CN114095919A - Certificate authorization processing method based on Internet of vehicles and related equipment - Google Patents


Info

Publication number: CN114095919A
Application number: CN202010622188.9A
Authority: CN (China)
Prior art keywords: key, message, response message, network device, authorization
Legal status: Pending (Google's note: the legal status is an assumption and not a legal conclusion; no legal analysis has been performed)
Other languages: Chinese (zh)
Inventor: 田野
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute (Google's note: the listed assignees may be inaccurate)
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Priority date (Google's note: the priority date is an assumption and not a legal conclusion)
Filing date
Publication date
Events: application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute; priority to CN202010622188.9A; publication of CN114095919A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the invention discloses a certificate authorization processing method based on the Internet of vehicles, and related equipment. The method comprises the following steps: a first network device receives a first message from a V2X device, where the first message represents a service request related to an authorization certificate and comprises a temporary identifier; the first network device sends a second message to a second network device, where the second message comprises the temporary identifier and applies for audit authorization of the service request; and the first network device obtains a second response message sent by the second network device, where the second response message indicates whether the audit authorization succeeded.

Description

Certificate authorization processing method based on Internet of vehicles and related equipment
Technical Field
The invention relates to the technical field of Internet of vehicles, in particular to a certificate authorization processing method based on the Internet of vehicles and related equipment.
Background
At present, in the basic workflow of a Cellular Vehicle-to-Everything (C-V2X) Certificate Authority (CA) management system, a V2X device applies for an authorization certificate on the basis of the registration certificate it acquired at the initial stage. After the V2X device acquires the registration certificate, it may use that certificate to interact with an authorization certificate authority or with other third-party applications in order to obtain authorized digital certificates or launch various third-party applications. These interactions are not controlled by the legal department of the V2X device, and once a risk occurs, the applications cannot be controlled.
Disclosure of Invention
In order to solve the existing technical problem, the embodiment of the invention provides a certificate authorization processing method based on the internet of vehicles and related equipment.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a certificate authorization processing method based on an internet of vehicles, where the method includes:
the first network device receiving a first message from the V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier;
sending a second message to the second network device; the second message comprises the temporary identifier; the second message is used for applying for audit authorization of the service request;
and obtaining a second response message sent by the second network equipment, wherein the second response message is used for indicating whether the auditing authorization is successful or not.
In the above scheme, the first message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key.
In the above scheme, the first message is encrypted and/or integrity protected based on the first key and the second key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key and a second key;
correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the second key and the first key, and applies for an authorization certificate based on the first message passing integrity protection verification and/or decryption.
In the above scheme, the first message is encrypted and/or integrity protected based on a first key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key;
correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the first key, and applies for an authorization certificate based on the first message passing the integrity protection verification and/or decryption.
In the above scheme, when the second response message indicates that the authorization audit is successful, the second response message further includes a third key; the method further comprises the following steps:
and performing identity authentication between the first network device and the V2X device based on the third key.
In the above scheme, when the second response message indicates that the authorization audit is successful, the second response message further includes a fourth key; the method further comprises the following steps: and establishing a secure transmission channel between the first network device and the V2X device based on the fourth key.
In the above scheme, the method further comprises: the first network device sending a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
In the above solution, in a case that the first message is used to apply for an application certificate, the information related to the authorization certificate includes the application certificate, or the information related to the authorization certificate includes a download time of the application certificate;
in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
In the foregoing scheme, the sending of the first response message to the V2X device includes:
the first network device sending the first response message directly to the V2X device; or, alternatively,
the first network device sending the first response message to the V2X device via forwarding.
In the foregoing solution, the receiving, by the first network device, of the first message from the V2X device includes:
the first network device receiving the first message directly from the V2X device; or, alternatively,
the first network device receiving the first message from the V2X device via forwarding.
In a second aspect, an embodiment of the present invention further provides a certificate authorization processing method based on the internet of vehicles, where the method includes:
the second network device receives a second message sent by the first network device; the second message comprises a temporary identifier; the second message is used for applying for audit authorization of the service request; the service request is sent to the first network device by the V2X device;
performing an authorization check based on the temporary identifier;
and sending a second response message to the first network equipment, wherein the second response message is used for indicating whether the authorization audit is successful or not.
In the above scheme, the second message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key;
the performing authorization verification based on the temporary identifier includes:
and generating a fifth key based on the temporary identifier, decrypting the user identity information by using the fifth key, and performing authorization verification.
In the foregoing solution, the generating a fifth key based on the temporary identifier includes:
obtaining a shared symmetric key corresponding to the V2X device based on the temporary identification, and generating at least the fifth key based on the shared symmetric key.
In the above scheme, the method further comprises: generating at least a first key and a second key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and a second key.
In the above scheme, the method further comprises: generating at least a first key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key.
In the above scheme, the method further comprises: generating a third key based on the shared symmetric key, the third key being used for identity authentication between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
In the above scheme, the method further comprises: generating a fourth key based on the shared symmetric key, the fourth key being used to establish a secure transmission channel between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
In a third aspect, an embodiment of the present invention further provides a certificate authorization processing method based on the internet of vehicles, where the method includes:
the V2X device sending a first message to the first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
In the above scheme, the first message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key; the fifth key is generated based on a shared symmetric key.
In the foregoing solution, before the V2X device sends the first message to the first network device, the method further includes:
the V2X device generating at least a first key and a second key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
In the foregoing solution, before the V2X device sends the first message to the first network device, the method further includes:
the V2X device generating at least a first key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key.
In the above scheme, the method further comprises: the V2X device generates a third key based on the shared symmetric key, and based on the third key, the V2X device authenticates with the first network device.
In the above scheme, the method further comprises: the V2X device generates a fourth key based on the shared symmetric key, based on which a secure transmission channel is established between the V2X device and the first network device.
In the above scheme, the method further comprises: the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on the first key and the second key; the first response message comprises the related information of the authorization certificate;
and performing integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
In the above scheme, the method further comprises: the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
and performing integrity protection verification and/or decryption on the first response message based on the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
In the above solution, in a case that the first message is used to apply for an application certificate, the information related to the authorization certificate includes the application certificate; or, the authorization certificate related information includes a download time of the application certificate; the method further comprises the following steps: the V2X device downloads the application certificate according to the download time;
in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the method further comprises the following steps: the V2X device downloads the pseudonymous certificate according to the download time.
In the foregoing solution, the receiving, by the V2X device, of the first response message sent by the first network device includes:
the V2X device receiving the first response message directly from the first network device; or, alternatively,
the V2X device receiving the first response message from the first network device via forwarding.
In the foregoing solution, the sending, by the V2X device, of the first message to the first network device includes:
the V2X device sending the first message directly to the first network device; or, alternatively,
the V2X device sending the first message to the first network device via forwarding.
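The first, second and third aspects above together describe one exchange: the V2X device derives its keys from a shared symmetric key and protects the request and its user identity; the first network device cannot read the request itself and forwards the temporary identifier (with the encrypted identity) to the second network device for audit; only a successful audit returns the keys that let the first network device verify, decrypt and answer the request. The following Python model of that exchange is an added example written for this page, not code from the patent or from China Mobile. It assumes HMAC-SHA256 as the key derivation function, an HMAC counter-mode keystream as a stand-in for a real cipher such as AES, and constructed sample values (user identity, certificate placeholder, download time); the patent specifies none of these. The message field names, the class names and the `run_flow` driver are likewise assumptions.

```python
import hashlib, hmac, json, os

# Constructed sample values; a real deployment provisions these out of band.
SAMPLE_IDENTITY = b"user-0001"
KEY_LABELS = {"k1": b"enc", "k2": b"mac", "k3": b"auth", "k4": b"channel", "k5": b"identity"}

def derive_keys(shared_key, temp_id):
    # First..fifth keys from the shared symmetric key and the temporary identifier
    # (HMAC-SHA256 is an assumed KDF; the patent does not name one).
    return {n: hmac.new(shared_key, lbl + b"|" + temp_id, hashlib.sha256).digest()
            for n, lbl in KEY_LABELS.items()}

def keystream_xor(key, nonce, data):
    # HMAC counter-mode keystream standing in for AES-CTR (stdlib only);
    # encryption and decryption are the same operation.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def protect(enc_key, mac_key, plaintext):
    # Encrypt under the first key, then integrity-protect under the second key.
    nonce = os.urandom(12)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def integrity_ok(mac_key, box):
    msg = bytes.fromhex(box["nonce"]) + bytes.fromhex(box["ct"])
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(box["tag"]))

def unprotect(enc_key, mac_key, box):
    # Verify first; only a message that passes verification is decrypted.
    if not integrity_ok(mac_key, box):
        raise ValueError("integrity protection verification failed")
    return keystream_xor(enc_key, bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"]))

class V2XDevice:
    def __init__(self, temp_id, shared_key, identity):
        self.temp_id, self.identity = temp_id, identity
        self.keys = derive_keys(shared_key, temp_id)

    def first_message(self, service_request):
        # Identity travels under the fifth key; the request under the first and second.
        nonce = os.urandom(12)
        enc_id = {"nonce": nonce.hex(), "ct": keystream_xor(self.keys["k5"], nonce, self.identity).hex()}
        body = json.dumps(service_request).encode()
        return {"temp_id": self.temp_id.hex(), "identity": enc_id,
                "request": protect(self.keys["k1"], self.keys["k2"], body)}

    def read_first_response(self, response):
        return json.loads(unprotect(self.keys["k1"], self.keys["k2"], response))

class SecondNetworkDevice:
    # Holds shared symmetric keys by temporary identifier plus the operator's
    # authorized identities, and performs the audit.
    def __init__(self, registry, authorized):
        self.registry, self.authorized = registry, authorized

    def audit(self, second_message):
        temp_id = bytes.fromhex(second_message["temp_id"])
        shared_key = self.registry.get(temp_id)
        if shared_key is None:                      # unknown device: audit fails
            return {"success": False}
        keys = derive_keys(shared_key, temp_id)
        ident = second_message["identity"]
        identity = keystream_xor(keys["k5"], bytes.fromhex(ident["nonce"]), bytes.fromhex(ident["ct"]))
        if identity not in self.authorized:         # known device, not authorized
            return {"success": False}
        # Only a successful audit releases the first..fourth keys to the first network device.
        return {"success": True, **{k: keys[k] for k in ("k1", "k2", "k3", "k4")}}

class FirstNetworkDevice:
    # Cannot read the request until the second network device releases the keys.
    def __init__(self, auditor):
        self.auditor = auditor

    def handle(self, first_message):
        second_message = {"temp_id": first_message["temp_id"], "identity": first_message["identity"]}
        response = self.auditor.audit(second_message)
        if not response["success"]:
            return None                             # no keys, so no certificate processing
        request = json.loads(unprotect(response["k1"], response["k2"], first_message["request"]))
        if request["type"] == "application_certificate":
            info = {"application_certificate": "CERT-PLACEHOLDER-" + first_message["temp_id"]}
        else:  # pseudonymous certificate: only a download time is returned (constructed value)
            info = {"download_time": "2020-07-01T00:00:00Z"}
        return protect(response["k1"], response["k2"], json.dumps(info).encode())

def run_flow(request_type, known=True, authorized=True):
    # One full exchange; returns the decrypted first response, or None if the audit failed.
    temp_id, shared_key = os.urandom(8), os.urandom(32)
    auditor = SecondNetworkDevice({temp_id: shared_key} if known else {},
                                  {SAMPLE_IDENTITY} if authorized else set())
    device = V2XDevice(temp_id, shared_key, SAMPLE_IDENTITY)
    response = FirstNetworkDevice(auditor).handle(device.first_message({"type": request_type}))
    return None if response is None else device.read_first_response(response)
```

Calling `run_flow("application_certificate")` returns the decrypted first response; `run_flow(..., known=False)` and `run_flow(..., authorized=False)` return `None` because the second response message reports a failed audit and releases no keys, so the first network device never reaches the decryption step. The third and fourth keys are derived and released by the audit but not exercised here (identity authentication and the secure channel are separate steps in the patent). The example uses the two-key variant the patent claims (first key for encryption, second key for integrity); the first-key-only variant would pass one key for both purposes, and keeping them separate as here is the more conservative choice.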
In a fourth aspect, an embodiment of the present invention further provides a network device, where the network device is a first network device, and the network device includes: a first communication unit and a second communication unit; wherein:
the first communication unit is configured to receive a first message from the V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier;
the second communication unit is configured to send a second message to a second network device; the second message comprises the temporary identifier; the second message is used for applying for audit authorization of the service request; and the second communication unit is further configured to obtain a second response message sent by the second network device, where the second response message indicates whether the audit authorization succeeded.
In the above scheme, the first message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key.
In the above scheme, the first message is encrypted and/or integrity protected based on the first key and the second key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key and a second key;
the network device further includes a first processing unit, configured to perform integrity protection verification and/or decryption on the first message based on the second key and the first key, and apply for an authorization certificate based on the first message that passes integrity protection verification and/or decryption.
In the above scheme, the first message is encrypted and/or integrity protected based on a first key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key;
the network device further includes a first processing unit, configured to perform integrity protection verification and/or decryption on the first message based on the first key, and apply for an authorization certificate based on the first message that passes the integrity protection verification and/or decryption.
In the above scheme, when the second response message indicates that the authorization audit is successful, the second response message further includes a third key;
the network device further comprises a first processing unit, configured to perform identity authentication with the V2X device based on the third key.
In the above scheme, when the second response message indicates that the authorization audit is successful, the second response message further includes a fourth key;
the network device further comprises a first processing unit, configured to establish a secure transmission channel with the V2X device based on the fourth key.
In the above scheme, the first communication unit is further configured to send a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
In the above solution, in a case that the first message is used to apply for an application certificate, the information related to the authorization certificate includes the application certificate, or the information related to the authorization certificate includes a download time of the application certificate;
in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
In the above scheme, the first communication unit is configured to directly send a first response message to the V2X device; alternatively, the first response message is sent to the V2X device via forwarding.
In the above scheme, the first communication unit is configured to receive a first message directly sent by the V2X device; alternatively, a forwarded first message is received from the V2X device.
In a fifth aspect, an embodiment of the present invention further provides a network device, where the network device is a second network device, and the network device includes: a fourth communication unit and a second processing unit; wherein:
the fourth communication unit is configured to receive a second message sent by the first network device; the second message comprises a temporary identifier; the second message is used for applying for audit authorization of the service request; the service request is sent to the first network device by the V2X device;
the second processing unit is used for performing authorization verification based on the temporary identifier;
the fourth communication unit is further configured to send a second response message to the first network device, where the second response message is used to indicate whether the authorization audit is successful.
In the above scheme, the second message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key;
and the second processing unit is used for generating a fifth key based on the temporary identifier, decrypting the user identity information by using the fifth key and performing authorization verification.
In the foregoing solution, the second processing unit is configured to obtain a shared symmetric key corresponding to the V2X device based on the temporary identifier, and generate at least the fifth key based on the shared symmetric key.
In the foregoing solution, the second processing unit is further configured to generate at least a first key and a second key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and a second key.
In the foregoing solution, the second processing unit is further configured to generate at least a first key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key.
In the foregoing solution, the second processing unit is further configured to generate a third key based on the shared symmetric key, where the third key is used for performing identity authentication between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
In the foregoing solution, the second processing unit is further configured to generate a fourth key based on the shared symmetric key, where the fourth key is used to establish a secure transmission channel between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
In a sixth aspect, an embodiment of the present invention further provides a V2X device, where the V2X device includes a fifth communication unit, configured to send a first message to a first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
In the above scheme, the first message further includes user identity information.
In the above scheme, the user identity information is encrypted based on a fifth key; the fifth key is generated based on a shared symmetric key.
In the foregoing solution, the V2X device further includes a third processing unit, configured to generate at least a first key and a second key based on the shared symmetric key before the fifth communication unit sends the first message to the first network device; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
In the foregoing solution, the V2X device further includes a third processing unit, configured to, before the fifth communication unit sends the first message to the first network device, generate at least a first key based on the shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key.
In the foregoing solution, the V2X device further includes a third processing unit, configured to generate a third key based on the shared symmetric key, and perform identity authentication with the first network device based on the third key.
In the foregoing solution, the V2X device further includes a third processing unit, configured to generate a fourth key based on the shared symmetric key, and establish a secure transmission channel with the first network device based on the fourth key.
In the above solution, the V2X apparatus further includes a third processing unit;
the fifth communication unit is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key and a second key; the first response message comprises the related information of the authorization certificate;
the third processing unit is configured to perform integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtain the information related to the authorization certificate based on the first response message that passes integrity protection verification and/or decryption.
In the above solution, the V2X apparatus further includes a third processing unit;
the fifth communication unit is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
the third processing unit is configured to perform integrity protection verification and/or decryption on the first response message based on the first key, and obtain the information related to the authorization certificate based on the first response message that passes the integrity protection verification and/or decryption.
In the above solution, in a case that the first message is used to apply for an application certificate, the information related to the authorization certificate includes the application certificate, or the information related to the authorization certificate includes a download time of the application certificate; the third processing unit is further configured to download the application certificate according to the download time;
in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the third processing unit is further configured to download the pseudonymous certificate according to the download time.
In the foregoing solution, the fifth communication unit is configured to receive a first response message directly sent by the first network device; alternatively, a forwarded first response message is received from the first network device.
In the foregoing solution, the fifth communication unit is configured to send the first message directly to the first network device; or, alternatively, to send the first message to the first network device via forwarding.
In a seventh aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method according to the foregoing first aspect, second aspect, or third aspect of the embodiment of the present invention.
In an eighth aspect, an embodiment of the present invention further provides a network device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the method according to the foregoing first aspect or second aspect of the embodiment of the present invention.
In a ninth aspect, an embodiment of the present invention further provides a V2X apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the method according to the foregoing third aspect of the embodiment of the present invention.
The embodiment of the invention provides a certificate authorization processing method based on Internet of vehicles and related equipment, wherein the method comprises the following steps: the first network device receiving a first message from the V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier; sending a second message to the second network device; the second message comprises the temporary identity; the second message is used for applying for auditing authorization aiming at the service request; and obtaining a second response message sent by the second network equipment, wherein the second response message is used for indicating whether the auditing authorization is successful or not. By adopting the technical scheme of the embodiment of the invention, the interface is added between the first network equipment and the second network equipment, and the authorization audit of the V2X equipment application for the service request is realized through the second network equipment, so that the management and control of the certificate authorization of the legal department of the V2X equipment are realized.
Drawings
Fig. 1 is a schematic diagram of the architecture of a vehicle networking certificate management system in a related technical solution;
Fig. 2 is a schematic diagram of a system architecture to which the certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention is applied;
Fig. 3 is a first schematic flowchart of a certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention;
Fig. 4 is a second schematic flowchart of a certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention;
Fig. 5 is a third schematic flowchart of a certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention;
Fig. 6 is an interaction flow diagram of a certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention;
Fig. 7 is a first schematic structural diagram of a network device according to an embodiment of the present invention;
Fig. 8 is a second schematic structural diagram of a network device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the V2X apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of the hardware component structure of a communication device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
To implement secure authentication and secure communication between V2X devices such as On Board Units (OBUs) and Road Side Units (RSUs), C-V2X systems have explicitly adopted a Public Key Infrastructure (PKI) mechanism based on public key certificates to secure Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I) and Vehicle-to-Pedestrian (V2P) direct communication between V2X devices. The PKI-based CA management system manages the various types of digital certificates used on V2X devices such as OBUs and RSUs (registration certificates, authorization certificates and so on), and performs the issuing, downloading, revocation and related operations on these certificates according to a defined flow. An example of a CA management system architecture that is currently widely recognized by the industry is shown in Fig. 1. The Authentication and Authorization Authority (AAA) system may have three different implementations, based on a Device Configuration Manager (DCM), on the Generic Bootstrapping Architecture (GBA), or on OAuth, depending on the specific technology used.
Referring to the system architecture shown in fig. 1, the basic workflow of the CA management system may include:
1. In the initial stage, V2X devices such as OBUs and RSUs, acting as certificate applicants, apply to the registration certificate authority (ECA) for a registration certificate through the AAA system. After the AAA successfully authenticates the V2X device, the ECA issues a registration certificate to the V2X device. The V2X device is then ready to apply to an authorization certificate authority for the authorization certificates needed to launch the various applications.
2. The V2X device uses the registration certificate to apply for authorization of the relevant application functions to an authorization certificate registration authority, including a Pseudonymous Certificate Registration Authority (PRA) and/or an Application Certificate Registration Authority (ARA).
3. The authorization certificate registration authority (PRA and/or ARA) checks the registration certificate of the V2X device to verify its identity, then, according to the authority range given in the registration certificate, applies for the relevant authorization certificate to an authorization certificate issuing authority, namely a Pseudonymous Certificate Authority (PCA) or an Application Certificate Authority (ACA), and issues it to the V2X device. The authorization certificate describes the applications the device may launch, the functions it may perform and the security operations it may carry out.
4. The V2X device uses the authorization certificate and the corresponding public/private key pair to sign and verify, or encrypt and decrypt, the messages it sends and receives, ensuring the transmission security of V2X messages.
It can be seen from the above process that the authorization certificate application is carried out independently between the V2X device and the authorization certificate authority: the legal management departments of the V2X device (such as vehicle manufacturers, transportation infrastructure management departments and industry regulators) have no visibility into the remote downloading, updating and data interaction of the V2X device, and no control over them. As a result, the V2X device cannot be tracked and managed after the application is deployed.
Based on this, the following examples of the present invention are proposed.
Fig. 2 is a schematic system architecture diagram of an application of the certificate authorization processing method based on the Internet of Vehicles according to an embodiment of the present invention. As shown in Fig. 2, in the embodiment of the present invention an interface is added between the AAA and the authorization certificate registration authority (such as the PRA/ARA). The interface is used to manage and control interactions such as requesting and updating the authorization certificate of the V2X device, so that unauthorized operations are prevented. At the same time, the interface is used to separate out the privacy information related to the user identity of the V2X device, so that the authorization certificate registration authority cannot obtain the real identity and the pseudonymous identity information of the V2X device at the same time; this removes the security risk of the user vehicle corresponding to the V2X device being illegally tracked by the authorization certificate registration authority, and protects user privacy.
The embodiment of the present invention provides a certificate authorization processing method based on the Internet of Vehicles, which is applied to a first network device. The first network device may be the authorization certificate registration authority shown in Fig. 2, for example a PRA and/or an ARA. Fig. 3 is a first flowchart illustrating a certificate authorization processing method based on the Internet of Vehicles according to an embodiment of the present invention; as shown in Fig. 3, the method includes:
step 101: the first network device receives a first message from the V2X device; the first message represents a service request related to an authorization certificate and comprises a temporary identifier;
step 102: the first network device sends a second message to the second network device; the second message comprises the temporary identifier and is used to apply for audit authorization of the service request;
step 103: the first network device obtains a second response message sent by the second network device, where the second response message indicates whether the audit authorization succeeded.
In this embodiment, based on the system architecture shown in Fig. 2, the first network device may be an authorization certificate registration authority, for example a PRA and/or an ARA. Accordingly, the second network device may be an Authentication and Authorization Authority (AAA). Depending on the application scenario, the AAA system may be implemented in several ways: based on a DCM service system, a GBA authentication and authorization system, or an OAuth authorization service system. In some examples, therefore, the second network device may be a DCM service system, a GBA authentication and authorization system or an OAuth authorization service system. In the following embodiments, the second network device is taken as a GBA authentication and authorization system by way of example.
In this embodiment, the first message may be an authorization certificate application request from the V2X device, or an authorization certificate update request. In some examples, the V2X device may issue an authorization certificate application request without having an authorization certificate of its own. In other examples, the V2X device may issue an authorization certificate update request if its own authorization certificate fails or expires.
In some optional embodiments, the first message includes a temporary identifier; the temporary identifier is an identifier corresponding to the V2X device, it being understood that the temporary identifier may be used to identify the V2X device.
In some optional embodiments, the first message further includes user identity information. In one example, the user identity information may be unencrypted user identity information; in another example, the user identity information is encrypted based on a fifth key. Wherein the fifth key used to encrypt the user identity information is generated by the V2X device.
In one example, the user identity information may also be referred to as user privacy information, or privacy information related to the user identity, or the like. Exemplary user identity information may include: information such as vehicle and/or device identification numbers associated with the identity of the user, a previously obtained registration certificate (e.g., the registration certificate obtained in step 1 above), etc. In another example, the user identity information may also include device descriptive information about the device and/or vehicle.
As can be seen from the basic workflow of the CA management system described above, the V2X device needs to send information related to the privacy of the user identity (such as the registration certificate) to the PRA and/or ARA for identity and authority verification, and this information includes the true identity information of the V2X device. In the case where the pseudonymous certificate is unencrypted, the PRA can learn both the user identity information and the pseudonymous certificate information of the V2X device, which allows the PRA to associate the true identity of the V2X device with its pseudonymous identity information and so track the V2X device.
In the embodiments of the present invention, the user identity information can be encrypted and protected with the fifth key, so that the first network device (such as the PRA) cannot obtain the decrypted user identity information; the user identity information can be obtained only at the second network device. The real identity and the pseudonymous identity of the user are thereby separated at the first network device (such as the PRA), user privacy is protected, and tracking is controlled.
In some optional embodiments of the invention, the first network device receiving the first message from the V2X device comprises: the first network device receives a first message directly sent by the V2X device; alternatively, the first network device receives a forwarded first message from the V2X device.
In this embodiment, referring to the example shown in Fig. 2 and taking the first network device as an authorization certificate registration authority and the second network device as an authentication and authorization authority, the first network device may obtain the first message directly from the V2X device acting as the certificate applicant (e.g., the OBU and/or the RSU), or it may obtain, through its interface with the second network device, the first message that the V2X device acting as the certificate applicant (e.g., the OBU and/or the RSU) sent and the second network device forwarded.
In this embodiment, the first network device sends a second message to the second network device, where the second message includes the temporary identifier, or the temporary identifier together with the user identity information. As stated above, the user identity information included in the second message may be unencrypted or may be encrypted based on the fifth key. It can be understood that the second message further includes the related information needed to apply for authorization audit of the service request, so that the second network device can perform the authorization audit on the content carried in the second message. The first network device then obtains a second response message from the second network device: when the authorization audit at the second network device succeeds, the second response message indicates that the authorization audit succeeded; when it does not, the second response message indicates that the authorization audit failed.
In some optional embodiments of the invention, the first message is encrypted and/or integrity protected based on a first key and a second key; when the second response message indicates that the authorization audit succeeded, the second response message at least comprises the first key and the second key; correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the second key and the first key, and applies for an authorization certificate based on the first message that passed integrity protection verification and/or decryption.
In one example of the present invention, the V2X device may encrypt and integrity-protect the first message with the first key and the second key, respectively, in generating the first message; in another example of the present invention, the V2X device may encrypt or integrity protect the first message using the first key and the second key in generating the first message.
In some optional embodiments of the invention, the first message is encrypted and/or integrity protected based on a first key; when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key; correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the first key, and applies for an authorization certificate based on the first message passing the integrity protection verification and/or decryption.
In one example of the present invention, the V2X device may encrypt and integrity protect the first message with the first key during generation of the first message; in another example of the present invention, the V2X device may employ the first key to encrypt or integrity protect the first message during generation of the first message.
In addition, in this embodiment, by performing encryption protection on the user identity information (specifically, encrypting the user identity information by using a fifth key), after the first network device obtains the first message, the first network device cannot decrypt the first message to obtain the user identity information carried in the first message, and the user identity information can be obtained only at the second network device, so that separation of the true identity and the pseudonym identity of the user is achieved at the first network device, protection of the user privacy is achieved, and authorization control is achieved.
In some optional embodiments of the present invention, when the second response message indicates that the authorization audit is successful, the second response message further includes a third key; the method further comprises the following steps: and performing identity authentication between the first network device and the V2X device based on the third key.
Illustratively, a message for authentication may be transmitted between the first network device and the V2X device, and the message is encrypted by the third key, so that the first network device and the V2X device can decrypt the message by the third key for authentication.
In some optional embodiments of the present invention, when the second response message indicates that the authorization audit is successful, the second response message further includes a fourth key; the method further comprises the following steps: and establishing a secure transmission channel between the first network device and the V2X device based on the fourth key.
Illustratively, a message for establishing the secure transmission channel may be transmitted between the first network device and the V2X device, and the message is encrypted by the fourth key, so that the first network device and the V2X device may decrypt the message by the fourth key, thereby establishing the secure transmission channel.
In some optional embodiments of the invention, the method further comprises: the first network device sending a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
In this embodiment, referring to the system architecture example shown in fig. 2, when the first network device is an authorization certificate registration authority, the first network device may apply for authorization of a related application function through an authorization certificate issuing authority (for example, PCA/ACA), obtain information related to an authorization certificate, and send the information related to the authorization certificate to the V2X device through a first response message.
In one example, the first response message may be encrypted and integrity protected based on the first key and the second key, respectively; in another example, the first response message may be encrypted or integrity protected based on the first key and the second key.
For example, in a case that the first message is used for applying for an application certificate, the information related to the authorization certificate includes the application certificate, or the information related to the authorization certificate includes a download time of the application certificate; in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
It is to be understood that, for an application certificate application, in one embodiment the first network device may obtain the issued application certificate from the authorization certificate issuing authority (specifically, the ACA) and send it to the V2X device through the first response message. In another embodiment, the first network device may inform the V2X device of the download time of the application certificate through the first response message; before that time, the first network device obtains and stores the issued application certificate from the authorization certificate issuing authority (specifically, the ACA), and when the V2X device determines that the download time has been reached, it sends an application certificate download request message to the first network device; the first network device returns an application certificate download response message to the V2X device, carrying the application certificate. In other words, the first network device may send the download time of the application certificate to the V2X device through the first response message after determining that the authorization audit of the second network device passed; the first network device then obtains the issued application certificate from the authorization certificate issuing authority (specifically, the ACA), and when the download time arrives, the V2X device initiates the download of the application certificate.
On the other hand, in the case of pseudonymous certificate application, similar to the second embodiment of the application certificate, the detailed description is omitted here.
In some optional embodiments of the invention, the sending the first response message to the V2X device comprises: the first network device sending a first response message directly to the V2X device; alternatively, the first network device sends a first response message to the V2X device via forwarding.
Based on the foregoing embodiment, an embodiment of the present invention further provides a certificate authorization processing method based on the internet of vehicles, which is applied to a second network device, where the second network device may be the foregoing authentication and authorization system in fig. 2, and for example, the second network device may be a GBA authentication and authorization system. Fig. 4 is a flowchart illustrating a certificate authority processing method based on the internet of vehicles according to an embodiment of the present invention; as shown in fig. 4, the method includes:
step 201: the second network device receives a second message sent by the first network device; the second message comprises a temporary identifier and is used to apply for audit authorization of the service request; the service request was sent to the first network device by the V2X device;
step 202: the second network device performs the authorization audit based on the temporary identifier;
step 203: the second network device sends a second response message to the first network device, where the second response message indicates whether the authorization audit succeeded.
In this embodiment, the second message includes a temporary identifier; the temporary identifier is an identifier corresponding to the V2X device, it being understood that the temporary identifier may be used to identify the V2X device.
In some optional embodiments of the invention, the second message further comprises user identity information. In one example, the user identity information may be unencrypted user identity information; in another example, the user identity information is encrypted based on a fifth key.
In some optional embodiments of the invention, the performing an authorization check based on the temporary identifier comprises: and generating a fifth key based on the temporary identifier, decrypting the user identity information by using the fifth key, and performing authorization verification.
In some optional embodiments of the invention, the generating a fifth key based on the temporary identifier comprises: obtaining a shared symmetric key corresponding to the V2X device based on the temporary identification, and generating at least the fifth key based on the shared symmetric key.
It is understood that the second network device obtains the shared symmetric key corresponding to the V2X device in advance before executing the method of the present embodiment. In some optional embodiments, when the AAA is implemented in a GBA manner, the AAA (i.e., the second network device) or the GBA authentication and authorization system may be connected to a Bootstrapping Service Function (BSF) or a Home Subscriber Server (HSS), and obtain or generate the shared symmetric key from the operator network.
In some examples, when the AAA is implemented with GBA, the temporary identifier may be the GBA Bootstrapping Transaction Identifier (B-TID). The second network device may obtain and store the mapping between the temporary identifier of the V2X device and the shared symmetric key after performing the GBA bootstrapping procedure; after the second message is obtained, this mapping is searched based on the temporary identifier carried in the second message to obtain the shared symmetric key corresponding to the temporary identifier of the V2X device. At least a fifth key is then generated based on the shared symmetric key; illustratively, at least the fifth key may be generated from the shared symmetric key with a Key Derivation Function (KDF).
Illustratively, the second network device stores in advance security context information corresponding to the temporary identifier of the V2X device, where the security context information may include information such as a shared symmetric key of the V2X device, a true identifier of the V2X device, and the like; it is understood that the above-mentioned security context information includes the mapping relationship between the temporary identification of the V2X device and the shared symmetric key.
It should be noted that the second network device may obtain the shared symmetric key and the temporary identifier during the initialization process; they may be obtained either online or offline (i.e., preconfigured).
In this embodiment, the second network device at least generates a fifth key based on the shared symmetric key, decrypts the user identity information using the fifth key, and audits the user's service operation request according to the decrypted user identity information to determine whether the V2X device may be issued the requested authorization certificate (a pseudonymous certificate and/or an application certificate). If the audit passes, the second network device sends the first network device a second response message indicating that the authorization audit succeeded; if the audit does not pass, the second network device sends the first network device a second response message indicating that the authorization audit failed.
In some optional embodiments of the invention, the method further comprises: generating at least a first key and a second key based on the shared symmetric key; when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and a second key.
In this embodiment, the second network device may generate the first key and the second key based on the shared symmetric key, in addition to the fifth key based on the shared symmetric key, and when the authorization is successfully checked, the first key and the second key are sent to the first network device through the second response message, so that the first network device may perform integrity protection verification and/or decryption on the first message based on the second key and the first key.
In some optional embodiments of the invention, the method further comprises: generating at least a first key based on the shared symmetric key; when the second response message indicates that the authorization audit succeeded, the second response message at least includes the first key.
In this embodiment, the second network device may generate the first key based on the shared symmetric key, in addition to the fifth key based on the shared symmetric key, and when the authorization is successfully checked, the first key may be sent to the first network device through the second response message, so that the first network device may perform integrity protection verification and/or decryption on the first message based on the first key.
In some optional embodiments of the invention, the method further comprises: generating a third key based on the shared symmetric key, the third key being used for identity authentication between the first network device and the V2X device; when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
In some optional embodiments of the invention, the method further comprises: generating a fourth key based on the shared symmetric key, the fourth key being used to establish a secure transmission channel between the first network device and the V2X device; when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
Based on the foregoing embodiment, the embodiment of the present invention further provides a certificate authorization processing method based on the internet of vehicles, which is applied to the V2X device, where the V2X device may be, for example, an OBU, an RSU, or other devices. Fig. 5 is a third schematic flowchart of a certificate authorization processing method based on the internet of vehicles according to the embodiment of the present invention; as shown in fig. 5, the method includes:
step 301: the V2X device sending a first message to the first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
In some optional embodiments, the first message includes a temporary identifier; the temporary identifier is an identifier corresponding to the V2X device, it being understood that the temporary identifier may be used to identify the V2X device.
In some optional embodiments, the first message further includes user identity information. In one example, the user identity information may be unencrypted user identity information; in another example, the user identity information is encrypted based on a fifth key. Wherein the fifth key used to encrypt the user identity information is generated by the V2X device based on the shared symmetric key.
In one example, the user identity information may also be referred to as user privacy information, or privacy information related to the user identity, or the like. Exemplary user identity information may include: information such as vehicle and/or device identification numbers associated with the identity of the user, a previously obtained registration certificate (e.g., the registration certificate obtained in step 1 above), etc. In another example, the user identity information may also include device descriptive information about the device and/or vehicle.
In some optional embodiments of the invention, before the V2X device sends the first message to the first network device, the method further comprises: the V2X device generating at least a first key and a second key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
In some optional embodiments of the invention, before the V2X device sends the first message to the first network device, the method further comprises: the V2X device generating at least a first key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key.
In the two embodiments, for a scenario where the first message only includes the temporary identifier, or the first message includes the temporary identifier and the user identity information (the user identity information is not encrypted), the first message may be encrypted and/or integrity protected based on the first key and the second key; or may be encrypted and/or integrity protected based on the first key only.
In some optional embodiments of the invention, before the V2X device sends the first message to the first network device, the method further comprises: the V2X device generating at least a first key, a second key, and a fifth key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key and the second key; the user identity information is encrypted based on the first key.
In some optional embodiments of the invention, before the V2X device sends the first message to the first network device, the method further comprises: the V2X device generating at least a first key and a fifth key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key; the user identity information is encrypted based on the first key.
In the two embodiments, for a scenario that the first message includes the temporary identifier and the user identity information is encrypted based on the fifth key, the first message may be encrypted and/or integrity protected based on the first key and the second key; or may be encrypted and/or integrity protected based on the first key only.
It will be appreciated that the V2X device may obtain the shared symmetric key and the temporary identifier before performing the method of this embodiment, i.e., during the initialization phase of the V2X device. In some optional examples, the V2X device may interact online with the second network device (e.g., the AAA or the GBA authentication and authorization system) to obtain the temporary identifier; alternatively, the V2X device may obtain the temporary identifier offline (e.g., preconfigured).
Further, based on the shared symmetric key the V2X device may generate a first key; or a first key and a second key; or a first key and a fifth key; or a first key, a second key and a fifth key. It may encrypt the user identity information based on the fifth key, and encrypt and/or integrity protect the first message based on the first key and the second key, or based on the first key alone. The encrypted user identity information is inside the first message while the temporary identifier is outside it, so that after the first message is sent to the first network device and the first network device passes it on to the second network device, the second network device can directly read the temporary identifier carried with the first message.
In some optional embodiments of the invention, the V2X device sending the first message to a first network device, comprising: the V2X device sending the first message directly to the first network device; alternatively, the V2X device sends the first message to the first network device via forwarding.
In this embodiment, referring to the example shown in fig. 2, and taking the first network device as an authorization certificate registration authority and the second network device as an authentication and authorization authority, the certificate applicant (e.g., an OBU and/or an RSU) serving as the V2X device may send the first message directly to the first network device; alternatively, it may send the first message to the second network device first, and the second network device then forwards the first message to the first network device through the interface between them.
In some optional embodiments of the invention, the method may further comprise:
step 302 a: the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key and a second key; the first response message comprises the related information of the authorization certificate;
step 303 a: and performing integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
Similar to the above steps, the method may further comprise:
step 302 b: the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
step 303 b: and performing integrity protection verification and/or decryption on the first response message based on the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
The difference between the two embodiments is that in the first, the first response message is encrypted and/or integrity protected based on the first key and the second key, so the V2X device performs integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtains the information related to the authorization certificate from the first response message once it has passed integrity protection verification and/or decryption. In the second, the first response message is encrypted and/or integrity protected based on the first key only, so the V2X device performs integrity protection verification and/or decryption on the first response message based on the first key, and obtains the information related to the authorization certificate from the first response message once it has passed integrity protection verification and/or decryption.
In some optional embodiments of the invention, in a case that the first message is for applying for an application certificate, the authorization certificate related information comprises the application certificate; or, the authorization certificate related information includes a download time of the application certificate; the method further comprises the following steps: the V2X device downloads the application certificate according to the download time; in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the method further comprises the following steps: the V2X device downloads the pseudonymous certificate according to the download time.
In this embodiment, in the scenario of applying for an application certificate, in one implementation the first network device may obtain the issued application certificate from the authorization certificate issuing authority (specifically, the ACA) and send it to the V2X device through the first response message. In another implementation the first network device may inform the V2X device of the download time of the application certificate through the first response message; before that time, the first network device obtains the issued application certificate from the authorization certificate issuing authority (specifically, the ACA) and stores it, and when the V2X device determines that the download time has been reached, it sends an application certificate download request message to the first network device; the first network device then sends an application certificate download response message to the V2X device, carrying the application certificate. It is understood that the first network device may send the download time of the application certificate to the V2X device through the first response message after determining that the authorization audit by the second network device has passed; after the first network device obtains the issued application certificate from the authorization certificate issuing authority (specifically, the ACA), the V2X device initiates the download of the application certificate when the download time arrives.
On the other hand, in the case of a pseudonymous certificate application, the handling is similar to the second implementation described for the application certificate, and the detailed description is omitted here.
In some optional embodiments of the present invention, the receiving, by the V2X device, the first response message sent by the first network device includes: the V2X device receives a first response message directly sent by the first network device; alternatively, the V2X device receives the forwarded first response message from the first network device.
In some optional embodiments of the invention, the method further comprises: the V2X device generates a third key based on the shared symmetric key, and based on the third key, the V2X device authenticates with the first network device.
For example, a message for identity authentication may be transmitted between the V2X device and the first network device, and the message is encrypted by the third key, so that the V2X device and the first network device can decrypt the message by the third key to perform identity authentication.
In some optional embodiments of the invention, the method further comprises: the V2X device generates a fourth key based on the shared symmetric key, based on which a secure transmission channel is established between the V2X device and the first network device.
Illustratively, a message for establishing the secure transmission channel may be transmitted between the V2X device and the first network device, and the message is encrypted by the fourth key, so that the V2X device and the first network device may decrypt the message by the fourth key to establish the secure transmission channel.
By adopting the technical solution of the embodiment of the invention, on the one hand, because the user identity information is encrypted, the first network device cannot obtain the decrypted user identity information, which can be obtained only at the second network device; the real identity and the pseudonymous identity of the user are therefore separated at the first network device, user privacy is protected and authorization control is achieved. On the other hand, by adding an interface between the first network device and the second network device, the second network device performs authorization and verification of the service request of the V2X device, so that the authority responsible for V2X devices controls certificate authorization.
The following describes a certificate authorization processing method based on the internet of vehicles in detail with reference to a specific example.
FIG. 6 is an interaction flow diagram of a certificate authorization processing method based on the Internet of vehicles according to an embodiment of the present invention; as shown in fig. 6, the method includes:
step 401: a key preparation process. When applying for the authorization certificate, the V2X device derives session keys from the shared symmetric key K, namely the first key K1, second key K2, third key K3, fourth key K4 and fifth key K5 of the foregoing embodiments. It will be appreciated that the five keys may also be referred to as the first session key K1, second session key K2, third session key K3, fourth session key K4 and fifth session key K5.
Step 402: and (4) preparing an authorized certificate application. The V2X device locally generates a cryptographic public-private key pair for the authorized certificate, composes the authorized certificate application request message, and signs the authorized certificate application request message using the private key of the obtained registration certificate.
Step 403: the authorization certificate applies for the security protection of the request message. The V2X device uses the first session key K1And a first session key K2And respectively encrypting and integrity protecting the request for applying the authorization certificate. The V2X device may use the fifth session key K5Carrying out encryption protection on user identity information; in one example, the user identity information may include at least one of: information such as vehicle and/or device identification numbers, registration certificates, etc. related to the identity of the user, the present example is applicable to the application of pseudonymous certificates; in another example, the user identity information may also include device description information related to the device and/or the vehicle; the present example is applicable to application of an application certificate.
Step 404: the V2X device sends an authorization certificate application request message (i.e. the first message in the foregoing embodiment) to the PRA/ARA, where the authorization certificate application request message may include the temporary identification T-ID and the user identity information; wherein, the user identity information can adopt a fifth secret key K5Encryption is performed. This message may be forwarded via the AAA to the PRA/ARA as shown in steps 404a and 404 b; in other embodiments, the authorization certificate application request message may not be forwarded by the AAA, but may be sent directly to the PRA/ARA by the V2X device.
It is understood that if applying for a pseudonymous certificate, the V2X device sends an authorization certificate application request message to the PRA; if an application certificate is applied, the V2X device sends an authorization certificate application request message to the ARA.
Step 405: the PRA/ARA sends an authorization and user information request message (i.e. the second message in the foregoing embodiment) to the AAA for applying for obtaining the operation authorization permission, where the authorization and user information request message may include the temporary identification T-ID of the V2X device and the user identity information.
Step 406: authorization verification. The AAA obtains the security context information of the V2X device based on the temporary identifier T-ID in the authorization and user information request message (the security context information may include, for example, the real identifier of the V2X device, the shared symmetric key K and other user information), and derives session keys from the shared symmetric key K, namely the first key K1, second key K2, third key K3, fourth key K4 and fifth key K5 of the foregoing embodiment. The AAA decrypts the encrypted user identity information with the fifth key K5, checks the authorization and user information request message sent by the PRA/ARA against the decrypted user identity information, and verifies and authorizes the user's service operation request to determine whether the V2X device may be issued the requested authorization certificate (which may be a pseudonymous certificate or an application certificate).
Step 407: if the authorization audit is passed, the AAA sends an authorization and user information response message (i.e., the second response message in the foregoing embodiment) to the PRA/ARA; the second response message may include user information and the first key K1, second key K2, third key K3 and fourth key K4.
Optionally, when the AAA derives the session keys from the shared symmetric key K, it also determines a key lifetime for each session key; accordingly, the second response message may include the first key K1, second key K2, third key K3 and fourth key K4 together with the key lifetime corresponding to each key.
Step 408: verification of the authorization certificate application message. The PRA/ARA uses the second key K2 and the first key K1 respectively to perform integrity protection verification and decryption on the authorization certificate application request message (i.e., the first message in the foregoing embodiment).
Step 409a to step 409b: the PRA/ARA returns an authorization certificate application response message (i.e., one example of the first response message in the foregoing embodiment) to the V2X device; the response carries the download time of the pseudonymous certificate/application certificate so as to notify the V2X device of it. The authorization certificate application response message may be encrypted and integrity protected using the first key K1 and the second key K2. It may be forwarded to the V2X device via the AAA, as shown in the figure; in other embodiments the PRA/ARA may send it directly to the V2X device without forwarding via the AAA.
It should be noted that, if the present step is directed to application of the application certificate, that is, the download time of the application certificate is returned to the V2X device through the authorized certificate application response message, then step 413a and step 413b are not executed subsequently.
Step 410: the PRA/ARA sends an authorization certificate application request to the PCA/ACA.
Step 411: the PCA/ACA issues the relevant authorization certificates (including pseudonym certificates/application certificates).
Step 412: the PCA/ACA sends an authorization certificate application response to the PRA/ARA. For the case of applying for the pseudonymous certificate, the PRA compresses and stores the received pseudonymous certificate, and waits for the V2X device to download according to the download time indicated in the step 409a to the step 409 b.
Step 413a to step 413b: in the case of applying for an application certificate, the ARA sends an authorization certificate application response message (i.e., another example of the first response message in the foregoing embodiment) to the V2X device, carrying the application certificate. The authorization certificate application response message may be encrypted and integrity protected using the first key K1 and the second key K2. It may be forwarded to the V2X device via the AAA, as shown in the figure; in other embodiments the ARA may send it directly to the V2X device without forwarding via the AAA.
It should be noted that, if the ARA sends the authorization certificate application response message to the V2X device through this step, the foregoing steps 409a to 409b are not executed.
After the V2X device receives the authorization certificate application response message, it performs integrity protection verification based on the second key K2 and decryption based on the first key K1, and securely stores the content of the decrypted message.
The above process is an authorization certificate application process, and the above process can also be applied to an authorization certificate update process. In the case that the above-mentioned procedure is applied to the authorization certificate updating procedure, the names of some messages in the above-mentioned procedure should be modified adaptively, for example, in step 402, to prepare for the authorization certificate updating; step 404a to step 404b, updating the request message for the authorization certificate; step 408, updating message authentication for the authorization certificate; step 413a to step 413b, updating the response message for the authorization certificate; step 410, updating request message for authorization certificate; at step 412, the response message is updated for the authorization credential.
It should be noted that, optionally, the naming of steps 405 to 407 above follows the messages corresponding to the application for a pseudonymous certificate; if an application certificate is applied for, step 405 may be: the ARA sends a certificate issuing authorization request message (i.e., the second message in the foregoing embodiment) to the AAA; accordingly, step 407 may be: if the authorization verification is passed, the AAA sends a certificate issuing authorization response message (i.e., the second response message in the foregoing embodiment) to the ARA, where the second response message may include user information and the first key K1, second key K2, third key K3 and fourth key K4.
It is to be understood that the above-mentioned request message for requesting an authorized certificate and the request message for updating an authorized certificate can be both used as the first message in the above-mentioned embodiments of the present invention; both the certificate authority application response message and the certificate authority update response message can be used as the first response message in the above embodiments of the present invention.
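The following is an added example, not code from the patent or from any China Mobile implementation, that carries steps 401 to 409/413 above through in Python with all three parties: the V2X device, the PRA/ARA as first network device, and the AAA as second network device. The patent fixes no key derivation function, cipher or message layout, so these are assumptions: HMAC-SHA256 over a per-key label derives K1 to K5 from K; an HMAC-based counter-mode keystream stands in for the block cipher a real OBU would use; K1 encrypts and K2 authenticates (encrypt-then-MAC, tag verified before decryption, as step 408 orders them); and the T-ID and the K5-encrypted identity are carried as separate cleartext fields beside the K1/K2-protected request, because the PRA/ARA must forward them to the AAA in step 405 before it holds K1 and K2 (step 407). The security context database, identities, audit policy and key K are constructed test data. The example shows the two properties the embodiment relies on: the AAA returns K1 to K4 but never K5, so the PRA/ARA can read the request but not the identity, and a tampered request fails the K2 check before anything is decrypted.

```python
"""Added example, not code from the patent: steps 401-409/413 with all three
parties. KDF, cipher and message layout are assumptions (see comments)."""
import hashlib
import hmac
import json
import secrets

_HASH = hashlib.sha256
_NONCE_LEN = 16
_TAG_LEN = 32


def derive_session_keys(k: bytes) -> dict:
    """Steps 401/406: K1..K5 from the shared symmetric key K.
    Assumed KDF: HMAC-SHA256 over a fixed per-key label (the patent names none)."""
    labels = {"K1": b"encrypt", "K2": b"integrity", "K3": b"authenticate",
              "K4": b"channel", "K5": b"identity"}
    return {n: hmac.new(k, b"v2x-authz/" + lbl, _HASH).digest() for n, lbl in labels.items()}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode stands in for the AES-CTR a real OBU would use.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), _HASH).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(_NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:_NONCE_LEN], blob[_NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protect(k1: bytes, k2: bytes, payload: bytes) -> bytes:
    """Encrypt with K1, then tag with K2 (encrypt-then-MAC)."""
    ct = encrypt(k1, payload)
    return ct + hmac.new(k2, ct, _HASH).digest()


def unprotect(k1: bytes, k2: bytes, blob: bytes) -> bytes:
    """Verify the K2 tag first; decrypt with K1 only if it matches."""
    ct, tag = blob[:-_TAG_LEN], blob[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k2, ct, _HASH).digest()):
        raise ValueError("integrity protection verification failed")
    return decrypt(k1, ct)


# V2X device, steps 401/403/404: T-ID in the clear, identity under K5, request under K1/K2.
def build_first_message(k: bytes, t_id: str, identity: dict, request: dict) -> dict:
    keys = derive_session_keys(k)
    return {"t_id": t_id,
            "enc_identity": encrypt(keys["K5"], json.dumps(identity).encode()),
            "request": protect(keys["K1"], keys["K2"], json.dumps(request).encode())}


# AAA (second network device), steps 405-407.
def aaa_authorize(context_db: dict, second_message: dict) -> dict:
    ctx = context_db.get(second_message["t_id"])  # security context lookup by T-ID
    if ctx is None:
        return {"granted": False}
    keys = derive_session_keys(ctx["K"])
    identity = json.loads(decrypt(keys["K5"], second_message["enc_identity"]))
    # Assumed audit policy: the presented registration certificate must be the
    # one bound to this security context.
    if identity.get("registration_cert") != ctx["registration_cert"]:
        return {"granted": False}
    # K5 is withheld on purpose: the PRA/ARA never learns the real identity.
    return {"granted": True, "user_info": ctx["user_info"],
            **{n: keys[n] for n in ("K1", "K2", "K3", "K4")}}


# PRA/ARA (first network device), steps 404b, 405, 408, 409.
def pra_handle_request(context_db: dict, first_message: dict, download_time: str) -> bytes:
    second_message = {"t_id": first_message["t_id"], "enc_identity": first_message["enc_identity"]}
    second_response = aaa_authorize(context_db, second_message)
    if not second_response["granted"]:
        raise PermissionError("authorization audit failed")
    k1, k2 = second_response["K1"], second_response["K2"]
    request = json.loads(unprotect(k1, k2, first_message["request"]))  # step 408
    response = {"cert_type": request["cert_type"], "download_time": download_time}
    return protect(k1, k2, json.dumps(response).encode())  # step 409


# V2X device, step 409b/413b.
def read_first_response(k: bytes, first_response: bytes) -> dict:
    keys = derive_session_keys(k)
    return json.loads(unprotect(keys["K1"], keys["K2"], first_response))


def demo() -> dict:
    """Whole exchange on constructed data; returns what the V2X device decrypts."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed shared key K
    t_id = "T-ID-7f3a"
    context_db = {t_id: {"K": k, "registration_cert": "EC-CERT-0001",
                         "user_info": {"region": "demo"}}}
    identity = {"vin": "DEMOVIN0000000001", "registration_cert": "EC-CERT-0001"}
    request = {"cert_type": "pseudonym", "pubkey": "constructed-public-key"}
    first_message = build_first_message(k, t_id, identity, request)
    first_response = pra_handle_request(context_db, first_message, "2020-07-01T00:00:00Z")
    return read_first_response(k, first_response)
```

Calling demo() returns the decrypted authorization certificate application response as the V2X device sees it. The identity separation described above holds only as long as the PRA/ARA cannot obtain K itself; in this design it receives the derived K1 to K4 and nothing from which K5 could be recomputed.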
Optionally, on the basis of the above method, the following steps may be further included:
step 414: based on the third key K3The PRA/ARA and V2X devices can perform two-way identity authentication.
Step 415: based on the fourth key K4A secure transmission channel, such as a Transport Layer Protocol (TLS) secure channel, an Internet Security Protocol (IPSec) secure channel, an application Layer secure channel, etc., may be established between the PRA/ARA and the V2X device for end-to-end secure transmission of data.
In this embodiment, in an initialization stage, V2X devices such as an OBU and an RSU may interact with an AAA in an offline or online manner to obtain a temporary identifier T-id (temporal id), negotiate a shared symmetric key or exchange a digital certificate, and establish a security association. Meanwhile, the V2X device applies for obtaining a registration certificate or a service token from a registration certificate authority through AAA. It is to be understood that in other examples, the processing may also be performed based on the service token by using the similar process described above, and details are not described here.
In some optional embodiments, in the case that AAA is implemented by GBA, in the scenario of applying for pseudonymous certificate:
if the V2X device does not hold a valid GBA shared session key (i.e., the shared symmetric key in the foregoing embodiment), it accesses the GBA authentication and authorization system over the cellular network to initiate an authentication and authorization request. The GBA authentication and authorization system preferentially uses the GBA_U mode and, on success, returns an authentication and authorization response to the V2X device. Within the GBA authentication and authorization system, the BSF is responsible for authenticating the V2X device and providing the GBA key to the NAF, which is responsible for generating multiple GBA shared session keys for use by the PRA.
In step 404, the V2X device sends the protected pseudonymous certificate application request message, which includes the encrypted user identity information, to the pseudonymous certificate registration authority PRA through the GBA authentication and authorization system. The pseudonymous certificate application request message may be carried in a Hypertext Transfer Protocol (HTTP) message, which carries the B-TID and the domain name of the PRA server.
The GBA authentication and authorization system can forward a pseudonymous certificate application request to the PRA according to domain name information of the PRA server.
The embodiment of the invention also provides a network device, which is the first network device in the foregoing embodiments. Fig. 7 is a first schematic structural diagram of a network device according to an embodiment of the present invention; as shown in fig. 7, the network device includes a first communication unit 51 and a second communication unit 52, wherein:
the first communication unit 51, configured to receive a first message from a V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier;
the second communication unit 52 is configured to send a second message to a second network device; the second message comprises the temporary identifier; the second message is used for applying for audit authorization for the service request; and the second communication unit 52 is further configured to obtain a second response message sent by the second network device, where the second response message is used to indicate whether the audit authorization is successful.
In some optional embodiments of the invention, the first message further comprises user identity information.
In some optional embodiments of the invention, the user identity information is encrypted based on a fifth key.
In some optional embodiments of the invention, the first message is encrypted and/or integrity protected based on a first key and a second key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key and a second key;
the network device further includes a first processing unit 53, configured to perform integrity protection verification and/or decryption on the first message based on the second key and the first key, and apply for an authorization certificate based on the first message that passes integrity protection verification and/or decryption.
In some optional embodiments of the invention, the first message is encrypted and/or integrity protected based on a first key; when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key;
the first processing unit 53 is configured to perform integrity protection verification and/or decryption on the first message based on the first key, and apply for an authorization certificate based on the first message that passes integrity protection verification and/or decryption.
In some optional embodiments of the present invention, when the second response message indicates that the authorization audit is successful, the second response message further includes a third key;
the network device further comprises a first processing unit 53 configured to perform identity authentication with the V2X device based on the third key.
In some optional embodiments of the present invention, when the second response message indicates that the authorization audit is successful, the second response message further includes a fourth key;
the network device further comprises a first processing unit 53 configured to establish a secure transmission channel with the V2X device based on the fourth key.
In some optional embodiments of the present invention, the first communication unit 51 is further configured to send a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
In some optional embodiments of the present invention, in a case that the first message is used to apply for an application certificate, the authorization certificate related information includes the application certificate, or the authorization certificate related information includes a download time of the application certificate;
in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
In some optional embodiments of the present invention, the first communication unit 51 is configured to send a first response message directly to the V2X device; alternatively, the first response message is sent to the V2X device via forwarding.
In some optional embodiments of the present invention, the first communication unit 51 is configured to receive a first message directly sent by the V2X device; alternatively, a forwarded first message is received from the V2X device.
In the embodiment of the present invention, the first processing unit 53 in the network device may in practice be implemented by a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU) or a Field Programmable Gate Array (FPGA) in the network device; the first communication unit 51, the second communication unit 52 and the third communication unit in the network device may in practice be implemented by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol, etc.) and a transceiving antenna.
The embodiment of the invention also provides a network device, which is the second network device in the foregoing embodiments. Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present invention; as shown in fig. 8, the network device includes a fourth communication unit 61 and a second processing unit 62, wherein:
the fourth communication unit 61 is configured to receive a second message sent by the first network device; the second message comprises a temporary identification; the second message is used for applying for auditing authorization aiming at the service request; the service request is sent to the first network device by the V2X device;
the second processing unit 62 is configured to perform an authorization check based on the temporary identifier;
the fourth communication unit 61 is further configured to send a second response message to the first network device, where the second response message is used to indicate whether the authorization audit is successful.
In some optional embodiments of the invention, the second message further comprises user identity information.
In some optional embodiments of the invention, the user identity information is encrypted based on a fifth key;
the second processing unit 62 is configured to generate a fifth key based on the temporary identifier, decrypt the user identity information with the fifth key, and perform authorization check.
In some optional embodiments of the invention, the second processing unit 62 is configured to obtain a shared symmetric key corresponding to the V2X device based on the temporary identifier, and generate at least the fifth key based on the shared symmetric key.
In some optional embodiments of the invention, the second processing unit 62 is further configured to generate at least a first key and a second key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and a second key.
In other optional embodiments of the invention, the second processing unit 62 is further configured to generate at least a first key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key.
In some optional embodiments of the present invention, the second processing unit 62 is further configured to generate a third key based on the shared symmetric key, where the third key is used for identity authentication between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
In some optional embodiments of the present invention, the second processing unit 62 is further configured to generate a fourth key based on the shared symmetric key, where the fourth key is used to establish a secure transmission channel between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
In the embodiment of the present invention, the second processing unit 62 in the network device can be implemented by a CPU, a DSP, an MCU or an FPGA in the network device in practical application; the fourth communication unit 61 in the network device can be implemented by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol, etc.) and a transceiver antenna in practical application.
An embodiment of the present invention further provides a V2X device, fig. 9 is a schematic diagram of a structure of the V2X device according to the embodiment of the present invention, and as shown in fig. 9, the V2X device includes a fifth communication unit 71, configured to send a first message to a first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
In some optional embodiments of the invention, the first message further comprises user identity information.
In some optional embodiments of the invention, the user identity information is encrypted based on a fifth key; the fifth key is generated based on a shared symmetric key.
In some optional embodiments of the invention, the V2X device further comprises a third processing unit 72 for generating at least a first key and a second key based on the shared symmetric key before the fifth communication unit 71 sends the first message to the first network device; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
In some optional embodiments of the invention, the third processing unit 72 is configured to, before the fifth communication unit sends the first message to the first network device, generate at least a first key based on the shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key.
In some optional embodiments of the present invention, the third processing unit 72 is configured to generate a third key based on the shared symmetric key, and perform identity authentication with the first network device based on the third key.
In some optional embodiments of the present invention, the third processing unit 72 is configured to generate a fourth key based on the shared symmetric key, and establish a secure transmission channel with the first network device based on the fourth key.
In some optional embodiments of the present invention, the fifth communication unit 71 is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on the first key and the second key; the first response message comprises the related information of the authorization certificate;
the third processing unit 72 is further configured to perform integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtain the information related to the authorization certificate based on the first response message that passes integrity protection verification and/or decryption.
In some optional embodiments of the present invention, the fifth communication unit 71 is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
the third processing unit 72 is configured to perform integrity protection verification and/or decryption on the first response message based on the first key, and obtain the information related to the authorization certificate based on the first response message that passes integrity protection verification and/or decryption.
In some optional embodiments of the present invention, in a case that the first message is used to apply for an application certificate, the authorization certificate related information includes the application certificate, or the authorization certificate related information includes a download time of the application certificate; the third processing unit 72 is further configured to download the application certificate according to the download time;
in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the third processing unit 72 is further configured to download the pseudonymous certificate according to the download time.
In some optional embodiments of the present invention, the fifth communication unit 71 is configured to receive a first response message directly sent by the first network device; alternatively, a forwarded first response message is received from the first network device.
In some optional embodiments of the present invention, the fifth communication unit 71 is configured to send the first message directly to the first network device; or, after forwarding, sending the first message to the first network device.
In the embodiment of the present invention, the third processing unit 72 in the V2X device can be implemented by a CPU, a DSP, an MCU, or an FPGA in the V2X device in practical application; the fifth communication unit 71 in the V2X device can be implemented by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol, etc.) and a transceiver antenna in practical application.
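The three-party exchange described for the fifth communication unit 71 and third processing unit 72 above, and again in method claims 1, 12 and 20 below, is shown here as an added Python example; it is not the patent's own code. The V2X device and the second network device both derive the first to fifth keys from the shared symmetric key; the temporary identifier travels in the clear so the second network device can look up that key, the user identity information is encrypted under the fifth key, the service request is encrypted under the first key and integrity protected under the second, and the first network device only decrypts and "applies for" the certificate after a successful audit hands it those keys. The derivation labels, the HMAC-SHA256 counter-mode cipher used as a stand-in for a real cipher suite, the message field names, the registry contents and the download-time value are all assumptions constructed for this example.

```python
import hashlib, hmac, json, secrets, struct

NONCE_LEN, TAG_LEN = 16, 32

def derive_key(shared_key, label):
    # Single-block HKDF-Expand (RFC 5869): every sub-key is bound to its own label.
    return hmac.new(shared_key, label + b"\x01", hashlib.sha256).digest()

def derive_key_set(shared_key):
    # The five keys the page derives from the shared symmetric key (labels are assumed).
    return {"first": derive_key(shared_key, b"k1-encryption"),
            "second": derive_key(shared_key, b"k2-integrity"),
            "third": derive_key(shared_key, b"k3-identity-authentication"),
            "fourth": derive_key(shared_key, b"k4-secure-channel"),
            "fifth": derive_key(shared_key, b"k5-user-identity")}

def _xor_keystream(key, nonce, data):
    # Counter-mode keystream from HMAC-SHA256; a stdlib-only stand-in for AES-CTR.
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)

def decrypt(key, blob):
    return _xor_keystream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

def protect(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: confidentiality under the first key, integrity under the second.
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def unprotect(enc_key, mac_key, blob):
    # Integrity protection verification comes first; only a message that passes is decrypted.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("protected message too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity protection verification failed")
    return decrypt(enc_key, body)

class V2XDevice:
    def __init__(self, temporary_identifier, user_id, shared_key):
        self.temporary_identifier, self.user_id = temporary_identifier, user_id
        self.keys = derive_key_set(shared_key)  # derived before the first message is sent

    def first_message(self, service_request):
        k = self.keys
        return {"temporary_identifier": self.temporary_identifier,  # in the clear: the auditor needs it
                "user_identity": encrypt(k["fifth"], self.user_id.encode()),
                "body": protect(k["first"], k["second"], service_request.encode())}

    def read_first_response(self, response):
        return json.loads(unprotect(self.keys["first"], self.keys["second"], response))

class SecondNetworkDevice:
    def __init__(self, registry):
        self.registry = registry  # temporary identifier -> (shared symmetric key, authorized user ids)

    def audit(self, second_message):
        entry = self.registry.get(second_message["temporary_identifier"])
        if entry is None:
            return {"success": False}  # unknown temporary identifier: no key, no audit
        shared_key, authorized = entry
        keys = derive_key_set(shared_key)
        user_id = decrypt(keys["fifth"], second_message["user_identity"]).decode(errors="replace")
        if user_id not in authorized:
            return {"success": False}
        # Audit passed: the first to fourth keys travel to the first network device.
        return {"success": True, **{n: keys[n] for n in ("first", "second", "third", "fourth")}}

def first_network_device(auditor, msg):
    # First network device: forward the audit request, then verify and decrypt the first message.
    resp = auditor.audit({"temporary_identifier": msg["temporary_identifier"],
                          "user_identity": msg["user_identity"]})
    if not resp["success"]:
        return None
    try:
        request = unprotect(resp["first"], resp["second"], msg["body"]).decode()
    except ValueError:
        return None  # tampered body: no certificate is applied for
    # Applying for the certificate is simulated; the download slot is a constructed value.
    related = {"request": request, "download_time": "constructed-slot-1"}
    return protect(resp["first"], resp["second"], json.dumps(related).encode())

def run_example():
    shared = secrets.token_bytes(32)
    auditor = SecondNetworkDevice({"tid-1234": (shared, {"user-42"})})  # constructed registry entry
    v2x = V2XDevice("tid-1234", "user-42", shared)
    ok = v2x.read_first_response(first_network_device(auditor, v2x.first_message("apply_pseudonymous_certificate")))
    tampered = v2x.first_message("apply_pseudonymous_certificate")
    tampered["body"] = tampered["body"][:-1] + bytes([tampered["body"][-1] ^ 1])
    unknown = dict(v2x.first_message("apply_pseudonymous_certificate"), temporary_identifier="tid-9999")
    return {"success": ok, "tampered": first_network_device(auditor, tampered),
            "unknown_identifier": first_network_device(auditor, unknown)}
```

`run_example()` walks the happy path (the V2X device gets back the certificate download time) and the two failure modes a practitioner cares about: a first message whose integrity tag has been altered is rejected before anything is decrypted, and a temporary identifier the auditor does not know yields a failed audit, so the first network device never receives keys and never applies for a certificate.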
It should be noted that, in the information reminding device provided in the above embodiment, the division into program modules is only given as an example when reminding information; in practical applications, the processing may be allocated to different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the information reminding device and the information reminding method provided by the above embodiments belong to the same concept; their specific implementation processes are described in detail in the method embodiments and are not repeated here.
An embodiment of the present invention further provides a communication device, where the communication device may be the first network device, the second network device, or the V2X device in the foregoing embodiments. Fig. 10 is a schematic diagram of a hardware composition structure of a communication device according to an embodiment of the present invention, and as shown in fig. 10, the communication device may include a memory 82, a processor 81, and a computer program stored on the memory 82 and operable on the processor 81, where the processor 81 executes the computer program to implement the steps of the Internet-of-vehicles-based certificate authorization processing method applied to the foregoing first network device, second network device, or V2X device in the embodiment of the present invention.
It will be appreciated that one or more network interfaces 83 may also be included in the communication device. Optionally, various components in the communication device are coupled together by a bus system 84. It will be appreciated that the bus system 84 is used to enable communications among the components. The bus system 84 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 84 in fig. 10.
It will be appreciated that the memory 82 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 82 described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiments of the present invention may be applied to the processor 81, or implemented by the processor 81. The processor 81 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 81. The processor 81 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 81 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 82, and the processor 81 reads the information in the memory 82 and performs the steps of the aforementioned methods in conjunction with its hardware.
In an exemplary embodiment, the communication Device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, MCUs, microprocessors (microprocessors), or other electronic components for performing the aforementioned methods.
In an exemplary embodiment, the present invention further provides a computer readable storage medium, such as a memory 82, comprising a computer program, which is executable by a processor 81 of a communication device to perform the steps of the aforementioned method. The computer readable storage medium can be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
The computer-readable storage medium provided by the embodiment of the present invention stores a computer program which, when executed by a processor, implements the steps of the Internet-of-vehicles-based certificate authorization processing method applied to the aforementioned first network device, second network device or V2X device in the embodiment of the present invention.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (65)

1. A certificate authorization processing method based on Internet of vehicles is characterized by comprising the following steps:
the first network device receiving a first message from the V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier;
sending a second message to the second network device; the second message comprises the temporary identifier; the second message is used for applying for auditing authorization aiming at the service request;
and obtaining a second response message sent by the second network equipment, wherein the second response message is used for indicating whether the auditing authorization is successful or not.
2. The method of claim 1, wherein the first message further comprises user identity information; correspondingly, the second message further includes the user identity information.
3. The method of claim 2, wherein the user identity information is encrypted based on a fifth key.
4. The method according to claim 1, characterized in that the first message is encrypted and/or integrity protected based on a first key and a second key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key and a second key;
correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the second key and the first key, and applies for an authorization certificate based on the first message passing integrity protection verification and/or decryption.
5. The method according to claim 1, wherein the first message is encrypted and/or integrity protected based on a first key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key;
correspondingly, the first network device performs integrity protection verification and/or decryption on the first message based on the first key, and applies for an authorization certificate based on the first message passing the integrity protection verification and/or decryption.
6. The method according to any one of claims 1 to 5, wherein when the second response message indicates that the authorization audit is successful, a third key is further included in the second response message; the method further comprises the following steps:
and performing identity authentication between the first network device and the V2X device based on the third key.
7. The method according to any one of claims 1 to 5, wherein when the second response message indicates that the authorization audit is successful, a fourth key is further included in the second response message; the method further comprises the following steps:
and establishing a secure transmission channel between the first network device and the V2X device based on the fourth key.
8. The method of claim 1, further comprising:
the first network device sending a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
9. The method according to claim 8, wherein, in the case that the first message is used for applying for an application certificate, the authorization certificate related information comprises the application certificate, or the authorization certificate related information comprises a download time of the application certificate;
in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
10. The method of claim 8, wherein sending the first response message to the V2X device comprises:
the first network device sending a first response message directly to the V2X device; or,
the first network device sends a first response message to the V2X device via forwarding.
11. The method of claim 1, wherein the first network device receives a first message from a V2X device, comprising:
the first network device receives a first message directly sent by the V2X device; or,
the first network device receives the forwarded first message from the V2X device.
12. A certificate authorization processing method based on Internet of vehicles is characterized by comprising the following steps:
the second network equipment receives a second message sent by the first network equipment; the second message comprises a temporary identification; the second message is used for applying for auditing authorization aiming at the service request; the service request is sent to the first network device by the V2X device;
performing an authorization check based on the temporary identifier;
and sending a second response message to the first network equipment, wherein the second response message is used for indicating whether the authorization audit is successful or not.
13. The method of claim 12, wherein the second message further comprises user identity information.
14. The method of claim 13, wherein the user identity information is encrypted based on a fifth key;
the performing authorization verification based on the temporary identifier includes:
and generating a fifth key based on the temporary identifier, decrypting the user identity information by using the fifth key, and performing authorization verification.
15. The method of claim 12, wherein generating the fifth key based on the temporary identifier comprises:
obtaining a shared symmetric key corresponding to the V2X device based on the temporary identification, and generating at least the fifth key based on the shared symmetric key.
16. The method of claim 15, further comprising: generating at least a first key and a second key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and a second key.
17. The method of claim 15, further comprising: generating at least a first key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key.
18. The method of claim 15, further comprising:
generating a third key based on the shared symmetric key, the third key being used for identity authentication between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
19. The method of claim 15, further comprising:
generating a fourth key based on the shared symmetric key, the fourth key being used to establish a secure transmission channel between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
20. A certificate authorization processing method based on Internet of vehicles is characterized by comprising the following steps:
the V2X device sending a first message to the first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
21. The method of claim 20, wherein the first message further comprises user identity information.
22. The method of claim 21, wherein the user identity information is encrypted based on a fifth key; the fifth key is generated based on a shared symmetric key.
23. The method of claim 20, wherein prior to the V2X device sending the first message to the first network device, the method further comprises:
the V2X device generating at least a first key and a second key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
24. The method of claim 20, wherein prior to the V2X device sending the first message to the first network device, the method further comprises:
the V2X device generating at least a first key based on a shared symmetric key; wherein the first message is encrypted and/or integrity protected based on the first key.
25. The method of any one of claims 20 to 24, further comprising:
the V2X device generates a third key based on a shared symmetric key, and based on the third key, the V2X device authenticates with the first network device.
26. The method of any one of claims 20 to 24, further comprising:
the V2X device generates a fourth key based on a shared symmetric key, based on which a secure transmission channel is established between the V2X device and the first network device.
27. The method of claim 20, further comprising:
the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key and a second key; the first response message comprises the related information of the authorization certificate;
and performing integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
28. The method of claim 20, further comprising:
the V2X device receives a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
and performing integrity protection verification and/or decryption on the first response message based on the first key, and obtaining the related information of the authorization certificate based on the first response message passing the integrity protection verification and/or decryption.
29. The method according to claim 27 or 28, wherein, in the case that the first message is used for applying for an application certificate, the authorization certificate related information comprises the application certificate; or, the authorization certificate related information includes a download time of the application certificate; the method further comprises the following steps: the V2X device downloads the application certificate according to the download time;
in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the method further comprises the following steps: the V2X device downloads the pseudonymous certificate according to the download time.
30. The method according to claim 27 or 28, wherein the V2X device receiving the first response message sent by the first network device comprises:
the V2X device receives a first response message directly sent by the first network device; or,
the V2X device receives the forwarded first response message from the first network device.
31. The method of claim 20, wherein the V2X device sends the first message to a first network device, comprising:
the V2X device sending the first message directly to the first network device; or,
the V2X device sends the first message to the first network device via forwarding.
32. A network device, the network device being a first network device, the network device comprising: a first communication unit and a second communication unit; wherein,
the first communication unit is used for receiving a first message from the V2X device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier;
the second communication unit is used for sending a second message to second network equipment; the second message comprises the temporary identifier; the second message is used for applying for auditing authorization aiming at the service request; and the second communication unit is further configured to obtain a second response message sent by the second network device, where the second response message is used to indicate whether the audit authorization is successful.
33. The network device of claim 32, wherein the first message further comprises user identity information; correspondingly, the second message further includes the user identity information.
34. The network device of claim 33, wherein the user identity information is encrypted based on a fifth key.
35. The network device of claim 32, wherein the first message is encrypted and/or integrity protected based on a first key and a second key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key and a second key;
the network device further includes a first processing unit, configured to perform integrity protection verification and/or decryption on the first message based on the second key and the first key, and apply for an authorization certificate based on the first message that passes integrity protection verification and/or decryption.
36. The network device of claim 32, wherein the first message is encrypted and/or integrity protected based on a first key;
when the second response message indicates that the authorization audit is successful, the second response message at least comprises the first key;
the network device further includes a first processing unit, configured to perform integrity protection verification and/or decryption on the first message based on the first key, and apply for an authorization certificate based on the first message that passes the integrity protection verification and/or decryption.
37. The network device according to any one of claims 32 to 36, wherein when the second response message indicates that the authorization audit is successful, a third key is further included in the second response message;
the network device further comprises a first processing unit, configured to perform identity authentication with the V2X device based on the third key.
38. The network device according to any one of claims 32 to 36, wherein when the second response message indicates that the authorization audit is successful, a fourth key is further included in the second response message;
the network device further comprises a first processing unit, configured to establish a secure transmission channel with the V2X device based on the fifth key.
39. The network device of claim 32, wherein the first communication unit is further configured to send a first response message to the V2X device; the first response message is encrypted and/or integrity-protected based on a first key and a second key, or the first response message is encrypted and/or integrity-protected based on the first key; the first response message comprises the related information of the authorization certificate.
40. The network device according to claim 39, wherein in a case that the first message is used to apply for an application certificate, the information related to the authorization certificate comprises the application certificate, or the information related to the authorization certificate comprises a download time of the application certificate;
in a case where the first message is for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate.
41. The network device of claim 39, wherein the first communication unit is configured to send the first response message directly to the V2X device; alternatively, the first response message is sent to the V2X device via forwarding.
42. The network device according to claim 32, wherein the first communication unit is configured to receive a first message directly sent by the V2X device; alternatively, a forwarded first message is received from the V2X device.
43. A network device, the network device being a second network device, the network device comprising: a fourth communication unit and a second processing unit; wherein,
the fourth communication unit is configured to receive a second message sent by the first network device; the second message comprises a temporary identification; the second message is used for applying for auditing authorization aiming at the service request; the service request is sent to the first network device by the V2X device;
the second processing unit is used for performing authorization verification based on the temporary identifier;
the fourth communication unit is further configured to send a second response message to the first network device, where the second response message is used to indicate whether the authorization audit is successful.
44. The network device of claim 43, wherein the second message further comprises user identity information.
45. The network device of claim 44, wherein the user identity information is encrypted based on a fifth key;
and the second processing unit is configured to generate a fifth key based on the temporary identifier, decrypt the user identity information using the fifth key, and perform authorization verification.
46. The network device of claim 45, wherein the second processing unit is configured to obtain a shared symmetric key corresponding to the V2X device based on the temporary identifier, and generate at least the fifth key based on the shared symmetric key.
47. The network device of claim 46, wherein the second processing unit is further configured to generate at least a first key and a second key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key and the second key.
48. The network device of claim 46, wherein the second processing unit is further configured to generate at least a first key based on the shared symmetric key;
when the second response message indicates that the authorization audit is successful, the second response message at least includes the first key.
49. The network device of claim 46, wherein the second processing unit is further configured to generate a third key based on the shared symmetric key, wherein the third key is used for identity authentication between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the third key.
50. The network device of claim 46, wherein the second processing unit is further configured to generate a fourth key based on the shared symmetric key, wherein the fourth key is used to establish a secure transmission channel between the first network device and the V2X device;
when the second response message indicates that the authorization audit is successful, the second response message further includes the fourth key.
51. A V2X device, characterized in that the V2X device comprises a fifth communication unit for sending a first message to a first network device; the first message is used for representing a service request related to an authorization certificate; the first message comprises a temporary identifier.
52. The V2X device of claim 51, wherein the first message further includes user identity information.
53. The V2X device of claim 52, wherein the user identity information is encrypted based on a fifth key; the fifth key is generated based on a shared symmetric key.
54. The V2X device of claim 51, wherein the V2X device further comprises a third processing unit for generating at least a first key and a second key based on the shared symmetric key prior to the fifth communication unit sending the first message to the first network device; wherein the first message is encrypted and/or integrity protected based on the first key and the second key.
55. The V2X device of claim 51, wherein the V2X device further comprises a third processing unit for generating at least a first key based on the shared symmetric key prior to the fifth communication unit sending the first message to the first network device; wherein the first message is encrypted and/or integrity protected based on the first key.
56. The V2X device of any of claims 51-55, wherein the V2X device further comprises a third processing unit configured to generate a third key based on the shared symmetric key, and authenticate with the first network device based on the third key.
57. The V2X device of any of claims 51-55, wherein the V2X device further comprises a third processing unit configured to generate a fourth key based on the shared symmetric key, and to establish a secure transmission channel with the first network device based on the fourth key.
58. The V2X apparatus of claim 51, wherein the V2X apparatus further comprises a third processing unit;
the fifth communication unit is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key and a second key; the first response message comprises the related information of the authorization certificate;
the third processing unit is configured to perform integrity protection verification and/or decryption on the first response message based on the second key and the first key, and obtain the information related to the authorization certificate based on the first response message that passes integrity protection verification and/or decryption.
59. The V2X apparatus of claim 51, wherein the V2X apparatus further comprises a third processing unit;
the fifth communication unit is further configured to receive a first response message sent by the first network device; the first response message is encrypted and/or integrity protected based on a first key; the first response message comprises the related information of the authorization certificate;
the third processing unit is configured to perform integrity protection verification and/or decryption on the first response message based on the first key, and obtain the information related to the authorization certificate based on the first response message that passes the integrity protection verification and/or decryption.
60. The V2X device according to claim 58 or 59, wherein, in the case that the first message is for applying for an application certificate, the authorization certificate related information includes the application certificate, or wherein the authorization certificate related information includes a download time of the application certificate; the third processing unit is further configured to download the application certificate according to the download time;
in the case that the first message is used for applying for a pseudonymous certificate, the authorization certificate related information includes a download time of the pseudonymous certificate; the third processing unit is further configured to download the pseudonymous certificate according to the download time.
61. The V2X device according to claim 58 or 59, wherein the fifth communication unit is configured to receive a first response message directly sent by the first network device; alternatively, a forwarded first response message is received from the first network device.
62. The V2X device of claim 51, wherein the fifth communication unit is configured to send the first message directly to the first network device; alternatively, the first message is sent to the first network device via forwarding.
63. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 11; or the program, when executed by a processor, implements the steps of the method of any one of claims 12 to 19; alternatively, the program when executed by a processor implements the steps of the method of any of claims 20 to 31.
64. A network device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any one of claims 1 to 11 are carried out when the program is executed by the processor; alternatively, the processor, when executing the program, performs the steps of the method of any of claims 12 to 19.
65. A V2X apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any one of claims 20 to 31 are carried out when the program is executed by the processor.
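A minimal model of the key hierarchy in claims 43 to 62, as an added example that is not part of the patent: the second network device looks up the shared symmetric key by temporary identifier, derives the fifth key to decrypt the user identity, and on a successful audit hands back the first to fourth keys, under which the first response is protected and then checked by the V2X device. The KDF (HMAC-SHA256 with a label per key), the HMAC-counter stream cipher, the encrypt-then-MAC layout and all sample values are assumptions; the patent specifies none of them.

```python
import hashlib, hmac, secrets

# Assumed KDF (the patent does not specify one): HMAC-SHA256(shared_key, label), one label per key.
LABELS = {"first": b"enc", "second": b"mac", "third": b"auth", "fourth": b"chan", "fifth": b"id"}

def derive_keys(shared_key: bytes) -> dict:
    return {n: hmac.new(shared_key, lab, hashlib.sha256).digest() for n, lab in LABELS.items()}

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter keystream standing in for a real cipher (assumption); nonce must be fresh.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1)]
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag (enc_key encrypts, mac_key authenticates).
    nonce = secrets.token_bytes(16)
    ct = xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Returns None on a tag mismatch so the receiver rejects before decrypting (claims 58/59).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return xor_stream(enc_key, nonce, ct)

KEY_STORE = {b"tmp-id-0001": secrets.token_bytes(32)}  # constructed: temp identifier -> shared key (claim 46)
AUTHORIZED_USERS = {b"user-42"}                          # constructed authorization list

def v2x_first_message(temp_id: bytes, shared_key: bytes, user_identity: bytes) -> dict:
    k = derive_keys(shared_key)
    # Identity field encrypted (here also authenticated) under the fifth key alone (claims 52/53).
    return {"temp_id": temp_id, "identity": protect(k["fifth"], k["fifth"], user_identity)}

def second_network_device_audit(second_msg: dict) -> dict:
    shared = KEY_STORE.get(second_msg["temp_id"])  # unknown temporary identifier: audit fails
    if shared is None:
        return {"ok": False}
    k = derive_keys(shared)
    identity = unprotect(k["fifth"], k["fifth"], second_msg["identity"])
    if identity is None or identity not in AUTHORIZED_USERS:
        return {"ok": False}
    # A successful audit returns the first..fourth keys to the first network device (claims 47-50).
    return {"ok": True, **{n: k[n] for n in ("first", "second", "third", "fourth")}}

def v2x_read_response(shared_key: bytes, blob: bytes):
    # V2X side re-derives the first/second keys and checks the first response (claim 58).
    k = derive_keys(shared_key)
    return unprotect(k["first"], k["second"], blob)
```

The first network device never sees the shared symmetric key: it only forwards the temporary identifier and uses the keys the second response hands it, which is the separation the claims describe.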
CN202010622188.9A 2020-06-30 2020-06-30 Certificate authorization processing method based on Internet of vehicles and related equipment Pending CN114095919A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010622188.9A CN114095919A (en) 2020-06-30 2020-06-30 Certificate authorization processing method based on Internet of vehicles and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010622188.9A CN114095919A (en) 2020-06-30 2020-06-30 Certificate authorization processing method based on Internet of vehicles and related equipment

Publications (1)

Publication Number Publication Date
CN114095919A true CN114095919A (en) 2022-02-25

Family

ID=80294806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010622188.9A Pending CN114095919A (en) 2020-06-30 2020-06-30 Certificate authorization processing method based on Internet of vehicles and related equipment

Country Status (1)

Country Link
CN (1) CN114095919A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116846561A (en) * 2023-06-13 2023-10-03 车百智能网联研究院(武汉)有限公司 Digital certificate management method and system based on V2X communication
WO2023227057A1 (en) * 2022-05-25 2023-11-30 中国移动通信有限公司研究院 Service authorization method, apparatus, network function, and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200029268A1 (en) * 2018-07-23 2020-01-23 Blackberry Limited Vehicle-to-everything (v2x) service access
CN111224781A (en) * 2018-11-23 2020-06-02 潘塔安全系统公司 Method and apparatus for managing registration certificates in a secure credential management system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023227057A1 (en) * 2022-05-25 2023-11-30 中国移动通信有限公司研究院 Service authorization method, apparatus, network function, and storage medium
CN116846561A (en) * 2023-06-13 2023-10-03 车百智能网联研究院(武汉)有限公司 Digital certificate management method and system based on V2X communication
CN116846561B (en) * 2023-06-13 2024-02-02 车百智能网联研究院(武汉)有限公司 Digital certificate management method and system based on V2X communication

Similar Documents

Publication Publication Date Title
CN110084068B (en) Block chain system and data processing method for block chain system
EP3661120B1 (en) Method and apparatus for security authentication
CN110380852B (en) Bidirectional authentication method and communication system
US10382485B2 (en) Blockchain-assisted public key infrastructure for internet of things applications
US9847882B2 (en) Multiple factor authentication in an identity certificate service
CN111416807B (en) Data acquisition method, device and storage medium
CN113691560B (en) Data transmission method, method for controlling data use, and cryptographic device
US10567370B2 (en) Certificate authority
US9137017B2 (en) Key recovery mechanism
JP6471112B2 (en) COMMUNICATION SYSTEM, TERMINAL DEVICE, COMMUNICATION METHOD, AND PROGRAM
US9124561B2 (en) Method of transferring the control of a security module from a first entity to a second entity
CN111049660A (en) Certificate distribution method, system, device and equipment, and storage medium
US11044082B2 (en) Authenticating secure channel establishment messages based on shared-secret
CN111865939A (en) Point-to-point national secret tunnel establishment method and device
JP2008099267A (en) Method for securing session between wireless terminal and equipment in network
CN112543166B (en) Real name login method and device
CN113556230B (en) Data security transmission method, certificate related method, server, system and medium
CN114547583A (en) Identity authentication system, method, device, equipment and computer readable storage medium
CN114095919A (en) Certificate authorization processing method based on Internet of vehicles and related equipment
CN100450305C (en) Safety service communication method based on general authentification frame
US20240113885A1 (en) Hub-based token generation and endpoint selection for secure channel establishment
CN110417722B (en) Business data communication method, communication equipment and storage medium
Kleberger et al. Protecting vehicles against unauthorised diagnostics sessions using trusted third parties
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
US11570008B2 (en) Pseudonym credential configuration method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination