CN112019517A - Internet of vehicles authentication method and road side unit - Google Patents
Internet of vehicles authentication method and road side unit Download PDFInfo
- Publication number
- CN112019517A CN112019517A CN202010773439.3A CN202010773439A CN112019517A CN 112019517 A CN112019517 A CN 112019517A CN 202010773439 A CN202010773439 A CN 202010773439A CN 112019517 A CN112019517 A CN 112019517A
- Authority
- CN
- China
- Prior art keywords
- vehicle
- service
- unit
- request message
- road side
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
The embodiment of the invention provides an Internet of vehicles authentication method and a road side unit, relates to the technical field of Internet of vehicles, and can avoid multiple times of authentication of vehicles when a plurality of vehicle services are called, so that the expenditure of vehicle authentication is reduced. The method comprises the following steps: the road side unit receives a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes the authentication. The invention is used for the authentication of the Internet of vehicles.
Description
Technical Field
The invention relates to the technical field of Internet of vehicles, in particular to an Internet of vehicles authentication method and a road side unit.
Background
With the development of traffic roads and the increasing number of vehicles, efficient and intelligent traffic transportation strategies become more important. In order to provide an efficient and intelligent transportation strategy, intelligent transportation is developed. In the intelligent traffic field, the car networking technology can provide high-efficient, safe guide for the vehicle to the operation of vehicle provides diversified vehicle service.
At present, when a vehicle accesses the internet of vehicles to call various vehicle services, authentication with a Road Side Unit (RSU) is required, and service providers providing the vehicle services need to be authenticated one by one, which causes high cost of vehicle authentication and complex authentication process.
Disclosure of Invention
The embodiment of the invention provides an Internet of vehicles authentication method and a road side unit, which can avoid multiple times of authentication of a vehicle when a plurality of vehicle services are called, and reduce the expense of vehicle authentication.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, a vehicle networking authentication method is provided and applied to a vehicle networking system, wherein the vehicle networking system comprises an on-board unit, a road side unit and at least one vehicle service provider; the method comprises the following steps: the road side unit receives a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes the authentication.
In a second aspect, there is provided a road side unit comprising: the receiving module is used for receiving a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and the authentication module is used for determining that the vehicle-mounted unit passes the authentication when the identity identifier received by the receiving module and the first service identifier set are determined to accord with a set formula.
In a third aspect, a road side unit is provided, comprising: a memory, a processor, a bus, and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; when the road side unit runs, the processor executes the computer execution instructions stored in the memory, so that the road side unit executes the vehicle networking authentication method provided by the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, comprising: the computer executes the instructions, and when the computer executes the instructions to run on the computer, the computer executes the internet of vehicles authentication method provided by the first aspect.
The vehicle networking authentication method provided by the embodiment of the invention is applied to a vehicle networking system, wherein the vehicle networking system comprises a vehicle-mounted unit, a road side unit and at least one vehicle service provider; the method comprises the following steps: the road side unit receives a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes the authentication. In the vehicle network authentication method provided by the embodiment of the invention, when a vehicle calls a vehicle service, a vehicle-mounted unit sends a service request message to a road side unit, and the road side unit completes the authentication of the vehicle according to information carried by the service request message; the service request message comprises the identity of the vehicle and a first service identifier set of the vehicle service needing to be called, when the identity of the vehicle and the first service identifier set accord with a set formula, the road side unit completes authentication of the vehicle, at the moment, the vehicle can call the corresponding vehicle service through the road side unit, namely, the vehicle only needs to carry out authentication once to the road side unit when calling multiple vehicle services, and does not need to carry out authentication to each vehicle service provider any more, so that the authentication times when the vehicle calls the vehicle service are reduced, and the expense of vehicle authentication is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic view of a communication architecture of a car networking system according to an embodiment of the present invention;
fig. 2 is a first schematic flowchart of a vehicle networking authentication method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a second method for authenticating the internet of vehicles according to an embodiment of the present invention;
fig. 4 is a third schematic flowchart of a vehicle networking authentication method according to an embodiment of the present invention;
fig. 5 is a fourth schematic flowchart of a vehicle networking authentication method according to an embodiment of the present invention;
fig. 6 is a first schematic structural diagram of a roadside unit according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a roadside unit according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a roadside unit according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of another roadside unit according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the words "first", "second", and the like are used for distinguishing the same items or similar items with basically the same functions and actions, and those skilled in the art can understand that the words "first", "second", and the like are not limited in number or execution order.
Along with the rapid development of transportation, the improvement of transportation efficiency and the guarantee of road driving safety are important links in transportation. The conventional vehicle driving strategy is generally that a driver makes corresponding driving behaviors (such as braking, turning and the like) according to traffic conditions in a visual field, and the driving strategy made by the driver may not be an optimal strategy due to the limits of instinct and reaction speed of the driver. In order to make an optimal driving strategy, the technology of intelligent transportation vehicle networking is developed. The vehicle network technology can make corresponding driving strategies according to various information (such as road surface states, front and rear vehicle distances, traffic signal light indication and the like) of road traffic, and provides an efficient and safe driving scheme for vehicles. In addition, in order to improve the driving experience of the vehicle, the car networking technology can also provide various services (such as navigation, parking space searching and the like) for the vehicle, and the vehicle can realize various services through data interaction between the road side unit and the vehicle service provider.
When a vehicle performs data interaction with a road side unit and a vehicle service provider, the vehicle needs to be authenticated in order to ensure the safety, accuracy and real-time performance of data. In the current authentication scheme, when a vehicle uses multiple vehicle services, authentication needs to be performed not only to the road side unit, but also to providers of the vehicle services one by one, and the authentication process is complex. And because the vehicle has higher mobility, the current authentication scheme cannot meet the requirement of low time delay when the vehicle requests service.
In view of the foregoing problems, an embodiment of the present invention provides a communication architecture of a car networking system, as shown in fig. 1, including: an On Board Unit (OBU), a roadside unit, at least one Vehicular Service Provider (VSP), and a Trusted Authority (TA).
The vehicle-mounted unit is a vehicle-mounted communication platform and can perform data interaction with the road side unit, the vehicle service provider, the trust authority and other vehicle-mounted units; the on-board unit may obtain the driving strategy from the road side unit, may obtain corresponding vehicle services from a vehicle service provider, and may obtain driving information of other vehicles from other on-board units. Of course, the vehicle-mounted unit may also include other functions in the conventional technical means in the field, and the description of the embodiment of the present invention is omitted.
The road side unit can perform data interaction with road side intelligent equipment (such as laser radar, traffic signal indicator lights and the like) to acquire road traffic information, such as vehicle positions, road traffic quantity and the like; the road side unit can also perform data interaction with the vehicle-mounted unit, the vehicle service provider and the trust authority; the road side unit can acquire vehicle running information such as running speed, position and the like from the vehicle-mounted unit; the service information provided by the vehicle service provider can be obtained from the vehicle service provider and authenticated; a service identification corresponding to the registered vehicle service may also be obtained from the trust authority. Of course, the roadside unit may also be used as a data center for calculating various acquired information and acquiring a transportation strategy, such as a driving strategy of a vehicle.
Vehicle service providers are used to provide vehicle services such as navigation services, parking lot search services, and the like; the vehicle service provider can perform data interaction with the vehicle-mounted unit to realize the authentication of the vehicle-mounted unit; and the system can also perform data interaction with the road side unit to realize authentication to the road side unit, so that service is provided for the vehicle-mounted unit through the road side unit.
The trust authority is used for providing encryption service for the vehicle-mounted unit, the road side unit and the vehicle service provider and providing an encryption key for the vehicle-mounted unit, the road side unit and the vehicle service provider; the trust mechanism is also used for providing registration service for the vehicle-mounted unit and the road side unit, and avoids illegal access of the vehicle-mounted unit and the road side unit to the Internet of vehicles.
It should be noted that, the on-board unit, the road side unit and the vehicle service provider provided by the embodiment of the present invention are all installed with a tamper-resistant device (TPD) for ensuring data security of each node of the vehicle networking device. Various data information in the on-board unit, the road side unit and the vehicle service provider are stored in corresponding anti-tampering equipment.
It should be noted that, because the on-board unit provides a platform for vehicle communication, the on-board unit herein refers to a vehicle; the vehicle service provider herein actually means a server that provides a service. The vehicle-mounted unit and the road side unit may communicate with each other through a mobile cellular network, may also communicate with each other through a Dedicated Short Range Communication (DSRC) technology, and may also communicate with each other through other manners, which is not limited in the embodiment of the present invention. The road side unit can communicate with a vehicle service provider and a trust mechanism through a wired network, and can also communicate through a wireless network such as a mobile cellular network and the like; the vehicle unit may communicate with the vehicle service provider and the trust authority over a wireless network.
According to the communication architecture of the car networking system, an embodiment of the present invention provides a vehicle authentication method, as shown in fig. 2, including:
s101, the vehicle-mounted unit sends a service request message to the road side unit.
The service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first set of service identities comprises at least one first service identity indicating a vehicle service requested by the on-board unit.
Specifically, the service request message sent by the on-board unit may be mm,mmIncluding the time stamp t of the service request message transmissionmInitial service request message rmFirst key λiSigning service request message SmAnd anonymous identity PID, i.e. m, of the on-board unitm={rm,tm,λi,Sm,PID}。
When the on-board unit requests a plurality of vehicle services, the service identifiers of the plurality of vehicle services may be set into the initial service request message, i.e. the initial service request message includes at least one first service identifier, the initial service request message rm=RSID,
RSIDNamely a first service identification set, and the SID is a second service identification set, and the second service identification set includes service identifications corresponding to vehicle services provided by all vehicle service providers.
