CN113269931B - Capacity-based shared automobile access method and device - Google Patents

Publication number
CN113269931B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110623178.1A
Other languages
Chinese (zh)
Other versions
CN113269931A (en
Inventor
殷丽华
李超
余震雷
罗天杰
罗熙
孙哲
王滨
王星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F17/00 Coin-freed apparatus for hiring articles; Coin-freed facilities or services
    • G07F17/0042 Coin-freed apparatus for hiring articles; Coin-freed facilities or services for hiring of objects
    • G07F17/0057 Coin-freed apparatus for hiring articles; Coin-freed facilities or services for hiring of objects for the hiring or rent of vehicles, e.g. cars, bicycles or wheelchairs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to the technical field of Internet of Things access control, and discloses a capability-based shared automobile access method and device. The method comprises: receiving a first access request sent by first user equipment; verifying the server private-key signature on the first capability token according to a pre-stored first server public key, and if that signature matches the pre-stored first server public key, acquiring the user public key in the first capability token and using it to verify the user private-key signature on the first access request; and if the acquired user public key matches the user private-key signature on the first access request, allowing the first user equipment to access the shared automobile. The advantages are: with the capability-based access control method, the access request is verified directly between the user and the shared automobile gateway, so that the user can still access the shared automobile normally even when there is no network or the cloud server is unavailable, and the user experience is guaranteed.

Description

Capacity-based shared automobile access method and device
Technical Field
The invention relates to the technical field of Internet of Things access control, in particular to a capability-based shared automobile access method and device.
Background
In a shared-automobile scenario, a cloud-based car rental service platform is required to authorize idle vehicles near a user to that user in order to provide the rental service. Existing car authorization functions (such as Tesla's Car Access) generally make the decision (i.e., whether authorization may be granted) and perform the authorization in the cloud, and the access control models used are mainly the Role-Based Access Control (RBAC) model and the Attribute-Based Access Control (ABAC) model. Systems built on these two conventional access control models have the following disadvantages:
Poor scalability. Access control is enforced by a back-end cloud server, which is highly centralized in nature and difficult to distribute, and suffers from single points of failure and performance bottlenecks.
Poor timeliness. The access process requires verification of relatively complicated digital certificates, so verification takes a long time and the response is slow.
The scale and popularity of shared automobiles will gradually increase in the future. If access continues to be controlled by the server, the feedback time will be affected by the server's processing capacity and the user experience will degrade, and if the server fails, users will be unable to use the shared automobile. It is therefore necessary to improve the existing shared automobile access method, improving the scalability and timeliness of the access control system to meet people's growing travel demand.
Disclosure of Invention
The purpose of the invention is to provide a scalable and highly timely shared automobile access method and device, so that a user can access the shared automobile directly, the access time is reduced, people's growing travel demand is met, and the user experience is improved.
In order to achieve the above object, the present invention provides a capability-based shared automobile access method, comprising:
receiving a first access request sent by first user equipment; the first access request comprises a first capability token, the first capability token comprises a server private-key signature and a first user public key, the first capability token is generated after the first user equipment verifies a received second capability token sent by the server, the second capability token is generated after the server signs, with the server private key, a capability token containing the first user public key, and the first access request is a request signed with the first user private key.
Verifying the first capability token according to a pre-stored first server public key, and if the first capability token passes the verification, acquiring the first user public key in the first capability token and using it to verify the first user private-key signature on the first access request; and if that signature verifies against the acquired first user public key, allowing the first user equipment to access the shared automobile.
Further, the first capability token is generated after the first user equipment verifies the received second capability token sent by the server, and specifically includes:
the first user equipment sends a first authorization request carrying a first user private-key signature to the server, so that the server verifies that signature using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and, when the decision result is authorization, feeds back a second capability token to the first user equipment, wherein the second capability token is a capability token signed with the server private key and containing the first user public key.
And the first user equipment verifies the server private-key signature on the second capability token according to the pre-stored second server public key, and generates the first capability token after the verification passes.
Further, making an authorization decision on the verified authorization request according to the pre-stored user attribute information and the access control policy specifically includes:
the server acquires the user attributes corresponding to the user name in the first authorization request, wherein the user attributes comprise a user permission identity and an order state; the first authorization request includes: user name, permission requirement, and shared automobile name.
And judging whether the order state is paid, and if so, acquiring the permission requirement in the first authorization request and judging whether the permission requirement exceeds the permission limit of the user permission identity.
And if not, generating a second capability token, wherein the second capability token comprises a user name, a permission requirement, the first user public key, a shared automobile name and a second capability token number.
Further, the access method further includes:
and receiving a second capability token revocation command which is sent by the server and signed by the private key of the server.
And verifying the server private-key signature on the second capability token revocation command according to the pre-stored first server public key, and if the signature passes the verification, recording the second capability token number in the second capability token revocation command into a token revocation list.
And feeding back third information to the first user equipment when detecting that the second capability token number of the first capability token in the first access request is in the token revocation list.
Further, the allowing the first user equipment to access the shared automobile specifically includes:
the first access request also comprises a first request; whether the request permission in the first request matches the permission requirement in the first capability token is verified; if the request permission matches the permission requirement, a first control command is generated according to the request permission of the first request, the first control command is used for controlling equipment in the shared automobile, and first information corresponding to the first control command is fed back to the first user equipment; and if the request permission does not match the permission requirement, second information is fed back to the first user equipment.
The invention also discloses a shared automobile access method based on the capability, which comprises the following steps:
sending a first access request to a shared automobile gateway; the first access request comprises a first capability token, the first capability token comprises a server private-key signature and a first user public key, the first capability token is generated after the first user equipment verifies a received second capability token sent by the server, the second capability token is generated after the server signs, with the server private key, a capability token containing the first user public key, and the first access request is a request signed with the first user private key.
Enabling the gateway to verify the first capability token according to a pre-stored first server public key, and if the first capability token passes the verification, to acquire the first user public key in the first capability token and use it to verify the first user private-key signature on the first access request; and if that signature verifies against the acquired first user public key, allowing the first user equipment to access the shared automobile.
Further, the first capability token is generated after the first user equipment verifies the received second capability token sent by the server, and specifically includes:
the first user equipment sends a first authorization request carrying a first user private-key signature to the server, so that the server verifies that signature using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and, when the decision result is authorization, feeds back a second capability token to the first user equipment, wherein the second capability token is a capability token signed with the server private key and containing the first user public key.
And the first user equipment verifies the server private-key signature on the second capability token according to the pre-stored second server public key, and generates the first capability token after the verification passes.
Further, making an authorization decision on the verified authorization request according to the pre-stored user attribute information and the access control policy specifically includes:
the server acquires the user attributes corresponding to the user name in the first authorization request, wherein the user attributes comprise a user permission identity and an order state; the first authorization request includes: user name, permission requirement, and shared automobile name.
And judging whether the order state is paid, and if so, acquiring the permission requirement in the first authorization request and judging whether the permission requirement exceeds the permission limit of the user permission identity.
And if not, generating a second capability token, wherein the second capability token comprises a user name, a permission requirement, the first user public key, a shared automobile name and a second capability token number.
Further, the allowing the first user equipment to access the shared automobile specifically includes:
the first access request also comprises a first request; whether the request permission in the first request matches the permission requirement in the first capability token is verified; if the request permission matches the permission requirement, a first control command is generated according to the request permission of the first request, the first control command is used for controlling equipment in the shared automobile, and first information corresponding to the first control command is fed back to the first user equipment; and if the request permission does not match the permission requirement, second information is fed back to the first user equipment.
The invention also discloses a shared automobile access device based on the capability, which comprises: the device comprises a first receiving module and a first judging module.
The first receiving module is used for receiving a first access request sent by first user equipment; the first access request comprises a first capability token, the first capability token comprises a server private-key signature and a first user public key, the first capability token is generated after the first user equipment verifies a received second capability token sent by the server, the second capability token is generated after the server signs, with the server private key, a capability token containing the first user public key, and the first access request is a request signed with the first user private key.
The first judging module is used for verifying the first capability token according to a pre-stored first server public key, and if the first capability token passes the verification, acquiring the first user public key in the first capability token and using it to verify the first user private-key signature on the first access request; and if that signature verifies against the acquired first user public key, allowing the first user equipment to access the shared automobile.
Compared with the prior art, the capability-based shared automobile access method and device have the following advantages: with the capability-based access control method, when the user accesses an authorized shared automobile, the access request is verified directly between the user and the shared automobile gateway without going through the cloud, so that the user can still access the shared automobile normally even when there is no network or the cloud server is unavailable, and the user experience is guaranteed. Meanwhile, because access does not go through the cloud, communication time is saved and the response speed is greatly improved; and because the user public key is written directly into the capability token, the number of user digital certificate verifications performed by the shared automobile gateway when verifying the first access request is reduced, which saves time.
Drawings
FIG. 1 is a schematic flow chart of a shared vehicle access method based on capabilities of the present invention;
FIG. 2 is a schematic diagram of a first access request in a capability-based shared vehicle access method of the present invention;
FIG. 3 is a schematic structural diagram of a shared car access device based on capability according to the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Example 1:
To explain some of the terms used in this application: in contrast to the two access control models in the background art, the present invention employs a Capability-Based Access Control model (CapBAC). The capability-based access control model introduces the concept of a capability, which refers to a user's operation permission on a resource (data or equipment) and generally exists in the form of a token, a ticket or a key. If the user possesses the corresponding capability token (equivalent to a more secure key), the user is authorized to perform the specified access operation on the specified resource. Because of the capability token, the device side only needs to verify the user's capability token and does not need to obtain the user's information or the access control policy, so that management of user information and the access control policy can be separated from enforcement of access control, distributed access control is easy to achieve, and the drawbacks caused by the high centralization of traditional access control models are overcome.
Referring to the attached figure 1, the invention discloses a method for sharing automobile access based on capability, which is applied to a gateway of a shared automobile and comprises the following steps:
Step S1, receiving a first access request sent by first user equipment; the first access request comprises a first capability token, the first capability token comprises a server private-key signature and a first user public key, the first capability token is generated after the first user equipment verifies a received second capability token sent by the server, the second capability token is generated after the server signs, with the server private key, a capability token containing the first user public key, and the first access request is a request signed with the first user private key.
Step S2, verifying the first capability token according to a pre-stored first server public key, and if the first capability token passes the verification, acquiring the first user public key in the first capability token and using it to verify the first user private-key signature on the first access request; and if that signature verifies against the acquired first user public key, allowing the first user equipment to access the shared automobile.
Referring to FIG. 2 for step S1, it can be seen that the first capability token is jointly signed with the server private key and the user private key, and the first request is signed with the user private key.
In step S1 of this embodiment, the request permission of the first request includes: opening, closing, rolling up windows, starting the engine, etc., or applying for a period of use of a basic function.
In embodiment 1 of the present invention, the gateway receives the first access request sent by the first user equipment over a selectable communication mode such as Bluetooth, 3G, 4G or 5G.
In step S2, after receiving the first access request, the gateway verifies the server private-key signature on the first capability token to confirm that the token was issued by the cloud, then extracts the user public key from the first capability token and uses it to verify the user private-key signature on the first access request, ensuring the authenticity and integrity of the request. Once both verifications pass, the first access request sent by the first user equipment is allowed to access the shared automobile.
When the shared automobile gateway allows the first user equipment to access the shared automobile, the method specifically comprises the following steps:
the first access request also comprises a first request; whether the request permission in the first request matches the permission requirement in the first capability token is verified; if the request permission matches the permission requirement, a first control command is generated according to the request permission of the first request, the first control command is used for controlling equipment in the shared automobile, and first information corresponding to the first control command is fed back to the first user equipment; and if the request permission does not match the permission requirement, second information is fed back to the first user equipment.
In embodiment 1, an example is given by taking the request permission of the first request as an actual application scene, specifically:
User A generates a first access request, signs it with user A's private key, and sends it to shared automobile B to request that the door be opened.
The gateway of shared automobile B receives the request. It first verifies the server private-key signature on the first capability token to confirm the token's authenticity, then uses user A's public key from the first capability token to verify user A's signature on the access request message, ensuring the integrity and authenticity of the message, and finally judges whether the permission requirement specified in the first capability token matches the door-opening operation (request permission) in the access request.
After the verification passes, the gateway generates a control command for opening the door and sends it to the vehicle door. The gateway may also cache the first capability token (e.g., store a hash value of the token), so that accesses during a subsequent period need not repeat the verification of the first capability token. The ECU that controls the vehicle door receives and executes the command and sends feedback to the gateway. The gateway processes the feedback and forwards it to user A's device.
In this embodiment, the first capability token is generated after the first user equipment verifies the received second capability token sent by the server, and specifically includes:
the first user equipment sends a first authorization request carrying a first user private-key signature to the server, so that the server verifies that signature using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and, when the decision result is authorization, feeds back a second capability token to the first user equipment, wherein the second capability token is a capability token signed with the server private key and containing the first user public key.
And the first user equipment verifies the server private-key signature on the second capability token according to the pre-stored second server public key, and generates the first capability token after the verification passes.
In this embodiment, making an authorization decision on the verified authorization request according to the pre-stored user attribute information and the access control policy specifically includes:
the server acquires the user attributes corresponding to the user name in the first authorization request, wherein the user attributes comprise a user permission identity and an order state; the first authorization request includes: user name, permission requirement, and shared automobile name.
And judging whether the order state is paid, and if so, acquiring the permission requirement in the first authorization request and judging whether the permission requirement exceeds the permission limit of the user permission identity.
And if not, generating a second capability token, wherein the second capability token comprises a user name, a permission requirement, the first user public key, a shared automobile name and a second capability token number.
In an embodiment, a user applies for a shared car authorization using a first user device.
User A uses user A's mobile phone to generate a first authorization request, signs it with user A's private key, and sends it to the cloud server of the shared automobile, applying for authorization to use the body equipment, engine and other equipment of shared automobile B for normal driving.
The cloud server verifies the signature on the first authorization request using user A's public key, and after the verification passes makes a decision according to the user attributes and the access control policy (for example, the attributes of user A are {identity: ordinary user, order state: paid}, and the access control policy is {identity greater than or equal to ordinary user and order state paid: control rights over the designated vehicle's body equipment and engine equipment may be granted} and {identity greater than or equal to administrator user: control rights over privacy-sensitive equipment of the designated vehicle, such as the vehicle event data recorder, may be granted}). If the user attributes match the requested permission, the cloud's decision result is to allow.
After the decision passes, the cloud generates a capability token, numbers it, and sends it to user A. User A verifies the server private-key signature on the token using the cloud server's public key and stores the token locally after the verification passes. Later, when user A wants to apply for privacy-sensitive equipment such as the vehicle data recorder, a new authorization request needs to be sent.
The cloud makes a decision on the request. If the access control policy is not matched, the decision result is rejection, and failure information is sent to user A.
In this embodiment, the access method further includes:
and receiving a second capability token revocation command which is sent by the server and signed by the private key of the server.
And verifying the server private-key signature on the second capability token revocation command according to the pre-stored first server public key, and if the signature passes the verification, recording the second capability token number in the second capability token revocation command into a token revocation list.
And feeding back third information to the first user equipment when detecting that the second capability token number of the first capability token in the first access request is in the token revocation list.
In this embodiment, the cloud server revoking the capability token numbered 001 is taken as an example.
The cloud server generates a capability token revocation message, signs it with the server private key, and sends it to the gateway of shared automobile B in order to revoke user A's capability token numbered 001.
The gateway of shared automobile B receives the message and verifies the signature using the cloud server's public key.
After the verification passes, the information of the token to be revoked is written into the gateway's local capability token revocation list. Later, user A again sends an access request to open the door. The gateway obtains the token number from the request and queries the revocation list. Number 001 is in the revocation list, so the gateway refuses access and sends feedback information to user A.
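The gateway-side checks walked through in Example 1 (server signature on the token, user signature on the request, permission match, and the server-signed revocation list), as an added Go example that is not code from the patent. Ed25519, the JSON token encoding, the `revoke:` message format and all names and sample values are assumptions of this example; the description does not fix a signature algorithm or wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Capability carries the token fields listed in the description.
type Capability struct {
	User, Car, Number string   // user name, shared car name, token number
	Rights            []string // permission requirement granted by the server
	UserKey           []byte   // first user public key
}

// SignedToken is the encoded capability plus the server's signature over it.
type SignedToken struct{ Body, Sig []byte }

// AccessRequest is the token, the requested action and the user's signature.
type AccessRequest struct {
	Token  SignedToken
	Action string
	Sig    []byte
}

// Issue is the server side: sign a capability that embeds the user's public key.
func Issue(serverPriv ed25519.PrivateKey, c Capability) SignedToken {
	body, _ := json.Marshal(c) // cannot fail for this struct
	return SignedToken{Body: body, Sig: ed25519.Sign(serverPriv, body)}
}

// signedPart binds the action to the exact token it is sent with (assumed layout).
func signedPart(t SignedToken, action string) []byte {
	return append(append([]byte{}, t.Body...), "|"+action...)
}

// NewRequest is the user-device side: sign token body and action with the user key.
func NewRequest(userPriv ed25519.PrivateKey, t SignedToken, action string) AccessRequest {
	return AccessRequest{Token: t, Action: action, Sig: ed25519.Sign(userPriv, signedPart(t, action))}
}

// Gateway stores only the server public key and a local token revocation list.
type Gateway struct {
	ServerKey ed25519.PublicKey
	Revoked   map[string]bool
}

// Revoke records a token number only if the command carries the server's signature.
func (g *Gateway) Revoke(number string, sig []byte) bool {
	if !ed25519.Verify(g.ServerKey, []byte("revoke:"+number), sig) {
		return false
	}
	g.Revoked[number] = true
	return true
}

// Check makes the gateway's decision without contacting the server.
func (g *Gateway) Check(r AccessRequest) string {
	if !ed25519.Verify(g.ServerKey, r.Token.Body, r.Token.Sig) {
		return "deny: bad token signature"
	}
	var c Capability
	if json.Unmarshal(r.Token.Body, &c) != nil || len(c.UserKey) != ed25519.PublicKeySize {
		return "deny: malformed token"
	}
	if g.Revoked[c.Number] {
		return "deny: token revoked"
	}
	if !ed25519.Verify(c.UserKey, signedPart(r.Token, r.Action), r.Sig) {
		return "deny: bad request signature"
	}
	for _, right := range c.Rights {
		if right == r.Action {
			return "allow"
		}
	}
	return "deny: action not granted"
}

// Demo replays the door-opening and revocation walk-through with constructed values.
func Demo() []string {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the token does not name
	gw := &Gateway{ServerKey: serverPub, Revoked: map[string]bool{}}
	tok := Issue(serverPriv, Capability{User: "A", Rights: []string{"open_door", "start_engine"},
		UserKey: userPub, Car: "car-B", Number: "001"})
	out := []string{
		gw.Check(NewRequest(userPriv, tok, "open_door")),     // token and request both verify
		gw.Check(NewRequest(userPriv, tok, "read_recorder")), // not among the granted rights
		gw.Check(NewRequest(otherPriv, tok, "open_door")),    // request not signed by the key in the token
		fmt.Sprint(gw.Revoke("001", ed25519.Sign(userPriv, []byte("revoke:001")))), // not server-signed
	}
	gw.Revoke("001", ed25519.Sign(serverPriv, []byte("revoke:001")))
	return append(out, gw.Check(NewRequest(userPriv, tok, "open_door")))
}

func main() { fmt.Println(Demo()) }
```

The gateway never looks up user attributes or policy: everything it needs is in the server-signed token, which is what lets the decision run with no network.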
Example 2:
the invention also discloses a shared automobile access method based on the capability, which is applied to user equipment for accessing the shared automobile and comprises the following steps:
sending a first access request to a shared automobile gateway; the first access request comprises a first capability token, the first capability token comprises a server private-key signature and a first user public key, the first capability token is generated after the first user equipment verifies a received second capability token sent by the server, the second capability token is generated after the server signs, with the server private key, a capability token containing the first user public key, and the first access request is a request signed with the first user private key.
Enabling the gateway to verify the first capability token according to a pre-stored first server public key, and if the first capability token passes the verification, to acquire the first user public key in the first capability token and use it to verify the first user private-key signature on the first access request; and if that signature verifies against the acquired first user public key, allowing the first user equipment to access the shared automobile.
Embodiment 2 applies to the same shared automobile access scenario as embodiment 1; the difference is that embodiment 1 is described with the gateway of the shared automobile as the executing entity, whereas embodiment 2 is described with the user equipment as the executing entity. Embodiment 2 therefore has the same technical features as embodiment 1, and content already covered in embodiment 1 is not repeated.
In this embodiment, the generation of the first capability token after the first user equipment verifies the received second capability token sent by the server specifically includes:
The first user equipment sends a first authorization request containing a first user private-key signature to the server, so that the server verifies that signature using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and, when the decision result is to authorize, feeds back a second capability token to the first user equipment; the second capability token is a capability token that is signed with the server private key and contains the first user public key.
The first user equipment verifies the server private-key signature of the second capability token using the pre-stored server public key, and generates the first capability token after verification passes.
In this embodiment, the authorization decision made on the verified authorization request according to the pre-stored user attribute information and the access control policy is specifically as follows.
The server obtains the user attributes corresponding to the user name in the first authorization request; the user attributes comprise a user authority identity and an order state. The first authorization request includes a user name, an authority requirement, and a shared automobile name.
The server judges whether the order state is paid; if so, it obtains the authority requirement in the first authorization request and judges whether the authority requirement exceeds the authority limit of the user authority identity.
If the authority requirement does not exceed that limit, the server generates a second capability token comprising the user name, the authority requirement, the first user public key, the shared automobile name, and a second capability token number.
In this embodiment, allowing the first user equipment to access the shared automobile specifically includes:
The first access request further comprises a first request. Whether the request authority in the first request matches the authority requirement in the first capability token is verified. If the request authority matches the authority requirement, a first control command is generated according to the request authority of the first request, the first control command being used to control equipment in the shared automobile, and first information corresponding to the first control command is fed back to the first user equipment. If the request authority does not match the authority requirement, second information is fed back to the first user equipment.
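The gateway-side checks described above (server-signed token, proof of possession of the user key, authority match, server-signed revocation) can be sketched as follows; this is an added example, not code from the patent. Ed25519, the JSON encoding, and every name and value (`Token`, `Gateway`, `car-B`, `open_door`) are assumptions, since the patent names no algorithm or wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Token carries the fields this section lists for the capability token.
type Token struct {
	Number, User, Car, Permission string
	UserPub                       ed25519.PublicKey
}

// Signed is a JSON body plus a signature over exactly those bytes.
type Signed struct{ Body, Sig []byte }

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v) // cannot fail for the plain types used here
	return Signed{body, ed25519.Sign(priv, body)}
}

// Gateway holds the pre-stored server public key and its local revocation list.
type Gateway struct {
	ServerPub ed25519.PublicKey
	Revoked   map[string]bool
}

// Revoke records a token number only when the command is server-signed.
func (g *Gateway) Revoke(cmd Signed) (ok bool) {
	var number string
	if ok = ed25519.Verify(g.ServerPub, cmd.Body, cmd.Sig) && json.Unmarshal(cmd.Body, &number) == nil; ok {
		g.Revoked[number] = true
	}
	return ok
}

// Access decides locally, without contacting the cloud server.
func (g *Gateway) Access(tok, req Signed) string {
	t, action := Token{}, ""
	switch { // cases are evaluated top to bottom; the first failed check wins
	case !ed25519.Verify(g.ServerPub, tok.Body, tok.Sig):
		return "deny: token signature"
	case json.Unmarshal(tok.Body, &t) != nil || len(t.UserPub) != ed25519.PublicKeySize:
		return "deny: malformed token"
	case g.Revoked[t.Number]:
		return "deny: revoked"
	case !ed25519.Verify(t.UserPub, req.Body, req.Sig): // proof of possession
		return "deny: request signature"
	case json.Unmarshal(req.Body, &action) != nil || action != t.Permission:
		return "deny: permission mismatch"
	}
	return "allow: " + action
}

// demo runs a constructed scenario: user A, shared automobile B, token 001.
func demo() []string {
	serverPub, serverPriv, _ := ed25519.GenerateKey(nil)
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil) // a key the token does not name
	gw := &Gateway{serverPub, map[string]bool{}}
	tok := sign(serverPriv, Token{"001", "user-A", "car-B", "open_door", userPub})
	out := []string{
		gw.Access(tok, sign(userPriv, "open_door")),    // holder, within the grant
		gw.Access(tok, sign(userPriv, "start_engine")), // outside the grant
		gw.Access(tok, sign(otherPriv, "open_door")),   // token without its key
	}
	gw.Revoke(sign(otherPriv, "001")) // not server-signed, so ignored
	out = append(out, gw.Access(tok, sign(userPriv, "open_door")))
	gw.Revoke(sign(serverPriv, "001")) // genuine revocation of token 001
	return append(out, gw.Access(tok, sign(userPriv, "open_door")))
}

func main() { fmt.Println(demo()) }
```

This section does not describe request freshness, so the sketch accepts a repeated signed request; a deployment would bind a nonce or timestamp into the signed request body.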
Example 3:
A capability-based shared automobile access device is applied to a gateway in the process of user equipment accessing a shared automobile. The access device comprises a first receiving module 101 and a first judging module 102.
The first receiving module 101 is configured to receive a first access request sent by a first user equipment, wherein the first access request comprises a first capability token; the first capability token comprises a server private-key signature and a first user public key; the first capability token is generated after the first user equipment verifies a received second capability token sent by the server; the second capability token is generated after the server uses the server private key to sign a capability token containing the first user public key; and the first access request is a request signed with the first user private key.
The first judging module 102 is configured to verify the first capability token using a pre-stored first server public key and, if the first capability token passes verification, to obtain the first user public key from the first capability token and use it to verify the first user private-key signature on the first access request; if the obtained first user public key matches the first user private-key signature on the first access request, the first user equipment is allowed to access the shared automobile.
Embodiment 3 is written on the basis of Embodiment 1 and is applied to the same application scenario to solve the same technical problem. The access device in Embodiment 3 therefore has the same technical features as Embodiment 1, and the repeated technical features are not described in detail.
To sum up, compared with the prior art, the capability-based shared automobile access method and device provided by the embodiments of the invention have the following beneficial effects. With the capability-based access control method, when a user accesses an authorized shared automobile, the access request is verified directly between the user and the shared automobile gateway without going through the cloud, so the user can still access the shared automobile normally even when there is no network or the cloud server is unavailable, which safeguards the user experience. Because access does not go through the cloud, communication time is saved and response speed is greatly improved. In addition, because the user public key is written directly into the capability token, the shared automobile gateway performs fewer user digital certificate verifications when verifying the first access request, which saves time.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and substitutions without departing from the technical principle of the present invention, and these modifications and substitutions should also be regarded as falling within the protection scope of the present invention.

Claims (8)

1. A capability-based shared automobile access method, characterized by comprising the following steps:
receiving a first access request sent by first user equipment; wherein the first access request comprises a first capability token, and the first capability token comprises a server private-key signature and a first user public key; wherein the first capability token is generated after the first user equipment verifies a received second capability token sent by the server; the first user equipment sends a first authorization request containing a first user private-key signature to the server, so that the server verifies the first user private-key signature of the first authorization request using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and feeds back the second capability token to the first user equipment when the decision result is to authorize; the second capability token is a capability token that comprises the first user public key and is signed with the server private key; the first user equipment verifies the server private-key signature of the second capability token using a pre-stored second server public key, and generates the first capability token after verification passes;
the second capability token is generated after the server uses the server private key to sign the capability token containing the first user public key, and the first access request is a request signed with the first user private key;
verifying the first capability token using a pre-stored first server public key, and if the first capability token passes verification, obtaining the first user public key from the first capability token and using it to verify the first user private-key signature on the first access request; and if the obtained first user public key matches the first user private-key signature on the first access request, allowing the first user equipment to access the shared automobile.
2. The capability-based shared automobile access method according to claim 1, wherein the authorization decision on the verified authorization request according to the pre-stored user attribute information and the access control policy is specifically:
the server obtains the user attributes corresponding to the user name in the first authorization request, wherein the user attributes comprise a user authority identity and an order state; the first authorization request includes: a user name, an authority requirement and a shared automobile name;
judging whether the order state is paid, and if so, obtaining the authority requirement in the first authorization request and judging whether the authority requirement exceeds the authority limit of the user authority identity;
and if not, generating a second capability token, wherein the second capability token comprises the user name, the authority requirement, the first user public key, the shared automobile name and a second capability token number.
3. The method of claim 2, wherein the method further comprises:
receiving a second capability token revocation command that is sent by the server and signed with the server private key;
verifying the server private-key signature of the second capability token revocation command using the pre-stored first server public key, and, if verification passes, recording the second capability token number in the second capability token revocation command in a token revocation list;
and feeding back third information to the first user equipment upon detecting that the second capability token number of the first capability token in the first access request is in the token revocation list.
4. The method according to claim 1, wherein allowing the first user equipment to access the shared automobile specifically comprises:
the first access request further comprises a first request; verifying whether the request authority in the first request matches the authority requirement in the first capability token; if the request authority matches the authority requirement, generating a first control command according to the request authority of the first request, the first control command being used to control equipment in the shared automobile, and feeding back first information corresponding to the first control command to the first user equipment; and if the request authority does not match the authority requirement, feeding back second information to the first user equipment.
5. A capability-based shared automobile access method, characterized by comprising the following steps:
sending a first access request to a shared automobile gateway; wherein the first access request comprises a first capability token, and the first capability token comprises a server private-key signature and a first user public key; wherein the first capability token is generated by a first user equipment after verifying a received second capability token sent by the server; the first user equipment sends a first authorization request containing a first user private-key signature to the server, so that the server verifies the first user private-key signature of the first authorization request using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and feeds back the second capability token to the first user equipment when the decision result is to authorize; the second capability token is a capability token that comprises the first user public key and is signed with the server private key; the first user equipment verifies the server private-key signature of the second capability token using a pre-stored second server public key, and generates the first capability token after verification passes;
the second capability token is generated after the server uses the server private key to sign the capability token containing the first user public key, and the first access request is a request signed with the first user private key;
causing the gateway to verify the first capability token using a pre-stored first server public key, and if the first capability token passes verification, to obtain the first user public key from the first capability token and use it to verify the first user private-key signature on the first access request; and if the obtained first user public key matches the first user private-key signature on the first access request, allowing the first user equipment to access the shared automobile.
6. The capability-based shared automobile access method according to claim 5, wherein the authorization decision on the verified authorization request according to the pre-stored user attribute information and the access control policy is specifically:
the server obtains the user attributes corresponding to the user name in the first authorization request, wherein the user attributes comprise a user authority identity and an order state; the first authorization request includes: a user name, an authority requirement and a shared automobile name;
judging whether the order state is paid, and if so, obtaining the authority requirement in the first authorization request and judging whether the authority requirement exceeds the authority limit of the user authority identity;
and if not, generating a second capability token, wherein the second capability token comprises the user name, the authority requirement, the first user public key, the shared automobile name and a second capability token number.
7. The method according to claim 5, wherein allowing the first user equipment to access the shared automobile specifically comprises:
the first access request further comprises a first request; verifying whether the request authority in the first request matches the authority requirement in the first capability token; if the request authority matches the authority requirement, generating a first control command according to the request authority of the first request, the first control command being used to control equipment in the shared automobile, and feeding back first information corresponding to the first control command to the first user equipment; and if the request authority does not match the authority requirement, feeding back second information to the first user equipment.
8. A capability-based shared automobile access device, the access device comprising a first receiving module and a first judging module;
the first receiving module is used for receiving a first access request sent by first user equipment; wherein the first access request comprises a first capability token, and the first capability token comprises a server private-key signature and a first user public key; wherein the first capability token is generated after the first user equipment verifies a received second capability token sent by the server; the first user equipment sends a first authorization request containing a first user private-key signature to the server, so that the server verifies the first user private-key signature of the first authorization request using a pre-stored first user public key, makes an authorization decision on the verified authorization request according to pre-stored user attribute information and an access control policy, and feeds back the second capability token to the first user equipment when the decision result is to authorize; the second capability token is a capability token that comprises the first user public key and is signed with the server private key; the first user equipment verifies the server private-key signature of the second capability token using a pre-stored second server public key, and generates the first capability token after verification passes;
the second capability token is generated after the server uses the server private key to sign the capability token containing the first user public key, and the first access request is a request signed with the first user private key;
the first judging module is used for verifying the first capability token using a pre-stored first server public key, and if the first capability token passes verification, obtaining the first user public key from the first capability token and using it to verify the first user private-key signature on the first access request; and if the obtained first user public key matches the first user private-key signature on the first access request, allowing the first user equipment to access the shared automobile.
CN202110623178.1A 2021-06-03 2021-06-03 Capacity-based shared automobile access method and device Active CN113269931B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110623178.1A CN113269931B (en) 2021-06-03 2021-06-03 Capacity-based shared automobile access method and device

Publications (2)

Publication Number Publication Date
CN113269931A CN113269931A (en) 2021-08-17
CN113269931B true CN113269931B (en) 2022-01-14

Family

ID=77234251

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110623178.1A Active CN113269931B (en) 2021-06-03 2021-06-03 Capacity-based shared automobile access method and device

Country Status (1)

Country Link
CN (1) CN113269931B (en)

Also Published As

Publication number Publication date
CN113269931A (en) 2021-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant