CN109714171B - Safety protection method, device, equipment and medium - Google Patents


Publication number: CN109714171B
Authority: CN (China)
Prior art keywords: vehicle, authentication, identification, identifier, key
Legal status: Active
Application number: CN201811614183.0A
Other languages: Chinese (zh)
Other versions: CN109714171A (en)
Inventor: 乔旭
Current Assignee: Apollo Intelligent Connectivity Beijing Technology Co Ltd
Original Assignee: Apollo Zhilian Beijing Technology Co Ltd

Abstract

The embodiments of the invention disclose a safety protection method, a safety protection device, safety protection equipment and a safety protection medium, and relate to the field of automobiles. The method comprises the following steps: obtaining a vehicle identification and an authentication seed from a vehicle; and sending an authentication request comprising the vehicle identification, the authentication seed and the equipment identification of the vehicle access equipment to a server, so that the server unlocks the access authority of the vehicle access equipment to the vehicle according to the vehicle identification, the authentication seed and the equipment identification of the vehicle access equipment. The embodiments thereby realize the safety protection of network information in a whole vehicle.

Description

Safety protection method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the field of automobiles, in particular to a safety protection method, a safety protection device, safety protection equipment and a safety protection medium.
Background
An On-Board Diagnostic (OBD) interface of an automobile is an externally exposed interface connected to the Controller Area Network (CAN) bus in the automobile. The OBD interface is designed primarily for vehicle fault diagnosis: by reading the fault codes of the automobile through the OBD interface, a fault of the automobile can be located quickly.
At present, the OBD interface of most vehicles is directly connected with the CAN bus in the vehicle. The OBD interface, as a node on the CAN bus, can not only listen to messages on the bus, but also forge messages (e.g., sensor information or control commands) to trick an Electronic Control Unit (ECU), so that the ECU executes dangerous actions that change the current state of the vehicle.
For example, a hacker may attack a wireless device connected to the OBD interface (e.g., a Head Up Display (HUD) that is commercially available at present), and remotely send a malicious vehicle control instruction (e.g., an instruction to forcibly shut down the engine of a vehicle running at high speed, or to maliciously turn the steering wheel) through the wireless device, with the aim of wrecking the vehicle and causing casualties.
Disclosure of Invention
The embodiment of the invention provides a safety protection method, a safety protection device, safety protection equipment and a safety protection medium, which are used for realizing safety protection on network information inside a whole vehicle.
In a first aspect, an embodiment of the present invention provides a security protection method, which is applied to a vehicle access device, and the method includes:
obtaining a vehicle identification and an authentication seed from a vehicle;
sending an authentication request including the vehicle identification, the authentication seed, and a device identification of the vehicle access device to a server, instructing the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
In a second aspect, an embodiment of the present invention further provides a security protection method, applied to a server, where the method includes:
receiving an authentication request which is sent by a vehicle access device and comprises a vehicle identifier, an authentication seed and the vehicle access device identifier;
legality authentication is carried out on the vehicle access equipment based on the vehicle access equipment identification included in the authentication request;
if the authentication is successful, inquiring an authentication key and an authentication identifier of the vehicle according to the vehicle identifier;
decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier;
and comparing the inquired authentication identification with the decrypted authentication identification, and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result.
In a third aspect, an embodiment of the present invention further provides a safety protection method, which is applied to a vehicle, and the method includes:
responding to an access request of a vehicle access device, sending a vehicle identification and an authentication seed of a local vehicle to the vehicle access device, and sending the received vehicle identification, the authentication seed and the vehicle access device identification to a server by the vehicle access device, wherein the server executes the following steps: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; generating an access instruction according to a comparison result of the decrypted authentication identifier and the inquired authentication identifier;
and unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction.
In a fourth aspect, an embodiment of the present invention further provides a security protection method applied to a key injection device, where the method includes:
sending a key injection request including a vehicle identification and an authentication identification to a vehicle;
generating an authentication key according to the vehicle identification and the authentication identification returned by the vehicle;
and sending a key writing instruction to the vehicle based on the authentication key, so that the vehicle can write the authentication key.
In a fifth aspect, an embodiment of the present invention further provides a safety protection device, where the safety protection device includes:
the information acquisition module is used for acquiring a vehicle identifier and an authentication seed from a vehicle;
an authentication request module for sending an authentication request including the vehicle identification, the authentication seed and a device identification of the vehicle access device to a server, instructing the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
In a sixth aspect, an embodiment of the present invention further provides a safety protection device, including:
the authentication request receiving module is used for receiving an authentication request which is sent by the vehicle access equipment and comprises a vehicle identifier, an authentication seed and the vehicle access equipment identifier;
the authentication module is used for carrying out validity authentication on the vehicle access equipment based on the vehicle access equipment identification included in the authentication request;
the query module is used for querying the authentication key and the authentication identifier of the vehicle according to the vehicle identifier if the authentication is successful;
the authentication identifier decryption module is used for decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier;
and the permission unlocking module is used for comparing the inquired authentication identification with the decrypted authentication identification and unlocking the access permission of the vehicle access equipment to the vehicle according to the comparison result.
In a seventh aspect, an embodiment of the present invention further provides a safety protection device, including:
the response access request module is used for responding to an access request of the vehicle access device, sending the vehicle identification and the authentication seed of the local vehicle to the vehicle access device, and sending the received vehicle identification, the authentication seed and the vehicle access device identification to the server by the vehicle access device for the server to execute the following steps: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; sending an access instruction to the vehicle access device according to a comparison result of the decrypted authentication identifier and the inquired authentication identifier;
and the access authority unlocking module is used for unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction sent by the vehicle access equipment.
In an eighth aspect, an embodiment of the present invention further provides a safety protection device, including:
the key injection module is used for sending a key injection request comprising a vehicle identifier and an authentication identifier to the vehicle;
the authentication key generation module is used for generating an authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle;
and the authentication key writing module is used for sending a key writing instruction to the vehicle based on the authentication key so that the vehicle can execute the writing operation of the authentication key.
In a ninth aspect, an embodiment of the present invention further provides an apparatus, where the apparatus includes:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the safety protection method described in any of the embodiments of the invention.
In a tenth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the security protection method according to any one of the embodiments of the present invention.
In the embodiments of the invention, when the vehicle access equipment accesses the vehicle, the following is executed first: the vehicle access device acquires a vehicle identifier and an authentication seed from the vehicle;
the vehicle access device sends an authentication request including the vehicle identification, the authentication seed and a device identification of the vehicle access device to a server, and instructs the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification, if the authentication is successful, inquiring an authentication key and an authentication identification which are associated with the vehicle identification according to the vehicle identification, and decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identification; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
The steps above authenticate the legality of the vehicle access equipment based on the equipment identification of the vehicle access equipment; and, based on the comparison of the authentication identifications, they prevent the authentication identification in the vehicle from being illegally tampered with, so that the safety verification of the accessed vehicle is realized.
In addition, the authentication key is stored in the server during the access verification process, and the vehicle access equipment performs data interaction with the server, so the authentication key does not need to be issued to the vehicle access equipment. This reduces transmission of the authentication key and improves its safety.
Drawings
FIG. 1 is a schematic diagram of a topology structure of a vehicle network in the prior art;
FIG. 2 is a flowchart of a security protection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a topology structure of a vehicle network according to an embodiment of the present invention;
FIG. 4 is a flowchart of a security protection method according to a second embodiment of the present invention;
FIG. 5 is a flowchart of a security protection method according to a third embodiment of the present invention;
FIG. 6 is a flowchart of a safety protection method according to a fourth embodiment of the present invention;
FIG. 7 is a signaling diagram of a key injection device and a vehicle gateway according to a fifth embodiment of the present invention;
FIG. 8 is a signaling diagram of a vehicle access device and a vehicle gateway according to a fifth embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a safety protection device according to a sixth embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a safety protection device according to a seventh embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a safety protection device according to an eighth embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a safety protection device according to a ninth embodiment of the present invention;
FIG. 13 is a schematic structural diagram of an apparatus provided in the tenth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It should be further noted that, for the convenience of description, only some of the structures associated with the present invention are shown in the drawings, not all of them.
Referring to FIG. 1, in the whole-vehicle network topology of current vehicles, the OBD interface is directly connected to the in-vehicle CAN network, and the vehicle Gateway (GW) is an Electronic Control Unit (ECU) node that connects the network segments of the various functions.
Example one
Fig. 2 is a flowchart of a security protection method according to an embodiment of the present invention. The embodiment can be applied to the conditions of carrying out legality verification on the vehicle access equipment and safety verification on the accessed vehicle when the vehicle access equipment accesses the vehicle. The method may be performed by a safety device, which may be implemented in software and/or hardware. Typically, the apparatus may be a vehicle access device, wherein the vehicle access device may be any device that accesses network information inside a vehicle, and may specifically be a vehicle diagnostic apparatus. Referring to fig. 2, the safety protection method provided by this embodiment includes:
S110, acquiring the vehicle identification and the authentication seed from the vehicle.
Specifically, the authentication seed is obtained by encrypting an authentication identifier of the vehicle by the vehicle according to an authentication key of the vehicle.
The Vehicle identifier may be any information uniquely identifying the Vehicle, and specifically may be a Vehicle Identification Number or a Vehicle frame Number (VIN), or may be a gateway identifier uniquely identifying a Vehicle gateway.
The authentication identification can be a vehicle identification number or a vehicle frame number, and can also be a gateway identification for uniquely identifying a vehicle gateway. However, the contents of the vehicle identification and the authentication identification are different, and if the authentication identification is a vehicle identification number, the vehicle identification is a gateway identification; if the authentication identification is the gateway identification, the vehicle identification is the vehicle identification number.
In particular, the vehicle identification and the authentication seed may be obtained from an electronic control unit of the vehicle. That is, the safety protection method is deployed in the electronic control unit of the vehicle.
However, in the process of implementing the present invention, the inventor finds that if the safety protection method is deployed in the electronic control unit, the safety protection method needs to be deployed for each electronic control unit, and because there are many electronic control units with each function in the vehicle, the workload of safety protection is large.
In order to solve the problem, referring to fig. 3, the OBD interface may be connected to the Gateway, the protection method of the OBD interface is deployed on the Gateway, and the Gateway forwards a message entering the OBD interface to different network segments, so that the normal diagnosis function of the OBD interface is not affected.
On the basis of deploying the protection method of the OBD interface on Gateway, the obtaining of the vehicle identification and the authentication seed from the vehicle comprises the following steps:
and acquiring a vehicle identifier and an authentication seed from a vehicle gateway in the vehicle, wherein the authentication seed is obtained by encrypting the authentication identifier of the vehicle by the vehicle gateway according to an authentication key of the vehicle.
On the basis of the connection between the OBD interface and the Gateway, the OBD interface protection method is deployed on the Gateway, so that the verification of the equipment for vehicle data access based on the OBD interface at the Gateway can be realized, the illegal access equipment can be intercepted, and the safety protection of electronic control units of all network segments connected with the Gateway can be further realized.
Generally, there is only one vehicle gateway in a vehicle, so the workload of deploying safety protection on that one vehicle gateway is far less than that of deploying it on each electronic control unit, while the safety protection of each electronic control unit in the vehicle is still realized.
S120, sending an authentication request comprising the vehicle identification, the authentication seed and the equipment identification of the vehicle access equipment to a server, and instructing the server to execute the following steps: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
In particular, the vehicle access device may be a vehicle access device. After obtaining the vehicle identifier and the authentication seed from the vehicle, the safety protection device of this embodiment sends an authentication request including the vehicle identifier, the authentication seed, and the device identifier of the vehicle access device to the server, requesting the server to perform legitimacy authentication on the safety protection device of this embodiment and security verification on the accessed vehicle.
Optionally, the server may generate the access instruction according to a comparison result between the decrypted authentication identifier and the queried authentication identifier. The server can directly send the access instruction to the vehicle, and the access instruction can also be forwarded to the vehicle by the vehicle access device.
The access instruction may be an access permission instruction, an access prohibition instruction, or an instruction including decryption information.
When the access instruction generated by the server is forwarded to the vehicle by the vehicle access equipment, in order to prevent the vehicle access equipment from tampering with the access instruction, the server can encrypt the access instruction with a set encryption algorithm after generating it. The encrypted access instruction is then sent to the vehicle access equipment, and the vehicle access equipment sends the encrypted access instruction to the vehicle, so that the vehicle decrypts the encrypted access instruction based on the encryption algorithm and unlocks the access authority of the vehicle access equipment to the vehicle according to the decrypted access instruction.
According to the technical scheme of the embodiment of the invention, when the vehicle access equipment accesses the vehicle, the following is executed first: the vehicle access device acquires a vehicle identifier and an authentication seed from the vehicle;
the vehicle access device sends an authentication request including the vehicle identification, the authentication seed and a device identification of the vehicle access device to a server, and instructs the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
The steps above authenticate the legality of the vehicle access equipment based on the equipment identification of the vehicle access equipment; and, based on the comparison of the authentication identifications, they prevent the authentication identification in the vehicle from being illegally tampered with, so that the safety verification of the accessed vehicle is realized.
In addition, the authentication key is stored in the server during the access verification process, and the vehicle access equipment performs data interaction with the server, so the authentication key does not need to be issued to the vehicle access equipment. This reduces transmission of the authentication key and improves its safety.
To prevent an illegal device from intercepting authentication seeds and then cracking the authentication key based on a large number of intercepted authentication seeds, the authentication seed is obtained by the vehicle encrypting the authentication identification of the vehicle together with a random number according to the authentication key of the vehicle.
Further, where the authentication seed is obtained by the vehicle encrypting the authentication identification of the vehicle and the random number according to the authentication key of the vehicle, accessing the vehicle based on the received access instruction comprises:
sending the decrypted random number included in the access instruction to the vehicle, so that the vehicle unlocks the access authority of the vehicle access equipment to the vehicle according to a comparison result of the random number used to generate the authentication seed and the decrypted random number, wherein the decrypted random number is obtained by the server decrypting the authentication seed according to the inquired authentication key.
To determine the security of a vehicle gateway, the authentication identity is a gateway identity of the vehicle.
Wherein a comparison of the decrypted gateway identification with the queried gateway identification may verify whether the vehicle gateway has been tampered with, thereby determining the security of the vehicle gateway.
Example two
Fig. 4 is a flowchart of a security protection method according to a second embodiment of the present invention. The method may be performed by a safety device, which may be implemented in software and/or hardware. Typically, the device may be a vehicle enterprise server. Referring to fig. 4, the safety protection method provided in this embodiment includes:
S210, receiving an authentication request which is sent by the vehicle access device and comprises a vehicle identification, an authentication seed and the vehicle access device identification.
Wherein the vehicle access device identification is a device identification of the vehicle access device.
S220, carrying out validity authentication on the vehicle access equipment based on the vehicle access equipment identification included in the authentication request.
Specifically, the vehicle access device identifier included in the authentication request is matched against the legal vehicle access device identifiers associated with the vehicle identifier; if they match, the vehicle access equipment is determined to be legal.
The safety protection device of this embodiment stores a legal vehicle access device identifier associated with the vehicle identifier.
S230, if the authentication is successful, inquiring the authentication key and the authentication identification of the vehicle according to the vehicle identification.
The safety protection device of the embodiment stores a vehicle identifier, and an authentication key and an authentication identifier stored in association with the vehicle identifier.
S240, decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier.
And the authentication seed is obtained by encrypting the authentication identifier according to the authentication key.
S250, comparing the inquired authentication identification with the decrypted authentication identification, and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result.
Wherein, the queried authentication identifier is obtained in step S230. The decrypted authentication identity is obtained in step S240.
Specifically, unlocking the access right of the vehicle access device to the vehicle according to the comparison result comprises:
and if the comparison is consistent, unlocking the access authority of the vehicle access equipment to the vehicle.
According to the technical scheme of the embodiment of the invention, the legality of the vehicle access equipment is authenticated based on the vehicle access equipment identification, and the safety of the vehicle is verified according to the inquired authentication identification and the decrypted authentication identification. Mutual authentication of the vehicle access device and the accessed vehicle is thus realized.
In order to reduce the workload of the deployment of the safety protection method, the receiving the vehicle identification and the authentication seed acquired by the vehicle access device from the vehicle includes:
and receiving a vehicle identification and an authentication seed which are acquired by the vehicle access equipment from the vehicle gateway, wherein the authentication seed is obtained by encrypting the authentication identification of the vehicle by the vehicle gateway according to an authentication key of the vehicle.
In order to avoid cracking of an authentication key based on an authentication seed, the decrypting of the authentication seed according to the authentication key to obtain a decrypted authentication identifier includes:
and decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier and a decrypted random number.
Further, where the authentication seed is decrypted with the authentication key to obtain a decrypted authentication identifier and a decrypted random number, comparing the inquired authentication identifier with the decrypted authentication identifier and unlocking the access right of the vehicle access device to the vehicle according to the comparison result includes:
comparing the inquired authentication identification with the decrypted authentication identification, and sending the decrypted random number to the vehicle access equipment according to the comparison result, so that the vehicle access equipment can unlock the access authority to the vehicle.
In order to realize the verification of the vehicle gateway, the authentication identification is the gateway identification of the vehicle.
Terms in this embodiment that also appear in the above embodiments, such as vehicle identification and authentication seed, have the same meaning and are not defined again here.
Example three
Fig. 5 is a flowchart of a security protection method according to a third embodiment of the present invention. The method may be performed by a safety device, which may be implemented in software and/or hardware. Typically, the device may be a vehicle. Referring to fig. 5, the safety protection method provided in this embodiment includes:
S310, in response to an access request of the vehicle access device, sending the vehicle identification and the authentication seed of the local vehicle to the vehicle access device.
Specifically, the authentication seed is obtained by encrypting the authentication identification of the vehicle by the local vehicle according to the authentication key of the vehicle. The local vehicle is a vehicle to be visited.
The vehicle access device sends the received vehicle identification, the authentication seed, and the vehicle access device identification to a server, so that the server performs the following: authenticating the legitimacy of the vehicle access device according to the device identification; if the authentication succeeds, querying the authentication key and the authentication identifier associated with the vehicle identification; decrypting the authentication seed with the queried authentication key to obtain a decrypted authentication identifier; and sending an access instruction to the vehicle access device according to the result of comparing the decrypted authentication identifier with the queried authentication identifier.
To realize the verification of the vehicle gateway, the authentication identification is the gateway identification of the local vehicle.
Optionally, the authentication seed may be obtained by encrypting, by the vehicle gateway of the local vehicle, the authentication identifier of the vehicle according to the authentication key of the vehicle; the authentication seed may also be obtained by encrypting the authentication identifier of the vehicle and the random number by the vehicle gateway of the local vehicle according to the authentication key of the vehicle.
S320, unlocking the access right of the vehicle access device to the local vehicle according to the access instruction.
Specifically, the unlocking of the access right of the vehicle access device to the local vehicle according to the access instruction includes:
if the access instruction is to allow access, unlocking the access right of the vehicle access device to the local vehicle.
Where the authentication seed is obtained by the vehicle gateway of the local vehicle encrypting the authentication identifier of the vehicle and a random number according to the authentication key of the vehicle, the unlocking of the access right of the vehicle access device to the local vehicle according to the access instruction includes:
if the decrypted random number included in the access instruction is consistent with the random number used to generate the authentication seed, unlocking the access right of the vehicle access device to the local vehicle.
According to the technical scheme of the embodiment of the invention, the vehicle identification and the authentication seed of the local vehicle are sent to the vehicle access equipment by responding to the access request of the vehicle access equipment; and then unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction. Therefore, the access of the local vehicle is limited, and the safety of the network information in the vehicle is improved.
Further, before the sending the vehicle identifier and the authentication seed of the local vehicle to the vehicle access device in response to the access request of the vehicle access device, the method further includes:
in response to a key injection request of the key injection device, sending a vehicle identifier and an authentication identifier to the key injection device, so that the key injection device generates an authentication key according to the vehicle identifier and the authentication identifier;
storing the authentication key.
In order to avoid plaintext transmission of the authentication key, before storing the authentication key, the method further includes:
receiving a key factor sent by key injection equipment, wherein the key factor is generated by the key injection equipment according to an authentication key and a set specification;
generating the authentication key based on the specification and the received key factor.
In particular, the specification may be a secure hardware extension specification.
In order to implement successful verification of authentication key injection, after storing the authentication key, the method further includes:
in response to a verification request that is sent by the key injection device and includes encrypted data, decrypting the encrypted data with the stored authentication key and feeding the decrypted random number back to the key injection device, so that the key injection device compares the decrypted random number with the random number used to generate the encrypted data and verifies, according to the comparison result, that key injection succeeded, wherein the encrypted data is obtained by the key injection device encrypting the random number with the authentication key.
Terms in this embodiment that also appear in the above embodiments, such as vehicle identification and authentication seed, have the same meaning and are not defined again here.
Example four
Fig. 6 is a flowchart of a security protection method according to a fourth embodiment of the present invention. The method may be performed by a safety device, which may be implemented in software and/or hardware. Typically, the apparatus may be a key injection device, in particular a personal computer. Referring to fig. 6, the safety protection method provided in this embodiment includes:
S410, sending a key injection request comprising a vehicle identification and an authentication identification to the vehicle.
S420, generating an authentication key according to the vehicle identification and the authentication identification returned by the vehicle.
The safety protection device of the embodiment generates an authentication key according to the vehicle identifier and the authentication identifier, so that each vehicle has a unique authentication key. Even if the authentication key of one vehicle is broken, the intruder still cannot acquire the authentication keys of other vehicles.
Specifically, the generating of the authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle comprises: taking the result of a set operation on the vehicle identification and the authentication identification as the authentication key; or
generating an authentication key according to the vehicle identifier, the authentication identifier and the random number returned by the vehicle.
S430, sending a key writing instruction to the vehicle based on the authentication key, so that the vehicle can write the authentication key.
According to the technical scheme of the embodiment of the invention, the authentication key is generated according to the vehicle identifier and the authentication identifier returned by the vehicle. Because the vehicle identification is a unique identification of the vehicle, each vehicle is made to have a unique authentication key. Thus, even if the authentication key of one vehicle is cracked, the intruder still cannot acquire the authentication keys of other vehicles.
In order to avoid the security risk brought by the plaintext transmission of the authentication key, after the authentication key is generated according to the vehicle identifier and the authentication identifier returned by the vehicle, the method further includes:
generating a key factor according to the generated authentication key and the set specification;
accordingly, the sending of the key-writing instruction to the vehicle based on the authentication key comprises:
and sending a key writing instruction to the vehicle based on the generated key factor, so that the vehicle generates the authentication key based on the specification and the key factor and stores the authentication key.
In particular, the specification may be a secure hardware extension specification.
In order to implement the verification that the authentication key is successfully written into the vehicle, the method further includes, after sending a key writing instruction to the vehicle based on the authentication key for the vehicle to perform a writing operation on the authentication key:
encrypting the random number according to the authentication key to generate encrypted data;
sending a verification request including the encrypted data to the vehicle, the encrypted data being decrypted by the vehicle using the stored authentication key;
comparing the decrypted random number with the random number used to generate the encrypted data, and verifying according to the comparison result that key injection succeeded.
Terms in this embodiment that also appear in the above embodiments, such as vehicle identification and authentication seed, have the same meaning and are not defined again here.
Example five
Fig. 7 is a signaling diagram of a key injection device and a vehicle gateway according to a fifth embodiment of the present invention; fig. 8 is a signaling diagram of a vehicle access device and a vehicle gateway according to a fifth embodiment of the present invention. This embodiment is an alternative proposed on the basis of the above-described embodiments. Referring to fig. 7 and 8, the safety protection method provided in this embodiment includes:
When the vehicle comes off the production line after being manufactured, the key injection device requests the VIN of the vehicle and the Gateway identification of the Gateway from the Gateway through the OBD interface of the vehicle.
The Gateway responds with the VIN of the vehicle and the Gateway identification.
The key injection device generates an authentication key of an OBD interface of the vehicle according to the VIN and the Gateway identification of the Gateway, then generates a key factor according to the authentication key, and sends a key writing instruction and the key factor to the Gateway.
Specifically, the key factor is a five-bit parameter suitable for the hardware encryption module in Gateway.
The Gateway receives the key factor and passes it into the hardware encryption module, which generates and stores the authentication key; the Gateway then responds to the key injection device that the key was written successfully.
The key injection device generates a random number, encrypts the random number according to the authentication key, and sends a key verification instruction and the encrypted random number to the Gateway.
And after receiving the key verification instruction and the encrypted random number, the Gateway decrypts the encrypted random number by using the stored authentication key and returns the decrypted random number to the key injection equipment.
The key injection device receives the decrypted random number and compares it with the random number that the key injection device generated; if the two are consistent, it determines that the authentication key of the Gateway was written successfully. The VIN of the vehicle, the Gateway identification of the Gateway, and the authentication key are then uploaded to the private server of the vehicle factory.
When the vehicle access equipment accesses the CAN network in the vehicle through the vehicle OBD interface, the access authentication is carried out, and the specific flow is as follows:
The vehicle access device accesses the Gateway through the vehicle OBD interface and requests the VIN of the vehicle through the unified diagnostic service protocol.
The Gateway responds with the VIN of the vehicle based on the unified diagnostic service protocol.
The vehicle access device requests an authentication seed from the Gateway, wherein the authentication seed is obtained by the Gateway encrypting the Gateway identification and a random number with the authentication key.
The Gateway responds with the authentication seed.
And after receiving the authentication seed, the vehicle access equipment sends the VIN of the vehicle, the authentication seed and the identification of the vehicle access equipment to a private server of the vehicle enterprise.
After receiving the VIN, the authentication seed and the identification of the vehicle access device, the private server uses the VIN to query the gateway identification and the authentication key stored in association with it in a database; it then decrypts the authentication seed with the authentication key to obtain the plaintext gateway identification and random number, and compares the decrypted gateway identification with the queried gateway identification; if the two are consistent, it returns the decrypted random number to the vehicle access device.
The vehicle access device sends the decrypted random number to the Gateway for authentication.
The Gateway compares the received decrypted random number with the random number that the Gateway generated; if the two are consistent, the authentication succeeds and the access right of the vehicle access device to the vehicle is unlocked. The vehicle access device can then access the CAN network in the vehicle through the OBD interface.
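The two exchanges of this embodiment (key injection with write verification, then access authentication through the private server) are shown below as an added Python sketch; it is example code added here, not code from the patent. The page names no cipher, so a stand-in 4-round Feistel over HMAC-SHA256 is used; the class and function names, the 16-byte field sizes, the key derivation, the single-use handling of the random number and the one-shot verification rule are assumptions, and the key-factor wrapping is omitted.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # assumed layout: 16-byte gateway ID + 16-byte random number

def _f(key, i, half):
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 16 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:16]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    # Stand-in block cipher (4-round Feistel); the page does not name one.
    if len(block) != BLOCK:
        raise ValueError("block must be 32 bytes")
    l, r = block[:16], block[16:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt(key, block):
    if len(block) != BLOCK:
        raise ValueError("block must be 32 bytes")
    l, r = block[:16], block[16:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

class Gateway:
    def __init__(self, vin, gateway_id):
        self.vin, self.gateway_id = vin, gateway_id
        self._key = self._nonce = None
        self._verify_pending = False

    def write_key(self, key):
        # The page delivers the key as a key factor; that wrapping is omitted.
        self._key, self._verify_pending = key, True

    def verify_key(self, encrypted):
        # Assumption: answered once, directly after a key write.
        if not self._verify_pending:
            return None
        self._verify_pending = False
        return decrypt(self._key, encrypted)

    def get_seed(self):
        if self._key is None:
            raise RuntimeError("no authentication key injected")
        self._nonce = secrets.token_bytes(16)  # fresh random number per request
        return encrypt(self._key, self.gateway_id + self._nonce)

    def unlock(self, nonce):
        expected, self._nonce = self._nonce, None  # a random number is usable once
        return expected is not None and hmac.compare_digest(expected, nonce)

class Server:
    def __init__(self, allowed_devices):
        self.allowed = set(allowed_devices)
        self.db = {}  # VIN -> (gateway ID, authentication key)

    def authenticate(self, vin, seed, device_id):
        if device_id not in self.allowed:  # legitimacy check on the device
            return None
        record = self.db.get(vin)
        if record is None or len(seed) != BLOCK:
            return None
        gateway_id, key = record
        plain = decrypt(key, seed)
        if not hmac.compare_digest(plain[:16], gateway_id):
            return None  # decrypted gateway ID differs from the stored one
        return plain[16:]  # decrypted random number

def inject_key(gateway, server):
    vin, gateway_id = gateway.vin, gateway.gateway_id
    salt = secrets.token_bytes(16)  # the page's variant that mixes in a random number
    key = hmac.new(salt, vin + gateway_id, hashlib.sha256).digest()[:16]
    gateway.write_key(key)
    challenge = secrets.token_bytes(BLOCK)
    echoed = gateway.verify_key(encrypt(key, challenge))
    if echoed is None or not hmac.compare_digest(echoed, challenge):
        return False
    server.db[vin] = (gateway_id, key)  # upload only after a verified write
    return True

def request_access(device_id, gateway, server):
    seed = gateway.get_seed()
    nonce = server.authenticate(gateway.vin, seed, device_id)
    return nonce is not None and gateway.unlock(nonce)

if __name__ == "__main__":
    gw = Gateway(b"TESTVIN0000000001", b"GW-CONSTRUCTED-1")  # constructed values
    srv = Server({"tool-A"})
    print(inject_key(gw, srv), request_access("tool-A", gw, srv),
          request_access("rogue-tool", gw, srv))
```

The authentication key never leaves the Gateway and the server; the access device only relays the seed and the decrypted random number.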
According to the technical solution of this embodiment of the invention, a security protection mechanism is added to the Gateway. This prevents a hacker from monitoring data on the in-vehicle CAN network through the OBD interface and cracking the CAN bus control protocol; prevents illegitimate devices from performing unauthorized diagnosis through the OBD interface in order to crack the security access algorithm in the UDS protocol, modify important parameters of an electronic control unit, or flash malicious programs into an electronic control unit; and prevents hackers from remotely attacking the vehicle by means of aftermarket OBD wireless devices.
Deploying the security protection method on the Gateway does not affect the normal functions of the Gateway and does not increase cost. It also does not affect the normal functions of the electronic control units in the vehicle, and their code does not need to be changed.
In addition, the vehicle VIN is read through the OBD interface without influencing the vehicle management.
It should be noted that, given the technical teaching of the present embodiment, a person skilled in the art would be motivated to combine any of the implementations described in the above embodiments, so as to implement the legitimacy verification of the vehicle access device and the security verification of the accessed vehicle when the vehicle access device accesses the vehicle.
Example six
Fig. 9 is a schematic structural diagram of a safety protection device according to a sixth embodiment of the present invention. Referring to fig. 9, the present embodiment provides a safety protection device including: an information acquisition module 101 and an authentication request module 102.
The information acquisition module 101 is configured to acquire a vehicle identifier and an authentication seed from a vehicle, where the authentication information is obtained by encrypting, by the vehicle, the vehicle identifier of the vehicle according to an authentication key of the vehicle;
an authentication request module 102, configured to send an authentication request including the vehicle identifier, the authentication seed, and a device identifier of the vehicle access device to a server, instruct the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
According to the technical scheme of the embodiment of the invention, when the vehicle access equipment accesses the vehicle, the following contents are firstly executed: the vehicle access device acquires a vehicle identifier and an authentication seed from the vehicle;
the vehicle access device sends an authentication request including the vehicle identification, the authentication seed and a device identification of the vehicle access device to a server, and instructs the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
The execution content realizes the legality authentication of the vehicle access equipment based on the equipment identification of the vehicle access equipment; and based on the comparison of the authentication identification, the authentication identification in the vehicle is prevented from being illegally tampered, so that the safety verification of the accessed vehicle is realized.
In addition, the authentication key is stored in the server in the access verification process, and then the vehicle access equipment and the server perform data interaction, so that the authentication key does not need to be issued to the vehicle access equipment, the transmission of the authentication key is reduced, and the safety of the authentication key is improved.
Further, the information acquisition module includes: an information acquisition unit.
The information acquisition unit is used for acquiring a vehicle identifier and an authentication seed from a vehicle gateway in a vehicle, wherein the authentication seed is obtained by encrypting the vehicle identifier of the vehicle by the vehicle gateway according to an authentication key of the vehicle.
Further, the authentication seed is obtained by encrypting the authentication identification of the vehicle and the random number by the vehicle according to the authentication key of the vehicle;
correspondingly, the device further comprises:
a decryption module, configured to, after the authentication request comprising the vehicle identification, the authentication seed and the device identification of the vehicle access device is sent to the server, send the decrypted random number returned by the server to the vehicle, so that the vehicle unlocks the access right of the vehicle access device to the vehicle according to the result of comparing the random number used to generate the authentication seed with the decrypted random number, wherein the decrypted random number is obtained by the server decrypting the authentication seed with the queried authentication key.
Further, the authentication identifier is a gateway identifier of the vehicle.
Example seven
Fig. 10 is a schematic structural diagram of a safety protection device according to a seventh embodiment of the present invention. Referring to fig. 10, the safety protection device provided in this embodiment includes: an authentication request receiving module 201, an authentication module 202, an authentication identifier decryption module 203 and a permission unlocking module 204.
The authentication request receiving module 201 is configured to receive an authentication request which includes a vehicle identifier, an authentication seed, and a vehicle access device identifier and is sent by a vehicle access device;
an authentication module 202, configured to perform validity authentication on the vehicle access device based on the vehicle access device identifier included in the authentication request; the query module is used for querying the authentication key and the authentication identifier of the vehicle according to the vehicle identifier if the authentication is successful;
the authentication identifier decryption module 203 is configured to decrypt the authentication seed according to the authentication key to obtain a decrypted authentication identifier;
and the permission unlocking module 204 is used for comparing the inquired authentication identification with the decrypted authentication identification and unlocking the access permission of the vehicle access equipment to the vehicle according to the comparison result.
According to the technical solution of this embodiment of the invention, the legitimacy of the vehicle access device is authenticated based on the vehicle access device identifier, and the vehicle is security-verified by comparing the authentication identifier obtained by query with the decrypted authentication identifier. This realizes mutual authentication between the vehicle access device and the accessed vehicle.
Further, the authentication request receiving module includes: an authentication request receiving module unit.
The authentication request receiving module unit is configured to receive a vehicle identifier and an authentication seed acquired by the vehicle access device from a vehicle gateway, wherein the authentication seed is obtained by the vehicle gateway encrypting the authentication identifier of the vehicle according to an authentication key of the vehicle.
Further, the authentication identifier decryption module includes: an authentication identifier decryption unit.
The authentication identifier decryption unit is configured to decrypt the authentication seed according to the authentication key to obtain a decrypted authentication identifier and a decrypted random number.
Accordingly, the permission unlocking module includes: a permission unlocking unit.
The permission unlocking unit is used for comparing the inquired authentication identification with the decrypted authentication identification, and sending the decrypted random number to the vehicle access equipment according to the comparison result, so that the vehicle access equipment can unlock the access permission of the vehicle.
Further, the authentication identifier is a gateway identifier of the vehicle.
Example eight
Fig. 11 is a schematic structural diagram of a safety protection device according to an eighth embodiment of the present invention. Referring to fig. 11, the safety protection device provided in this embodiment includes: a response access request module 301 and an access right unlocking module 302.
The response access request module 301 is configured to send, in response to an access request of a vehicle access device, a vehicle identifier and an authentication seed of a local vehicle to the vehicle access device, where the vehicle access device sends the received vehicle identifier, the authentication seed, and the vehicle access device identifier to a server, where the server performs the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; according to the comparison result of the decrypted authentication identification and the inquired authentication identification, sending an access instruction to the vehicle access equipment;
and the access right unlocking module 302 is configured to unlock the access right of the vehicle access device to the local vehicle according to the access instruction sent by the vehicle access device.
According to the technical scheme of the embodiment of the invention, the vehicle identification and the authentication seed of the local vehicle are sent to the vehicle access equipment by responding to the access request of the vehicle access equipment; and then unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction. Therefore, the access of the local vehicle is limited, and the safety of the network information in the vehicle is improved.
Further, the authentication seed is obtained by encrypting the authentication identification of the vehicle and the random number by the vehicle gateway of the local vehicle according to the authentication key of the vehicle.
Further, the authentication identifier is a gateway identifier of the local vehicle.
Further, the authentication seed is obtained by encrypting the authentication identifier and the random number of the vehicle by the vehicle gateway of the local vehicle according to the authentication key of the vehicle;
accordingly, the access right unlocking module comprises:
and the access authority unlocking unit is used for unlocking the access authority of the vehicle access equipment to the local vehicle if the random number obtained by decryption included in the access instruction is consistent with the random number for generating the authentication seed.
Further, the apparatus further comprises:
the response key injection module is used for responding to the key injection request of the key injection equipment before the vehicle identification and the authentication seed of the local vehicle are sent to the vehicle access equipment in response to the access request of the vehicle access equipment, sending the vehicle identification and the authentication identification to the key injection equipment, and generating an authentication key by the key injection equipment according to the vehicle identification and the authentication identification;
and the key storage module is used for storing the authentication key.
Further, the apparatus further comprises: a key factor receiving module and a key decryption module.
The key factor receiving module is configured to receive a key factor sent by a key injection device before the authentication key is stored, where the key factor is generated by the key injection device according to the authentication key and a setting specification;
and the key decryption module is used for generating the authentication key according to the specification and the received key factor.
Example nine
Fig. 12 is a schematic structural diagram of a safety protection device according to a ninth embodiment of the present invention. Referring to fig. 12, the safety protection device provided in this embodiment includes: a key injection module 401, an authentication key generation module 402, and an authentication key writing module 403.
The key injection module 401 is configured to send a key injection request including a vehicle identifier and an authentication identifier to a vehicle;
an authentication key generation module 402, configured to generate an authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle;
and an authentication key writing module 403, configured to send a key writing instruction to the vehicle based on the authentication key, so that the vehicle performs a writing operation on the authentication key.
According to the technical scheme of the embodiment of the invention, the authentication key is generated according to the vehicle identifier and the authentication identifier returned by the vehicle. Because the vehicle identification is a unique identification of the vehicle, each vehicle is made to have a unique authentication key. Thus, even if the authentication key of one vehicle is cracked, the intruder still cannot acquire the authentication keys of other vehicles.
Further, the apparatus further comprises: a key factor generation module.
The key factor generation module is used for generating a key factor according to the generated authentication key and the set specification after generating the authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle;
correspondingly, the authentication key writing module comprises an authentication key writing unit.
And the authentication key writing unit is used for sending a key writing instruction to the vehicle based on the generated key factor, so that the vehicle generates the authentication key based on the specification and the key factor and stores the authentication key.
The safety protection device provided by the embodiment of the invention can execute the safety protection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example ten
Fig. 13 is a schematic structural diagram of an apparatus provided in the tenth embodiment of the present invention. FIG. 13 illustrates a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 13 is only an example and should not impose any limitation on the functionality and scope of use of embodiments of the present invention.
As shown in FIG. 13, device 12 is embodied in the form of a general purpose computing device. The components of device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 13 and commonly referred to as a "hard drive"). Although not shown in FIG. 13, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28. Such program modules 42 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may include an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with device 12, and/or with any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with the other modules of the device 12 over the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
The processing unit 16 executes various functional applications and data processing, such as implementing the security methods provided by embodiments of the present invention, by executing programs stored in the system memory 28.
Example eleven
The eleventh embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the security protection method according to any one of the first to third embodiments of the present invention.
Computer storage media for embodiments of the present invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (22)

1. A safety protection method is applied to a vehicle access device, and is characterized by comprising the following steps:
obtaining a vehicle identification and an authentication seed from a vehicle;
sending an authentication request including the vehicle identification, the authentication seed, and a device identification of the vehicle access device to a server, instructing the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identification and the inquired authentication identification; the authentication identification is a gateway identification of the vehicle.
2. The method of claim 1, wherein the obtaining a vehicle identification and an authentication seed from a vehicle comprises:
and acquiring a vehicle identifier and an authentication seed from a vehicle gateway in the vehicle, wherein the authentication seed is obtained by encrypting the authentication identifier of the vehicle by the vehicle gateway according to an authentication key of the vehicle.
3. The method of claim 1, wherein the authentication seed is obtained by the vehicle encrypting an authentication identifier of the vehicle and a random number according to an authentication key of the vehicle;
correspondingly, after the sending of the authentication request including the vehicle identification, the authentication seed and the device identification of the vehicle access device to the server, the method further includes: and sending the decrypted random number returned by the server to the vehicle, and unlocking the access authority of the vehicle access equipment to the vehicle by the vehicle according to a comparison result of the random number for generating the authentication seed and the random number obtained by decryption, wherein the random number obtained by decryption is obtained by decrypting the authentication seed by the server according to the inquired authentication key.
4. A safety protection method is applied to a server, and is characterized by comprising the following steps:
receiving an authentication request which is sent by a vehicle access device and comprises a vehicle identifier, an authentication seed and the vehicle access device identifier;
legality authentication is carried out on the vehicle access equipment based on the vehicle access equipment identification included in the authentication request;
if the authentication is successful, inquiring an authentication key and an authentication identifier of the vehicle according to the vehicle identifier;
decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier;
comparing the inquired authentication identification with the decrypted authentication identification, and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result; the authentication identification is a gateway identification of the vehicle.
5. The method of claim 4, wherein receiving the vehicle identification and the authentication seed obtained by the vehicle access device from the vehicle comprises:
and receiving a vehicle identification and an authentication seed which are acquired by the vehicle access equipment from the vehicle gateway, wherein the authentication seed is obtained by encrypting the authentication identification of the vehicle by the vehicle gateway according to an authentication key of the vehicle.
6. The method according to claim 4, wherein the decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier comprises:
decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier and a decrypted random number;
correspondingly, comparing the authentication identification obtained by inquiry with the decrypted authentication identification, and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result, comprising the following steps:
and comparing the inquired authentication identification with the decrypted authentication identification, and sending the decrypted random number to the vehicle access equipment according to the comparison result so that the vehicle access equipment can unlock the access authority of the vehicle.
7. A safety protection method is applied to a vehicle, and is characterized by comprising the following steps:
in response to an access request of a vehicle access device, transmitting a vehicle identification and an authentication seed of a local vehicle to the vehicle access device, and transmitting the received vehicle identification, the authentication seed and the vehicle access device identification to a server by the vehicle access device, so that the server performs the following steps: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; generating an access instruction according to a comparison result of the decrypted authentication identifier and the inquired authentication identifier; the authentication identification is a gateway identification of the local vehicle;
and unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction.
8. The method of claim 7, wherein the authentication seed is obtained by a vehicle gateway of the local vehicle encrypting an authentication identification of the vehicle according to an authentication key of the vehicle.
9. The method of claim 7, wherein the authentication seed is obtained by encrypting an authentication identifier of the vehicle and a random number by a vehicle gateway of the local vehicle according to an authentication key of the vehicle;
correspondingly, the unlocking the access right of the vehicle access equipment to the local vehicle according to the access instruction comprises the following steps:
and if the random number obtained by decryption included in the access instruction is consistent with the random number for generating the authentication seed, unlocking the access authority of the vehicle access equipment to the local vehicle.
10. The method of claim 7, wherein prior to sending the vehicle identification and authentication seed of the local vehicle to the vehicle access device in response to the vehicle access device's access request, further comprising:
responding to a key injection request of the key injection equipment, sending a vehicle identifier and an authentication identifier to the key injection equipment, and generating an authentication key by the key injection equipment according to the vehicle identifier and the authentication identifier;
storing the authentication key.
11. The method of claim 10, wherein prior to storing the authentication key, further comprising:
receiving a key factor sent by key injection equipment, wherein the key factor is generated by the key injection equipment according to an authentication key and a set specification;
generating the authentication key based on the specification and the received key factor.
12. A security protection method applied to a key injection device is characterized by comprising the following steps:
sending a key injection request including a vehicle identification and an authentication identification to a vehicle; the authentication identification is a gateway identification of the local vehicle;
generating an authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle;
sending a key writing instruction to the vehicle based on the authentication key for the vehicle to perform writing operation on the authentication key;
the authentication key is used for enabling a vehicle gateway in the vehicle to encrypt an authentication identifier of the vehicle according to the authentication key to obtain an authentication seed;
the vehicle identification is used for enabling a server to inquire an authentication key and an authentication identification which are associated with the vehicle identification according to the vehicle identification after the vehicle access equipment is authenticated to be legal; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
13. The method of claim 12, wherein after generating the authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle, the method further comprises:
generating a key factor according to the generated authentication key and the set specification;
correspondingly, the sending of the key writing instruction to the vehicle based on the authentication key comprises:
and sending a key writing instruction to the vehicle based on the generated key factor, so that the vehicle generates the authentication key based on the specification and the key factor and stores the authentication key.
14. A safety shield apparatus, comprising:
the information acquisition module is used for acquiring a vehicle identifier and an authentication seed from a vehicle;
an authentication request module, configured to send an authentication request including the vehicle identifier, the authentication seed, and a device identifier of the vehicle access device to a server, instruct the server to perform the following: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identification and the inquired authentication identification; the authentication identification is a gateway identification of the vehicle.
15. The apparatus of claim 14, wherein the authentication seed is obtained by the vehicle encrypting an authentication identifier of the vehicle and a random number according to an authentication key of the vehicle;
correspondingly, the device further comprises:
and the decryption module is used for sending an authentication request comprising the vehicle identification, the authentication seed and the equipment identification of the vehicle access equipment to the server, then sending the decrypted random number returned by the server to the vehicle, and unlocking the access authority of the vehicle access equipment to the vehicle according to a comparison result of the random number generating the authentication seed and the decrypted random number, wherein the decrypted random number is obtained by decrypting the authentication seed by the server according to the inquired authentication key.
16. A safety shield apparatus, comprising:
the authentication request receiving module is used for receiving an authentication request which is sent by the vehicle access equipment and comprises a vehicle identifier, an authentication seed and the vehicle access equipment identifier;
the authentication module is used for carrying out legality authentication on the vehicle access equipment based on the vehicle access equipment identifier included in the authentication request; the query module is used for querying the authentication key and the authentication identification of the vehicle according to the vehicle identification if the authentication is successful;
the authentication identifier decryption module is used for decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier;
the authority unlocking module is used for comparing the inquired authentication identification with the decrypted authentication identification and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result; the authentication identification is a gateway identification of the vehicle.
17. The apparatus of claim 16, wherein the authentication identity decryption module comprises:
the authentication identifier decryption unit is used for decrypting the authentication seed according to the authentication key to obtain a decrypted authentication identifier and a decrypted random number;
accordingly, the permission unlocking module comprises:
and the permission unlocking unit is used for comparing the inquired authentication identification with the decrypted authentication identification, and sending the decrypted random number to the vehicle access equipment according to the comparison result so that the vehicle access equipment can unlock the access permission of the vehicle.
18. A safety shield apparatus, comprising:
the response access request module is used for responding to an access request of the vehicle access device, sending the vehicle identification and the authentication seed of the local vehicle to the vehicle access device, and sending the received vehicle identification, the authentication seed and the vehicle access device identification to the server by the vehicle access device for the server to execute the following steps: carrying out legality authentication on the vehicle access equipment according to the equipment identification; if the authentication is successful, inquiring an authentication key and an authentication identifier associated with the vehicle identifier according to the vehicle identifier; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; according to the comparison result of the decrypted authentication identification and the inquired authentication identification, sending an access instruction to the vehicle access equipment; the authentication identification is a gateway identification of the local vehicle;
and the access authority unlocking module is used for unlocking the access authority of the vehicle access equipment to the local vehicle according to the access instruction sent by the vehicle access equipment.
19. A safety shield apparatus, comprising:
the key injection module is used for sending a key injection request comprising a vehicle identifier and an authentication identifier to the vehicle;
the authentication key generation module is used for generating an authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle; the authentication identification is a gateway identification of the local vehicle;
the authentication key writing module is used for sending a key writing instruction to the vehicle based on the authentication key so that the vehicle can execute the writing operation of the authentication key;
the authentication key is used for enabling a vehicle gateway in the vehicle to encrypt an authentication identifier of the vehicle according to the authentication key to obtain an authentication seed;
the vehicle identification is used for enabling a server to inquire an authentication key and an authentication identification which are associated with the vehicle identification according to the vehicle identification after the vehicle access equipment is authenticated to be legal; decrypting the authentication seed by adopting the inquired authentication key to obtain a decrypted authentication identifier; and unlocking the access authority of the vehicle access equipment to the vehicle according to the comparison result of the decrypted authentication identifier and the inquired authentication identifier.
20. The apparatus of claim 19, further comprising:
the key factor generation module is used for generating a key factor according to the generated authentication key and the set specification after generating the authentication key according to the vehicle identifier and the authentication identifier returned by the vehicle;
accordingly, the authentication key writing module comprises:
and the authentication key writing unit is used for sending a key writing instruction to the vehicle based on the generated key factor, so that the vehicle can generate and store the authentication key based on the specification and the key factor.
21. A computer device, the device comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a method of safeguarding as recited in any of claims 1-3, 4-6, 7-11, or 12-13.
22. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of safeguarding as claimed in any one of claims 1 to 3, 4 to 6, 7 to 11 or 12 to 13.
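The exchange in claims 1 to 9 (seed generation at the vehicle gateway, relay by the vehicle access device, verification at the server, random-number comparison at the vehicle) can be traced end to end in the Python example below, which is added here and is not code from the patent. The claims name no cipher, so an HMAC-SHA256 keystream with a MAC tag stands in for the encryption; the class and function names, the sample identifiers and the 16-byte random number are all assumptions.

```python
import hashlib
import hmac
import secrets

RND_LEN = 16  # bytes in the vehicle's random number (assumed size)


def keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Stand-in cipher (not from the patent): HMAC-SHA256 keystream plus a MAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the blob is truncated or was modified."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class VehicleGateway:
    def __init__(self, vehicle_id, gateway_id, auth_key):
        self.vehicle_id, self.gateway_id, self.auth_key = vehicle_id, gateway_id, auth_key
        self.pending = None  # random number of the outstanding seed

    def access_request(self):
        """Claims 7 and 9: hand out the vehicle identification and a fresh seed."""
        self.pending = secrets.token_bytes(RND_LEN)
        seed = seal(self.auth_key, self.gateway_id.encode() + self.pending)
        return self.vehicle_id, seed

    def unlock(self, returned_rnd):
        """Claim 9: unlock only on a matching random number; each seed is single-use."""
        expected, self.pending = self.pending, None
        if expected is None or returned_rnd is None:
            return False
        return hmac.compare_digest(expected, returned_rnd)


class Server:
    def __init__(self, legal_devices, vehicles):
        self.legal_devices = set(legal_devices)
        self.vehicles = dict(vehicles)  # vehicle_id -> (auth_key, gateway_id)

    def authenticate(self, vehicle_id, seed, device_id):
        """Claims 4 and 6: return the decrypted random number, or None on any failure."""
        if device_id not in self.legal_devices:  # legality check comes first
            return None
        record = self.vehicles.get(vehicle_id)
        if record is None:
            return None
        auth_key, gateway_id = record
        plaintext = unseal(auth_key, seed)
        if plaintext is None or len(plaintext) <= RND_LEN:
            return None
        got_id, rnd = plaintext[:-RND_LEN], plaintext[-RND_LEN:]
        if not hmac.compare_digest(got_id, gateway_id.encode()):
            return None
        return rnd


def access(device_id, vehicle, server, tamper=False):
    """Claims 1 and 3: the vehicle access device relays between vehicle and server."""
    vehicle_id, seed = vehicle.access_request()
    if tamper:  # flip one ciphertext bit in transit
        seed = seed[:20] + bytes([seed[20] ^ 1]) + seed[21:]
    rnd = server.authenticate(vehicle_id, seed, device_id)
    return vehicle.unlock(rnd), rnd


def run_demo():
    key = secrets.token_bytes(32)  # constructed sample key and identifiers
    vehicle = VehicleGateway("VIN-SAMPLE-0001", "GW-SAMPLE-42", key)
    server = Server({"TOOL-A"}, {"VIN-SAMPLE-0001": (key, "GW-SAMPLE-42")})
    legal, old_rnd = access("TOOL-A", vehicle, server)
    unknown, _ = access("TOOL-X", vehicle, server)
    tampered, _ = access("TOOL-A", vehicle, server, tamper=True)
    vehicle.access_request()            # new seed, new random number
    replay = vehicle.unlock(old_rnd)    # value captured from the earlier session
    return {"legal": legal, "unknown_device": unknown, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

Because the vehicle draws a new random number for every seed, a value returned by the server in one session does not unlock a later one, which is the property the random number in claims 3, 6 and 9 adds over the plain identifier comparison.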
CN201811614183.0A 2018-12-27 2018-12-27 Safety protection method, device, equipment and medium Active CN109714171B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811614183.0A CN109714171B (en) 2018-12-27 2018-12-27 Safety protection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN109714171A CN109714171A (en) 2019-05-03
CN109714171B true CN109714171B (en) 2022-09-23

Family

ID=66258704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811614183.0A Active CN109714171B (en) 2018-12-27 2018-12-27 Safety protection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN109714171B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211018

Address after: 100176 101, floor 1, building 1, yard 7, Ruihe West 2nd Road, Beijing Economic and Technological Development Zone, Daxing District, Beijing

Applicant after: Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd.

Address before: 100085 Baidu Building, 10 Shangdi Tenth Street, Haidian District, Beijing

Applicant before: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) Co.,Ltd.

GR01 Patent grant