CN112954643A - Direct connection communication authentication method, terminal, edge service node and network side equipment - Google Patents


Info

Publication number: CN112954643A
Application number: CN201911165325.4A
Authority: CN (China)
Prior art keywords: authentication, internet, vehicles, terminal, session key
Prior art date
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN112954643B (en)
Inventors: 田野, 杨波
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 12/10: Integrity
    • H04W 4/00: Services specially adapted for wireless communication networks; facilities therefor
    • H04W 4/30: Services specially adapted for particular environments, situations or purposes
    • H04W 4/40: Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a direct connection communication authentication method, a terminal, an edge service node and network side equipment. The method comprises the following steps: when the Internet of Vehicles terminal is located in the authentication service area of an edge service node, identity authentication of the Internet of Vehicles terminal is carried out through the edge service node; the authentication service area identifier of the edge service node and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area are acquired; and a direct connection message is sent to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier and is integrity-protected or digitally signed with the first session key. The embodiment of the invention is combined with a cellular network edge computing architecture, realizes regional authentication by using the service capability of the edge service node, fully exploits the technical advantages of the cellular network, and improves the authentication efficiency between Internet of Vehicles terminals.

Description

Direct connection communication authentication method, terminal, edge service node and network side equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a direct connection communication authentication method, a terminal, an edge service node, and a network side device.
Background
At present, in order to implement secure authentication and secure communication between direct-connected terminals in the Internet of Vehicles, the Internet of Vehicles mainly uses a Public Key Infrastructure (PKI) mechanism based on public key certificates. In the process of direct connection communication, the Internet of Vehicles terminal digitally signs the transmitted message under a certificate issued by a Certificate Authority (CA), so as to authenticate both the legal identity of the terminal and the content of the message.
In order to solve the authentication problem in direct communication between Internet of Vehicles terminals, the Internet of Vehicles generally adopts a PKI-based public key cryptosystem, and mutual authentication between terminals is achieved by issuing CA certificates to them. The method is mature, independent of the cellular network, and easy to deploy directly in real applications. However, it relies on the PKI public key infrastructure, and in real deployments there are open questions about who deploys, manages, operates and maintains it. During service, the Internet of Vehicles terminal also faces the problems of initial installation and destruction of CA certificates, which increase the complexity of the service process.
In addition, when the Internet of Vehicles terminal uses a CA digital certificate to sign and authenticate messages, it must perform asymmetric cryptographic operations. Given the computing performance of current terminal cryptographic chips, a single signature verification usually takes hundreds of milliseconds, which makes it difficult to meet the 100-millisecond latency requirement of Internet of Vehicles communication.
Direct communication, i.e. vehicle-to-vehicle, vehicle-to-Road Side Unit (RSU) and vehicle-to-pedestrian communication that does not pass through the cellular network but goes directly over the PC5/V5 interface, is one of the typical communication scenarios of the Internet of Vehicles. In this scenario, during communication between a vehicle and the surrounding vehicles, roadside facilities and pedestrians, the terminal equipment must be able to perform bidirectional authentication, and the transmitted data must be protected with respect to integrity, confidentiality, anti-replay and so on.
However, in Internet of Vehicles application scenarios, the relationships between vehicles, roadside facilities and pedestrians change dynamically. As a vehicle moves, the environment around the terminal device changes constantly: a terminal with an established communication connection may leave at any time, a terminal without one may join at any time, and the terminals in the Internet of Vehicles are strangers to each other with no prior basis for trust. This poses challenges for mutual authentication between Internet of Vehicles terminals.
Although the PKI-based CA digital certificate method can solve the authentication problem between direct connection communication terminals, it has problems in terms of deployment, operation and runtime performance, and needs to be optimized.
In addition, in order to improve the response rate of the service system and the user's service experience, the service equipment of the Internet of Vehicles system can be flexibly deployed in the network as needed and can be sunk to the access network to provide edge computing service capability. This change in network architecture tends to enhance the service capability of the network side and can provide stronger service capability for the Internet of Vehicles terminal. However, the PKI-based direct communication authentication method is unrelated to the cellular network and cannot exploit the technical advantages of the network side.
Disclosure of Invention
Embodiments of the present invention provide a direct communication authentication method, a terminal, an edge service node, and a network side device, so as to solve the problem that the direct communication authentication method in the prior art is not related to a cellular network and cannot exert technical advantages of a network side.
In order to solve the above problem, an embodiment of the present invention provides an authentication method for direct communication in an internet of vehicles, which is applied to a terminal in the internet of vehicles, and includes:
under the condition that the Internet of vehicles terminal is located in an authentication service area of an edge service node, identity authentication is carried out on the Internet of vehicles terminal through the edge service node;
acquiring an authentication service area identifier of the edge service node and a first session key for performing direct communication between different Internet of vehicles terminals in the authentication service area;
and sending a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier, and the first session key is used to integrity-protect or digitally sign the direct connection message.
The identity authentication of the Internet of Vehicles terminal through the edge service node comprises the following steps:
sending an access request message to the edge service node, wherein the access request message carries a service layer identifier of the Internet of vehicles terminal;
receiving a bootstrap initialization request message sent by the edge service node;
executing a bootstrap program authentication process according to the bootstrap program initialization request message, and sending a first authentication request message to network side equipment, wherein the first authentication request message carries a service layer identifier of the internet of vehicles terminal;
receiving a second authentication request message sent by the network side equipment;
executing an Authentication and Key Agreement (AKA) authentication process according to the second authentication request message, verifying the identity validity of the network side equipment, and sending a first authentication response message to the network side equipment after the verification is successful;
and receiving a second authentication response message sent by the network side equipment under the condition that the identity of the Internet of vehicles terminal is verified to be legal according to the first authentication response message.
The method for acquiring the identification of the authentication service area of the edge service node and the first session key for direct communication between different internet of vehicles terminals in the authentication service area comprises the following steps:
generating a second session key, wherein the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
sending an application request message to the edge service node;
receiving an application response message sent by the edge service node, wherein the application response message carries the identification of the authentication service area and encryption information obtained after the second session key is used for encrypting the first session key;
and decrypting the encrypted information by using the second session key to obtain the first session key.
The embodiment of the invention also provides a method for authenticating direct communication of the Internet of vehicles, which is applied to the edge service node and comprises the following steps:
under the condition that the terminal of the Internet of vehicles is positioned in an authentication service area of an edge service node, performing identity authentication on the terminal of the Internet of vehicles;
and sending an authentication service area identification and a first session key for direct communication between different Internet of vehicles terminals in the authentication service area to the Internet of vehicles terminal.
Performing identity authentication on the Internet of Vehicles terminal comprises:
receiving an access request message sent by the Internet of vehicles terminal, wherein the access request message carries a service layer identifier of the Internet of vehicles terminal;
sending a bootstrap initialization request message to the Internet of vehicles terminal; the bootstrap initialization request message is used for instructing the Internet of vehicles terminal to execute bootstrap authentication.
Sending the authentication service area identifier and the first session key for direct communication between different Internet of Vehicles terminals in the authentication service area to the Internet of Vehicles terminal comprises:
receiving an application request message sent by the Internet of vehicles terminal;
generating an authentication service area identifier, and encrypting the first session key by using a second session key to obtain encrypted information; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending an application response message to the Internet of vehicles terminal, wherein the application response message carries the identification of the authentication service area and the encryption information.
The embodiment of the invention also provides an authentication method for direct communication of the internet of vehicles, which is applied to network side equipment and comprises the following steps:
receiving a first authentication request message sent by an Internet of vehicles terminal, wherein the first authentication request message carries a service layer identifier of the Internet of vehicles terminal;
acquiring an authentication vector of the Internet of vehicles terminal according to the service layer identifier of the Internet of vehicles terminal, and sending a second authentication request message to the Internet of vehicles terminal;
receiving a first authentication response message sent by the Internet of vehicles terminal after the identity validity of the network side equipment is verified;
and verifying the identity validity of the Internet of vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of vehicles terminal after the verification is successful.
After the second authentication response message is sent to the internet of vehicles terminal after the verification is successful, the method further comprises the following steps:
receiving a third authentication request message sent by an edge service node corresponding to an authentication service area where the Internet of vehicles terminal is located, wherein the third authentication request message carries an identifier of the edge service node;
generating a second session key; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending a third authentication response message to the edge service node, wherein the third authentication response message carries the second session key.
The embodiment of the invention also provides a device for authenticating direct communication of the internet of vehicles, which is applied to the terminal of the internet of vehicles and comprises the following components:
the first authentication module is used for authenticating the identity of the Internet of vehicles terminal through the edge service node under the condition that the Internet of vehicles terminal is positioned in an authentication service area of the edge service node;
the acquisition module is used for acquiring the identification of the authentication service area of the edge service node and a first session key for performing direct communication between different Internet of vehicles terminals in the authentication service area;
and the communication module is used for sending a direct connection message to other Internet of vehicles terminals in the authentication service area, wherein the direct connection message is identified by using the identification of the authentication service area, and the first session key is used for carrying out integrity protection or digital signature on the direct connection message.
The embodiment of the invention also provides an Internet of Vehicles terminal, which comprises a processor and a transceiver, wherein the transceiver receives and transmits data under the control of the processor, and the processor is configured to perform the following operations:
under the condition that the Internet of vehicles terminal is located in an authentication service area of an edge service node, identity authentication is carried out on the Internet of vehicles terminal through the edge service node;
acquiring an authentication service area identifier of the edge service node and a first session key for performing direct communication between different Internet of vehicles terminals in the authentication service area;
and sending a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier, and the first session key is used to integrity-protect or digitally sign the direct connection message.
An embodiment of the present invention further provides an edge service node, including a processor and a transceiver, where the transceiver receives and sends data under the control of the processor, and the processor is configured to perform the following operations:
under the condition that the terminal of the Internet of vehicles is positioned in an authentication service area of an edge service node, performing identity authentication on the terminal of the Internet of vehicles;
and sending an authentication service area identification and a first session key for direct communication between different Internet of vehicles terminals in the authentication service area to the Internet of vehicles terminal.
An embodiment of the present invention further provides a network side device, including a processor and a transceiver, where the transceiver receives and transmits data under the control of the processor, and the processor is configured to perform the following operations:
receiving a first authentication request message sent by an Internet of vehicles terminal, wherein the first authentication request message carries a service layer identifier of the Internet of vehicles terminal;
acquiring an authentication vector of the Internet of vehicles terminal according to the service layer identifier of the Internet of vehicles terminal, and sending a second authentication request message to the Internet of vehicles terminal;
receiving a first authentication response message sent by the Internet of vehicles terminal after the identity validity of the network side equipment is verified;
and verifying the identity validity of the Internet of vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of vehicles terminal after the verification is successful.
The embodiment of the invention also provides communication equipment comprising a memory, a processor, and a program stored on the memory and runnable on the processor, wherein the processor executes the program to implement the Internet of Vehicles direct connection communication authentication method.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the method for authenticating direct communication in internet of vehicles as described above.
The technical scheme of the invention has at least the following beneficial effects:
In the direct communication authentication method, terminal, edge service node and network side device of the embodiment of the invention, the edge computing node establishes an authentication service area within the coverage area in which it provides service, and the Internet of Vehicles terminal and the edge service node in the authentication service area mutually authenticate each other's identity. The embodiment of the invention is combined with a cellular network edge computing architecture, realizes regional authentication by using the service capability of the edge service node, fully exploits the technical advantages of the cellular network, and improves the authentication efficiency between Internet of Vehicles terminals. After identity authentication succeeds, the terminal obtains the identifier of the authentication service area and the first session key of that area. Furthermore, during direct communication between Internet of Vehicles terminals, messages can be identified by the authentication service area identifier, and the sent message is integrity-protected or digitally signed with the first session key, so that the source of the message is authenticated. Because the message is identified by the authentication service area identifier rather than by the terminal's own identity, the identity of the Internet of Vehicles terminal is hidden and the user's identity privacy is protected.
Drawings
Fig. 1 is a schematic flowchart illustrating the steps of a method for authenticating direct communication in the Internet of Vehicles according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart illustrating a step of a method for authenticating direct communication in the Internet of Vehicles according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating a second step of the authentication method for Internet of Vehicles direct connection communication according to an embodiment of the present invention;
Fig. 4 is an interaction diagram of example one provided by an embodiment of the invention;
Fig. 5 is an interaction diagram of example two provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of an Internet of Vehicles direct communication authentication device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a terminal in an Internet of Vehicles system according to an embodiment of the invention;
Fig. 8 is a second schematic structural diagram of the Internet of Vehicles direct communication authentication device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an edge service node according to an embodiment of the present invention;
Fig. 10 is a third schematic structural diagram of an Internet of Vehicles direct communication authentication device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a network-side device according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 1, an embodiment of the present invention provides an authentication method for direct communication in the Internet of Vehicles, which is applied to an Internet of Vehicles terminal and includes:
Step 101: when the Internet of Vehicles terminal is located in the authentication service area of an edge service node, performing identity authentication on the Internet of Vehicles terminal through the edge service node;
optionally, the Internet of Vehicles terminal includes a vehicle-mounted terminal, a roadside terminal, a pedestrian handheld terminal, etc., which are not specifically limited herein;
Step 102: acquiring the authentication service area identifier of the edge service node and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area;
Step 103: sending a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier, and integrity protection or a digital signature is applied to the direct connection message with the first session key.
It should be noted that before the Internet of Vehicles terminal sends the direct connection message, the other Internet of Vehicles terminals in the authentication service area follow the same steps: they first authenticate with the edge service node and then obtain the authentication service area identifier and the first session key. The Internet of Vehicles terminal and the other terminals then exchange messages for direct communication. When sending a direct connection message, the Internet of Vehicles terminal identifies the message with the authentication service area identifier and integrity-protects or digitally signs it with the first session key. When another Internet of Vehicles terminal receives the direct connection message, it verifies the signature or checks the integrity; only if verification succeeds is the message taken to come from a source that has passed network-side authentication and processed further. Otherwise, the message is discarded.
The first session key is the session key used by Internet of Vehicles terminals for direct connection communication within the authentication service area of the edge computing node, and it protects direct connection messages. The first session key may be a symmetric or an asymmetric key. Since only the Internet of Vehicles terminals authenticated by the edge computing node hold a valid first session key, a trust relationship can be established between terminals on the basis of this key, and the legitimacy of a message source's identity can be verified quickly.
The authentication service area identifier is the identifier of the authentication service area of the edge computing node. It can serve as the direct connection communication identifier of the Internet of Vehicles terminal, hiding the terminal's own identification information and protecting user identity privacy. Using it as the message identifier conceals the real identity of the Internet of Vehicles terminal, effectively prevents leakage of the terminal's identification information, and protects the user's privacy. The authentication service area identifier also distinguishes the authentication service areas of different edge computing nodes, and different edge computing nodes use different identifiers. Where the real identity of the Internet of Vehicles terminal is required, for example for identifying legitimate parking spaces in an open area and the vehicles associated with them, the terminal can carry its real identity in the direct connection message as needed, so that upper-layer services can be implemented conveniently.
Optionally, in the foregoing embodiment of the present invention, step 101 includes:
the identity authentication between the Internet of Vehicles terminal and the edge service node is carried out using the Generic Bootstrapping Architecture (GBA).
That is, identity authentication between the Internet of Vehicles terminal and the edge service node can be implemented based on GBA authentication, so that the authentication is completed using the key material already held by the USIM card of the terminal (such as the root key written when the operator issues the card to the user), exploiting the advantages of the cellular network to the greatest extent. The method of the embodiment of the invention works together with the operator network (that is, the network side equipment mentioned in the embodiment), completes authentication using the existing key material in the USIM card of the Internet of Vehicles terminal, requires neither a PKI public key infrastructure nor a CA, makes use of cellular network resources and technical advantages, and saves system construction cost.
Optionally, step 101 includes:
sending an access request message to the edge service node, wherein the access request message carries a service layer identifier of the Internet of vehicles terminal;
receiving a bootstrap initialization request message sent by the edge service node;
executing a bootstrap program authentication process according to the bootstrap program initialization request message, and sending a first authentication request message to network side equipment, wherein the first authentication request message carries a service layer identifier of the internet of vehicles terminal;
receiving a second authentication request message sent by the network side equipment, wherein the second authentication request message carries a random number and an authentication token;
executing an Authentication and Key Agreement (AKA) authentication process according to the second authentication request message, verifying the identity validity of the network side equipment, and sending a first authentication response message to the network side equipment after the verification is successful;
and receiving a second authentication response message sent by the network side equipment under the condition that the identity of the Internet of vehicles terminal is verified to be legal according to the first authentication response message, wherein the second authentication response message carries a service identifier.
The embodiment of the invention is suitable for the network architecture of the edge computing, and can meet the application requirement of the Internet of vehicles with the edge computing service capability in the future.
As an optional embodiment, the obtaining an authentication service area identifier of the edge service node and a first session key for performing direct communication between different car networking terminals in the authentication service area includes:
generating a second session key, wherein the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node; optionally, a shared key and a second session key are generated according to the service identifier;
sending an application request message to the edge service node, wherein the application request message carries the service identifier;
receiving an application response message sent by the edge service node, wherein the application response message carries the identification of the authentication service area and encryption information obtained after the second session key is used for encrypting the first session key;
and decrypting the encrypted information by using the second session key to obtain the first session key.
Optionally, the first session key is generated by the edge service node, or the first session key is generated by a network side device and then sent to the edge service node.
It should be noted that the network-side device in the embodiment of the present invention is a device corresponding to an operator network.
The case where the first session key is generated by the edge service node may be referred to as loose coupling of the operator network to the first session key; the case where the first session key is generated by the network side equipment may be referred to as tight coupling of the operator network to the first session key, and tight coupling is beneficial for the operator to participate in the operation of the Internet of vehicles service. In practical applications, the randomness of the first session key is the foundation of its security, and the key typically needs to be generated by a dedicated physical noise source device. The edge service node is designed mainly for high-speed, low-latency processing, does not necessarily have key generation capability, and needs to rely on the operator network, which has a higher security level and stronger guarantees, to provide keys for it. Therefore, an implementation that is tightly coupled to the operator network is needed to facilitate the actual deployment and operation of the above scheme.
In summary, in the embodiments of the present invention, the edge computing node establishes the authentication service area in the coverage area where the edge computing node provides the service, and adopts the authentication service area identifier. And the vehicle networking terminal in the authentication service area and the edge service node perform identity authentication mutually. And after the identity authentication is successful, the terminal obtains the identification of the authentication service area and the first session key of the area. Furthermore, in the process of direct communication between the terminals of the internet of vehicles, the message can be identified by using the identification of the authentication service area, and the sent message is subjected to integrity protection or digital signature by using the first session key, so that the source of the message is authenticated. The message is identified by the identification of the authentication service area, so that the function of hiding the identity identification of the Internet of vehicles terminal is achieved, and the identity privacy of the user is protected; the embodiment of the invention is combined with a cellular network edge computing architecture, can realize regional authentication by utilizing the service capability of the edge service node, fully exerts the technical advantages of the cellular network and improves the authentication efficiency between the terminals of the Internet of vehicles.
As shown in fig. 2, an embodiment of the present invention further provides an authentication method for direct communication in an internet of vehicles, which is applied to an edge service node, and includes:
step 201, performing identity authentication on the terminal of the internet of vehicles under the condition that the terminal of the internet of vehicles is located in an authentication service area of an edge service node.
Optionally, the car networking terminal includes: a vehicle-mounted terminal, a roadside terminal, a pedestrian handheld terminal, etc., which are not specifically limited herein.
Step 202, sending an authentication service area identification and a first session key for direct communication between different internet of vehicles terminals in the authentication service area to the internet of vehicles terminals.
The first session key is a session key for performing direct connection communication on the Internet of vehicles terminal in the edge computing node authentication service area, and is used for protecting direct connection communication messages. The first session key may take the form of a symmetric or asymmetric key. Since only the car networking terminals authenticated by the edge computing node have the valid first session key, a trust relationship can be established between the car networking terminals based on the first session key, and the validity of the identity of the message source can be quickly verified.
The authentication service area identifier is the identifier of the authentication service area of the edge computing node, can be used as the direct connection communication identifier of the Internet of vehicles terminal, and serves to hide the identity information of the Internet of vehicles terminal and protect user identity privacy. Using the authentication service area identifier as the message identifier hides the real identity of the Internet of vehicles terminal, effectively prevents leakage of the terminal's identity information, and protects user privacy. The authentication service area identifier also distinguishes the authentication service areas of different edge computing nodes, and different edge computing nodes use different authentication service area identifiers. Where the real identity of the Internet of vehicles terminal is needed, for example for identifying legal parking spaces in an open venue and the vehicles associated with them, the Internet of vehicles terminal can carry its real identity in the direct connection message as required, so that the upper-layer service can be conveniently realized.
Optionally, in the foregoing embodiment of the present invention, step 201 includes:
and identity authentication is carried out between the edge service node and the Internet of vehicles terminal by adopting a general authentication architecture (GBA).
Namely, the identity authentication between the Internet of vehicles terminal and the edge service node can be realized based on a GBA authentication mode, so that the authentication can be completed by utilizing the cryptographic resources already held by the USIM card of the Internet of vehicles terminal (such as the root key written when the operator issues the card to the user), and the advantages of the cellular network are exerted to the maximum extent. The method provided by the embodiment of the invention is combined with the operator network and completes authentication with the existing cryptographic resources in the USIM card of the Internet of vehicles terminal; no public key infrastructure (PKI) and no certificate authority (CA) are required, the cellular network resources and technical advantages are utilized, and the system construction cost is saved.
Optionally, step 201 includes:
receiving an access request message sent by the Internet of vehicles terminal, wherein the access request message carries a service layer identifier of the Internet of vehicles terminal;
sending a bootstrap initialization request message to the Internet of vehicles terminal; the bootstrap initialization request message is used for instructing the Internet of vehicles terminal to execute bootstrap authentication.
The embodiment of the invention is suitable for the network architecture of the edge computing, and can meet the application requirement of the Internet of vehicles with the edge computing service capability in the future.
As an optional embodiment, sending, to the car networking terminal, an authentication service area identifier and a first session key for performing direct communication between different car networking terminals in the authentication service area, includes:
receiving an application request message sent by the Internet of vehicles terminal, wherein the application request message carries the service identifier;
generating an authentication service area identifier, and encrypting the first session key by using a second session key to obtain encrypted information; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending an application response message to the Internet of vehicles terminal, wherein the application response message carries the identification of the authentication service area and the encryption information.
Further, after receiving the application request message sent by the terminal in the internet of vehicles, the method further includes:
sending a third authentication request message to the network side equipment, wherein the third authentication request message carries the service identifier and the identifier of the edge service node;
and receiving a third authentication response message sent by the network side equipment, wherein the third authentication response message carries a second session key generated by the network side equipment according to the service identifier.
Optionally, the third authentication response message further carries the first session key generated by the network side device;
or,
the edge service node generates the first session key.
It should be noted that the network-side device in the embodiment of the present invention is a device corresponding to an operator network.
The case where the first session key is generated by the edge service node may be referred to as loose coupling of the operator network to the first session key; the case where the first session key is generated by the network side equipment may be referred to as tight coupling of the operator network to the first session key, and tight coupling is beneficial for the operator to participate in the operation of the Internet of vehicles service. In practical applications, the randomness of the first session key is the foundation of its security, and the key typically needs to be generated by a dedicated physical noise source device. The edge service node is designed mainly for high-speed, low-latency processing, does not necessarily have key generation capability, and needs to rely on the operator network, which has a higher security level and stronger guarantees, to provide keys for it. Therefore, an implementation that is tightly coupled to the operator network is needed to facilitate the actual deployment and operation of the above scheme.
In summary, in the embodiments of the present invention, the edge computing node establishes the authentication service area in the coverage area where the edge computing node provides the service, and adopts the authentication service area identifier. And the vehicle networking terminal in the authentication service area and the edge service node perform identity authentication mutually. And after the identity authentication is successful, the terminal obtains the identification of the authentication service area and the first session key of the area. Furthermore, in the process of direct communication between the terminals of the internet of vehicles, the message can be identified by using the identification of the authentication service area, and the sent message is subjected to integrity protection or digital signature by using the first session key, so that the source of the message is authenticated. The message is identified by the identification of the authentication service area, so that the function of hiding the identity identification of the Internet of vehicles terminal is achieved, and the identity privacy of the user is protected; the embodiment of the invention is combined with a cellular network edge computing architecture, can realize regional authentication by utilizing the service capability of the edge service node, fully exerts the technical advantages of the cellular network and improves the authentication efficiency between the terminals of the Internet of vehicles.
As shown in fig. 3, an embodiment of the present invention further provides an authentication method for direct communication in internet of vehicles, which is applied to a network device, and includes:
step 301, receiving a first authentication request message sent by an internet of vehicles terminal, where the first authentication request message carries a service layer identifier of the internet of vehicles terminal;
step 302, obtaining an authentication vector of the Internet of vehicles terminal according to the service layer identifier of the Internet of vehicles terminal, and sending a second authentication request message to the Internet of vehicles terminal; optionally, the second authentication request message carries a random number and an authentication token;
step 303, receiving a first authentication response message sent by the car networking terminal after verifying the identity validity of the network side device;
step 304, verifying the identity validity of the Internet of vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of vehicles terminal after the verification is successful; optionally, the second authentication response message carries a service identifier.
The embodiment of the invention is suitable for the network architecture of the edge computing, and can meet the application requirement of the Internet of vehicles with the edge computing service capability in the future.
Optionally, after step 304, the method further includes:
receiving a third authentication request message sent by an edge service node corresponding to an authentication service area where the Internet of vehicles terminal is located, wherein the third authentication request message carries an identifier of the edge service node;
generating a second session key; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending a third authentication response message to the edge service node, wherein the third authentication response message carries the second session key.
Optionally, the third authentication response message further carries a first session key for performing direct communication between different car networking terminals in the authentication service area, where the first session key is generated by the network-side device.
The case where the first session key is generated by the edge service node may be referred to as loose coupling of the operator network to the first session key; the case where the first session key is generated by the network side equipment may be referred to as tight coupling of the operator network to the first session key, and tight coupling is beneficial for the operator to participate in the operation of the Internet of vehicles service. In practical applications, the randomness of the first session key is the foundation of its security, and the key typically needs to be generated by a dedicated physical noise source device. The edge service node is designed mainly for high-speed, low-latency processing, does not necessarily have key generation capability, and needs to rely on the operator network, which has a higher security level and stronger guarantees, to provide keys for it. Therefore, an implementation that is tightly coupled to the operator network is needed to facilitate the actual deployment and operation of the above scheme.
In summary, in the embodiments of the present invention, the edge computing node establishes the authentication service area in the coverage area where the edge computing node provides the service, and adopts the authentication service area identifier. And the vehicle networking terminal in the authentication service area and the edge service node perform identity authentication mutually. And after the identity authentication is successful, the terminal obtains the identification of the authentication service area and the first session key of the area. Furthermore, in the process of direct communication between the terminals of the internet of vehicles, the message can be identified by using the identification of the authentication service area, and the sent message is subjected to integrity protection or digital signature by using the first session key, so that the source of the message is authenticated. The message is identified by the identification of the authentication service area, so that the function of hiding the identity identification of the Internet of vehicles terminal is achieved, and the identity privacy of the user is protected; the embodiment of the invention is combined with a cellular network edge computing architecture, can realize regional authentication by utilizing the service capability of the edge service node, fully exerts the technical advantages of the cellular network and improves the authentication efficiency between the terminals of the Internet of vehicles.
In order to more clearly describe the internet of vehicles direct communication authentication method provided by the embodiment of the present invention, the following description is made with reference to two examples.
Example one: operator network loose coupling
As shown in fig. 4, the internet of vehicles direct communication method includes:
1. when the terminal 1 of the internet of vehicles enters the authentication service area of the edge service node, the terminal 1 of the internet of vehicles sends an access request message to the edge service node to request access.
2. The edge service node starts GBA authentication and sends a bootstrap initialization request message to the car networking terminal 1.
3. The terminal 1 of the internet of vehicles executes the authentication process of the bootstrap, and sends a first authentication request message to the operator network, carrying the service layer identification (User ID) of the terminal of the internet of vehicles.
4. The operator network executes the AKA authentication processing flow and, after acquiring the user authentication vector, sends a second authentication request message to the Internet of vehicles terminal 1, such as a 401 Unauthorized message carrying a WWW-Authenticate Digest challenge, to initiate the authentication process; the message carries a random number RAND and an authentication token AUTN.
5. The Internet of vehicles terminal 1 runs the AKA process and verifies the validity of the network identity based on AUTN. If the verification succeeds, it generates and sends a first authentication response message.
6. The operator network judges whether the identity of the Internet of vehicles terminal 1 is legal based on the first authentication response message. If legal, it calculates the shared key Ks and the service identifier B-TID and returns a second authentication response message, such as a 200 OK message. If illegal, the identity authentication of the Internet of vehicles terminal 1 fails and the procedure exits.
7. The terminal 1 stores the received B-TID, and calculates the shared key Ks and the second session key Ks_NAF1.
8. The Internet of vehicles terminal 1 sends an application request message to the edge service node, carrying the B-TID and the relevant parameters of the Internet of vehicles terminal 1.
9. The edge service node sends a third authentication request message to the operator network, carrying the B-TID and the identifier NAF-hostname of the edge service node, to acquire user information.
10. The operator network obtains the user Profile and its key information according to the B-TID, calculates the second session key Ks_NAF1, and returns a third authentication response message to the edge service node carrying Ks_NAF1 and the user Profile.
The second session key Ks_NAF1 is the session key between the Internet of vehicles terminal 1 and the edge service node, used to establish a point-to-point secure channel between the two.
11. The edge service node stores Ks_NAF1 and the user Profile, and generates the authentication service area identifier M-ID and the first session key Kd. It encrypts Kd with Ks_NAF1 to obtain the encryption information Kc, and returns an application response message containing M-ID and Kc(Ks_NAF1, Kd) to the Internet of vehicles terminal 1.
12. The Internet of vehicles terminal 1 decrypts Kc with Ks_NAF1 to obtain Kd, and stores M-ID and Kd.
13. By the same method, authentication between the edge service node and the Internet of vehicles terminal 2 is performed, so that the Internet of vehicles terminal 2 obtains Ks_NAF2, M-ID and Kd.
Ks_NAF2 is the session key between the Internet of vehicles terminal 2 and the edge service node, used to establish a point-to-point secure channel between the two.
14. The Internet of vehicles terminal 1 and the Internet of vehicles terminal 2 exchange messages to perform direct communication. When sending a message, the vehicle-mounted terminal identifies the message with the M-ID and uses Kd to apply integrity protection or a digital signature to it. When receiving a message, the vehicle-mounted terminal verifies the signature or integrity of the message; if the check succeeds, the message can be regarded as coming from a source that has passed network-side authentication, and processing continues. Otherwise, the message is discarded.
Example two: operator network tight coupling
As shown in fig. 5, the internet of vehicles direct communication method includes:
1. when the terminal 1 of the internet of vehicles enters the authentication service area of the edge service node, the terminal 1 of the internet of vehicles sends an access request message to the edge service node to request access.
2. The edge service node completes identity authentication and key agreement by using a GBA-based method to establish a secure channel, and sends a bootstrap initialization request message to the Internet of vehicles terminal 1.
3. The terminal 1 of the internet of vehicles executes the authentication process of the bootstrap, and sends a first authentication request message to the operator network, carrying the service layer identification (User ID) of the terminal of the internet of vehicles.
4. The operator network executes the AKA authentication processing flow and, after acquiring the user authentication vector, sends a second authentication request message to the Internet of vehicles terminal 1, such as a 401 Unauthorized message carrying a WWW-Authenticate Digest challenge, to initiate the authentication process; the message carries a random number RAND and an authentication token AUTN.
5. The Internet of vehicles terminal 1 runs the AKA process and verifies the validity of the network identity based on AUTN. If the verification succeeds, it generates and sends a first authentication response message.
6. The operator network judges whether the identity of the Internet of vehicles terminal 1 is legal based on the first authentication response message. If legal, it calculates the shared key Ks and the service identifier B-TID and returns a second authentication response message, such as a 200 OK message. If illegal, the identity authentication of the Internet of vehicles terminal 1 fails and the procedure exits.
7. The terminal 1 stores the received B-TID, and calculates the shared key Ks and the second session key Ks_NAF1.
8. The Internet of vehicles terminal 1 sends an application request message to the edge service node, carrying the B-TID and the relevant parameters of the Internet of vehicles terminal 1.
9. The edge service node sends a third authentication request message to the operator network, carrying the B-TID and the identifier NAF-hostname of the edge service node, to acquire user information.
10. The operator network obtains the user Profile and its key information according to the B-TID, calculates the second session key Ks_NAF1 and the first session key Kd, and returns a third authentication response message to the edge service node carrying Ks_NAF1, Kd and the user Profile.
The second session key Ks_NAF1 is the session key between the Internet of vehicles terminal 1 and the edge service node, used to establish a point-to-point secure channel between the two.
11. The edge service node stores Ks_NAF1, the user Profile, Kd and other information, and generates the authentication service area identifier M-ID. It encrypts Kd with Ks_NAF1 to obtain the encryption information Kc, and returns an application response message containing M-ID and Kc(Ks_NAF1, Kd) to the Internet of vehicles terminal 1.
12. The Internet of vehicles terminal 1 decrypts Kc with Ks_NAF1 to obtain Kd, and stores M-ID and Kd.
13. By the same method, authentication between the edge service node and the Internet of vehicles terminal 2 is performed, so that the Internet of vehicles terminal 2 obtains Ks_NAF2, M-ID and Kd.
Ks_NAF2 is the session key between the Internet of vehicles terminal 2 and the edge service node, used to establish a point-to-point secure channel between the two.
14. The Internet of vehicles terminal 1 and the Internet of vehicles terminal 2 exchange messages to perform direct communication. When sending a message, the vehicle-mounted terminal identifies the message with the M-ID and uses Kd to apply integrity protection or a digital signature to it. When receiving a message, the vehicle-mounted terminal verifies the signature or integrity of the message; if the check succeeds, the message can be regarded as coming from a source that has passed network-side authentication, and processing continues. Otherwise, the message is discarded.
The tight coupling scheme differs from the loose coupling scheme mainly in that Kd is generated by the operator network (i.e. the differences in steps 10 and 11), typically by a home subscriber server (HSS) with key generation capability, to ensure that the randomness of the key meets higher security requirements. In this case, a corresponding field needs to be added to the third authentication response message to transfer Kd to the edge service node, which then performs the subsequent operations.
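To make the two message flows above concrete, the following Python simulation is an added example written for this page, not code from the patent or from any 3GPP implementation. HMAC-SHA256 stands in for the AKA functions and the GBA key derivation, an HMAC-based encrypt-then-MAC construction stands in for the cipher producing Kc, and the User IDs, B-TID format, NAF-hostname and M-ID format are constructed placeholders; `tight_coupling` selects whether Kd comes from the operator network (Example two) or is generated by the edge service node (Example one).

```python
import hashlib, hmac, secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 derivation; stands in for the AKA functions and the GBA key derivation
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def wrap(ks_naf: bytes, kd: bytes) -> bytes:
    # Kc = Enc(Ks_NAF1, Kd): HMAC keystream XOR plus an HMAC tag, a stand-in for an AEAD
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(kd, prf(ks_naf, b"enc", nonce)))
    return nonce + ct + prf(ks_naf, b"mac", nonce, ct)

def unwrap(ks_naf: bytes, kc: bytes) -> bytes:
    nonce, ct, tag = kc[:16], kc[16:-32], kc[-32:]
    if not hmac.compare_digest(tag, prf(ks_naf, b"mac", nonce, ct)):
        raise ValueError("Kc failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, prf(ks_naf, b"enc", nonce)))

class OperatorNetwork:
    # network-side device: USIM root keys, AKA/GBA bootstrapping (BSF/HSS role)
    def __init__(self, subscribers: dict, tight_coupling: bool):
        self.subscribers = subscribers   # User ID -> root key K written to the USIM
        self.tight = tight_coupling
        self.sessions = {}               # B-TID -> (User ID, Ks)
        self.kd_per_naf = {}             # NAF-hostname -> Kd, tight coupling only

    def aka_challenge(self, user_id: str):    # step 4: RAND and AUTN
        rand = secrets.token_bytes(16)
        return rand, prf(self.subscribers[user_id], b"autn", rand)

    def aka_verify(self, user_id: str, rand: bytes, res: bytes) -> str:
        k = self.subscribers[user_id]          # step 6: check RES, derive Ks and B-TID
        if not hmac.compare_digest(res, prf(k, b"res", rand)):
            raise ValueError("terminal identity check failed")
        b_tid = rand.hex() + "@bsf.operator.example"   # constructed B-TID format
        self.sessions[b_tid] = (user_id, prf(k, b"ks", rand))
        return b_tid

    def naf_key(self, b_tid: str, naf_hostname: str):   # step 10: Ks_NAF1 (+ Kd if tight)
        user_id, ks = self.sessions[b_tid]
        ks_naf = prf(ks, b"naf", naf_hostname.encode(), user_id.encode())
        kd = self.kd_per_naf.setdefault(naf_hostname, secrets.token_bytes(32)) if self.tight else None
        return ks_naf, kd

class Terminal:
    def __init__(self, user_id: str, k: bytes):
        self.user_id, self.k = user_id, k      # User ID and USIM root key
        self.ks = self.b_tid = self.m_id = self.kd = None

    def aka_respond(self, rand: bytes, autn: bytes) -> bytes:   # step 5: check AUTN, answer RES
        if not hmac.compare_digest(autn, prf(self.k, b"autn", rand)):
            raise ValueError("network identity check failed")
        self.ks = prf(self.k, b"ks", rand)      # step 7: Ks computed on the terminal side
        return prf(self.k, b"res", rand)

class EdgeServiceNode:
    def __init__(self, hostname: str, operator: OperatorNetwork):
        self.hostname, self.operator = hostname, operator
        self.m_id = "M-" + secrets.token_hex(4)   # authentication service area identifier
        self.kd = None

    def application_request(self, b_tid: str):  # steps 9-11
        ks_naf, kd = self.operator.naf_key(b_tid, self.hostname)
        self.kd = self.kd or kd or secrets.token_bytes(32)   # loose coupling: generate Kd here
        return self.m_id, wrap(ks_naf, self.kd)  # M-ID and Kc(Ks_NAF1, Kd)

def bootstrap(term: Terminal, operator: OperatorNetwork, edge: EdgeServiceNode) -> None:
    rand, autn = operator.aka_challenge(term.user_id)        # steps 1-12 for one terminal
    res = term.aka_respond(rand, autn)
    term.b_tid = operator.aka_verify(term.user_id, rand, res)
    term.m_id, kc = edge.application_request(term.b_tid)
    ks_naf = prf(term.ks, b"naf", edge.hostname.encode(), term.user_id.encode())
    term.kd = unwrap(ks_naf, kc)                 # step 12

def protect(m_id: str, kd: bytes, payload: bytes) -> bytes:
    # step 14, sender: the frame carries M-ID, not the real identity, and an HMAC under Kd
    return m_id.encode() + b"|" + payload + prf(kd, b"msg", m_id.encode(), payload)

def verify(m_id: str, kd: bytes, frame: bytes):
    # step 14, receiver: payload if the frame is from this area and intact, else None (discard)
    sender_area, rest = frame.split(b"|", 1)
    payload, tag = rest[:-32], rest[-32:]
    if sender_area != m_id.encode():
        return None                             # message from another service area
    if not hmac.compare_digest(tag, prf(kd, b"msg", sender_area, payload)):
        return None                             # forged or tampered
    return payload

def run_example(tight_coupling: bool) -> dict:
    subs = {f"car-{i}@v2x.example": secrets.token_bytes(16) for i in (1, 2)}  # constructed
    operator = OperatorNetwork(subs, tight_coupling)
    edge = EdgeServiceNode("naf1.edge.example", operator)
    t1, t2 = (Terminal(uid, k) for uid, k in subs.items())
    bootstrap(t1, operator, edge)
    bootstrap(t2, operator, edge)               # step 13: terminal 2 gets the same M-ID and Kd
    frame = protect(t1.m_id, t1.kd, b"brake-warning")
    forged = protect(edge.m_id, secrets.token_bytes(32), b"brake-warning")  # sender lacking Kd
    return {"same_kd": t1.kd == t2.kd and t1.m_id == t2.m_id == edge.m_id,
            "accepted": verify(t2.m_id, t2.kd, frame),
            "forged_rejected": verify(t2.m_id, t2.kd, forged) is None,
            "kd_from_operator": edge.kd == operator.kd_per_naf.get(edge.hostname)}
```

`run_example(False)` exercises the loose coupling flow and `run_example(True)` the tight coupling flow; in both, terminal 2 accepts terminal 1's frame without learning its User ID, and a frame protected under a key other than the area's Kd is discarded.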
As shown in fig. 6, an embodiment of the present invention further provides an authentication device for direct communication in an internet of vehicles, which is applied to a terminal in the internet of vehicles, and includes:
the first authentication module 61 is configured to authenticate the identity of the car networking terminal through the edge service node when the car networking terminal is located in an authentication service area of the edge service node;
the obtaining module 62 is configured to obtain, after the identity authentication is successful, an authentication service area identifier of the edge service node and a first session key for performing direct communication between different internet of vehicles terminals in the authentication service area;
and the communication module 63 is configured to send a direct connection message to other internet of vehicles terminals located in the authentication service area, where the direct connection message is identified by using the authentication service area identifier, and integrity protection or digital signature is performed on the direct connection message by using the first session key.
Optionally, in the above embodiment of the present invention, the first authentication module includes:
a first unit, configured to send an access request message to the edge service node, where the access request message carries a service layer identifier of the car networking terminal;
a second unit, configured to receive a bootstrap initialization request message sent by the edge service node;
a third unit, configured to execute a bootstrap authentication process according to the bootstrap initialization request message, and send a first authentication request message to a network side device, where the first authentication request message carries a service layer identifier of the car networking terminal;
a fourth unit, configured to receive a second authentication request message sent by the network side device;
a fifth unit, configured to execute an authentication and key agreement AKA authentication procedure according to the second authentication request message, verify the identity validity of the network side device, and send a first authentication response message to the network side device after the verification is successful;
and a sixth unit, configured to receive a second authentication response message sent by the network side device when the identity of the car networking terminal is verified to be legal according to the first authentication response message.
Optionally, in the foregoing embodiment of the present invention, the communication module includes:
the second submodule is used for generating a second session key, and the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
a third sub-module, configured to send an application request message to the edge service node;
a fourth sub-module, configured to receive an application response message sent by the edge service node, where the application response message carries the authentication service area identifier and encryption information obtained by encrypting the first session key using the second session key;
and the fifth sub-module is used for decrypting the encrypted information by using the second session key to obtain the first session key.
In summary, in the above embodiments of the present invention, the edge computing node establishes the authentication service area in the coverage area where the edge computing node provides the service, and adopts the authentication service area identifier. And the vehicle networking terminal in the authentication service area and the edge service node perform identity authentication mutually. And after the identity authentication is successful, the terminal obtains the identification of the authentication service area and the first session key of the area. Furthermore, in the process of direct communication between the terminals of the internet of vehicles, the message can be identified by using the identification of the authentication service area, and the sent message is subjected to integrity protection or digital signature by using the first session key, so that the source of the message is authenticated. The message is identified by the identification of the authentication service area, so that the function of hiding the identity identification of the Internet of vehicles terminal is achieved, and the identity privacy of the user is protected; the embodiment of the invention is combined with a cellular network edge computing architecture, can realize regional authentication by utilizing the service capability of the edge service node, fully exerts the technical advantages of the cellular network and improves the authentication efficiency between the terminals of the Internet of vehicles.
It should be noted that the internet of vehicles direct communication authentication device provided in the embodiment of the present invention is a device capable of executing the above internet of vehicles direct communication authentication method, and all embodiments of the above internet of vehicles direct communication authentication method are applicable to the device and can achieve the same or similar beneficial effects.
As shown in fig. 7, an embodiment of the present invention further provides an Internet of Vehicles terminal, including a processor 700 and a transceiver 710, where the transceiver 710 receives and transmits data under the control of the processor 700, and the processor 700 is configured to perform the following operations:
performing, when the Internet of Vehicles terminal is located in an authentication service area of an edge service node, identity authentication with the edge service node;
acquiring an authentication service area identifier of the edge service node and a first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area;
and sending a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is labelled with the authentication service area identifier and the first session key is used to apply integrity protection or a digital signature to the direct connection message.
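The direct connection message format this implies, as an added example that is not part of the patent: the frame carries the authentication service area identifier in clear and a tag computed with the first session key over the identifier, a generation time and the payload, and nothing in the frame names the sending terminal. The area identifier, the key, the header layout, the truncated HMAC-SHA256 tag and the freshness window are all assumptions; the patent specifies none of them. Two checks the patent does not spell out but a receiver needs are included: a freshness window with duplicate suppression, because a valid tag alone does not stop replay of a captured message, and an explicit rejection of frames labelled with a different area, for which the receiver holds no key. Note that since the first session key is shared by every terminal in the area, a valid tag proves only that the sender is an authenticated member of that area; a symmetric key cannot give a digital signature in the non-repudiation sense, and any member can produce a tag for any message.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the patent): in the scheme the
# area identifier and the first session key arrive in the application response.
AREA_ID = b"ASA-0007"                                    # 8-byte area identifier
FIRST_SESSION_KEY = hashlib.sha256(b"demo first session key").digest()
TAG_LEN = 16                  # truncated HMAC-SHA256 tag
FRESHNESS_WINDOW = 30         # seconds of clock skew / transit delay tolerated
HDR = struct.Struct(">8sIH")  # area id | generation time (s) | payload length


def protect(area_id: bytes, key: bytes, timestamp: int, payload: bytes) -> bytes:
    """Label the message with the area identifier and tag it under the area's key.

    The identity of the sending terminal does not appear anywhere in the frame.
    """
    header = HDR.pack(area_id, timestamp, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class AreaReceiver:
    """Verifier for a terminal that holds the first session key of one area."""

    def __init__(self, area_id: bytes, key: bytes):
        self.area_id = area_id
        self.key = key
        self.seen = {}  # tag -> generation time, replay suppression inside the window

    def verify(self, msg: bytes, now: int):
        """Return (accepted, reason, payload); payload is empty on rejection."""
        if len(msg) < HDR.size + TAG_LEN:
            return False, "truncated", b""
        area_id, ts, length = HDR.unpack_from(msg)
        if area_id != self.area_id:
            return False, "foreign area", b""      # we hold no key for that area
        body_end = HDR.size + length
        if body_end + TAG_LEN != len(msg):
            return False, "length mismatch", b""
        expected = hmac.new(self.key, msg[:body_end], hashlib.sha256).digest()[:TAG_LEN]
        tag = msg[body_end:]
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag", b""           # not produced by an area member
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False, "stale", b""
        # Forget tags that have left the window, then refuse duplicates inside it.
        self.seen = {t: s for t, s in self.seen.items() if abs(now - s) <= FRESHNESS_WINDOW}
        if tag in self.seen:
            return False, "replay", b""
        self.seen[tag] = ts
        return True, "ok", msg[HDR.size:body_end]
```

The tag covers the header as well as the payload, so the area identifier and the generation time cannot be altered without invalidating it, and a repeated copy of a frame carries the same tag and is caught as a replay for as long as the frame is still fresh.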
Optionally, in the above embodiment of the present invention, the processor is further configured to perform the following operations:
sending an access request message to the edge service node, wherein the access request message carries a service layer identifier of the Internet of Vehicles terminal;
receiving a bootstrapping initialization request message sent by the edge service node;
executing a bootstrapping authentication procedure according to the bootstrapping initialization request message, and sending a first authentication request message to a network side device, wherein the first authentication request message carries the service layer identifier of the Internet of Vehicles terminal;
receiving a second authentication request message sent by the network side device;
executing an Authentication and Key Agreement (AKA) authentication procedure according to the second authentication request message, verifying the identity validity of the network side device, and sending a first authentication response message to the network side device after the verification succeeds;
and receiving a second authentication response message sent by the network side device after the network side device has verified, according to the first authentication response message, that the identity of the Internet of Vehicles terminal is legitimate.
Optionally, in the above embodiment of the present invention, the processor is further configured to:
generating a second session key, wherein the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
sending an application request message to the edge service node;
receiving an application response message sent by the edge service node, wherein the application response message carries the identification of the authentication service area and encryption information obtained after the second session key is used for encrypting the first session key;
and decrypting the encrypted information by using the second session key to obtain the first session key.
It should be noted that the Internet of Vehicles terminal provided by the embodiment of the present invention is a terminal capable of executing the above Internet of Vehicles direct communication authentication method, and all embodiments of that method are applicable to the terminal and achieve the same or similar beneficial effects.
The embodiment of the present invention further provides a communication device, where the communication device is an Internet of Vehicles terminal and includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements each process in the above embodiment of the Internet of Vehicles direct communication authentication method and achieves the same technical effect, which is not described again here to avoid repetition.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the program is executed by a processor, the process in the embodiment of the method for authenticating direct communication in internet of vehicles described above is implemented, and the same technical effect can be achieved, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
As shown in fig. 8, an embodiment of the present invention further provides an Internet of Vehicles direct communication authentication device, applied to an edge service node, including:
a second authentication module 81, configured to perform identity authentication on an Internet of Vehicles terminal when the Internet of Vehicles terminal is located in an authentication service area of the edge service node;
and a sending module 82, configured to send, to the Internet of Vehicles terminal, an authentication service area identifier and a first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area.
Optionally, in the above embodiment of the present invention, the second authentication module includes:
a seventh unit, configured to receive an access request message sent by the Internet of Vehicles terminal, where the access request message carries a service layer identifier of the Internet of Vehicles terminal;
and an eighth unit, configured to send a bootstrapping initialization request message to the Internet of Vehicles terminal, the bootstrapping initialization request message instructing the Internet of Vehicles terminal to execute bootstrapping authentication.
Optionally, in the foregoing embodiment of the present invention, the sending module includes:
a seventh sub-module, configured to receive an application request message sent by the Internet of Vehicles terminal;
an eighth sub-module, configured to generate an authentication service area identifier and to encrypt the first session key with a second session key to obtain encrypted information, the second session key being a session key for communication between the Internet of Vehicles terminal and the edge service node;
and a ninth sub-module, configured to send an application response message to the Internet of Vehicles terminal, where the application response message carries the authentication service area identifier and the encrypted information.
Optionally, in the above embodiment of the present invention, the apparatus further includes:
a message sending module, configured to send a third authentication request message to a network side device, where the third authentication request message carries the service identifier and the identifier of the edge service node;
and the message receiving module is configured to receive a third authentication response message sent by the network side device, where the third authentication response message carries a second session key generated by the network side device according to the service identifier.
It should be noted that the internet of vehicles direct communication authentication device provided in the embodiment of the present invention is a device capable of executing the above internet of vehicles direct communication authentication method, and all embodiments of the above internet of vehicles direct communication authentication method are applicable to the device and can achieve the same or similar beneficial effects.
As shown in fig. 9, an embodiment of the present invention further provides an edge service node, including a processor 900 and a transceiver 910, where the transceiver 910 receives and transmits data under the control of the processor 900, and the processor 900 is configured to perform the following operations:
performing identity authentication on an Internet of Vehicles terminal when the Internet of Vehicles terminal is located in an authentication service area of the edge service node;
and sending, to the Internet of Vehicles terminal, an authentication service area identifier and a first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area.
Optionally, in the above embodiment of the present invention, the processor is further configured to:
receiving an access request message sent by the Internet of Vehicles terminal, wherein the access request message carries a service layer identifier of the Internet of Vehicles terminal;
sending a bootstrapping initialization request message to the Internet of Vehicles terminal, the bootstrapping initialization request message instructing the Internet of Vehicles terminal to execute bootstrapping authentication.
Optionally, in the above embodiment of the present invention, the processor is further configured to:
receiving an application request message sent by the Internet of vehicles terminal;
generating an authentication service area identifier, and encrypting the first session key by using a second session key to obtain encrypted information; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending an application response message to the Internet of vehicles terminal, wherein the application response message carries the identification of the authentication service area and the encryption information.
It should be noted that the edge service node provided in the embodiment of the present invention is an edge service node capable of executing the above-mentioned method for authenticating direct communication in the internet of vehicles, and all embodiments of the above-mentioned method for authenticating direct communication in the internet of vehicles are applicable to the edge service node and all can achieve the same or similar beneficial effects.
An embodiment of the present invention further provides a communication device, where the communication device is an edge service node, and includes a memory, a processor, and a computer program that is stored in the memory and is executable on the processor, where the processor implements each process in the above-described embodiment of the internet of vehicles direct communication authentication method when executing the program, and can achieve the same technical effect, and details are not described here to avoid repetition.
As shown in fig. 10, an embodiment of the present invention further provides an Internet of Vehicles direct communication authentication device, applied to a network side device, including:
a first receiving module 1001, configured to receive a first authentication request message sent by an Internet of Vehicles terminal, where the first authentication request message carries a service layer identifier of the Internet of Vehicles terminal;
a third authentication module 1002, configured to obtain an authentication vector of the Internet of Vehicles terminal according to the service layer identifier of the Internet of Vehicles terminal, and to send a second authentication request message to the Internet of Vehicles terminal;
a second receiving module 1003, configured to receive a first authentication response message sent by the Internet of Vehicles terminal after the terminal has verified the identity validity of the network side device;
and a first response module 1004, configured to verify the identity validity of the Internet of Vehicles terminal according to the first authentication response message, and to send a second authentication response message to the Internet of Vehicles terminal after the verification succeeds.
Optionally, in the above embodiment of the present invention, the apparatus further includes:
a third receiving module, configured to receive a third authentication request message sent by the edge service node corresponding to the authentication service area in which the Internet of Vehicles terminal is located, where the third authentication request message carries an identifier of the edge service node;
a generating module, configured to generate a second session key; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and the response sending module is used for sending a third authentication response message to the edge service node, wherein the third authentication response message carries the second session key.
It should be noted that the internet of vehicles direct communication authentication device provided in the embodiment of the present invention is a device capable of executing the above internet of vehicles direct communication authentication method, and all embodiments of the above internet of vehicles direct communication authentication method are applicable to the device and can achieve the same or similar beneficial effects.
As shown in fig. 11, an embodiment of the present invention further provides a network side device, including a processor 1100 and a transceiver 1101, where the transceiver 1101 receives and transmits data under the control of the processor 1100, and the processor 1100 is configured to perform the following operations:
receiving a first authentication request message sent by an Internet of Vehicles terminal, wherein the first authentication request message carries a service layer identifier of the Internet of Vehicles terminal;
acquiring an authentication vector of the Internet of Vehicles terminal according to the service layer identifier of the Internet of Vehicles terminal, and sending a second authentication request message to the Internet of Vehicles terminal;
receiving a first authentication response message sent by the Internet of Vehicles terminal after the terminal has verified the identity validity of the network side device;
and verifying the identity validity of the Internet of Vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of Vehicles terminal after the verification succeeds.
Optionally, in the above embodiment of the present invention, the processor is further configured to:
receiving a third authentication request message sent by an edge service node corresponding to an authentication service area where the Internet of vehicles terminal is located, wherein the third authentication request message carries an identifier of the edge service node;
generating a second session key; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending a third authentication response message to the edge service node, wherein the third authentication response message carries the second session key.
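The three procedures described above, on the Internet of Vehicles terminal (access request, bootstrapping, AKA, application request), on the edge service node (bootstrapping initialization, third authentication request, application response) and on the network side device (authentication vector, challenge and response, second session key), fit together as one exchange. The following is an added example, not the patent's or the applicant's code, that simulates all three parties in Python with standard-library HMAC-SHA256 so the flow can be run end to end. Everything the patent does not state is an assumption: the AKA step is reduced to a challenge carrying RAND together with a sequence number and a MAC that play the role of AUTN (Milenage and the anonymity key are omitted); the bootstrapped key Ks and the second session key are derived with HMAC from the long-term key, the edge node identifier and the service layer identifier, which is one way the terminal and the network side can compute the same second session key without transmitting it; the first session key is wrapped with an encrypt-then-MAC construction that stands in for an AEAD such as AES-GCM; and the identifiers and keys are constructed demo values.

```python
import hashlib
import hmac
import secrets


def kdf(key, *parts):
    """Assumed key derivation: HMAC-SHA256 over length-prefixed parts (not from the patent)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key, nonce, length):
    blocks = length // 32 + 1
    return b"".join(kdf(key, b"enc", nonce, bytes([i])) for i in range(blocks))


def wrap(key, nonce, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD such as AES-GCM (assumption)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + kdf(key, b"mac", nonce, ct)[:16]


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(kdf(key, b"mac", nonce, ct)[:16], tag):
        raise ValueError("wrapped first session key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class NetworkSide:
    def __init__(self, subscribers):
        self.subscribers = subscribers  # service layer identifier -> long-term key K
        self.sqn = {sid: 0 for sid in subscribers}
        self.pending = {}               # sid -> (XRES, Ks) awaiting the first authentication response
        self.bootstrapped = {}          # sid -> Ks after a successful AKA run

    def first_auth_request(self, sid):
        """Build the authentication vector and return the second authentication request."""
        k = self.subscribers[sid]
        self.sqn[sid] += 1
        rand, sqn = secrets.token_bytes(16), self.sqn[sid].to_bytes(6, "big")
        autn = sqn + kdf(k, b"autn", rand, sqn)[:8]  # lets the terminal authenticate the network
        self.pending[sid] = (kdf(k, b"res", rand)[:8], kdf(k, b"ks", rand))
        return {"rand": rand, "autn": autn}

    def first_auth_response(self, sid, res):
        """Check RES against XRES; keep Ks only for terminals that passed."""
        xres, ks = self.pending.pop(sid)
        if not hmac.compare_digest(xres, res):
            return {"ok": False}
        self.bootstrapped[sid] = ks
        return {"ok": True}

    def third_auth_request(self, sid, edge_id):
        """Third authentication response: second session key bound to this edge node."""
        ks = self.bootstrapped.get(sid)
        if ks is None:
            return {"ok": False}        # the terminal never completed bootstrapping
        return {"ok": True, "ks_edge": kdf(ks, b"edge", edge_id, sid)}


class Terminal:
    def __init__(self, sid, k):
        self.sid, self.k, self.last_sqn, self.ks = sid, k, 0, None

    def second_auth_request(self, msg):
        """AKA at the terminal: authenticate the network before answering with RES."""
        rand, sqn_bytes, mac = msg["rand"], msg["autn"][:6], msg["autn"][6:]
        if not hmac.compare_digest(kdf(self.k, b"autn", rand, sqn_bytes)[:8], mac):
            raise ValueError("network failed authentication")
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.last_sqn:
            raise ValueError("replayed challenge")
        self.last_sqn, self.ks = sqn, kdf(self.k, b"ks", rand)
        return kdf(self.k, b"res", rand)[:8]

    def second_session_key(self, edge_id):
        # Same derivation as the network side, so the key itself is never transmitted.
        return kdf(self.ks, b"edge", edge_id, self.sid)


class EdgeNode:
    def __init__(self, edge_id, network):
        self.edge_id, self.network = edge_id, network
        self.area_id = b"ASA-" + secrets.token_hex(2).encode()  # authentication service area identifier
        self.first_session_key = secrets.token_bytes(32)        # one key shared by the whole area

    def application_request(self, sid):
        """Obtain the second session key from the network side and wrap the first session key with it."""
        reply = self.network.third_auth_request(sid, self.edge_id)
        if not reply["ok"]:
            return None
        enc = wrap(reply["ks_edge"], secrets.token_bytes(16), self.first_session_key)
        return {"area_id": self.area_id, "enc": enc}


def join_area(terminal, edge, network):
    """Run the whole exchange; return (area identifier, first session key) or raise."""
    challenge = network.first_auth_request(terminal.sid)  # follows access request / bootstrapping init
    res = terminal.second_auth_request(challenge)
    if not network.first_auth_response(terminal.sid, res)["ok"]:
        raise ValueError("terminal rejected by the network side")
    resp = edge.application_request(terminal.sid)
    if resp is None:
        raise ValueError("edge service node could not obtain a second session key")
    return resp["area_id"], unwrap(terminal.second_session_key(edge.edge_id), resp["enc"])
```

What the simulation shows beyond the text: the terminal rejects a challenge whose MAC does not verify under its long-term key, so the network is authenticated before any response leaves the terminal, and it refuses a replayed sequence number; the edge service node never sees the long-term key and receives only the per-edge second session key from the network side; and a terminal that has not completed bootstrapping cannot obtain the first session key, because the network side returns no second session key for it. The second session key is bound to the edge node identifier, so the key one edge node holds is of no use to another.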
It should be noted that the network-side device provided in the embodiment of the present invention is a network-side device capable of executing the above-mentioned vehicle networking direct communication authentication method, and all embodiments of the above-mentioned vehicle networking direct communication authentication method are applicable to the network-side device, and can achieve the same or similar beneficial effects.
An embodiment of the present invention further provides a communication device, where the communication device is a network-side device, and includes a memory, a processor, and a computer program that is stored in the memory and is executable on the processor, where the processor implements each process in the above-described embodiment of the method for authenticating direct communication in the internet of vehicles when executing the program, and can achieve the same technical effect, and details are not described here to avoid repetition.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block or blocks.
These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (14)

1. An Internet of Vehicles direct communication authentication method, applied to an Internet of Vehicles terminal, characterized by comprising:
performing, when the Internet of Vehicles terminal is located in an authentication service area of an edge service node, identity authentication with the edge service node;
acquiring an authentication service area identifier of the edge service node and a first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area;
and sending a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is labelled with the authentication service area identifier and the first session key is used to apply integrity protection or a digital signature to the direct connection message.
2. The method of claim 1, wherein performing identity authentication with the edge service node comprises:
sending an access request message to the edge service node, wherein the access request message carries a service layer identifier of the Internet of Vehicles terminal;
receiving a bootstrapping initialization request message sent by the edge service node;
executing a bootstrapping authentication procedure according to the bootstrapping initialization request message, and sending a first authentication request message to a network side device, wherein the first authentication request message carries the service layer identifier of the Internet of Vehicles terminal;
receiving a second authentication request message sent by the network side device;
executing an Authentication and Key Agreement (AKA) authentication procedure according to the second authentication request message, verifying the identity validity of the network side device, and sending a first authentication response message to the network side device after the verification succeeds;
and receiving a second authentication response message sent by the network side device after the network side device has verified, according to the first authentication response message, that the identity of the Internet of Vehicles terminal is legitimate.
3. The method according to claim 1, wherein acquiring the authentication service area identifier of the edge service node and the first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area comprises:
generating a second session key, wherein the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
sending an application request message to the edge service node;
receiving an application response message sent by the edge service node, wherein the application response message carries the identification of the authentication service area and encryption information obtained after the second session key is used for encrypting the first session key;
and decrypting the encrypted information by using the second session key to obtain the first session key.
4. An Internet of Vehicles direct communication authentication method, applied to an edge service node, characterized by comprising:
performing identity authentication on an Internet of Vehicles terminal when the Internet of Vehicles terminal is located in an authentication service area of the edge service node;
and sending, to the Internet of Vehicles terminal, an authentication service area identifier and a first session key used for direct communication between different Internet of Vehicles terminals in the authentication service area.
5. The method according to claim 4, wherein performing identity authentication on the Internet of Vehicles terminal comprises:
receiving an access request message sent by the Internet of Vehicles terminal, wherein the access request message carries a service layer identifier of the Internet of Vehicles terminal;
and sending a bootstrapping initialization request message to the Internet of Vehicles terminal, the bootstrapping initialization request message instructing the Internet of Vehicles terminal to execute bootstrapping authentication.
6. The method according to claim 4, wherein sending an authentication service area identifier and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area to the Internet of Vehicles terminal comprises:
receiving an application request message sent by the Internet of Vehicles terminal;
generating an authentication service area identifier, and encrypting the first session key with a second session key to obtain encrypted information; the second session key is a session key for communication between the Internet of Vehicles terminal and the edge service node;
and sending an application response message to the Internet of Vehicles terminal, wherein the application response message carries the authentication service area identifier and the encrypted information.
7. An Internet of Vehicles direct communication authentication method, applied to network side equipment, characterized by comprising:
receiving a first authentication request message sent by an Internet of vehicles terminal, wherein the first authentication request message carries a service layer identifier of the Internet of vehicles terminal;
acquiring an authentication vector of the Internet of vehicles terminal according to the service layer identifier of the Internet of vehicles terminal, and sending a second authentication request message to the Internet of vehicles terminal;
receiving a first authentication response message sent by the Internet of Vehicles terminal after it has verified the identity validity of the network side equipment;
and verifying the identity validity of the Internet of Vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of Vehicles terminal after the verification succeeds.
8. The method according to claim 7, further comprising, after sending the second authentication response message to the Internet of Vehicles terminal upon successful verification:
receiving a third authentication request message sent by an edge service node corresponding to an authentication service area where the Internet of vehicles terminal is located, wherein the third authentication request message carries an identifier of the edge service node;
generating a second session key; the second session key is a session key for communication between the Internet of vehicles terminal and the edge service node;
and sending a third authentication response message to the edge service node, wherein the third authentication response message carries the second session key.
9. An Internet of Vehicles direct communication authentication apparatus, applied to an Internet of Vehicles terminal, characterized by comprising:
a first authentication module, configured to perform identity authentication on the Internet of Vehicles terminal through the edge service node under the condition that the Internet of Vehicles terminal is located in an authentication service area of the edge service node;
an acquisition module, configured to acquire the authentication service area identifier of the edge service node and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area;
and a communication module, configured to send a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier, and the first session key is used for integrity protection or digital signature of the direct connection message.
10. An Internet of Vehicles terminal, comprising a processor and a transceiver, the transceiver receiving and transmitting data under control of the processor, characterized in that the processor is configured to:
under the condition that the Internet of Vehicles terminal is located in an authentication service area of an edge service node, perform identity authentication on the Internet of Vehicles terminal through the edge service node;
acquire an authentication service area identifier of the edge service node and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area;
and send a direct connection message to other Internet of Vehicles terminals in the authentication service area, wherein the direct connection message is identified by the authentication service area identifier, and the first session key is used for integrity protection or digital signature of the direct connection message.
11. An edge service node, comprising a processor and a transceiver, the transceiver receiving and transmitting data under control of the processor, wherein the processor is configured to:
under the condition that an Internet of Vehicles terminal is located in an authentication service area of the edge service node, perform identity authentication on the Internet of Vehicles terminal;
and send an authentication service area identifier and a first session key for direct communication between different Internet of Vehicles terminals in the authentication service area to the Internet of Vehicles terminal.
12. A network side device comprising a processor and a transceiver, the transceiver receiving and transmitting data under the control of the processor, wherein the processor is configured to:
receiving a first authentication request message sent by an Internet of vehicles terminal, wherein the first authentication request message carries a service layer identifier of the Internet of vehicles terminal;
acquiring an authentication vector of the Internet of vehicles terminal according to the service layer identifier of the Internet of vehicles terminal, and sending a second authentication request message to the Internet of vehicles terminal;
receiving a first authentication response message sent by the Internet of Vehicles terminal after it has verified the identity validity of the network side equipment;
and verifying the identity validity of the Internet of vehicles terminal according to the first authentication response message, and sending a second authentication response message to the Internet of vehicles terminal after the verification is successful.
13. A communication device comprising a memory, a processor, and a program stored on the memory and executable on the processor; wherein the processor, when executing the program, implements the internet of vehicles direct communication authentication method of any of claims 1-3; or the processor, when executing the program, implements the internet of vehicles direct communication authentication method according to any one of claims 4 to 6; alternatively, the processor, when executing the program, implements the internet of vehicles direct communication authentication method according to claim 7 or 8.
14. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, carries out the steps of the Internet of Vehicles direct communication authentication method according to any one of claims 1 to 3; or the program, when executed by a processor, carries out the steps of the Internet of Vehicles direct communication authentication method according to any one of claims 4 to 6; or the program, when executed by a processor, carries out the steps of the Internet of Vehicles direct communication authentication method according to claim 7 or 8.
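The claims above describe one three-party exchange: the terminal authenticates to the network side through the edge node (claims 2, 5, 7), the network hands the edge node a terminal-specific second session key K2 (claim 8), the edge node uses K2 to deliver the area identifier and the area-wide first session key K1 (claims 3, 6), and terminals then tag their direct messages with the area identifier and protect them with K1 (claims 1, 9, 10). The following is an added worked example of that exchange, not code from the patent or from China Mobile. The claims fix no algorithms, so everything cryptographic here is an assumption: HMAC-SHA256 for the challenge/response, the KDF and the message tags; an HMAC-based encrypt-then-MAC wrap as a stand-in for the AES key wrap or AES-GCM a deployment would use to "encrypt the first session key with the second session key"; and the terminal deriving K2 from the bootstrap run bound to the edge node identifier, which is how it can "generate" a key the network also knows. Message field names and the vehicle identifiers are constructed. One caveat a practitioner should keep in mind: because K1 is shared by every terminal in the area, the tag proves that the sender holds the area key, not which terminal sent the message; the "digital signature" alternative named in claim 9 would need per-terminal keys that these claims do not specify.

```python
import hashlib, hmac, os


def kdf(key, *labels):
    """HMAC-SHA256 key derivation (assumption: the claims fix no KDF)."""
    h = hmac.new(key, b"", hashlib.sha256)
    for label in labels:
        h.update(len(label).to_bytes(2, "big") + label)
    return h.digest()


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def wrap_key(k2, k1):
    """'Encrypt K1 with K2' (claim 6): encrypt-then-MAC over an HMAC keystream,
    a stand-in for the AES key wrap or AES-GCM a deployment would use."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(k1, kdf(k2, b"enc", nonce)))
    return nonce + ct + mac(kdf(k2, b"mac"), nonce + ct)


def unwrap_key(k2, blob):
    """Claim 3: recover K1; a wrong K2 or a tampered blob is rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(kdf(k2, b"mac"), nonce + ct)):
        raise ValueError("encrypted K1 failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, kdf(k2, b"enc", nonce)))


class NetworkSide:  # claims 7-8: long-term keys, challenge/response, K2 for the edge node
    def __init__(self, subscribers):
        self.subscribers = subscribers  # service-layer identifier -> long-term key K
        self.pending, self.bootstrapped = {}, {}

    def auth_request(self, sid):  # second authentication request: RAND + AUTN
        k, rand = self.subscribers[sid], os.urandom(16)
        self.pending[sid] = rand
        return {"rand": rand, "autn": kdf(k, b"autn", rand)}  # AUTN proves knowledge of K

    def auth_response(self, sid, res):  # check RES carried in the first authentication response
        rand = self.pending.pop(sid)
        if not hmac.compare_digest(res, kdf(self.subscribers[sid], b"res", rand)):
            return False
        self.bootstrapped[sid] = rand
        return True

    def third_auth_request(self, sid, edge_id):  # K2 only for terminals that bootstrapped
        if sid not in self.bootstrapped:
            raise PermissionError("terminal not authenticated")
        return kdf(self.subscribers[sid], b"k2", self.bootstrapped[sid], edge_id)


class Terminal:  # claims 1-3 and 9
    def __init__(self, sid, k):
        self.sid, self.k, self.area_id, self.k1 = sid, k, None, None

    def bootstrap(self, network, edge_id):
        msg = network.auth_request(self.sid)
        if not hmac.compare_digest(msg["autn"], kdf(self.k, b"autn", msg["rand"])):
            raise ValueError("network side failed identity check")
        if not network.auth_response(self.sid, kdf(self.k, b"res", msg["rand"])):
            raise ValueError("terminal rejected by network side")
        # claim 3: the terminal generates K2 itself; binding it to the edge id is assumed
        self.k2 = kdf(self.k, b"k2", msg["rand"], edge_id)

    def take_application_response(self, resp):
        self.area_id, self.k1 = resp["area_id"], unwrap_key(self.k2, resp["enc_k1"])

    def direct_message(self, payload):  # the area identifier is authenticated with the payload
        return {"area_id": self.area_id, "payload": payload,
                "tag": mac(self.k1, self.area_id + payload)}

    def verify_direct(self, msg):
        if msg["area_id"] != self.area_id:  # sender is in another authentication service area
            return False
        return hmac.compare_digest(msg["tag"], mac(self.k1, msg["area_id"] + msg["payload"]))


class EdgeNode:  # claims 4-6: one service area, one area-wide first session key K1
    def __init__(self, edge_id, network):
        self.edge_id, self.network = edge_id, network
        self.area_id, self.k1 = os.urandom(8), os.urandom(32)

    def admit(self, terminal):
        terminal.bootstrap(self.network, self.edge_id)  # bootstrap initialization request
        k2 = self.network.third_auth_request(terminal.sid, self.edge_id)
        terminal.take_application_response(  # application response: area id + wrapped K1
            {"area_id": self.area_id, "enc_k1": wrap_key(k2, self.k1)})


def run_exchange():
    """Constructed scenario: A and B join edge-1's area, C joins edge-2's area."""
    subs = {b"veh-A": os.urandom(32), b"veh-B": os.urandom(32), b"veh-C": os.urandom(32)}
    net = NetworkSide(subs)
    edge1, edge2 = EdgeNode(b"edge-1", net), EdgeNode(b"edge-2", net)
    a, b, c = (Terminal(sid, k) for sid, k in subs.items())
    for terminal, edge in ((a, edge1), (b, edge1), (c, edge2)):
        edge.admit(terminal)
    msg = a.direct_message(b"brake-warning")
    try:
        net.third_auth_request(b"veh-Z", edge1.edge_id)  # never bootstrapped
        refused = False
    except PermissionError:
        refused = True
    return {"peer_accepts": b.verify_direct(msg),
            "tampered_rejected": not b.verify_direct(dict(msg, payload=b"all-clear")),
            "foreign_area_rejected": not c.verify_direct(msg),
            "unauthenticated_refused": refused}
```

Calling `run_exchange()` returns four booleans, all `True` when the exchange behaves as the claims describe: a peer in the same area accepts the message, a modified payload is rejected, a terminal in another area rejects it because the area identifier (and K1) differ, and the network refuses to issue K2 for a terminal that never completed the bootstrap authentication.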
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911165325.4A CN112954643B (en) 2019-11-25 2019-11-25 Direct communication authentication method, terminal, edge service node and network side equipment

Publications (2)

Publication Number Publication Date
CN112954643A true CN112954643A (en) 2021-06-11
CN112954643B CN112954643B (en) 2024-03-19

Family

ID=76224790

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911165325.4A Active CN112954643B (en) 2019-11-25 2019-11-25 Direct communication authentication method, terminal, edge service node and network side equipment

Country Status (1)

Country Link
CN (1) CN112954643B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017020206A1 (en) * 2015-07-31 2017-02-09 华为技术有限公司 Communication method and related device
WO2017143891A1 (en) * 2016-02-26 2017-08-31 电信科学技术研究院 Method and device for establishing vehicle-to-everything session request and determining transmission cell
US20190182788A1 (en) * 2016-08-22 2019-06-13 Samsung Electronics Co., Ltd. Method and system for regional data network configuration in wireless communication network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225318A (en) * 2022-06-09 2022-10-21 广东省智能网联汽车创新中心有限公司 Vehicle-mounted Ethernet dynamic login authentication method and system based on vehicle-mounted terminal
CN115225318B (en) * 2022-06-09 2023-12-22 广东省智能网联汽车创新中心有限公司 Vehicle-mounted Ethernet dynamic login authentication method and system based on vehicle-mounted terminal

Also Published As

Publication number Publication date
CN112954643B (en) 2024-03-19

Similar Documents

Publication Publication Date Title
CN109309565B (en) Security authentication method and device
CN109428875B (en) Discovery method and device based on service architecture
CN109428874B (en) Registration method and device based on service architecture
CN112039918B (en) Internet of things credible authentication method based on identification cryptographic algorithm
CN111865603A (en) Authentication method, authentication device and authentication system
CN112532393A (en) Verification method of cross-link transaction, relay link node equipment and medium
CN114362993B (en) Block chain assisted Internet of vehicles security authentication method
CN111447601A (en) Method and device for realizing automobile Bluetooth key
CN110545252B (en) Authentication and information protection method, terminal, control function entity and application server
CN109005032B (en) Routing method and device
CN115065466B (en) Key negotiation method, device, electronic equipment and computer readable storage medium
CN114765534B (en) Private key distribution system and method based on national secret identification cryptographic algorithm
CN114697122A (en) Data transmission method and device, electronic equipment and storage medium
CN112351037A (en) Information processing method and device for secure communication
He et al. An accountable, privacy-preserving, and efficient authentication framework for wireless access networks
CN108259486B (en) End-to-end key exchange method based on certificate
CN111901795A (en) Access method, core network equipment and micro base station management server
CN117278330B (en) Lightweight networking and secure communication method for electric power Internet of things equipment network
CN113163375B (en) Air certificate issuing method and system based on NB-IoT communication module
CN108600240A (en) A kind of communication system and its communication means
CN112954643B (en) Direct communication authentication method, terminal, edge service node and network side equipment
CN113630244A (en) End-to-end safety guarantee method facing communication sensor network and edge server
CN106209384B (en) Use the client terminal of security mechanism and the communication authentication method of charging unit
Yan et al. A certificateless efficient and secure group handover authentication protocol in 5G enabled vehicular networks
KR101749449B1 (en) Two Level Privacy Preserving Pseudonymous Authentication Method for Vehicular Ad-Hoc Network and System Therefor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant