CN109617675B - Method and system for authenticating identifiers of both sides between charge and discharge facility and user terminal - Google Patents

Abstract

The invention relates to a method and a system for authenticating identifiers of both sides between a charging and discharging facility and a user, wherein the method comprises the following steps: generating identity codes of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side, generating public keys and private keys of the charging and discharging facilities and the user side according to the identity codes, further utilizing the public keys and the private keys to conduct bidirectional authentication between the charging and discharging facilities and the user side, determining unique public keys and private keys by utilizing identity codes of authentication entities based on the technical scheme, enabling the identity authentication to be established on the technical basis of identity encryption, effectively guaranteeing data transmission safety in the identity authentication process, simultaneously being applicable to offline encryption identity authentication between the charging and discharging facilities and users or terminal equipment, and improving universality.

Description

Method and system for authenticating identifiers of both sides between charge and discharge facility and user terminal

Technical Field

The invention relates to the field of safety authentication of new energy automobiles, in particular to a method and a system for authenticating identifiers of both sides between a charging and discharging facility and a user.

Background

The technology of new energy automobiles gradually develops to intelligent and pure electric drive, the number of registered users connected to an Internet of vehicles service platform built based on a power grid is continuously and greatly increased, and in order to meet the requirements of increasingly-growing users, more and more charging and discharging facilities are connected to the platform; therefore, the requirements for realizing the identity authentication technology between the charging and discharging facilities and the user side are also higher and higher.

The existing new energy automobile authentication mainly adopts the following method: the identity of a user is authenticated by swiping a specific charging card on a charging and discharging facility, and the identity authentication is performed by scanning a two-dimensional code on the charging and discharging facility through a mobile phone app; the charging card mode supports offline transaction charging of charging and discharging facilities, but the charging cards of different manufacturers and the charging and discharging facilities cannot mutually authenticate, so that users cannot use the charging card mode conveniently, authentication between the charging and discharging facilities and the charging cards can be realized, authentication between the charging and discharging facilities and the electric automobile cannot be realized, in addition, an authentication cipher algorithm of the charging card mode is a symmetric key algorithm, key management is complex, card reading equipment and a PSAM card are required to be additionally arranged on the charging and discharging facilities, and cost is high; the mobile phone app mode, a background service system of recharging service must guarantee online, and can not carry out charging authorization under offline environment only through mobile phone app authentication authorization, and the authentication mode must scan two-dimension codes on charging and discharging facilities, extract charging and discharging facility label information in the two-dimension codes, then send the two-dimension codes to the background service system together with own user name and password to authenticate identity, and no effective communication safety protection guarantee exists, in addition, a display screen is required to be additionally arranged on the charging and discharging facilities, so that the fault rate and the cost are high; the current new energy automobile authentication communication technology adopts a method that a control chip in charging pile equipment communicates with an ESAM chip through a GPIO interface and communicates with a metering and charging terminal of the charging pile equipment through a UART interface, but the method can only ensure that the complete communication between the inside of the charging pile and the charging terminal is realized, the identity authentication between the charging pile and a vehicle/user cannot be realized, and the communication safety in the authentication process cannot be ensured.

Disclosure of Invention

The invention provides a method and a system for authenticating two-party identifiers between a charge and discharge facility and a user, which aim to generate a public key and a private key of an identity authentication entity by using an identifier encryption technology, and realize bidirectional identity authentication between the multi-party authentication entities based on the generated public key and private key transmission authentication information, thereby effectively ensuring the security of authentication information transmission, being applicable to various identity authentication entities in the field of new energy automobiles and reducing the complexity and cost of authentication operation.

The invention aims at adopting the following technical scheme:

in a method for authenticating a two-party identity between a charging and discharging facility and a user, the improvement comprising:

respectively generating identity codes of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal;

generating public keys and private keys of the charging and discharging facilities and the user according to the identity codes of the charging and discharging facilities and the user;

and performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user.

Preferably, the client includes: electric automobile, mobile terminal and application platform.

