cloud server and the vehicle;
Performing access authentication with the vehicle through the encrypted connection channel.
9. The method according to claim 8, characterized in that the performing access authentication with the vehicle through the encrypted connection channel comprises:
Performing bilateral authentication with the vehicle through the encrypted connection channel.
10. The method according to claim 9, characterized in that the cloud server stores a public key;
The performing bilateral authentication with the vehicle through the encrypted connection channel comprises:
Receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle; wherein the first access authentication request carries first authentication base data and first signature data;
Performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, and determining, according to the signature verification result, whether the cloud server's access authentication of the vehicle passes;
In the case where the cloud server's access authentication of the vehicle passes, generating a second access authentication request; wherein the second access authentication request carries second authentication base data and second signature data, and the second signature data is obtained by the vehicle signing according to the second authentication base data and the public key;
Sending the second access authentication request to the cloud server through the encrypted connection channel.
11. The method according to claim 10, characterized in that the first authentication base data includes a first random number and a first timestamp, and the second authentication base data includes a second random number and a second timestamp;
After the receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle, the method further comprises:
Performing anti-replay verification according to the first random number and the first timestamp, and in the case where the anti-replay verification passes, executing the step of performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key.
12. The method according to claim 10, characterized in that the generating a second access authentication request comprises:
Generating a key suite;
Encrypting the key suite using the public key to obtain an encrypted result; wherein the second authentication base data of the second access authentication request includes the encrypted result;
After the sending the second access authentication request to the cloud server through the encrypted connection channel, the method further comprises:
In the case where the vehicle's access authentication of the cloud server passes, performing data communication with the vehicle through the encrypted connection channel using the key suite.
13. The method according to claim 10, characterized in that the first authentication base data includes the vehicle identifier of the vehicle, and the cloud server stores multiple public keys;
The performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the public key, comprises:
Determining, among the public keys stored by the cloud server, the public key corresponding to the vehicle identifier;
Performing signature verification according to the first authentication base data and the first signature data in the first access authentication request, and the determined public key.
14. An access authentication device, characterized in that it is applied to a vehicle, the device comprising:
a receiving module, for receiving the signature certificate sent by the Cloud Server;
a building module, for building an encrypted connection channel between the vehicle and the Cloud Server if the signature certificate is determined to be valid;
an authentication module, for performing access authentication with the Cloud Server through the encrypted connection channel.
15. The device according to claim 14, characterized in that the authentication module is specifically configured to:
perform two-way authentication with the Cloud Server through the encrypted connection channel.
16. The device according to claim 15, characterized in that the vehicle stores a private key;
the authentication module comprises:
a generation unit, for generating a first access authentication request, wherein the first access authentication request carries first authentication basic data and first signature data, the first signature data being obtained by the vehicle signing according to the first authentication basic data and the private key;
a sending unit, for sending the first access authentication request to the Cloud Server through the encrypted connection channel;
a receiving unit, for receiving, through the encrypted connection channel and after the first access authentication request has been sent, the second access authentication request sent by the Cloud Server, wherein the second access authentication request carries second authentication basic data and second signature data;
a processing unit, for performing signature verification according to the second authentication basic data and the second signature data in the second access authentication request and the private key, and determining, according to the signature verification result, whether the vehicle's access authentication of the Cloud Server passes.
17. The device according to claim 16, characterized in that the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
the device further comprises:
a checking module, for, after the second access authentication request sent by the Cloud Server is received through the encrypted connection channel, performing an anti-replay check according to the second random number and the second timestamp, and triggering the processing unit if the anti-replay check passes.
18. The device according to claim 16, characterized in that the second authentication basic data includes an encryption result;
the device further comprises:
an obtaining module, for, after it is determined according to the signature verification result whether the vehicle's access authentication of the Cloud Server passes, obtaining the encryption result from the second authentication basic data if the vehicle's access authentication of the Cloud Server passes;
a decryption module, for decrypting the encryption result with the private key to obtain a key suite;
a communication module, for performing data communication with the Cloud Server through the encrypted connection channel using the key suite.
19. The device according to claim 16, characterized in that the first authentication basic data includes the vehicle identifier of the vehicle.
20. The device according to claim 19, characterized in that the vehicle includes a security chip, and the vehicle identifier and the private key are stored in the security chip.
21. An access authentication device, characterized in that it is applied to a Cloud Server, the device comprising:
a generation module, for generating a signature certificate;
a sending module, for sending the signature certificate to a vehicle;
a building module, for building an encrypted connection channel between the Cloud Server and the vehicle if the vehicle determines that the signature certificate is valid;
an authentication module, for performing access authentication with the vehicle through the encrypted connection channel.
22. The device according to claim 21, characterized in that the authentication module is specifically configured to:
perform two-way authentication with the vehicle through the encrypted connection channel.
23. The device according to claim 22, characterized in that the Cloud Server stores a public key;
the authentication module comprises:
a receiving unit, for receiving, through the encrypted connection channel, the first access authentication request sent by the vehicle, wherein the first access authentication request carries first authentication basic data and first signature data;
a processing unit, for performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the public key, and determining, according to the signature verification result, whether the Cloud Server's access authentication of the vehicle passes;
a generation unit, for generating a second access authentication request if the Cloud Server's access authentication of the vehicle passes, wherein the second access authentication request carries second authentication basic data and second signature data, the second signature data being obtained by the vehicle signing according to the second authentication basic data and the public key;
a sending unit, for sending the second access authentication request to the Cloud Server through the encrypted connection channel.
24. The device according to claim 23, characterized in that the first authentication basic data includes a first random number and a first timestamp, and the second authentication basic data includes a second random number and a second timestamp;
the device further comprises:
a checking module, for, after the first access authentication request sent by the vehicle is received through the encrypted connection channel, performing an anti-replay check according to the first random number and the first timestamp, and triggering the processing unit if the anti-replay check passes.
25. The device according to claim 23, characterized in that the generation unit comprises:
a generating subunit, for generating a key suite;
an obtaining subunit, for encrypting the key suite with the public key to obtain an encryption result, wherein the second authentication basic data of the second access authentication request includes the encryption result;
the device further comprises:
a communication module, for, after the second access authentication request is sent to the Cloud Server through the encrypted connection channel, performing data communication with the vehicle through the encrypted connection channel using the key suite if the vehicle's access authentication of the Cloud Server passes.
26. The device according to claim 23, characterized in that the first authentication basic data includes the vehicle identifier of the vehicle, and multiple public keys are stored in the Cloud Server;
the processing unit comprises:
a determining subunit, for determining, among the public keys stored in the Cloud Server, the public key corresponding to the vehicle identifier;
a signature verification subunit, for performing signature verification according to the first authentication basic data and the first signature data in the first access authentication request and the determined public key.
27. A relevant device, characterized by comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the access authentication method according to any one of claims 1 to 13.
28. A computer readable storage medium, characterized in that a computer program is stored on the computer readable storage medium, and the computer program, when executed by a processor, implements the steps of the access authentication method according to any one of claims 1 to 13.
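The claims above make the anti-replay check on the random number and timestamp a precondition for signature verification (claims 11, 17 and 24) and select the public key by vehicle identifier (claims 13 and 26). The following Python is an added example of the Cloud Server side of that ordering, not code from the patent. The class and function names, the 30-second window, the 16-byte minimum random number, the caller-supplied `verify_signature` callable, and the choice to record a random number only after its signature verifies are all assumptions of this example.

```python
import struct
import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessAuthRequest:
    vehicle_id: str    # vehicle identifier (claims 13 and 26)
    nonce: bytes       # the "first random number"
    timestamp: float   # the "first timestamp", seconds since the epoch
    signature: bytes   # the "first signature data"

    def signed_bytes(self) -> bytes:
        """Length-prefixed encoding of the authentication basic data, so the
        signature covers the identifier, the nonce and the timestamp."""
        vid = self.vehicle_id.encode()
        return (struct.pack(">H", len(vid)) + vid +
                struct.pack(">H", len(self.nonce)) + self.nonce +
                struct.pack(">d", self.timestamp))


class ReplayGuard:
    """Remembers accepted (vehicle, nonce) pairs for as long as their timestamp
    could still fall inside the acceptance window."""

    def __init__(self, window_s=30.0, max_entries=100_000, clock=time.time):
        self.window_s, self.max_entries, self._clock = window_s, max_entries, clock
        self._seen = OrderedDict()   # (vehicle_id, nonce) -> expiry time

    def check(self, req):
        now = self._clock()
        while self._seen and next(iter(self._seen.values())) < now:
            self._seen.popitem(last=False)          # drop expired entries
        if len(req.nonce) < 16:
            return "nonce_too_short"
        if abs(now - req.timestamp) > self.window_s:
            return "stale_timestamp"
        if (req.vehicle_id, req.nonce) in self._seen:
            return "nonce_reused"
        if len(self._seen) >= self.max_entries:
            return "cache_full"                     # fail closed, never forget early
        return None

    def commit(self, req):
        # Expiry of now + 2*window outlives the last moment the timestamp is valid.
        self._seen[(req.vehicle_id, req.nonce)] = self._clock() + 2 * self.window_s


def handle_first_request(req, guard, public_keys, verify_signature):
    """Returns (accepted, reason). verify_signature(key, message, signature) is a
    caller-supplied asymmetric verifier (assumption; no algorithm is fixed here)."""
    reason = guard.check(req)                       # anti-replay check comes first
    if reason:
        return False, reason
    key = public_keys.get(req.vehicle_id)           # per-vehicle key lookup
    if key is None:
        return False, "unknown_vehicle"
    if not verify_signature(key, req.signed_bytes(), req.signature):
        return False, "bad_signature"
    guard.commit(req)   # record only authenticated nonces, so junk cannot fill the cache
    return True, "ok"
```

The guard is single-threaded as written; a server handling requests concurrently would need to make `check` and `commit` one atomic step per request.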
CN201811049884.4A 2018-09-10 2018-09-10 Access authentication method, device, relevant device and computer readable storage medium Pending CN109495441A (en)

Publications (1)

Publication Number Publication Date
CN109495441A true CN109495441A (en) 2019-03-19

Family

ID=65689586

Country Status (1)

Country Link
CN (1) CN109495441A (en)

Patent Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431415A (en) * 2008-12-12 2009-05-13 天柏宽带网络科技(北京)有限公司 Bidirectional authentication method
CN105491070A (en) * 2010-11-06 2016-04-13 高通股份有限公司 Authentication in secure user plane location (supl) systems
CN103477666A (en) * 2011-03-31 2013-12-25 英特尔公司 Connecting mobile devices, Internet-connected vehicles, and cloud services
CN103687744A (en) * 2011-07-23 2014-03-26 大众汽车有限公司 Method for operating a mobile device by means of a motor vehicle
CN102325320A (en) * 2011-09-14 2012-01-18 北京握奇数据系统有限公司 A kind of wireless security communication means and system
CN103312691A (en) * 2013-04-19 2013-09-18 无锡成电科大科技发展有限公司 Method and system for authenticating and accessing cloud platform
US20160162879A1 (en) * 2013-07-24 2016-06-09 Datong MU Electronic payment system and remote or near-field payment method
CN105592051A (en) * 2015-09-08 2016-05-18 杭州华三通信技术有限公司 Secure socket layer SSL session establishment method and device
CN106713237A (en) * 2015-11-16 2017-05-24 厦门雅迅网络股份有限公司 Encryption method of vehicle-mounted terminal and center platform communication
CN107145324A (en) * 2016-03-01 2017-09-08 福特全球技术公司 Secure tunnel for the application safety of connection
CN106161477A (en) * 2016-09-19 2016-11-23 上海迅行易汽车租赁有限公司 A kind of communication system of end to end security
CN106453269A (en) * 2016-09-21 2017-02-22 东软集团股份有限公司 Internet of Vehicles safety communication method, vehicle-mounted terminal, server and system
CN108206739A (en) * 2016-12-16 2018-06-26 乐视汽车(北京)有限公司 Key generation method and device
CN108322488A (en) * 2017-01-16 2018-07-24 广州市联奥信息科技有限公司 The system that trust data is shared and distributes is realized in multiple car networkings
CN107483459A (en) * 2017-08-29 2017-12-15 四川长虹电器股份有限公司 The interface protection method of anti-replay-attack
CN108243181A (en) * 2017-10-09 2018-07-03 北京车和家信息技术有限公司 A kind of car networking terminal, data ciphering method and car networking server
CN107749171A (en) * 2017-12-07 2018-03-02 大陆汽车投资(上海)有限公司 Vehicle monitoring method
CN108206996A (en) * 2017-12-08 2018-06-26 中兴通讯股份有限公司 Auth method and device
CN107919955A (en) * 2017-12-28 2018-04-17 北京奇虎科技有限公司 A kind of vehicle network safety certifying method, system, vehicle, device and medium
CN108243259A (en) * 2018-02-08 2018-07-03 北京车和家信息技术有限公司 Transmission method, the apparatus and system of car networking data
CN108471351A (en) * 2018-06-27 2018-08-31 西南交通大学 Car networking certifiede-mail protocol method based on no certificate aggregate signature

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021051852A1 (en) * 2019-09-19 2021-03-25 华为技术有限公司 Device authentication method and apparatus
US11392685B2 (en) 2019-09-19 2022-07-19 Huawei Technologies Co., Ltd. Device authentication method and apparatus
CN111163091A (en) * 2019-12-30 2020-05-15 上海博泰悦臻网络技术服务有限公司 Cloud server of Bluetooth key and communication method thereof
WO2021143178A1 (en) * 2020-01-14 2021-07-22 华为技术有限公司 Vehicle-mounted sensor authentication method, apparatus, and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190319