After the on-board unit generates the initial service request message, the on-board unit also needs to sign the initial service request message, so that the roadside unit can trace the on-board unit requesting the service. On-board unit to initial service request message rmAfter signing, a signed service request message S can be obtainedm,SmCan be as follows:
Sm=H3(PID||tm||λi||rm)·ci+ski;
ski=k·H2(PID)modp+ri;
PID={PID1,PID2};
PID1=ri·P;
wherein H3As a hash function, H3:{0,1}*×{0,1}*×G×{0,1}*→Zp,ZpIs [1, p-1 ]]The group G is a cyclic addition group of order P, and P is a generator of the group G; skiPrivate key generated for on-board unit, k being trustA master key generated by the organization; the PID is an anonymous identity generated by the vehicle-mounted unit, and comprises the PID1And PID2,riIs a random number, and is a random number,
is a positive integer set; VID is the identity, P, generated by the trust authority for the on-board unitpubA public key generated for a trust authority; h1As a hash function, H1:G→Zp;λiFirst key generated for the on-board unit from the generator P for signing the service request message SmEncryption is performed.
It should be noted that, the on-board unit stores a second set of service identifiers, and the first service identifier may be determined by the on-board unit from the second set of service identifiers stored therein. The process of generating the service request message by the on-board unit can be completed by the tamper-resistant device installed therein, such as the generation of the anonymous identity of the on-board unit and the signature of the initial service request message; the vehicle-mounted unit is used for sending the service request message generated by the tamper-proof equipment to the road side unit.
S102, the road side unit receives the service request message sent by the vehicle-mounted unit.
Specifically, after receiving the service request message, the rsu may send an initial service request message r carried by the rsumAnd obtaining a first service identification set, namely obtaining first service identifications corresponding to a plurality of vehicle services requested by the vehicle-mounted unit. Of course, the road side unit may also obtain the anonymous identity PID of the vehicle-mounted unit, signature service request message S from the service request messagemTime stamp t of service request message transmissionmAnd a first key lambdai。
S103, if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes authentication.
Specifically, the road side unit stores a second service identification set, the second service identification set comprises at least one second service identification, and the second service identification is used for indicating vehicle service provided by at least one vehicle service provider.
After obtaining the first service identifier set and the anonymous identity identifier PID of the on-board unit, the road side unit needs to determine whether the on-board unit has the authority to invoke the corresponding vehicle service, that is, to authenticate the on-board unit. The authentication of the road side unit to the vehicle-mounted unit can be carried out by the following set formula:
Sm·P=H3(PID||tm||λi||rm)·λi+PID1+H2(PID)·Ppub;
wherein S ismFor signing service request messages, P is the generator of group G, PID and PID1Signature information for the on-board unit, which may also be referred to as anonymous identity, t, generated by the on-board unitmIs a time stamp, lambda, of a service request messageiFirst secret key, r, generated for the on-board unitmFor initial service request messages, PpubPublic keys generated for trust authorities, H2And H3Is a hash function;
H2:G→Zp,H3:{0,1}*×{0,1}*×G×{0,1}*→Zp。
Zpis [1, p-1 ]]The group G is a cyclic addition group of order p.
And if each parameter in the service request message meets the set formula, determining that the vehicle-mounted unit passes the authentication. The derivation of the above setting formula can be as follows:
Sm·P=[H3(PID||tm||λi||rm)·ci+ski]·P
=H3(PID||tm||λi||rm)·ci·P+ski·P
=H3(PID||tm||λi||rm)·λi+[k·H2(PID)modp+ri]·P。
=H3(PID||tm||λi||rm)·λi+H2(PID)Ppub·modp+PID1
=H3(PID||tm||λi||rm)·λi+H2(PID)Ppub+PID1
in the elliptic curve algorithm, the public key PpubCan be determined by the master key k and the generator P, i.e. k · P ═ Ppub. The mod calculation in elliptic curve algorithms is to make the number multiplied by P fall within the finite field ZPIn due to finite field ZPThe value in (1) is multiplied by P and then mod calculation is carried out, and the result is the same as the result of directly multiplying the value by P, so the mod calculation is not carried out in the derivation process. Meanwhile, reducing the modp calculation can also reduce the algorithm overhead.
It should be noted that, like the on-board unit, the authentication process of the road side unit to the on-board unit is also completed by the tamper-proof device installed therein. After the on-board unit sends the service request message to the road side unit, if the on-board unit does not obtain the corresponding vehicle service within the time limit of the second threshold, the on-board unit may send the service request message to the road side unit again, and update the timestamp of the service request message.
And S104, if the road side unit determines that the identity identifier and the first service identifier set do not accord with a set formula, determining that the vehicle-mounted unit fails to authenticate.
Specifically, if each parameter in the service request message does not satisfy the above-described setting formula, it may be determined that the in-vehicle unit authentication has failed.
It should be noted that, when the roadside unit fails to authenticate the vehicle-mounted unit, the roadside unit may return a first response message to the vehicle-mounted unit, indicating that the vehicle-mounted unit fails to authenticate. Optionally, when the authentication of the vehicle-mounted unit fails, the roadside unit may determine the reason of the authentication failure, for example, the service called by the vehicle-mounted unit does not exist; when the road side unit determines the reason of the authentication failure of the vehicle-mounted unit, the reason of the failure can be sent to the vehicle-mounted unit through a first response message.
In the embodiment of the invention, the road side unit stores the second service identification set, the service request message sent by the vehicle-mounted unit comprises the first service identification set, and the road side unit can check the service request message through a set formula and can finish the authentication of the vehicle-mounted unit when the set formula is established. In the set formula, the road side unit checks the first service identification set, the authentication process of requesting multiple vehicle services for the vehicle-mounted unit is completed once, only one message overhead is needed, the vehicle-mounted unit does not need to authenticate each corresponding vehicle service provider one by one, the message overhead is reduced, and the authentication efficiency of the vehicle-mounted unit is improved.
Optionally, as shown in fig. 3, after step S103, the method further includes:
s105, if the road side unit determines that the time difference between the time stamp of the service request message and the current time is larger than or equal to a first threshold value, discarding the service request message.
Specifically, due to the influence of factors such as network delay and signal quality, after the vehicle-mounted unit sends the service request message, the receiving delay of the rsu may be relatively large, and at this time, the vehicle-mounted unit may have left the coverage of the rsu, or no longer needs corresponding vehicle service. Therefore, after receiving the service request message, the road side unit may determine a time difference between the time of transmission of the service request message and the current time, that is, a time difference between the time stamp of the service request message and the current time. The timestamp of the service request message is used for indicating the time of sending the service request message, and the current time is used for indicating the time of receiving the service request message by the road side unit.
If the time difference is greater than or equal to the first threshold, the road side unit discards the service request message and no longer provides vehicle service for the vehicle-mounted unit.
It should be noted that, in a possible implementation manner, after discarding the service request message, the roadside unit may return a second response message to the on-board unit, where the second response message is used to indicate that the service request fails. Of course, if the on board unit has left the coverage of the rsu, the rsu no longer returns the second response message to the on board unit. Step S105 may be executed after the rsu completes authentication of the on-board unit, or may be executed after the rsu service request message, that is, before step S103, which is not limited in the embodiment of the present invention.
According to the embodiment of the invention, the road side unit judges whether to provide the vehicle service for the vehicle-mounted unit or not according to the timestamp of the service request message, the time difference of the current time and the first threshold, so that unnecessary message overhead caused by the fact that the vehicle-mounted unit leaves the coverage range of the road side unit or does not need corresponding vehicle service any more due to the influence of factors such as network delay and the like can be avoided.
Optionally, as shown in fig. 4, before step S101, the method further includes:
s201, the vehicle service provider sends an authentication request message to the road side unit.
Wherein the authentication request message includes a third service identification indicating the vehicle service provided by the vehicle service provider.
Specifically, in the embodiment of the present invention, the road side unit not only needs to authenticate the on-board unit, but also needs to authenticate the vehicle service provider, so that the on-board unit can call the vehicle service provided by the vehicle service provider through the road side unit.
When the vehicle service provider sends the authentication request message to the road side unit, the third service identifier carried by the vehicle service provider needs to be encrypted, if the third service identifier is an SID1The secret key is KsThe encrypted third service identifier may be identified as Ks(SID1)。
It should be noted that, here, the key KsAssigned to the vehicle service providers by the trust authority according to the generator P of the group G, different vehicle service providers having different keys Ks。
S202, the road side unit receives an authentication request message sent by at least one vehicle service provider.
Specifically, a public key P distributed by a trust authority is stored in the road side unitpubAfter receiving the authentication request message, the rsu may use the public key PpubAnd decrypting the encrypted third service identifier to obtain the third service identifier.
S203, if the road side unit determines that the third service identifier is matched with the second service identifier set, the vehicle service provider is determined to pass the authentication.
Specifically, the second service identification set SID ═ { SID ═ SID1,SID2,SID3,...,SIDwThat is, the second service id set may include a plurality of second service ids, which are SID ids respectively1,SID2,SID3,...,SIDwWhen the vehicle service provider provides only one vehicle service, w may be used to indicate the number of vehicle service providers; when a vehicle service provider provides multiple vehicle services, w may be used to indicate the number of vehicle services.
If the third service identifier carried in the authentication request message can be determined in the second service identifier set, it is determined that the vehicle service provider is authenticated, and if the third service identifier is 0215sr and the second service identifier set SID {0151sr, 5115sr, 2691sr, 0215sr }, the roadside unit may determine that the second service identifier set includes the third service identifier, and the roadside unit may authenticate the vehicle service provider.
It should be noted that, if the vehicle networking architecture includes a plurality of vehicle service providers, all of the vehicle service providers need to authenticate the road side unit, and after the authentication is passed, the vehicle service may be provided to the vehicle mounted unit.
The embodiment of the invention provides a process of authenticating a vehicle service provider by a road side unit, and can avoid the information leakage of a vehicle-mounted unit caused by the fact that an illegal vehicle service provider provides vehicle service to the vehicle-mounted unit.