Further, the identity of the charging and discharging facility is a charging and discharging facility equipment number, the identity of the electric automobile is a VIN (vehicle identification number), the identity of the mobile terminal is an IMEI (international mobile equipment identity) code, and the identity of the application platform is a platform name identification number.

Further, generating the identity codes of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal, including:

(1) The transcoding result of the version number is determined as follows:

(m+2)*16+n

wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

Wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

the transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, and z >9 takes a value of 1, otherwise, 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding mode characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters;

Preferably, the generating the public key and the private key of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal includes:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

Preferably, the bidirectional authentication between the charging and discharging facility and the user terminal by using the public key and the private key of the charging and discharging facility and the user terminal includes:

the charging and discharging facility generates facility random numbers and sends charging and discharging facility data to a user side, wherein the charging and discharging facility data comprises facility random numbers, public keys of charging and discharging facilities and current time information;

after receiving the charging and discharging facility data sent by the charging and discharging facility, the user side generates a user side random number, digitally signs the charging and discharging facility data, and returns a signature value, a public key of the user side, the user side random number, the facility random number and current time information as user side response information to the charging and discharging facility;

After receiving the user terminal response information returned by the user terminal, the charging and discharging facility verifies the received signature value of the user terminal by using the public key of the user terminal, and verifies the validity of the user terminal response information; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

the charging and discharging facilities randomly generate key seeds, a public key of a user side is used for encrypting the key seeds to obtain key seed ciphertexts, a second digital signature is made by using the facility random number of the user side, the public key of the charging and discharging facilities and the current time information, and charging and discharging facility data are sent to the user side, wherein the charging and discharging facility data comprise a second digital signature value, the key seed ciphertexts, the facility random number, the public key of the charging and discharging facilities and the current time information;

after receiving the charging and discharging facility data sent by the charging and discharging facility, the user terminal verifies the validity of the charging and discharging facility data, if the charging and discharging facility data passes the verification, a secret key seed ciphertext is decrypted by using an authentication private key of the user terminal, a secret key seed in a plaintext state is obtained, the charging and discharging facility and the user terminal conduct secret key derivation according to the secret key seed in the plaintext state to obtain an encrypted communication session secret key, and the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session secret key, otherwise, the authentication process and the connection are interrupted.

In a dual party identification authentication system between a charge and discharge facility and a user, the improvement comprising:

the coding module is used for generating identity codes of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side respectively;

the key generation module is used for generating public keys and private keys of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side;

and the authentication module is used for performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user.

Preferably, the client includes: electric automobile, mobile terminal and application platform.

Further, the identity of the charging and discharging facility is a charging and discharging facility equipment number, the identity of the electric automobile is a VIN (vehicle identification number), the identity of the mobile terminal is an IMEI (international mobile equipment identity) code, and the identity of the application platform is a platform name identification number.

Preferably, the encoding module is configured to:

(1) The transcoding result of the version number is determined as follows:

(m+2)*16+n

wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

The transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, and z >9 takes a value of 1, otherwise, 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters.

Preferably, the key generation module is configured to:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

Preferably, the authentication module includes: a charging and discharging facility authentication unit and a user authentication unit;

the charging and discharging facility authentication unit generates a charging and discharging facility random number and sends charging and discharging facility data to the user side, wherein the charging and discharging facility data comprises the facility random number, a public key of the charging and discharging facility and current time information;

after receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit generates a user side random number, digitally signs the charging and discharging facility data, and returns a signature value, a public key of the user side, the user side random number, the facility random number and current time information as user side response information to the charging and discharging facility authentication unit;

after receiving the response information returned by the user side authentication unit, the charging and discharging facility authentication unit verifies the received signature value of the user side by using the public key of the user side, and verifies the validity of the response information of the user side; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

the charging and discharging facility authentication unit randomly generates a key seed, encrypts the key seed by using a public key of the user side to obtain a key seed ciphertext, uses a facility random number of the user side, the public key of the charging and discharging facility and current time information to make a second digital signature, and transmits charging and discharging facility data to the user side, wherein the charging and discharging facility data comprises a second digital signature value, the key seed ciphertext, the facility random number, the public key of the charging and discharging facility and the current time information to the user side authentication unit;

After receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit verifies the validity of the charging and discharging facility data, if the verification is passed, a secret key seed ciphertext is decrypted by using an authentication private key of the user side authentication unit to obtain a secret key seed in a plaintext state, the charging and discharging facility and the user side conduct secret key derivation according to the secret key seed in the plaintext state to obtain an encrypted communication session key, and the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session key, otherwise, the authentication process and the connection are interrupted.

Compared with the closest prior art, the invention has the following beneficial effects:

by adopting the technical scheme of the invention, the identity codes of the charge-discharge facility and the user terminal are generated according to the identity marks of the charge-discharge facility and the user terminal, and then the public key and the private key of the charge-discharge facility and the user terminal are generated according to the identity codes, namely the public key and the private key for identity authentication are generated by a method of an identity key system, so that the safety and the reliability of authentication data transmission in the identity authentication process are ensured; and the public key and the private key are utilized to perform bidirectional authentication between the charging and discharging facilities and the user, so that the problems that the operation is complex, the cost is high, the offline environment is not feasible and the charging and discharging facilities and the metering and charging terminal are only limited in the traditional authentication method are solved, the bidirectional authentication among various authentication entities in the field of new energy automobiles can be realized, and the authentication universality and the authentication efficiency are effectively improved.

Drawings

FIG. 1 is a flow chart of a method for authenticating two-party identification between a charging and discharging device and a user according to an embodiment of the present invention;

fig. 2 is a detailed operation diagram of a method for authenticating both parties between a charging and discharging device and a user according to an embodiment of the present invention;

FIG. 3 is a diagram of an authentication network for a method for authenticating identity between a charging and discharging device and a user according to an embodiment of the present invention;

fig. 4 is a schematic diagram of a configuration of a two-party identification authentication system between a charging and discharging device and a user according to an embodiment of the present invention.

Detailed Description

The following detailed description of specific embodiments of the invention refers to the accompanying drawings.

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

According to the technical scheme, an identification password algorithm based on a national password SM9 algorithm is adopted to realize an authentication password system of multiparty identification, and meanwhile, the aims of bidirectional authentication, key management and encryption transmission between a charging and discharging facility, an electric vehicle and a mobile terminal in an offline scene based on an authentication negotiation mechanism can be achieved. Based on the technical targets, the technical scheme of the invention combines the ideas of management centering and application decentralization, and follows the SM9 algorithm standard of national security, thereby constructing a multiparty identification management and authentication model; through the set unified identification coding rule, the semantic problem of the user public key in the SM9 algorithm is solved, and identity authentication applicable to various authentication entities and application environments is further realized.

The invention provides a method and a system for authenticating identifiers of both sides between a charging and discharging facility and a user, which are described below.

Embodiment one:

fig. 1 shows a flowchart of a method for authenticating identifiers of both sides between a charging and discharging facility and a user in an embodiment of the present invention, and as shown in fig. 1, the method may include:

101. respectively generating identity codes of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal;

102. generating public keys and private keys of the charging and discharging facilities and the user according to the identity codes of the charging and discharging facilities and the user;

103. and performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user.

Wherein, the user side may include: electric automobile, mobile terminal and application platform.

The identity of the charging and discharging facility is a charging and discharging facility equipment number (serial number, 6 digits), the identity of the electric automobile is a VIN (license plate number, 24 digits in total) identification code, the identity of the mobile terminal is an IMEI code (or other mobile phone inherent information), and the identity of the application platform is a platform name identification code.

The invention unifies the identification rules of charging and discharging facilities, electric vehicles and users, and is convenient for grading, classifying and domain-dividing management of the identifications;

The unified identification coding rule is suitable for coding rules of various main bodies in the system, provides unique identification for users, and provides a Code64 transcoding method for transcoding the unique identification to convert the unique identification into printable characters;

specifically, the generating the identification codes of the charging and discharging facility and the user terminal according to the identification of the charging and discharging facility and the user terminal may include:

(1) The transcoding result of the version number is determined as follows:

(m+2)*16+n

wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

the transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, and z >9 takes a value of 1, otherwise, 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding mode characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters;

before acquiring the length character of the identification code, the method may include:

acquiring the total length of the current identity code, if the length is not a multiple of 4, filling the insufficient part with '=' or directly acquiring the length character of the identity code without supplementing; the identification coding rules are shown in table 1:

TABLE 1 identification code character configuration rule List

Wherein, code64 transcoding rules are as shown in Table 2:

table 2.Code64 transcoding rules table

The specific transcoding mode is as follows:

#define Code64_switch61(x)(x>61)？(‘*’+(x)-62):(‘a’+(x)-36)

#define Code64_switch35(x)(x>35)？(Code64_switch61(x)):(‘A’+(x)-10)

#define Code64_switch9(x) (x>9)？(Code64_switch35(x)):(‘0’+(x))

#define Code64(x) (x)？(Code64_switch9(x)):(‘@’)

the pad character is set to '='.

If the identification code of the charging and discharging facility i is: 1VA7 43CV 4205100000000001 11s1; the correspondence of the one character with the charge-discharge setting i information is as follows:

version number character 1: the current version is V1.1;

the type character is V: a charging and discharging facility;

the coding mode character is A: ascii encoding;

the length character is 7: total length 28 bytes;

the expiration date character is 43CV: expiration date 2099-12-31;

the identity character is 4205100000000001: the equipment number of the charging and discharging facility i is 4205100000000001;

The root key generation center reference character is 11: the root key generation center is numbered 11;

CRC12 CODE of check character s1:1VA7 43CV 4205100000000001 11 is 0xD981, the front 6bit is 0x36, the back 6bit is 0x01, and the CODE64 is transcoded into s1;

the charge and discharge facility identity code belongs to a device identity, and can contain the following fields except for necessary fields of a code rule:

a) Geographic information (the code of the urban area of the people's republic of China (GB/T2260-2007), 6 digits);

fig. 2 is a detailed operation flow chart of a method for identifying and authenticating two parties between a charge and discharge facility and a user in an embodiment of the present invention, and as shown in fig. 2, a key management mode of a multi-level domain is constructed based on a hierarchical public key trust mechanism proposed by the present invention, so as to implement flattening of a key management mechanism and support identity authentication across security domains.

Establishing a hierarchical identification key management system; designing a key management hierarchical structure according to the application scene requirement; based on the hierarchical public key trust mechanism based on the SM9 algorithm, a root Key Generation Center (KGC) and each subordinate key generation center are built, and trust relations are built.

The root key generation center is a key generation center corresponding to the main power grid, the subordinate key generation center comprises a charge-discharge facility operator key generation center, a charge-discharge platform operator key generation center, an electric automobile manufacturer key generation center and the like, after each key generation center receives an identification application of a corresponding authentication entity, a public key of the authentication entity is generated according to identity codes of the charge-discharge facility and a user side, and is distributed to the corresponding authentication entity, and then a corresponding private key is generated according to the public key;

Specifically, the generating the public key and the private key of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal may include:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

Fig. 3 is a diagram showing an authentication network structure of a two-party identification authentication method between a charging and discharging device and a user according to an embodiment of the present invention, and as shown in fig. 3, a charging and discharging device including an SE security chip and an electric vehicle are connected to each other through a PLC, a CAN bus, or an ethernet; the charging and discharging device and the mobile terminal are connected with each other through Bluetooth or NFC;

before the charge and discharge facility and the public key and the private key of the user are utilized to carry out the bidirectional authentication between the charge and discharge facility and the user, the method can comprise the following steps: the charging and discharging facility, the electric automobile and the mobile terminal are initialized as follows:

the charging and discharging facility operator KGC center issues an identification code PointID (SM 9 public key), an SM9 encryption and decryption private key and a signature private key to the charging and discharging facility, and stores the PointID, the SM9 encryption and decryption private key and the signature private key into the SE security chip.

The KGC center of the electric automobile manufacturer issues identification information UserID1 (SM 9 public key), SM9 encryption and decryption private key and signature private key to the electric automobile, and the identification information UserID1, the SM9 encryption and decryption private key and the signature private key are stored in the SE security chip.

