CN112600668A - Key agreement method, device, electronic equipment and storage medium - Google Patents

Key agreement method, device, electronic equipment and storage medium Download PDF

Info

Publication number
CN112600668A
CN112600668A CN202011479617.8A CN202011479617A CN112600668A CN 112600668 A CN112600668 A CN 112600668A CN 202011479617 A CN202011479617 A CN 202011479617A CN 112600668 A CN112600668 A CN 112600668A
Authority
CN
China
Prior art keywords
cloud
key
vehicle
vehicle end
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011479617.8A
Other languages
Chinese (zh)
Inventor
王颖
陈维鑫
王智
熊伟
丛建国
韩毅
单宏寅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ingeek Information Security Consulting Associates Co ltd
Original Assignee
Ingeek Information Security Consulting Associates Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ingeek Information Security Consulting Associates Co ltd filed Critical Ingeek Information Security Consulting Associates Co ltd
Priority to CN202011479617.8A priority Critical patent/CN112600668A/en
Publication of CN112600668A publication Critical patent/CN112600668A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The embodiment of the application provides a key agreement method, a device, an electronic device and a storage medium, and the key agreement method, the device, the electronic device and the storage medium send target encryption algorithm information to a cloud end, and when preset response information sent by the cloud end is received, the key agreement is carried out with the cloud end according to the target encryption algorithm information, so that the interactive data volume between a vehicle end and the cloud end in the key agreement process is reduced, the flow consumption and the time required by the agreement are reduced, and the user experience is favorably improved.

Description

Key agreement method, device, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of vehicles, in particular to a key agreement method, a key agreement device, electronic equipment and a storage medium.
Background
The vehicle end and the cloud end negotiate an encryption key in the handshake process, and the data transmitted between the vehicle end and the cloud end are encrypted by adopting the encryption key, so that the method is an effective measure for preventing the data from being falsified and improving the data security in the data transmission process.
In the prior art, the vehicle end sends information of all types of protocol versions and information of encryption algorithms supported by the vehicle end to the cloud end, the cloud end selects one protocol version and one encryption algorithm from the base, and feeds back a result selected by the final end to the vehicle end, and the vehicle end and the cloud end perform key agreement according to the finally selected protocol version and the encryption algorithm.
However, in the prior art, contents such as certificate issuance and information exchange are involved in the key agreement process between the vehicle end and the cloud end, which may generate a large amount of data interaction, data downloading, etc., resulting in a large consumption of network traffic and time, and affecting the user experience.
Disclosure of Invention
Embodiments of the present application provide a key agreement method, an apparatus, an electronic device, and a storage medium, so as to solve the problem in the prior art that traffic and time consumption are high.
In a first aspect, an embodiment of the present application provides a key agreement method, which is applied to a vehicle end, and the method includes:
sending appointed target encryption algorithm information to a cloud;
and when receiving preset response information sent by the cloud, performing key negotiation with the cloud according to the target encryption algorithm information.
Optionally, the target encryption algorithm information at least includes a target elliptic curve algorithm and a target signature algorithm; before performing key agreement with the cloud, the method further includes:
and performing identity verification with the cloud according to the target elliptic curve algorithm and the target signature algorithm.
Optionally, the vehicle end pre-stores a vehicle end original private key and a vehicle end hardware identification code; the identity verification with the cloud terminal according to the target elliptic curve algorithm and the target signature algorithm comprises the following steps:
generating a vehicle-end temporary public key and a vehicle-end temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, adopting the original private key of the vehicle end to sign vehicle end data consisting of a vehicle end random number, the vehicle end hardware identification code and the vehicle end temporary public key to obtain a vehicle end data signature;
and sending the vehicle end random number, the vehicle end temporary public key and the vehicle end data signature to the cloud end for the cloud end to verify the identity of the vehicle end.
Optionally, the vehicle end also stores an original public key of the vehicle end in advance; the method further comprises the following steps:
carrying out original public key exchange with the cloud to obtain a cloud original public key;
and when receiving the cloud random number, the cloud temporary public key and the cloud data signature, verifying the cloud data signature according to the cloud original public key.
Optionally, the target encryption algorithm information further includes a target encryption suite; and the key agreement with the cloud terminal is carried out according to the target encryption algorithm information, and the key agreement comprises the following steps:
and carrying out key agreement with the cloud end to obtain a key matched with the target encryption suite.
Optionally, the performing key agreement with the cloud to obtain a key matched with the target encryption suite includes:
generating a first Diffie-Hellman key according to the vehicle-end temporary private key and the cloud temporary public key;
generating a first negotiation key, a first encryption and decryption key and a first initialization vector by adopting a key generation function according to the first Diffie-Hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number and the vehicle-end hardware identification code;
generating a first check value by adopting a check function according to the first negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received second check value sent by the cloud end is consistent with the first check value, determining the first encryption and decryption key and the first initialization vector as the encryption and decryption key of the vehicle end.
In a second aspect, an embodiment of the present application provides a key agreement method, which is applied to a cloud, and the method includes:
receiving appointed target encryption algorithm information sent by a vehicle end;
when the target encryption algorithm corresponding to the target encryption algorithm information is determined to be selected, sending preset response information to the vehicle end;
and carrying out key agreement with the vehicle end according to the target encryption algorithm information.
Optionally, the target encryption algorithm information at least includes a target elliptic curve algorithm and a target signature algorithm; before performing key agreement with the vehicle end, the method further includes:
and performing identity verification with the vehicle end according to the target elliptic curve algorithm and the target signature algorithm.
Optionally, a cloud original public key, a cloud original private key and a vehicle-end hardware identification code are stored in the cloud end in advance; the identity verification with the vehicle end according to the target elliptic curve algorithm and the target signature algorithm comprises the following steps:
carrying out original public key interaction with the vehicle end to obtain an original public key of the vehicle end;
generating a cloud temporary public key and a cloud temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, the cloud data consisting of a cloud random number, the vehicle-end hardware identification code and the cloud temporary public key is signed by adopting the cloud original private key to obtain a cloud data signature;
verifying the received vehicle end data signature according to the vehicle end original public key;
and after the vehicle end data signature passes verification, sending the cloud random number, the cloud temporary public key and the cloud data signature to the vehicle end.