Optionally, as shown in fig. 5, before step S201, the method further includes:
s301, initializing a trust authority.
Specifically, in the embodiment of the present invention, an initialization process is a process in which a trust authority generates system parameters, and the system parameters are specifically generated by an elliptic curve of a finite field, and the specific process is as follows:
randomly selecting a large prime number q, and constructing a finite field F consisting of the large prime number pqElliptic curve E above, elliptic curve E is as follows:
E:y2=x3+mx+n(modq) m,n∈Fq。
and m and n are parameters on the elliptic curve E.
The trust mechanism can select a generation element P of P-order on the elliptic curve E and construct a cyclic addition group G according to the generation element P.
The trust authority selects a random number k as the master key of the system, and the public key can be Ppub,Ppub=k×P;
Is a positive integer set.
The trust authority may also generate three hash functions H1,H2,H3And H is1:G→Zp,H2:G→Zp,H3:{0,1}*×{0,1}*×G{0,1}*→Zp,ZpIs an integer set.
The system parameter D may be: d ═ q, P, m, n, Ppub,H1,H2,H3}。
S302, the vehicle service provider registers with the trust authority.
In particular, a first registration message may be sent to the trust authority upon registration of the vehicle service provider, and the first registration message may include a hardware identification of the vehicle service provider. The vehicle service provider is actually a server providing the vehicle service, and therefore, the hardware identifier of the vehicle service provider can also be the hardware identifier of the server.
After receiving the first registration message, the trust authority may generate a corresponding second service identifier according to a hardware identifier of the vehicle service provider carried by the trust authority, where the second service identifier may be used to indicate the vehicle service provided by the vehicle service provider.
And after the trust authority generates the second service identifier, returning the second service identifier to the vehicle service provider, namely completing the registration of the vehicle service provider.
It should be noted that, when the trust authority returns the second service identifier to the vehicle service provider, the system parameter may also be sent to the vehicle service provider at the same time. Since multiple vehicle service providers may be included in the vehicle networking architecture, during registration of a vehicle service provider, the trust authority may generate multiple second service identifications, and thus generate a second set of service identifications. After the trust authority generates the second service identifier set, the second service identifier set may be sent to the road side unit.
S303, registering the vehicle-mounted unit with the trust authority.
Specifically, the registration process of the on board unit is the same as the registration process of the vehicle service provider, and the on board unit may send a second registration message to the trust authority, where the second registration message may include a hardware identifier of the on board unit.
After receiving the second registration message, the trust authority may generate a corresponding identity VID according to a hardware identifier of the vehicle-mounted unit carried by the trust authority, where the identity VID may be used to indicate an identity of the vehicle-mounted unit.
After the trust organization generates the identification VID, the identification VID is returned to the vehicle-mounted unit, namely the registration of the vehicle service provider is completed.
It should be noted that, when the trust authority returns the identity VID to the on-board unit, the system parameter, the master key k, and the second service identifier set may also be simultaneously sent to the on-board unit. Optionally, the trust authority may further return a password PWD to the on-board unit, so that when the on-board unit accesses the corresponding tamper-resistant device, the tamper-resistant device authenticates the on-board unit according to the identity and the password of the on-board unit; when the tamper-proof device passes the authentication (the identity and the password of the vehicle-mounted unit are correct), the vehicle-mounted unit can access the stored data information.
According to the embodiment of the invention, the vehicle-mounted unit and the vehicle service provider are registered by the trust authority, corresponding identification information is provided for the vehicle-mounted unit and the vehicle service provider, the condition that the illegal vehicle-mounted unit and the illegal vehicle service provider are accessed into the vehicle network, further information leakage of the vehicle-mounted unit is caused, illegal services provided by the illegal vehicle service provider are avoided, and the accuracy and the safety of the information in the vehicle network are ensured.
The Internet of vehicles authentication method provided by the embodiment of the invention comprises the following steps: the road side unit receives a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes the authentication. In the vehicle network authentication method provided by the embodiment of the invention, when a vehicle calls a vehicle service, a vehicle-mounted unit sends a service request message to a road side unit, and the road side unit completes the authentication of the vehicle according to information carried by the service request message; the service request message comprises the identity of the vehicle and a first service identifier set of the vehicle service needing to be called, when the identity of the vehicle and the first service identifier set accord with a set formula, the road side unit completes authentication of the vehicle, at the moment, the vehicle can call the corresponding vehicle service through the road side unit, namely, the vehicle only needs to carry out authentication once to the road side unit when calling multiple vehicle services, and does not need to carry out authentication to each vehicle service provider any more, so that the authentication times when the vehicle calls the vehicle service are reduced, and the expense of vehicle authentication is reduced.
As shown in fig. 6, an embodiment of the present invention provides a roadside unit 40, including:
a receiving module 401, configured to receive a service request message sent by an onboard unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first set of service identities comprises at least one first service identity indicating a vehicle service requested by the on-board unit.
And the authentication module 402 is configured to determine that the onboard unit passes the authentication when it is determined that the identity and the first service identifier set received by the receiving module 401 conform to a set formula.
The above-mentioned setting formula is:
Sm·P=H3(PID||tm||λi||rm)·λi+PID1+H2(PID)·Ppub;
wherein S ismFor signing service request messages, P is the generator of group G, PIDiAnd
signature information for the on-board unit, tmIs a time stamp, lambda, of a service request messageiFirst secret key, r, generated for the on-board unitmFor initial service request messages, PpubPublic keys generated for trust authorities, H2And H3Is a hash function.
H2:G→Zp,H3:{0,1}*×{0,1}*×G×{0,1}*→Zp。
ZpIs [1, p-1 ]]The group G is a cyclic addition group of order p.
Optionally, as shown in fig. 7, the roadside unit 40 further includes a storage module 403.
A storage module 403, configured to store the second service identifier set; the second set of service identities includes at least one second service identity indicating vehicle services provided by at least one vehicle service provider.
A receiving module 401, further configured to receive an authentication request message sent by at least one vehicle service provider; the authentication request message includes a third service identification indicating a vehicle service provided by the vehicle service provider.
The authentication module 402 is further configured to determine that the vehicle service provider is authenticated when it is determined that the third service identifier received by the receiving module 401 matches the second service identifier set.
Optionally, as shown in fig. 8, the roadside unit 40 further includes a detection module 404.
A detecting module 404, configured to discard the service request message when determining that a time difference between the timestamp of the service request message and the current time is greater than or equal to a first threshold.
The embodiment of the invention provides a road side unit, which comprises: the receiving module is used for receiving a service request message sent by the vehicle-mounted unit; the service request message comprises an identity identifier of the vehicle-mounted unit and a first service identifier set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit; and the authentication module is used for determining that the vehicle-mounted unit passes the authentication when the identity identifier received by the receiving module and the first service identifier set are determined to accord with a set formula. The road side unit provided by the embodiment of the invention completes vehicle authentication according to the information carried by the service request message after receiving the service request message sent by the vehicle-mounted unit; the service request message comprises the identity of the vehicle and a first service identifier set of the vehicle service needing to be called, when the identity of the vehicle and the first service identifier set accord with a set formula, the road side unit completes authentication of the vehicle, at the moment, the vehicle can call the corresponding vehicle service through the road side unit, namely, the vehicle only needs to carry out authentication once to the road side unit when calling multiple vehicle services, and does not need to carry out authentication to each vehicle service provider any more, so that the authentication times when the vehicle calls the vehicle service are reduced, and the expense of vehicle authentication is reduced.
Referring to fig. 9, an embodiment of the present invention further provides another roadside unit, which includes a memory 51, a processor 52, a bus 53, and a communication interface 54; the memory 51 is used for storing computer execution instructions, and the processor 52 is connected with the memory 51 through a bus 53; when the road side unit is running, the processor 52 executes the computer execution instructions stored by the memory 51 to cause the road side unit to perform the vehicle networking authentication method as provided in the above embodiments.
In particular implementations, processor 52(52-1 and 52-2) may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 9, for example, as one embodiment. And as an example, the road side unit may include a plurality of processors 52, such as processor 52-1 and processor 52-2 shown in fig. 9. Each of the processors 52 may be a single-Core Processor (CPU) or a multi-Core Processor (CPU). Processor 52 may refer herein to one or more devices, circuits, and/or processing cores that process data (e.g., computer program instructions).
The memory 51 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 51 may be self-contained and coupled to the processor 52 via a bus 53. The memory 51 may also be integrated with the processor 52.
In a specific implementation, the memory 51 is used for storing data in the present application and computer-executable instructions corresponding to software programs for executing the present application. The processor 52 may perform various functions of the road side unit by running or executing software programs stored in the memory 51 and invoking data stored in the memory 51.
The communication interface 54 is any device, such as a transceiver, for communicating with other devices or communication networks, such as a control system, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), and the like. The communication interface 54 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The bus 53 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an extended ISA (enhanced industry standard architecture) bus, or the like. The bus 53 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The embodiment of the invention further provides a computer-readable storage medium, which includes a computer execution instruction, and when the computer execution instruction runs on a computer, the computer is enabled to execute the internet of vehicles authentication method provided by the above embodiment.
The embodiment of the invention also provides a computer program which can be directly loaded into the memory and contains software codes, and the computer program can realize the internet of vehicles authentication method provided by the embodiment after being loaded and executed by the computer.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical function division, and there may be other division ways in actual implementation. For example, various elements or components may be combined or may be integrated into another device, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partially contributed to by the prior art, or all or part of the technical solutions may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. The Internet of vehicles authentication method is applied to an Internet of vehicles system, wherein the Internet of vehicles system comprises an on-board unit, a road side unit and at least one vehicle service provider; the method comprises the following steps:
the road side unit receives a service request message sent by the vehicle-mounted unit; the service request message comprises an identity of the vehicle-mounted unit and a first service identity set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit;
and if the road side unit determines that the identity identification and the first service identification set accord with a set formula, determining that the vehicle-mounted unit passes the authentication.
2. The internet of vehicles authentication method of claim 1, wherein the internet of vehicles system further comprises a trust authority; the set formula is as follows:
Sm·P=H3(PID||tm||λi||rm)·λi+PID1+H2(PID)·Ppub;
wherein S ismFor signing service request messages, P is the generator of group G, PID and PID1Signature information for the on-board unit, tmIs a time stamp, lambda, of the service request messageiA first key, r, generated for said on-board unitmFor initial service request messages, PpubPublic key generated for said trust authority, H2And H3Is a hash function;
H2:G→Zp,H3:{0,1}*×{0,1}*×G×{0,1}*→Zp;
Zpis [1, p-1 ]]The group G is a cyclic addition group of order p.
3. The Internet of vehicles authentication method of claim 2, wherein the road side unit stores a second service identification set, the second service identification set includes at least one second service identification, the second service identification is used for indicating the vehicle service provided by the at least one vehicle service provider; before the roadside unit receives the service request message sent by the vehicle-mounted unit, the method further comprises the following steps:
the road side unit receives an authentication request message sent by the at least one vehicle service provider; the authentication request message comprises a third service identification indicating the vehicle service provided by the vehicle service provider;
and if the road side unit determines that the third service identifier is matched with the second service identifier set, determining that the vehicle service provider passes the authentication.
4. The internet of vehicles authentication method of claim 3, further comprising:
and if the road side unit determines that the time difference between the time stamp of the service request message and the current time is greater than or equal to a first threshold value, discarding the service request message.
5. A road side unit is applied to a vehicle networking system, and the vehicle networking system comprises an on-board unit, the road side unit and at least one vehicle service provider; the roadside unit includes:
the receiving module is used for receiving the service request message sent by the vehicle-mounted unit; the service request message comprises an identity of the vehicle-mounted unit and a first service identity set; the first service identification set comprises at least one first service identification, and the first service identification is used for indicating the vehicle service requested by the vehicle-mounted unit;
and the authentication module is used for determining that the vehicle-mounted unit passes the authentication when the identity identifier received by the receiving module and the first service identifier set are determined to accord with a set formula.
6. The road side unit of claim 5, wherein the internet of vehicles system further comprises a trust authority; the set formula is as follows:
Sm·P=H3(PID||tm||λi||rm)·λi+PID1+H2(PID)·Ppub;
wherein S ismFor signing service request messages, P is the generator of group G, PID and PID1Signature information for the on-board unit, tmIs a time stamp, lambda, of the service request messageiA first key, r, generated for said on-board unitmFor initial service request messages, PpubPublic key generated for said trust authority, H2And H3Is a hash function;
H2:G→Zp,H3:{0,1}*×{0,1}*×G×{0,1}*→Zp;
Zpis [1, p-1 ]]The group G is a cyclic addition group of order p.
7. The roadside unit of claim 6, further comprising a storage module;
the storage module is used for storing a second service identification set; the second service identification set comprises at least one second service identification indicating vehicle services provided by the at least one vehicle service provider;
the receiving module is further used for receiving an authentication request message sent by the at least one vehicle service provider; the authentication request message comprises a third service identification indicating the vehicle service provided by the vehicle service provider;
the authentication module is further configured to determine that the vehicle service provider is authenticated when it is determined that the third service identifier received by the receiving module matches the second service identifier set.
8. The roadside unit of claim 7, further comprising a detection module;
the detection module is used for discarding the service request message when the time difference between the time stamp of the service request message and the current time is larger than or equal to a first threshold value.
9. A road side unit is characterized by comprising a memory, a processor, a bus and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through the bus; when the road side unit is running, the processor executes the computer-executable instructions stored by the memory to cause the road side unit to perform the internet of vehicles authentication method of any one of claims 1-4.