The application platform KGC center issues an identification code UserID2 (SM 9 public key), an SM9 encryption and decryption private key and a signature private key to the mobile terminal, and the identification code UserID2, the SM9 encryption and decryption private key and the signature private key are stored in the mobile terminal safely.

Specifically, the performing, by using the public key and the private key of the charging and discharging facility and the user side, the bidirectional authentication between the charging and discharging facility and the user side may include:

the charging and discharging facility generates facility random numbers and sends the facility random numbers, public keys of the charging and discharging facilities and current time information to the user side;

after receiving the data sent by the charging and discharging facility, the user side generates a user side random number, digitally signs the data of the charging and discharging facility, and returns a signature value, a public key of the user side, the user side random number, the facility random number and current time information as response information to the charging and discharging facility;

after receiving the response information sent back by the user side, the charging and discharging facility verifies the received signature value of the user side by using the public key of the user side, and verifies the validity of the response information; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

The charging and discharging facilities randomly generate key seeds, a public key of a user side is used for encrypting the key seeds to obtain key seed ciphertext, a facility random number of the charging and discharging facilities, the public key of the charging and discharging facilities and current time information are used for making a second digital signature, and a second digital signature value, the key seed ciphertext, the facility random number, the public key of the charging and discharging facilities and the current time information are sent to the user side;

after receiving data sent by a charging and discharging facility, a user terminal verifies the validity of the data, if the data passes verification, a secret key seed ciphertext is decrypted by using an authentication private key of the user terminal, a secret key seed in a plaintext state is obtained, the charging and discharging facility and the user terminal conduct secret key derivation according to the secret key seed in the plaintext state to obtain an encrypted communication session key, the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session key, and otherwise, the authentication process and connection are interrupted.

Embodiment two:

fig. 4 is a schematic structural diagram of a system for authenticating two parties between a charging and discharging device and a user according to an embodiment of the present invention, where, as shown in fig. 4, the system may include:

the coding module is used for generating identity codes of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side respectively;

The key generation module is used for generating public keys and private keys of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side;

and the authentication module is used for performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user.

Wherein, the user side may include: electric automobile, mobile terminal and application platform.

The identity of the charging and discharging facility is a charging and discharging facility equipment number, the identity of the electric automobile is a VIN (vehicle identification number) identification code, the identity of the mobile terminal is an IMEI (international mobile equipment identity) code, and the identity of the application platform is a platform name identification code.

Specifically, the coding module is used for: (1) determining a transcoding result for the version number as follows:

(m+2)*16+n

wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

the transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, and z >9 takes a value of 1, otherwise, 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters.

Wherein, the key generation module is used for:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

Wherein, authentication module includes: a charging and discharging facility authentication unit and a user authentication unit;

the charging and discharging facility authentication unit generates a charging and discharging facility random number and sends the charging and discharging facility random number, a public key of the charging and discharging facility and current time information to the user authentication unit;

after receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit generates a user side random number, digitally signs the data of the charging and discharging facility authentication unit, and returns a signature value, a public key of the user side, the user side random number, the charging and discharging facility random number and current time information as response information to the charging and discharging facility authentication unit;

After receiving the response information returned by the user side authentication unit, the charging and discharging facility authentication unit verifies the received signature value of the user side by using the public key of the user side, and verifies the validity of the response information; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

the charge-discharge facility authentication unit randomly generates a key seed, encrypts the key seed by using a public key of the user side to obtain a key seed ciphertext, uses a self charge-discharge facility random number, a public key of the charge-discharge facility and current time information to make a second digital signature, and sends a second digital signature value, the key seed ciphertext, the charge-discharge facility random number, the public key of the charge-discharge facility and the current time information to the user side authentication unit;

after receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit verifies the validity of the data of the charging and discharging facility authentication unit, if the verification is passed, the authentication private key of the user side authentication unit is used for decrypting the key seed ciphertext to obtain the key seed in a plaintext state, the charging and discharging facility authentication unit and the user side authentication unit conduct key derivation according to the key seed in the plaintext state to obtain an encrypted communication session key, and the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session key, otherwise, the authentication process and the connection are interrupted.

Embodiment III:

the charging and discharging facilities, the electric automobile and the mobile authentication flow are as follows:

before protocol transmission is carried out between the charging and discharging facility and the electric automobile as well as between the charging and discharging facility and the mobile terminal, the following initialization steps are carried out on the charging and discharging facility, the electric automobile and the mobile terminal:

the charging and discharging facility operator KGC center issues an identification code PointID (SM 9 public key), an SM9 encryption and decryption private key and a signature private key to the charging and discharging facility, and stores the PointID, the SM9 encryption and decryption private key and the signature private key into the SE security chip.

The KGC center of the electric automobile manufacturer issues identification information UserID1 (SM 9 public key), SM9 encryption and decryption private key and signature private key to the electric automobile, and the identification information UserID1, the SM9 encryption and decryption private key and the signature private key are stored in the SE security chip.

The application platform KGC center issues an identification code UserID2 (SM 9 public key), an SM9 encryption and decryption private key and a signature private key to the mobile terminal, and the identification code UserID2, the SM9 encryption and decryption private key and the signature private key are safely stored in the mobile terminal;

then the protocol transmission flow of the charge and discharge facilities, the electric automobile and the mobile terminal is as follows:

1) The mobile terminal and the electric automobile (hereinafter collectively referred to as a user terminal) establish communication connection with the charging and discharging facilities by using respective communication protocols, and request authentication access;

2) The charging and discharging facility generates a random number R1 through an embedded SE security chip, and the random number R1, SM9 public key identification information PointID of the charging and discharging facility and other information (such as time information and the like)

Packaging the random challenge data together to obtain random challenge data, and sending the random challenge data to a user terminal;

3) After the user receives random challenge, generating a random number R2, and carrying out digital signature on { R2, R1, pointID, userID and other } information by using an SM9 signature private key of the user to obtain a result S1; packaging the random number R2, the random numbers R1 and PointID, userID and the signature value S1 into challenge response data, and sending the challenge response data to a charging and discharging facility;

4) After the charging and discharging facility receives the challenge response, verifying the timeliness of R1 (only 1 time of matching+timeliness); verifying whether the charge and discharge facility identification PointID accords with the PointID; verifying the validity of the signature value S1 by using a user side identifier UserID; if the verification is successful, the identity of the user terminal is approved to be legal and the identity of the user terminal is recorded; if the verification is unsuccessful, the identity of the user terminal is considered to be illegal, and the connection is interrupted;

5) Then, if the charging and discharging facility needs to carry out encryption communication with the user side, the charging and discharging facility can randomly generate a key seed Key seed, and SM9 encryption is carried out by using the user side UserID to obtain a Cryptographic Key in a ciphertext state; the charge and discharge facility uses the SM9 signature private key of the charge and discharge facility to digitally sign { R1, R2, userID, cryptKey and other } information to obtain a result S2; transmitting R1, R2, userID, cryptKey and the signature value to the user side;

6) After receiving the response determination message, the user terminal verifies the timeliness of R1 and R2; verifying whether the user identifier userID accords with the user identifier; verifying the validity of the S2 signature value with the PointID; if the verification is passed, the user terminal approves the legal identity of the charging and discharging facility; otherwise, the identity of the charging and discharging facility is considered illegal, and the user side is disconnected.

7) The user end uses the SM9 decryption private key of the user end to decrypt the Cryptographic Key to obtain the KeySeed in the plaintext state.

8) If the steps are finished, the mutual authentication between the charging and discharging facilities and the user terminal is finished, and a key seed Key seed is synchronized.

9) On the basis of the key seed, if encryption communication is needed, key derivation can be carried out to obtain an encryption communication session key SessionKey. The derivatization mode is as follows:

10)SessionKey＝Hash(KeySeed||R1||R2||PointID||UserID)。

11 The encryption mode can adopt a symmetrical algorithm for encryption, and the working mode of the algorithm is configured according to the requirement.

It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A method for authenticating a two-party identifier between a charging and discharging facility and a user, the method comprising:

respectively generating identity codes of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal;

Generating public keys and private keys of the charging and discharging facilities and the user according to the identity codes of the charging and discharging facilities and the user;

performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user;

generating the identity codes of the charging and discharging facility and the user terminal according to the identity codes of the charging and discharging facility and the user terminal, comprising:

(1) The transcoding result of the version number is determined as follows:

(m+2)*16+n

wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

the transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, when z is more than 9, (z is more than 9) takes a value of 1, otherwise, the value is 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters.

2. The method of claim 1, wherein the client comprises: electric automobile, mobile terminal and application platform.

3. The method of claim 2, wherein the identity of the charging and discharging facility is a charging and discharging facility equipment number, the identity of the electric vehicle is a VIN identification code, the identity of the mobile terminal is an IMEI code, and the identity of the application platform is a platform name identification code.

4. The method of claim 1, wherein the generating the public key and the private key of the charging and discharging facility and the user terminal according to the identification codes of the charging and discharging facility and the user terminal comprises:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

5. The method of claim 1, wherein the performing the two-way authentication between the charging and discharging facility and the user terminal by using the public key and the private key of the charging and discharging facility and the user terminal comprises:

the charging and discharging facility generates facility random numbers and sends charging and discharging facility data to a user side, wherein the charging and discharging facility data comprises facility random numbers, public keys of charging and discharging facilities and current time information;

after receiving the charging and discharging facility data sent by the charging and discharging facility, the user side generates a user side random number, digitally signs the charging and discharging facility data, and returns a signature value, a public key of the user side, the user side random number, the facility random number and current time information as user side response information to the charging and discharging facility;

after receiving the user terminal response information returned by the user terminal, the charging and discharging facility verifies the received signature value of the user terminal by using the public key of the user terminal, and verifies the validity of the user terminal response information; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

the charging and discharging facilities randomly generate key seeds, a public key of a user side is used for encrypting the key seeds to obtain key seed ciphertexts, a second digital signature is made by using the facility random number of the user side, the public key of the charging and discharging facilities and the current time information, and charging and discharging facility data are sent to the user side, wherein the charging and discharging facility data comprise a second digital signature value, the key seed ciphertexts, the facility random number, the public key of the charging and discharging facilities and the current time information;

After receiving the charging and discharging facility data sent by the charging and discharging facility, the user terminal verifies the validity of the charging and discharging facility data, if the charging and discharging facility data passes the verification, a secret key seed ciphertext is decrypted by using an authentication private key of the user terminal, a secret key seed in a plaintext state is obtained, the charging and discharging facility and the user terminal conduct secret key derivation according to the secret key seed in the plaintext state to obtain an encrypted communication session secret key, and the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session secret key, otherwise, the authentication process and the connection are interrupted.

6. A system for authenticating a two-party identity between a charging and discharging facility and a user, the system comprising:

the coding module is used for generating identity codes of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side respectively;

the key generation module is used for generating public keys and private keys of the charging and discharging facilities and the user side according to the identity codes of the charging and discharging facilities and the user side;

the authentication module is used for performing bidirectional authentication between the charging and discharging facility and the user by using the public key and the private key of the charging and discharging facility and the user;

the coding module is used for:

(1) The transcoding result of the version number is determined as follows:

(m+2)*16+n

Wherein m is the main version number of the identification code, and n is the sub-version number of the identification code;

performing ASCII transcoding inverse transformation on the transcoding result of the version number to obtain a version number character;

(2) If the type of the authentication entity is a charging and discharging facility, determining that the corresponding type character is I, if the type of the authentication entity is an electric automobile, determining that the corresponding type character is V, if the type of the authentication entity is a mobile terminal, determining that the corresponding type character is U, and if the type of the authentication entity is an application platform, determining that the corresponding type character is P;

(3) If the adopted coding mode is ASCII coding, determining the character of the coding mode as 'A', and if the adopted coding mode is BCD coding, determining the character of the coding mode as 'B';

(4) If the total length of the identification code is less than or equal to 36, determining a transcoding result of the code length according to the following formula:

L/4+0x30

if the total length of the identification code is greater than 36, determining a transcoding result of the code length according to the following formula:

L/4+0x37

wherein L is the total length of the identification code;

performing ASCII (integrated circuit code-based information) transcoding on a transcoding result of the coding length to obtain a length character;

(5) The 1 st bytecode of the validity period is determined as follows:

(Y-1970)/32

the 2 nd bytecode of the validity period is determined as follows:

(Y-1970)％32

the 3 rd byte code of the validity period is the month of the validity period of the identification code; the 4 th byte code of the validity period is the number of days of the validity period of the identification code;

the transcoding results of the 4 byte codes are respectively determined according to the following formulas:

(z>9)*0x07+z+0x30

wherein Y is the year of the validity period of the identification code, z is each byte code, when z is more than 9, (z is more than 9) takes a value of 1, otherwise, the value is 0;

respectively performing ASCII transcoding inverse transformation on the transcoding results of the 4 byte codes to obtain validity period characters;

(6) The identity of each authentication entity is used as an identity character of the identity code;

(7) The label of the root key generation system center is used as the root key generation center label character of the identification code;

(8) Performing CRC12 coding on all the characters obtained in the steps (1) to (7) and performing CODE64 transcoding to obtain check characters of the identification CODE;

(9) The output identity code is: version number characters, type characters, coding characters, length characters, validity period characters, identity identification characters, root keys, center characters and check characters.

7. The system of claim 6, wherein the client comprises: electric automobile, mobile terminal and application platform.

8. The system of claim 7, wherein the identity of the charging and discharging facility is a charging and discharging facility equipment number, the identity of the electric vehicle is a VIN identification code, the identity of the mobile terminal is an IMEI code, and the identity of the application platform is a platform name identification code.

9. The system of claim 6, wherein the key generation module is to:

taking the identification code of the charging and discharging facility as the public key of the charging and discharging facility, and determining the private key of the charging and discharging facility by adopting an SM9 identification cryptographic algorithm according to the public key of the charging and discharging facility;

the identification code of the user terminal is used as the public key of the user terminal, and the private key of each user terminal is determined by adopting an SM9 identification cipher algorithm according to the public key of the user terminal.

10. The system of claim 6, wherein the authentication module comprises: a charging and discharging facility authentication unit and a user authentication unit;

the charging and discharging facility authentication unit generates a charging and discharging facility random number and sends charging and discharging facility data to the user side, wherein the charging and discharging facility data comprises the facility random number, a public key of the charging and discharging facility and current time information;

after receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit generates a user side random number, digitally signs the charging and discharging facility data, and returns a signature value, a public key of the user side, the user side random number, the facility random number and current time information as user side response information to the charging and discharging facility authentication unit;

After receiving the response information returned by the user side authentication unit, the charging and discharging facility authentication unit verifies the received signature value of the user side by using the public key of the user side, and verifies the validity of the response information of the user side; if the verification is successful, proving that the identity of the user terminal is legal and recording the public key of the user terminal; otherwise, interrupting the authentication process and the connection;

the charging and discharging facility authentication unit randomly generates a key seed, encrypts the key seed by using a public key of the user side to obtain a key seed ciphertext, uses a facility random number of the user side, the public key of the charging and discharging facility and current time information to make a second digital signature, and transmits charging and discharging facility data to the user side, wherein the charging and discharging facility data comprises a second digital signature value, the key seed ciphertext, the facility random number, the public key of the charging and discharging facility and the current time information to the user side authentication unit;

after receiving the data sent by the charging and discharging facility authentication unit, the user side authentication unit verifies the validity of the charging and discharging facility data, if the verification is passed, a secret key seed ciphertext is decrypted by using an authentication private key of the user side authentication unit to obtain a secret key seed in a plaintext state, the charging and discharging facility and the user side conduct secret key derivation according to the secret key seed in the plaintext state to obtain an encrypted communication session key, and the data communication is protected by adopting a symmetric algorithm according to the encrypted communication session key, otherwise, the authentication process and the connection are interrupted.