Optionally, the target encryption algorithm information further includes a target encryption suite; and the key agreement with the vehicle end is carried out according to the target encryption algorithm information, and the key agreement comprises the following steps:
and carrying out key agreement with the vehicle end to obtain a key matched with the target encryption suite.
Optionally, the performing key agreement with the vehicle end to obtain a key matched with the target encryption suite includes:
generating a second Diffie-Hellman key according to the cloud temporary private key and the vehicle-end temporary public key;
generating a second negotiation key, a second encryption and decryption key and a second initialization vector by adopting a key generation function according to the second diffie-hellman key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
generating a second check value by adopting a check function according to the second negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received first check value sent by the vehicle end is consistent with the second check value, determining the second encryption and decryption key and the second initialization vector as the encryption and decryption key of the cloud end.
In a third aspect, an embodiment of the present application provides a key agreement device, including:
the first processing module is used for sending appointed target encryption algorithm information to the cloud end;
and the second processing module is used for carrying out key agreement with the cloud end according to the target encryption algorithm information when receiving preset response information sent by the cloud end.
In a fourth aspect, an embodiment of the present application provides a key agreement device, including:
the first processing module is used for receiving the appointed target encryption algorithm information sent by the vehicle end; when the target encryption algorithm corresponding to the target encryption algorithm information is determined to be selected, sending preset response information to the vehicle end;
and the second processing module is used for carrying out key agreement with the vehicle end according to the target encryption algorithm information.
In a fifth aspect, the present application provides a vehicle end, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the key agreement method according to the first aspect when executing the program.
In a sixth aspect, an embodiment of the present application provides a cloud, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the key agreement method according to the second aspect.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the key agreement method according to the first aspect.
In an eighth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the key agreement method according to the second aspect.
According to the key agreement method and device, the electronic equipment and the storage medium, the target encryption algorithm information is sent to the cloud end, and when the preset response information sent by the cloud end is received, the key agreement is carried out with the cloud end according to the target encryption algorithm information, so that the interactive data volume between the vehicle end and the cloud end in the key agreement process is reduced, the flow consumption and the time required by the agreement are reduced, and the user experience is improved.
Drawings
Fig. 1 is a schematic structural diagram of a key agreement system according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a key agreement method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of an authentication phase in a key agreement method according to a second embodiment of the present application;
fig. 4 is a schematic flowchart of a key agreement stage in a key agreement method according to a third embodiment of the present application;
fig. 5 is a schematic structural diagram of a key agreement device according to a fourth embodiment of the present application;
fig. 6 is a schematic structural diagram of a key agreement device according to a fifth embodiment of the present application;
fig. 7 is a schematic structural view of a vehicle end according to a sixth embodiment of the present application;
fig. 8 is a schematic structural diagram of a cloud according to a seventh embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some of the structures related to the present application are shown in the drawings, not all of the structures.
The main ideas of the technical scheme are as follows: based on the technical problems in the prior art, the embodiment of the application provides a technical scheme for key agreement, and on one hand, by filling the vehicle-end original public key in the vehicle-end in advance, the process of issuing the original public key by the cloud end in the key agreement process in the prior art is omitted. On the other hand, in the handshake phase of the key coordination process, the vehicle end is controlled to only send information such as a pre-specified encryption mode, a signature algorithm, a protocol version and the like to the cloud end, and after the cloud end responds, the vehicle end and the cloud end establish an encryption channel without sending information of all types of encryption modes and protocol version information supported by the vehicle end to the cloud end. Through the improvement of the two aspects, the data volume required to be transmitted in the key negotiation process is reduced, the time and flow consumption are saved, and the user experience is improved.
Fig. 1 is a schematic structural diagram of a key agreement system provided in the embodiment of the present application, and as shown in fig. 1, the key agreement system in this embodiment includes a cloud and a vehicle end, where the cloud may be a server, the vehicle end may be an electronic device in a vehicle, and the cloud and the vehicle end may be in communication connection via a network (e.g., a 5G network), and when the vehicle end uses a digital key, the vehicle end and the cloud are disconnected each time, and then key agreement needs to be performed again before reconnection.
Example one
Fig. 2 is a schematic flowchart of a key agreement method provided in an embodiment of the present application, where the method of the present embodiment may be executed by a key agreement device provided in the embodiment of the present application, and the device may be implemented in a software and/or hardware manner and may be integrated in an electronic device such as a server and an intelligent terminal. As shown in fig. 2, the key agreement method of this embodiment includes:
s101, sending target protocol version information and target encryption algorithm information to a cloud.
In this step, in order to reduce data flow between the cloud and the vehicle end in the key agreement process, the vehicle end sends the specified target protocol version information and the specified target encryption algorithm information to the cloud, and correspondingly, the cloud receives the target protocol version information and the target encryption algorithm information.
In this embodiment, a Transport Layer Security (TLS) protocol is used for communication between the vehicle end and the cloud end, and accordingly, the target protocol version information is the version information of the used TLS protocol. Optionally, the target protocol version information is TLS 1.3.
The encryption algorithm information is information of a specified target encryption algorithm, and in this embodiment, the target encryption algorithm information includes a target encryption suite, a target elliptic curve algorithm, and a target signature algorithm. The target encryption suite is a designated encryption suite, the encryption suite is a set of encryption and decryption algorithms, for example, the name of a certain encryption suite is TLS _ AES _128_ GCM _ SHA256, TLS is a protocol, AES _128_ GCM is a batch encryption algorithm, SHA256 is a hash algorithm, and the encryption suite is a method for encrypting data transmitted between a vehicle end and a cloud end; the target elliptic curve algorithm is a designated elliptic curve algorithm, and the elliptic curve algorithm is an algorithm for generating a temporary public and private key pair; the target signature algorithm is a designated signature algorithm and is an algorithm for signing data transmitted between the vehicle end and the cloud end.
Illustratively, the target protocol version information and the target encryption algorithm information in the present embodiment are shown in table 1.
TABLE 1
Species of Detailed information
Target protocol version (supported _ version) TLS1.3(0x1301)
Target encryption suite (cipher _ suites) TLS_AES_128_GCM_SHA256(0x1301)
Target elliptic curve algorithm (supported _ groups) secp256r1(0x0017)
Target signature algorithm (supported _ algorithms) ecdsa_secp256r1(0x0403)
It can be understood that, in this step, a protocol version and an encryption algorithm can be selected in advance as a target protocol and a target encryption algorithm according to the version of the protocol supported by the vehicle end and the cloud end, the condition of the encryption algorithm and the application scene requirements, and when key negotiation with the cloud end is required, only the selected target protocol version information and the selected target encryption algorithm information need to be sent to the cloud end, so that data flow between the vehicle end and the cloud end is effectively reduced, and flow consumption is reduced.
Optionally, in this embodiment, a random algorithm may also be used, and one of the candidate protocol versions is selected as the target protocol version and one of the candidate encryption algorithms is selected as the target encryption algorithm each time.
And S102, when the target protocol corresponding to the target protocol version information and the target encryption algorithm corresponding to the target encryption algorithm information are determined to be selected, sending preset response information to the vehicle end.
In the step, when the cloud receives target protocol version information and target encryption algorithm information sent by the vehicle end, the cloud determines whether a target protocol corresponding to the target protocol version information and a target encryption algorithm corresponding to the target encryption algorithm are selected, and when the target protocol corresponding to the target protocol version information and the target encryption algorithm corresponding to the target encryption algorithm information are determined to be selected, preset response information is sent to the vehicle end, wherein the preset response information is information for confirming the use of the encryption algorithm corresponding to the target protocol version and the target encryption algorithm information sent by the vehicle end. Optionally, the preset response information in this step is response information including target protocol version information and target encryption algorithm information. Accordingly, the vehicle end receives response information including the target protocol version information and the target encryption algorithm information.
It can be understood that the response message sent by the cloud end to the vehicle end includes both the selected target protocol and the target encryption algorithm, namely the preset response information, when the cloud end does not select the target protocol corresponding to the target protocol version information and/or the target encryption algorithm corresponding to the target encryption algorithm information, the response message includes only the target encryption algorithm information or the target protocol version information or neither, for example, if the cloud selects the target protocol corresponding to the target protocol version information and does not select the target encryption algorithm corresponding to the target encryption algorithm information, and if the cloud end does not select the target protocol corresponding to the target protocol version information or select the target encryption algorithm corresponding to the target encryption algorithm information, the content of the response information received by the vehicle end is empty. At this time, the vehicle end needs to re-determine the target protocol version information and/or the target encryption algorithm information, and sends the re-determined target protocol version information and/or the re-determined target encryption algorithm information to the cloud end, so as to complete negotiation between the protocol version and the encryption algorithm.
It should be noted that, if the information sent to the cloud end by the vehicle end is only the specified target encryption algorithm information, the preset response information is the response information including the target encryption algorithm information.
In this embodiment, because the vehicle end only needs to send the target protocol version information and the target encryption algorithm information to the cloud end in the handshaking process, compared with the prior art in which the information that the vehicle end supports all protocol versions and the information that the vehicle end supports all encryption algorithms are all sent to the cloud end, the data volume is greatly reduced, the time required in the handshaking stage and the consumed flow are effectively reduced, and the improvement of the user experience is facilitated.
S103, carrying out key agreement according to the target protocol version information and the target encryption algorithm information.
In this step, after S102, the vehicle end and the cloud end perform key agreement according to the target protocol version information and the target encryption algorithm information. Specifically, the vehicle end and the cloud end communicate according to a communication rule agreed by a target protocol corresponding to the target protocol version information, and perform identity verification according to a target elliptic curve algorithm and a target signature algorithm; and after the identity authentication is passed, carrying out key agreement to obtain a key matched with the target encryption suite.
The communication rule agreed by the target protocol is a rule that the vehicle-side and cloud-side communication must comply with, such as which information needs to be encrypted, which information does not need to be encrypted, and an adopted encryption algorithm is permitted.
The key agreement process can be ensured only if the identity authentication is passed.
And key agreement, namely a process of generating a key which conforms to an encryption and decryption algorithm specified by a target encryption suite.
In the embodiment, the target protocol version information and the target encryption algorithm information are sent to the cloud, the target encryption algorithm information comprises the target encryption suite, the target elliptic curve algorithm and the target signature algorithm, and when response information which is sent by the cloud and comprises the target protocol version information and the target encryption algorithm information is received, key negotiation is performed with the cloud according to the target protocol version information and the target encryption algorithm information, so that the data volume of interaction between the vehicle end and the cloud in the key negotiation process is reduced, the flow consumption and the time required by negotiation are reduced, and the use experience of a user is improved.
Example two
As an important stage of key agreement, identity authentication is crucial to security of a key being negotiated, a specific embodiment will be described below to describe an identity authentication process, and exemplarily, fig. 3 is a schematic flow diagram of an identity authentication stage in a key agreement method provided in the second embodiment of the present application, and on the basis of the first embodiment, as shown in fig. 3, in this embodiment, identity authentication is performed according to a target elliptic curve algorithm and a target signature algorithm, including:
s201, sending the original public key of the vehicle end to a cloud end.
In this step, the vehicle end reads the vehicle end original public key from the storage location of the vehicle end original public key (vehicle. The original public key of the vehicle end is the identity public key of the vehicle end, and the vehicle end is written into the vehicle end before leaving a factory.
It can be understood that, in order to avoid the data amount generated in the process of issuing the certificate, in this embodiment, the original public key of the vehicle end, the original private key of the vehicle end, and the hardware identification code of the vehicle end are stored in the vehicle end in advance, for example, before the vehicle end leaves a factory, the data of the original public key of the vehicle end, the original private key of the vehicle end, and the hardware identification code of the vehicle end are written into the memory of the vehicle end, that is, a certificate is issued to the vehicle end in advance, so that when performing the identity verification, the vehicle end only needs to extract the required certificate information from the memory, and does not need to perform information interaction with the vehicle end, thereby further saving time and reducing traffic consumption.
And S202, sending the cloud original public key to the vehicle end.
In this step, the cloud end reads the cloud end original public key from the storage location of the cloud end original public key (server. The cloud original public key is a cloud identity public key, and the cloud is written into the cloud before delivery.
It can be understood that the above S201-S202 are original public key exchange processes of the vehicle end and the cloud end, and when the exchange results, both of them obtain the original public key of the opposite end.
And S203, generating a vehicle-end temporary public key and a vehicle-end temporary private key according to the target elliptic curve algorithm.
In this step, the vehicle end generates a vehicle end temporary public key (vehicle. ep.pk) and a vehicle end temporary private key (vehicle. ep.sk) by using a target elliptic curve algorithm negotiated in the handshake process, such as secp256r1, wherein the vehicle end temporary public key and the vehicle end temporary private key form a vehicle end temporary public and private key pair.
And S204, signing the vehicle end data consisting of the vehicle end random number, the vehicle end hardware identification code and the vehicle end temporary public key by adopting the vehicle end original private key according to a target signature algorithm to obtain a vehicle end data signature.
In this step, the vehicle end combines the vehicle end random number, the vehicle end hardware identification code and the vehicle end temporary public key generated in the step S203 into a file according to a certain format to obtain vehicle end data, and then signs the vehicle end data by using the vehicle end original private key according to a target signature algorithm negotiated in the handshake process to obtain a vehicle end data signature.
Optionally, before executing this step, the vehicle end generates a vehicle end random number by a random number generator.
Optionally, the target signature algorithm employed in this step is ecdsa _ secp256r 1.
And S205, sending the vehicle end random number, the vehicle end temporary public key and the vehicle end data signature to a cloud end.
In this step, after S204, the vehicle end sends the vehicle end random number, the vehicle end temporary public key, and the vehicle end data signature to the cloud end according to the rule agreed by the target protocol, and accordingly, the cloud end receives the vehicle end random number, the vehicle end temporary public key, and the vehicle end data signature.
S206, generating a cloud temporary public key and a cloud temporary private key according to the target elliptic curve algorithm.
In this step, the cloud also adopts a target elliptic curve algorithm (the same as the elliptic curve algorithm adopted by the vehicle end) negotiated in the handshake process to generate a cloud temporary public key (server.
And S207, according to a target signature algorithm, adopting a cloud original private key to sign cloud data formed by a cloud random number, a vehicle-end hardware identification code and a cloud temporary public key to obtain a cloud data signature.
In this step, similarly, the cloud combines the cloud random number, the vehicle-side hardware identification code, and the cloud temporary public key generated in S206 into one file according to a certain format to obtain cloud data, and then signs the cloud data by using the cloud original private key according to a target signature algorithm (the same as the signature algorithm used by the vehicle side) negotiated in the handshake process to obtain a cloud data signature.
Optionally, before performing this step, the cloud generates a cloud random number by a random number generator.
It can be understood that, the cloud in this embodiment also stores the cloud original public key, the cloud original private key, and the vehicle-side hardware identification code in advance.
It is understood that there is no precedence relationship between the above steps S206-S207 and S203-S205, and S206-S207 may be executed after S203-S205, or before S203-S205, or may be executed in parallel with S203-S205.
And S208, verifying the vehicle end data signature according to the original public key of the vehicle end.
In this step, after receiving the vehicle-side data signature sent by the vehicle side, the cloud verifies the vehicle-side data signature according to the vehicle-side original public key obtained in S201, so as to verify the identity of the vehicle side.
In this step, if the vehicle-side data signature verification is passed, which indicates that the vehicle-side authentication is passed, the cloud continues to execute S209, and if the vehicle-side data signature verification is not passed, which indicates that the vehicle-side authentication is not passed, the cloud disconnects from the vehicle-side.
And S209, after the vehicle-side data signature is verified, sending the cloud random number, the cloud temporary public key and the cloud data signature to the vehicle side.
In this step, after the cloud verifies the vehicle data signature, the cloud random number, the cloud temporary public key and the cloud data signature are sent to the vehicle, and accordingly the vehicle receives the cloud random number, the cloud temporary public key and the cloud data signature.
S210, verifying the cloud data signature according to the cloud original public key.
In this step, after S209, the vehicle end obtains the cloud original public key according to S202, verifies the cloud data signature, and realizes the identity verification of the cloud, and if the verification passes, the identity verification of the cloud is described, that is, the vehicle end and the cloud pass the mutual identity verification, which indicates that the vehicle end and the cloud can both trust the identity, and can perform the negotiation process of the secret key, and if the verification fails, the vehicle end disconnects from the cloud.
In this embodiment, through the above technical scheme, the mutual authentication of the identities of the vehicle end and the cloud and the exchange of data required in the key agreement stage are realized, and a security guarantee and a data basis are provided for the subsequent key agreement stage. In addition, in the embodiment, data such as the vehicle-side original public key, the vehicle-side original private key and the like are stored in the vehicle side in advance, so that the data volume generated in the certificate issuing process is avoided, the flow and the time required in the authentication stage are reduced, the flow and the time required in the whole key negotiation process are further improved, and the use satisfaction of a user is improved.
EXAMPLE III
After the identity authentication between the vehicle end and the cloud end is passed, a key agreement stage is entered, which will be described in a specific embodiment below, and fig. 4 is an exemplary flow diagram of the key agreement stage in the key agreement method provided in the third embodiment of the present application, as shown in fig. 4, and on the basis of the second embodiment, in this embodiment, the key agreement is performed with the cloud end to obtain a key matched with a target encryption suite, including:
s301, generating a first Diffie-Hellman secret key according to the vehicle-end temporary private key and the cloud temporary public key.
In this step, the vehicle end generates a first Diffie-Hellman key (DHkey for short) by using an elliptic curve Diffie-Hellman (ECDH) key exchange algorithm according to the vehicle end temporary private key and the cloud end temporary public key.
S302, generating a first negotiation key, a first encryption and decryption key and a first initialization vector by adopting a key generation function according to the first Diffie-Hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number and the vehicle-end hardware identification code.
In this step, the vehicle end uses the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number, the vehicle end hardware identification code and the first diffie-hellman key generated in S301 to generate a first negotiation key, a first encryption/decryption key and a first initialization vector by using a key generation function, the first negotiation key is used for verifying with the cloud end, and the first encryption/decryption key and the first initialization vector are keys used for encrypting the data of the cloud end by using an algorithm in the target encryption suite to send the vehicle end to the vehicle end.
Optionally, in this embodiment, the key generation function is a key derivation function that is constructed in advance based on the SHA256 algorithm, and for example, assuming that the key generation function is denoted by f5, with Secret, N1, N2, a1, a2 and E as arguments, and Mackey, Enckey and IV as function values, the definition of the key generation function is as follows:
Figure BDA0002837024470000151
Figure BDA0002837024470000161
according to the definition of the key generation function, the first diffie-hellman key (as Secret in the key generation function), the vehicle-end temporary public key (as N1 in the key generation function), the cloud-end temporary public key (as N2 in the key generation function), the vehicle-end random number (as a1 in the key generation function), the cloud-end random number (as a2 in the key generation function) and the vehicle-end hardware identification code (as E in the key generation function) are substituted into the key generation function to be calculated, so that a first negotiation key (corresponding to the value of Mackey obtained through the key generation function), a first encryption and decryption key (corresponding to the value of Enckey obtained through the key generation function) and a first initialization vector (corresponding to the value of IV obtained through the key generation function) can be obtained.
S303, generating a first check value by adopting a check function according to the first negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code.
In this step, after S302, the vehicle end generates a first check value by using a check function according to the first negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number, and the vehicle end hardware identification code.
Optionally, in this embodiment, the check function is a function constructed based on the hmac _ sha256 algorithm, and for example, assuming that the check function is denoted by f6 and Secret, N1, N2, a1, a2 and E are used as arguments, the check function is defined as follows:
Figure BDA0002837024470000162
Figure BDA0002837024470000171
correspondingly, in this step, the first negotiation key (as Secret in the check function), the vehicle-end temporary public key (as N1 in the check function), the cloud-end temporary public key (as N2 in the check function), the vehicle-end random number (as a1 in the check function), the cloud-end random number (as a2 in the check function), and the vehicle-end hardware identification code (as E in the check function) are substituted into the check function for calculation, so that the first check value can be obtained.
S304, sending the first check value to a cloud.
In this step, the vehicle end sends the first check value obtained through the calculation in S303 to the cloud end, and accordingly, the cloud end receives the first check value from the vehicle end.
S305, generating a second Diffie-Hellman secret key according to the cloud temporary private key and the vehicle-end temporary public key.
In this step, the cloud generates a second diffie-hellman key according to the cloud temporary private key and the vehicle-end temporary public key, and a specific implementation manner thereof is similar to that in S301, and is not described herein again.
S306, generating a second negotiation key, a second encryption and decryption key and a second initialization vector by adopting a key generation function according to the second Diffie-Hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number and the vehicle-end hardware identification code.
In this step, the cloud generates a second negotiation key, a second encryption and decryption key, and a second initialization vector by using the same key generation function as in S302 according to the second diffie-hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number, and the vehicle-end hardware identification code.
Optionally, in this step, by substituting the second diffie-hellman key (as Secret in the key generation function), the vehicle-end temporary public key (as N1 in the key generation function), the cloud-end temporary public key (as N2 in the key generation function), the vehicle-end random number (as a1 in the key generation function), the cloud-end random number (as a2 in the key generation function), and the vehicle-end hardware identification code (as E in the key generation function) into the key generation function defined in S302, the second negotiation key (corresponding to the value of Mackey obtained by the key generation function), the second encryption/decryption key (corresponding to the value of Enckey obtained by the key generation function), and the second initialization vector (corresponding to the value of IV obtained by the key generation function) can be obtained through calculation.
And S307, generating a second check value by adopting a check function according to the second negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code.
In this step, the cloud generates a second check value by using the same check function as in S303 according to the second negotiation key, the vehicle-side temporary public key, the cloud-side temporary public key, the vehicle-side random number, the cloud-side random number, and the vehicle-side hardware identification code.
Optionally, in this step, the second negotiation key (as Secret in the check function), the vehicle-end temporary public key (as N1 in the check function), the cloud-end temporary public key (as N2 in the check function), the vehicle-end random number (as a1 in the check function), the cloud-end random number (as a2 in the check function), and the vehicle-end hardware identification code (as E in the check function) are substituted into the check function defined in S303, and the second check value is obtained through calculation
And S308, sending the second check value to the vehicle end.
In this step, the cloud sends the second check value obtained through the calculation in S307 to the vehicle end, and accordingly, the vehicle end receives the second check value from the cloud.
It is understood that there is no precedence relationship between the above steps S305-S308 and S301-S304, that is, S305-S308 may be executed after S301-S304, may be executed before S301-S304, and may also be executed in parallel with S301-S304.
S309, if the second check value is consistent with the first check value, determining the first encryption and decryption key and the first initialization vector as the encryption and decryption key of the vehicle end.
In this step, the vehicle end compares whether the first check value obtained by calculation is consistent with the second check value received from the cloud end, if so, the first encryption and decryption key and the first initialization vector are determined as the encryption and decryption key used by the vehicle end when the vehicle end performs information interaction with the cloud end, if not, the connection with the cloud end is disconnected, and the key negotiation is unsuccessful and the key negotiation needs to be performed again.
And S310, if the first check value is consistent with the second check value, determining the second encryption and decryption key and the second initialization vector as the encryption and decryption key of the cloud.
In this step, the cloud compares whether the calculated second check value is consistent with the first check value received from the vehicle end, if so, the second encryption and decryption key and the second initialization vector are determined as the encryption and decryption key used by the cloud when the cloud performs information interaction with the vehicle end, if not, the connection with the vehicle end is disconnected, and the key negotiation is unsuccessful and the key negotiation needs to be performed again.
In this embodiment, according to the above technical scheme, key agreement between the vehicle end and the cloud end is realized, key calculation is performed through the custom key generation function, and the calculated key is verified through the verification function, so that the usability and reliability of the key obtained through the agreement are improved.
Example four
Fig. 5 is a schematic structural diagram of a key agreement device according to a fourth embodiment of the present application, and as shown in fig. 5, a key agreement device 10 according to the present embodiment includes:
a first processing module 11 and a second processing module 12.
The first processing module 11 is configured to send specified target encryption algorithm information to the cloud;
and the second processing module 12 is configured to perform key agreement with the cloud according to the target encryption algorithm information when receiving preset response information sent by the cloud.
Optionally, the target encryption algorithm information at least includes a target elliptic curve algorithm and a target signature algorithm; the second processing module 12 is further configured to:
and performing identity verification with the cloud according to the target elliptic curve algorithm and the target signature algorithm.
Optionally, the vehicle end pre-stores a vehicle end original private key and a vehicle end hardware identification code; the second processing module 12 is specifically configured to:
generating a vehicle-end temporary public key and a vehicle-end temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, adopting the original private key of the vehicle end to sign vehicle end data consisting of a vehicle end random number, the vehicle end hardware identification code and the vehicle end temporary public key to obtain a vehicle end data signature;
and sending the vehicle end random number, the vehicle end temporary public key and the vehicle end data signature to the cloud end for the cloud end to verify the identity of the vehicle end.
Optionally, the vehicle end also stores an original public key of the vehicle end in advance; the first processing module 12 is further configured to:
carrying out original public key exchange with the cloud to obtain a cloud original public key;
and when receiving the cloud random number, the cloud temporary public key and the cloud data signature, verifying the cloud data signature according to the cloud original public key.
Optionally, the target encryption algorithm information further includes a target encryption suite; the second processing module 12 is specifically configured to:
and carrying out key agreement with the cloud end to obtain a key matched with the target encryption suite.
Optionally, the second processing module 12 is specifically configured to:
generating a first Diffie-Hellman key according to the vehicle-end temporary private key and the cloud temporary public key;
generating a first negotiation key, a first encryption and decryption key and a first initialization vector by adopting a key generation function according to the first Diffie-Hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number and the vehicle-end hardware identification code;
generating a first check value by adopting a check function according to the first negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received second check value sent by the cloud end is consistent with the first check value, determining the first encryption and decryption key and the first initialization vector as the encryption and decryption key of the vehicle end.
The key agreement device provided by the embodiment can execute the key agreement method on the vehicle side in the method embodiment, and has the corresponding functional modules and beneficial effects of the execution method. The implementation principle and technical effect of this embodiment are similar to those of the above method embodiments, and are not described in detail here.
EXAMPLE five
Fig. 6 is a schematic structural diagram of a key agreement device according to a fifth embodiment of the present application, and as shown in fig. 6, a key agreement device 20 in the present embodiment includes:
a first processing module 21 and a second processing module 22.
The first processing module 21 is used for receiving the appointed target encryption algorithm information sent by the vehicle end; when the target encryption algorithm corresponding to the target encryption algorithm information is determined to be selected, sending preset response information to the vehicle end;
and the second processing module 22 is configured to perform key agreement with the vehicle end according to the target encryption algorithm information.
Optionally, the target encryption algorithm information at least includes a target elliptic curve algorithm and a target signature algorithm; the second processing module 22 is specifically configured to:
and performing identity verification with the vehicle end according to the target elliptic curve algorithm and the target signature algorithm.
Optionally, the cloud end pre-stores a cloud original public key, a cloud original private key, and a vehicle end hardware identification code, and the second processing module 22 is specifically configured to:
carrying out original public key interaction with the vehicle end to obtain an original public key of the vehicle end;
generating a cloud temporary public key and a cloud temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, the cloud data consisting of a cloud random number, the vehicle-end hardware identification code and the cloud temporary public key is signed by adopting the cloud original private key to obtain a cloud data signature;
verifying the received vehicle end data signature according to the vehicle end original public key;
and after the vehicle end data signature passes verification, sending the cloud random number, the cloud temporary public key and the cloud data signature to the vehicle end.
Optionally, the target encryption algorithm information further includes a target encryption suite, and the second processing module 22 is specifically configured to:
and carrying out key agreement with the vehicle end to obtain a key matched with the target encryption suite.
Optionally, the second processing module 22 is specifically configured to:
generating a second Diffie-Hellman key according to the cloud temporary private key and the vehicle-end temporary public key;
generating a second negotiation key, a second encryption and decryption key and a second initialization vector by adopting a key generation function according to the second diffie-hellman key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
generating a second check value by adopting a check function according to the second negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received first check value sent by the vehicle end is consistent with the second check value, determining the second encryption and decryption key and the second initialization vector as the encryption and decryption key of the cloud end.
The key agreement device provided by the embodiment can execute the key agreement method on the cloud side in the method embodiment, and has the corresponding functional modules and beneficial effects of the execution method. The implementation principle and technical effect of this embodiment are similar to those of the above method embodiments, and are not described in detail here.
EXAMPLE six
Fig. 7 is a schematic structural diagram of a vehicle end according to a sixth embodiment of the present invention, as shown in fig. 7, the vehicle end 30 includes a memory 31, a processor 32, and a computer program stored in the memory and executable on the processor; the processor 32 executes the computer program to implement the key agreement method on the vehicle side in any of the method embodiments described above.
EXAMPLE seven
Fig. 8 is a schematic structural diagram of a cloud according to a seventh embodiment of the present disclosure, as shown in fig. 8, the cloud 40 includes a memory 41, a processor 42, and a computer program stored in the memory and running on the processor; the processor 42 executes the computer program to implement the key agreement method on the cloud side in any of the foregoing method embodiments.
It should be noted that, in the sixth embodiment and the seventh embodiment, the number of the processors may be one or more, and one processor is taken as an example in fig. 7 and fig. 8; the processor and the memory may be connected by a bus or other means, and the bus connection is exemplified in fig. 7 and 8.
The memory, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the first processing module and the second processing module in the embodiments of the present application. The processor runs software programs, instructions and modules stored in the memory, so that various functional applications and data processing of the vehicle end/cloud end are achieved, and the key agreement method is achieved.
The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system and an application program required by at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory may further include memory located remotely from the processor, which may be connected to the vehicle/cloud end through a grid. Examples of such a mesh include, but are not limited to, the internet, an intranet, a local area network, a mobile communications network, and combinations thereof.
Example eight
An eighth embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is used to execute the technical solution of the vehicle end side in any of the above method embodiments when executed by a computer processor.
Example nine
An embodiment ninth of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is used to execute the technical solution of the cloud side in any of the above method embodiments when executed by a computer processor.
From the above description of the embodiments, it is obvious for those skilled in the art that the present application can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a grid device) to execute the methods described in the embodiments of the present application.
It should be noted that, in the embodiment of the key agreement device, the included units and modules are merely divided according to the functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the application.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present application and the technical principles employed. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the appended claims.

Claims (17)

1. A key agreement method is characterized in that the method is applied to a vehicle end, and comprises the following steps:
sending appointed target encryption algorithm information to a cloud;
and when preset response information sent by the cloud is received, carrying out key negotiation with the cloud according to the target encryption algorithm information.
2. The method of claim 1, wherein the target encryption algorithm information includes at least a target elliptic curve algorithm and a target signature algorithm; before performing key agreement with the cloud, the method further includes:
and performing identity verification with the cloud according to the target elliptic curve algorithm and the target signature algorithm.
3. The method according to claim 2, wherein the vehicle end stores a vehicle end original private key and a vehicle end hardware identification code in advance; the identity verification with the cloud terminal according to the target elliptic curve algorithm and the target signature algorithm comprises the following steps:
generating a vehicle-end temporary public key and a vehicle-end temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, adopting the original private key of the vehicle end to sign vehicle end data consisting of a vehicle end random number, the vehicle end hardware identification code and the vehicle end temporary public key to obtain a vehicle end data signature;
and sending the vehicle end random number, the vehicle end temporary public key and the vehicle end data signature to the cloud end for the cloud end to verify the identity of the vehicle end.
4. The method according to claim 1, characterized in that the vehicle end also stores a vehicle end original public key in advance; the method further comprises the following steps:
carrying out original public key exchange with the cloud to obtain a cloud original public key;
and when receiving the cloud random number, the cloud temporary public key and the cloud data signature, verifying the cloud data signature according to the cloud original public key.
5. The method of claim 1, wherein the target encryption algorithm information further comprises a target encryption suite; and the key agreement with the cloud terminal is carried out according to the target encryption algorithm information, and the key agreement comprises the following steps:
and carrying out key agreement with the cloud end to obtain a key matched with the target encryption suite.
6. The method of claim 5, wherein the performing key agreement with the cloud to obtain a key matching the target encryption suite comprises:
generating a first Diffie-Hellman key according to the vehicle-end temporary private key and the cloud temporary public key;
generating a first negotiation key, a first encryption and decryption key and a first initialization vector by adopting a key generation function according to the first Diffie-Hellman key, the vehicle-end temporary public key, the cloud temporary public key, the vehicle-end random number, the cloud random number and the vehicle-end hardware identification code;
generating a first check value by adopting a check function according to the first negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received second check value sent by the cloud end is consistent with the first check value, determining the first encryption and decryption key and the first initialization vector as the encryption and decryption key of the vehicle end.
7. A key agreement method is applied to a cloud end, and comprises the following steps:
receiving appointed target encryption algorithm information sent by a vehicle end;
when the target encryption algorithm corresponding to the target encryption algorithm information is determined to be selected, sending preset response information to the vehicle end;
and carrying out key agreement with the vehicle end according to the target encryption algorithm information.
8. The method of claim 7, wherein the target encryption algorithm information includes at least a target elliptic curve algorithm and a target signature algorithm; before performing key agreement with the vehicle end, the method further includes:
and performing identity verification with the vehicle end according to the target elliptic curve algorithm and the target signature algorithm.
9. The method according to claim 8, wherein a cloud original public key, a cloud original private key and a vehicle-end hardware identification code are stored on the cloud end in advance; the identity verification with the vehicle end according to the target elliptic curve algorithm and the target signature algorithm comprises the following steps:
carrying out original public key interaction with the vehicle end to obtain an original public key of the vehicle end;
generating a cloud temporary public key and a cloud temporary private key according to the target elliptic curve algorithm;
according to the target signature algorithm, the cloud data consisting of a cloud random number, the vehicle-end hardware identification code and the cloud temporary public key is signed by adopting the cloud original private key to obtain a cloud data signature;
verifying the received vehicle end data signature according to the vehicle end original public key;
and after the vehicle end data signature passes verification, sending the cloud random number, the cloud temporary public key and the cloud data signature to the vehicle end.
10. The method of claim 7, wherein the target encryption algorithm information further comprises a target encryption suite; and the key agreement with the vehicle end is carried out according to the target encryption algorithm information, and the key agreement comprises the following steps:
and carrying out key agreement with the vehicle end to obtain a key matched with the target encryption suite.
11. The method of claim 10, wherein the performing key agreement with the vehicle end to obtain a key matching the target encryption suite comprises:
generating a second Diffie-Hellman key according to the cloud temporary private key and the vehicle-end temporary public key;
generating a second negotiation key, a second encryption and decryption key and a second initialization vector by adopting a key generation function according to the second diffie-hellman key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
generating a second check value by adopting a check function according to the second negotiation key, the vehicle end temporary public key, the cloud end temporary public key, the vehicle end random number, the cloud end random number and the vehicle end hardware identification code;
and if the received first check value sent by the vehicle end is consistent with the second check value, determining the second encryption and decryption key and the second initialization vector as the encryption and decryption key of the cloud end.
12. A key agreement apparatus, comprising:
the first processing module is used for sending appointed target encryption algorithm information to the cloud end;
and the second processing module is used for carrying out key negotiation with the cloud end according to the target encryption algorithm information when receiving preset response information sent by the cloud end.
13. A key agreement apparatus, comprising:
the first processing module is used for receiving the appointed target encryption algorithm information sent by the vehicle end; when the target encryption algorithm corresponding to the target encryption algorithm information is determined to be selected, sending preset response information to the vehicle end;
and the second processing module is used for carrying out key agreement with the vehicle end according to the target encryption algorithm information.
14. A vehicle end comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements a key agreement method as claimed in any one of claims 1 to 6.
15. Cloud comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the key agreement method according to any one of claims 7 to 11 when executing the program.
16. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out a key agreement method according to any one of claims 1-6.
17. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out a key agreement method according to any one of claims 7-11.
CN202011479617.8A 2020-12-15 2020-12-15 Key agreement method, device, electronic equipment and storage medium Pending CN112600668A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011479617.8A CN112600668A (en) 2020-12-15 2020-12-15 Key agreement method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011479617.8A CN112600668A (en) 2020-12-15 2020-12-15 Key agreement method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112600668A true CN112600668A (en) 2021-04-02

Family

ID=75196075

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011479617.8A Pending CN112600668A (en) 2020-12-15 2020-12-15 Key agreement method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112600668A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347613A (en) * 2021-04-15 2021-09-03 奇瑞商用车(安徽)有限公司 Safe communication method and system based on Bluetooth digital key
CN113378136A (en) * 2021-06-08 2021-09-10 罗克佳华(重庆)科技有限公司 Fingerprint identification method and device, password key and storage medium
CN115529127A (en) * 2022-09-23 2022-12-27 中科海川(北京)科技有限公司 Device authentication method, device, medium and device based on SD-WAN scene
WO2023151582A1 (en) * 2022-02-14 2023-08-17 华为技术有限公司 Secure communication method for vehicle, related apparatus and communication system
WO2023230975A1 (en) * 2022-06-02 2023-12-07 Oppo广东移动通信有限公司 Method and apparatus for establishing interoperation channel, and chip and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080130895A1 (en) * 2006-10-25 2008-06-05 Spyrus, Inc. Method and System for Deploying Advanced Cryptographic Algorithms
EP2334008A1 (en) * 2009-12-10 2011-06-15 Tata Consultancy Services Limited A system and method for designing secure client-server communication protocols based on certificateless public key infrastructure
CN102724211A (en) * 2012-06-29 2012-10-10 飞天诚信科技股份有限公司 Key agreement method
CN106470104A (en) * 2015-08-20 2017-03-01 阿里巴巴集团控股有限公司 For generating method, device, terminal unit and the system of shared key
CN109150897A (en) * 2018-09-18 2019-01-04 深圳市风云实业有限公司 A kind of communication encrypting method and device end to end
CN111314274A (en) * 2019-07-30 2020-06-19 厦门雅迅网络股份有限公司 Vehicle-mounted terminal and center platform bidirectional authentication method and system
CN111327605A (en) * 2020-01-23 2020-06-23 北京无限光场科技有限公司 Method, terminal, server and system for transmitting private information

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080130895A1 (en) * 2006-10-25 2008-06-05 Spyrus, Inc. Method and System for Deploying Advanced Cryptographic Algorithms
EP2334008A1 (en) * 2009-12-10 2011-06-15 Tata Consultancy Services Limited A system and method for designing secure client-server communication protocols based on certificateless public key infrastructure
CN102724211A (en) * 2012-06-29 2012-10-10 飞天诚信科技股份有限公司 Key agreement method
CN106470104A (en) * 2015-08-20 2017-03-01 阿里巴巴集团控股有限公司 For generating method, device, terminal unit and the system of shared key
CN109150897A (en) * 2018-09-18 2019-01-04 深圳市风云实业有限公司 A kind of communication encrypting method and device end to end
CN111314274A (en) * 2019-07-30 2020-06-19 厦门雅迅网络股份有限公司 Vehicle-mounted terminal and center platform bidirectional authentication method and system
CN111327605A (en) * 2020-01-23 2020-06-23 北京无限光场科技有限公司 Method, terminal, server and system for transmitting private information

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347613A (en) * 2021-04-15 2021-09-03 奇瑞商用车(安徽)有限公司 Safe communication method and system based on Bluetooth digital key
CN113347613B (en) * 2021-04-15 2024-01-30 奇瑞商用车(安徽)有限公司 Bluetooth digital key-based secure communication method and system
CN113378136A (en) * 2021-06-08 2021-09-10 罗克佳华(重庆)科技有限公司 Fingerprint identification method and device, password key and storage medium
WO2023151582A1 (en) * 2022-02-14 2023-08-17 华为技术有限公司 Secure communication method for vehicle, related apparatus and communication system
WO2023230975A1 (en) * 2022-06-02 2023-12-07 Oppo广东移动通信有限公司 Method and apparatus for establishing interoperation channel, and chip and storage medium
CN115529127A (en) * 2022-09-23 2022-12-27 中科海川(北京)科技有限公司 Device authentication method, device, medium and device based on SD-WAN scene
CN115529127B (en) * 2022-09-23 2023-10-03 中科海川(北京)科技有限公司 Device authentication method, device, medium and device based on SD-WAN scene

Similar Documents

Publication Publication Date Title
CN112600668A (en) Key agreement method, device, electronic equipment and storage medium
CN110677240B (en) Method, apparatus and medium for providing highly available computing services through certificate issuance
CN110535628B (en) Method and device for performing multi-party security calculation through certificate signing and issuing
CN110380852B (en) Bidirectional authentication method and communication system
US9467430B2 (en) Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware
US10972272B2 (en) Providing high availability computing service by issuing a certificate
US10516654B2 (en) System, apparatus and method for key provisioning delegation
CN101828357B (en) Credential provisioning method and device
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
EP3700124B1 (en) Security authentication method, configuration method, and related device
US11375369B2 (en) Message authentication method and communication method of communication network system, and communication network system
CN107425971B (en) Certificateless data encryption/decryption method and device and terminal
CN113099443A (en) Equipment authentication method, device, equipment and system
CN114125832B (en) Network connection method, terminal, network equipment to be distributed and storage medium
CN112351037B (en) Information processing method and device for secure communication
US11038699B2 (en) Method and apparatus for performing multi-party secure computing based-on issuing certificate
CN106788989A (en) A kind of method and apparatus for setting up safe encryption channel
WO2015135398A1 (en) Negotiation key based data processing method
CN114039753B (en) Access control method and device, storage medium and electronic equipment
CN110690969A (en) Method and system for completing bidirectional SSL/TLS authentication in cooperation of multiple parties
WO2020018187A1 (en) Network device, method for security and computer readable storage medium
WO2015158173A1 (en) Agreement key-based data processing method
CN111859314A (en) SM2 encryption method, system, terminal and storage medium based on encryption software
CN110290113B (en) PoW algorithm-based device identification construction method and device and computer-readable storage medium
CN114244513A (en) Key agreement method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210402