10. A computer-readable storage medium, comprising computer-executable instructions that, when executed on a computer, cause the computer to perform the internet of vehicles authentication method of any one of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010773439.3A CN112019517B (en) | 2020-08-04 | 2020-08-04 | Internet of vehicles authentication method and road side unit |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010773439.3A CN112019517B (en) | 2020-08-04 | 2020-08-04 | Internet of vehicles authentication method and road side unit |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112019517A true CN112019517A (en) | 2020-12-01 |
| CN112019517B CN112019517B (en) | 2022-04-26 |
Family
ID=73500156
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010773439.3A Active CN112019517B (en) | 2020-08-04 | 2020-08-04 | Internet of vehicles authentication method and road side unit |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112019517B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114429711A (en) * | 2021-12-23 | 2022-05-03 | 联通智网科技股份有限公司 | Message distribution method, device, storage medium and server |
| CN114786136A (en) * | 2022-04-15 | 2022-07-22 | 深圳汇辰软件有限公司 | Authentication method and device for road side unit, electronic equipment and storage medium |
| CN114844687A (en) * | 2022-04-15 | 2022-08-02 | 深圳汇辰软件有限公司 | Authentication method, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140195102A1 (en) * | 2013-01-09 | 2014-07-10 | Martin D. Nathanson | Vehicle communications via wireless access vehicle environment |
| CN108322486A (en) * | 2018-05-07 | 2018-07-24 | 安徽大学 | Authentication protocol towards multiserver framework under a kind of car networking cloud environment |
| WO2018227039A1 (en) * | 2017-06-09 | 2018-12-13 | Convida Wireless, Llc | Efficient vehicular services |
| CN109391631A (en) * | 2018-11-28 | 2019-02-26 | 重庆邮电大学 | It is a kind of with the car networking anonymous authentication system and method controllably linked |
-
2020
- 2020-08-04 CN CN202010773439.3A patent/CN112019517B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140195102A1 (en) * | 2013-01-09 | 2014-07-10 | Martin D. Nathanson | Vehicle communications via wireless access vehicle environment |
| WO2018227039A1 (en) * | 2017-06-09 | 2018-12-13 | Convida Wireless, Llc | Efficient vehicular services |
| US20200228948A1 (en) * | 2017-06-09 | 2020-07-16 | Convida Wireless, Llc | Efficient vehicular services |
| CN108322486A (en) * | 2018-05-07 | 2018-07-24 | 安徽大学 | Authentication protocol towards multiserver framework under a kind of car networking cloud environment |
| CN109391631A (en) * | 2018-11-28 | 2019-02-26 | 重庆邮电大学 | It is a kind of with the car networking anonymous authentication system and method controllably linked |
Non-Patent Citations (2)
| Title |
|---|
| 刘辉等: "车联网云环境下多服务器架构的匿名认证及密钥协商协议", 《南京信息工程大学学报(自然科学版)》 * |
| 谢永等: "面向车联网的多服务器架构的匿名双向认证与密钥协商协议", 《计算机研究与发展》 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114429711A (en) * | 2021-12-23 | 2022-05-03 | 联通智网科技股份有限公司 | Message distribution method, device, storage medium and server |
| CN114429711B (en) * | 2021-12-23 | 2022-11-29 | 联通智网科技股份有限公司 | Message distribution method, device, storage medium and server |
| CN114786136A (en) * | 2022-04-15 | 2022-07-22 | 深圳汇辰软件有限公司 | Authentication method and device for road side unit, electronic equipment and storage medium |
| CN114844687A (en) * | 2022-04-15 | 2022-08-02 | 深圳汇辰软件有限公司 | Authentication method, electronic equipment and storage medium |
| CN114786136B (en) * | 2022-04-15 | 2024-02-13 | 深圳成谷科技有限公司 | Authentication method and device for road side unit, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112019517B (en) | 2022-04-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112019517B (en) | Internet of vehicles authentication method and road side unit | |
| Kumar et al. | SEBAP: a secure and efficient biometric‐assisted authentication protocol using ECC for vehicular cloud computing | |
| CN109194610B (en) | Vehicle-mounted fog data lightweight anonymous access authentication method based on block chain assistance | |
| Guette et al. | Using tpms to secure vehicular ad-hoc networks (vanets) | |
| EP3142291B1 (en) | On-vehicle network system, fraud-detection electronic control unit, and method for tackling fraud | |
| US11546173B2 (en) | Methods, application server, IoT device and media for implementing IoT services | |
| US20230007478A1 (en) | Method, apparatus, and system for vehicle-to-vehicle communications | |
| CN112435028B (en) | Block chain-based Internet of things data sharing method and device | |
| KR101954507B1 (en) | Method and apparatus for generating certificate of a vehicle | |
| CN109379403B (en) | Control method and device of Internet of things equipment, server and terminal equipment | |
| US20230362607A1 (en) | Method and system for addition of assurance information to v2x messaging | |
| US20220398149A1 (en) | Minimizing transport fuzzing reactions | |
| CN112740617B (en) | Certificate list updating method and device | |
| KR102172287B1 (en) | Vehicle communication network system and operating method of the same | |
| KR101803651B1 (en) | Authentication method for connection of vehicle cloud service | |
| JP2018006782A (en) | Data providing system, data providing apparatus, on-vehicle computer, data providing method, and computer program | |
| WO2023091722A1 (en) | Robust over the air reprogramming | |
| Groza et al. | CarINA-Car sharing with IdeNtity based Access control re-enforced by TPM | |
| JP6672243B2 (en) | Data providing system, data providing device, data providing method, and data providing program | |
| CN111866808B (en) | Identity authentication method, device and storage medium | |
| CN113038417A (en) | Method and device for managing anonymous certificate of V2X in Internet of vehicles, storage medium and equipment | |
| CN113472541A (en) | Certificate switching method and device | |
| CN116155625B (en) | Key exchange method, device, electronic equipment, storage medium and program product | |
| WO2023051090A1 (en) | Method for authenticating electronic part, and terminal and electronic part | |
| CN109067806B (en) | Mobile storage-based secure communication method and system in Internet of vehicles environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |