CN114364062A - Method for accessing gateway safely in Internet of vehicles - Google Patents


Info

Publication number: CN114364062A
Authority: CN (China)
Prior art keywords: data signal, data, gateway, interface, node
Legal status: Granted
Application number: CN202111522723.4A
Other languages: Chinese (zh)
Other versions: CN114364062B (en)
Inventors: 曾纪钧, 龙震岳, 张小陆, 梁哲恒
Current assignee: Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd
Priority to CN202111522723.4A (patent CN114364062B)
Publication of CN114364062A
Application granted; publication of CN114364062B
Legal status: Active

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for securely accessing a gateway in the Internet of Vehicles, which comprises the steps of: scanning a data signal by a processor; the processor calling data from a potential safety hazard case database and comparing the data signal with the case characteristics in that database; if matching case characteristics exist, intercepting the data signal; if no matching case characteristics exist, converting the data signal into an encrypted data signal; and transmitting the encrypted data signal. By selecting different encryption algorithms, secure multi-scenario data access in the Internet of Vehicles can be realised: data security is guaranteed, user information is prevented from being stolen, the real-time performance of the data is improved, the speed of information exchange is increased, and communication becomes more convenient and faster.

Description

Method for accessing gateway safely in Internet of vehicles
Technical Field
The invention relates to the technical field of Internet of vehicles, in particular to a method for safely accessing a gateway of the Internet of vehicles.
Background
A gateway is also called an internetwork connector or protocol converter. It realises network interconnection above the network layer, is a complex network interconnection device, and is used only for interconnecting two networks with different high-level protocols. A gateway can be used to interconnect a wide area network and a local area network; an Internet of Things gateway realises the functions of wide-area interconnection, local-area interconnection and device management through a communication network.
At present, the basic functions of an Internet of Things gateway include data acquisition, data transmission, monitoring and equipment control. The concept of the Internet of Vehicles arose with the development of electric vehicles, and communication and data sharing in the Internet of Vehicles have become mainstream. However, communication in the Internet of Vehicles is mainly wireless, whereas data analysis generally uses wired communication modes such as carrier communication and optical-fibre communication; in the process of converting between these different protocols at the gateway, data security needs to be guaranteed and user information prevented from being stolen.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above-mentioned conventional problems.
Therefore, the technical problem solved by the invention is as follows: communication in the Internet of Vehicles is mainly wireless, whereas data analysis generally uses wired communication modes such as carrier communication and optical-fibre communication; in the process of converting between these different protocols at the gateway, data security needs to be guaranteed and user information prevented from being stolen.
In order to solve this technical problem, the invention provides the following technical scheme: a method for securely accessing a gateway in the Internet of Vehicles comprises the steps of scanning a data signal by a processor; the processor calling data from the potential safety hazard case database and comparing the data signal with the case characteristics in that database; if matching case characteristics exist, intercepting the data signal; if no matching case characteristics exist, converting the data signal into an encrypted data signal; and transmitting the encrypted data signal.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: the gateway receives the data signal and stores it in an isolated memory; the data signal is scanned by a processor; an external detection interface is arranged on the gateway, and an external antivirus module is connected to the external detection interface.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: a plurality of interfaces are arranged on the gateway; the interface types include a WLAN interface, a Bluetooth interface, WIFI, a BT interface, a LoRa interface, an Ethernet interface, a Serial interface and a carrier communication interface.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: the data signal is encrypted according to the IPsec protocol and converted into an encrypted data signal; the IPsec process is monitored, conversion of the data signal is stopped when the data signal is abnormal, and the abnormal data signal is stored as a data case in the potential safety hazard case database.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: the data signal is encrypted and decrypted by the DES data encryption algorithm to obtain the original plaintext, where the computational expressions for encryption and decryption are as follows:
$M = m_1 m_2 \ldots m_t \ldots m_{64} \quad (1 \le t \le 64)$
$K = k_1 k_2 \ldots k_t \ldots k_{64} \quad (1 \le t \le 64)$
$\mathrm{DES}(M) = IP^{-1}\, T_{16} T_{15} \ldots T_1\, IP(M)$
where M represents the plaintext or ciphertext, K represents the key, IP represents the initial permutation, $IP^{-1}$ represents the inverse initial permutation and T represents one round of the loop iteration. The DES block operation works on 64 b of plaintext: M passes through the initial permutation IP to become $M_1$, and $M_1$ is divided into $m_1 = (L_0, R_0)$, a left part and a right part of 32 b each; 16 identical rounds of iteration are then carried out, and in each round the correspondingly iterated key is combined with the data to produce the encrypted or decrypted ciphertext or plaintext.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: the encrypted data signal enters the isolated memory again; the encrypted data signal is scanned by the processor for security verification; the processor calls data from the potential safety hazard case database and compares the encrypted data signal with the case characteristics in that database; if matching case characteristics exist, the encrypted data signal is intercepted and stored as a data case in the potential safety hazard case database; if no matching case characteristics exist, the encrypted data signal is output through a gateway interface.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: the public key information of a blockchain node is used as the identity of the node in place of the node's certificate, and the encrypted data signal is verified by querying the blockchain network for the node's public key information.
As a preferred solution of the method for securely accessing a gateway in the Internet of Vehicles according to the present invention: parameters pre-negotiated by asymmetric encryption between nodes of the Internet of Vehicles are stored in cookies; when data transmission is carried out again between the same nodes, the PreMasterKey is extracted from the cookie file corresponding to the local node, which simplifies the key agreement process.
The invention has the following beneficial effects: by selecting different encryption algorithms, secure multi-scenario data access in the Internet of Vehicles can be realised, so that data security is guaranteed, user information is prevented from being stolen, the real-time performance of the data is improved, the speed of information exchange is increased, and communication becomes more convenient and faster.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
Fig. 1 is a basic flowchart of the method for accessing a gateway in the Internet of Vehicles according to an embodiment of the present invention.
Fig. 2 is a schematic flowchart of the DES data encryption algorithm of the method for securely accessing a gateway in the Internet of Vehicles according to an embodiment of the present invention.
Fig. 3 is a schematic flowchart of the AES data encryption algorithm of the method for securely accessing a gateway in the Internet of Vehicles according to an embodiment of the present invention.
Fig. 4 is a schematic flowchart of the security verification performed on an encrypted data signal by the method for securely accessing a gateway in the Internet of Vehicles according to an embodiment of the present invention.
Fig. 5 is a specific flowchart of the Internet of Vehicles data security transmission method based on the IPsec protocol, within the method for securely accessing a gateway in the Internet of Vehicles according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Meanwhile, in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation and operate, and thus, cannot be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected and connected" in the present invention are to be understood broadly, unless otherwise explicitly specified or limited, for example: can be fixedly connected, detachably connected or integrally connected; they may be mechanically, electrically, or directly connected, or indirectly connected through intervening media, or may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
Referring to fig. 1-3, there is provided, for one embodiment of the present invention, a method including:
S1: A plurality of interfaces are arranged on the gateway; the interface types include a WLAN interface, a Bluetooth interface, WIFI, a BT interface, a LoRa interface, an Ethernet interface, a Serial interface and a carrier communication interface. An external detection interface is also arranged on the gateway and is connected to an external antivirus module; the external antivirus module is a hard disk drive in which an antivirus program is installed, and this external antivirus device is used to physically inspect and disinfect the case database and to add newly discovered cases to update the database.
The gateway receives the data signal and stores it in the isolated memory.
The data signal is scanned by the processor.
S2: The processor calls the data of the potential safety hazard case database and compares the data signal with the case characteristics in that database.
If matching case characteristics exist, the data signal is intercepted.
If no matching case characteristics exist, the data signal is converted into an encrypted data signal.
The encrypted data signal is transmitted.
S3: The data signal is encrypted according to the IPsec protocol and converted into an encrypted data signal.
According to the different security and real-time requirements for transmitting different kinds of Internet of Vehicles service data, different encryption algorithms are selected to encrypt the Internet of Vehicles data. The DES data encryption algorithm is a block encryption algorithm: the plaintext length, key length and ciphertext length are all 64 b; 56 b of the original key are used as the initial key that takes part in the DES operation (the 8th, 16th, 24th, 32nd, 40th, 48th, 56th and 64th bits are parity check bits), and the same original key is used to decrypt the ciphertext and recover the original plaintext. The DES block operation works on the 64 b plaintext: after the initial permutation IP, M is split into a left part and a right part of 32 b each; the data then passes through 16 identical rounds of iteration, each combining the data with the correspondingly iterated round key, and the final data is formed by a final permutation.
The AES data encryption algorithm is a symmetric block cipher algorithm that iterates over the Rijndael structure. The block length is 128 b; keys of length 128 b, 192 b and 256 b are supported, and the key length and block length together determine the number of transformation rounds. An AES encryption round mainly comprises byte substitution, row shifting, column mixing and round key addition. Byte substitution (SubBytes) completes the byte mapping using an S-box; the row shift (ShiftRows) circularly shifts the rows of the state matrix to the left after SubBytes; column mixing (MixColumns) transforms the columns of the state matrix to ensure a high degree of diffusion after multiple rounds of the AES algorithm; round key addition (AddRoundKey) is the bitwise exclusive-or of a round key with the intermediate data.
Before two communicating parties transmit data, key negotiation is first carried out through asymmetric encryption to ensure secure sharing of a session key; the communication data is then transmitted between the nodes encrypted under the negotiated session key with a symmetric encryption algorithm, so that communication delay and consumption of computing resources are reduced while the confidentiality and integrity of the data transmission are ensured.
The data signal is encrypted and decrypted by the DES data encryption algorithm to obtain the original plaintext, where the computational expressions for encryption and decryption are as follows:
$M = m_1 m_2 \ldots m_t \ldots m_{64} \quad (1 \le t \le 64)$
$K = k_1 k_2 \ldots k_t \ldots k_{64} \quad (1 \le t \le 64)$
$\mathrm{DES}(M) = IP^{-1}\, T_{16} T_{15} \ldots T_1\, IP(M)$
where M represents the plaintext or ciphertext, K represents the key, IP represents the initial permutation, $IP^{-1}$ represents the inverse initial permutation and T represents one round of the loop iteration. The DES block operation works on 64 b of plaintext: M passes through the initial permutation IP to become $M_1$, and $M_1$ is divided into $m_1 = (L_0, R_0)$, a left part and a right part of 32 b each; 16 identical rounds of iteration are then carried out, and in each round the correspondingly iterated key is combined with the data to produce the encrypted or decrypted ciphertext or plaintext.
The key bits are shifted in each round of encryption and decryption, and 48 b are selected from the 56 b key. The right half of the data is expanded to 48 b by the expansion permutation, combined with the 48 b round key by an exclusive-or operation, and then compressed back to 32 b. This new right half is combined with the left half by another exclusive-or operation, and the original right half becomes the new left half. This operation is repeated for 16 rounds, after which the left and right halves are combined and subjected to the final permutation to form the final data.
The AES algorithm is a symmetric block cipher algorithm that iterates over the Rijndael structure; the block length is 128 b, keys of 128 b, 192 b and 256 b are supported, and the number of transformation rounds is determined by the key length and block length. Fig. 2 shows the 128 b AES encryption process: after the initial round key addition it enters 10 iterations; the first 9 rounds are identical, each consisting of byte substitution, row shift, column mixing and round key addition, while the last round differs in that the column mixing operation is skipped. Decryption is the reverse of the corresponding encryption flow: each step is reversible, the decryption flow performs the steps in reverse order, and the round keys are used in the opposite order.
The main function of byte substitution (SubBytes) is to map bytes through the S-box. The S-box is a 16 × 16 matrix that maps an 8 b input to an 8 b output: the low 4 b of the input select the column and the high 4 b select the row, so the operation is essentially a table lookup.
The row shift (ShiftRows) circularly shifts the state matrix to the left after SubBytes. In the 128 b AES transformation, the 1st row of the state matrix is not shifted and the 2nd to 4th rows are circularly shifted left by 1 to 3 bytes respectively; the expression is:
sta'[i][j] = sta[i][(j + i) % 4], i, j ∈ [0, 3]
The inverse row shift is the opposite operation, with the expression:
sta'[i][j] = sta[i][(4 + j - i) % 4], i, j ∈ [0, 3]
Column mixing (MixColumns) transforms the columns of the state matrix: each column is regarded as a polynomial of degree less than 4 with coefficients in the finite field $GF(2^8)$, and is multiplied modulo $x^4 + 1$ by the polynomial c(x), i.e.:
$c(x) = 03 \cdot x^3 + 01 \cdot x^2 + 01 \cdot x + 02$
$b(x) = c(x) \cdot a(x) \bmod (x^4 + 1)$
written in matrix form as shown in Figure BDA0003408355140000071 (matrix not reproduced in this text).
Like the row shift, column mixing ensures that a high degree of diffusion is obtained after multiple rounds of the AES algorithm. Round key addition (AddRoundKey) is the bitwise exclusive-or of a round key with the intermediate data. The round keys are generated from the initial key by a key schedule algorithm, and each round key has the same length as the block.
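The ShiftRows and MixColumns expressions above, as an added example that is not part of the patent: a Python implementation on a row-major 4 × 4 state (sta[i][j] is row i, column j) using the page's index formulas and the multiplication by c(x) modulo $x^4 + 1$ written out as its circulant matrix over $GF(2^8)$. The inverse MixColumns polynomial (0b·x³ + 0d·x² + 09·x + 0e) is the standard AES one and is not given on the page.

```python
# Added example (not from the patent): ShiftRows and MixColumns of AES on a 4 x 4
# byte state, following sta'[i][j] = sta[i][(j + i) % 4] and
# b(x) = c(x) * a(x) mod (x^4 + 1) with c(x) = 03x^3 + 01x^2 + 01x + 02.
# sta[i][j] is row i, column j. The InvMixColumns polynomial
# 0b x^3 + 0d x^2 + 09 x + 0e is the standard AES one, not given on the page.

def xtime(b):
    """Multiply a byte by x (i.e. by 02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def shift_rows(sta):
    """Row i is rotated left by i bytes: sta'[i][j] = sta[i][(j + i) % 4]."""
    return [[sta[i][(j + i) % 4] for j in range(4)] for i in range(4)]

def inv_shift_rows(sta):
    """The opposite rotation: sta'[i][j] = sta[i][(4 + j - i) % 4]."""
    return [[sta[i][(4 + j - i) % 4] for j in range(4)] for i in range(4)]

# Multiplication by c(x) modulo x^4 + 1 is a circulant matrix over GF(2^8);
# row r of the matrix holds the coefficients that produce output byte b_r.
C_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
C_INV_MATRIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col, matrix=C_MATRIX):
    """b = M * a over GF(2^8): each output byte is the XOR of the products along one matrix row."""
    out = []
    for row in matrix:
        acc = 0
        for coef, a in zip(row, col):
            acc ^= gf_mul(coef, a)
        out.append(acc)
    return out

def mix_columns(sta, matrix=C_MATRIX):
    """Apply mix_column to every column of the row-major state and rebuild the state."""
    cols = [mix_column([sta[i][j] for i in range(4)], matrix) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]

def inv_mix_columns(sta):
    return mix_columns(sta, C_INV_MATRIX)

def diffusion_round_trip(sta):
    """ShiftRows then MixColumns (the diffusion half of an AES round), and its exact inverse."""
    forward = mix_columns(shift_rows(sta))
    back = inv_shift_rows(inv_mix_columns(forward))
    return forward, back
```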
Security and real-time performance are the important indexes for selecting an encryption algorithm. From the standpoint of algorithm security, AES is more secure than DES for a key of the same number of bits; from the standpoint of implementation, DES encryption and decryption are faster than AES. Therefore, for the differentiated security and real-time requirements of Internet of Vehicles services, secure access to multi-scenario Internet of Vehicles data can be realised by selecting different encryption algorithms, so that data security is guaranteed, user information is prevented from being stolen, the real-time performance of the data is improved, the speed of information exchange is increased, and communication becomes more convenient and faster.
S4: The public key information of a blockchain node is used as the identity of the node in place of the node's certificate; the encrypted data signal is verified by querying the blockchain network for the node's public key information.
Parameters pre-negotiated by asymmetric encryption between nodes of the Internet of Vehicles are stored in cookies; when data transmission is carried out again between the same nodes, the PreMasterKey is extracted from the cookie file corresponding to the local node, which simplifies the key agreement process.
The IPsec process is monitored; conversion of the data signal is stopped when the data signal is abnormal, and the abnormal data signal is stored as a data case in the potential safety hazard case database.
S5: The encrypted data signal enters the isolated memory again and is scanned by the processor for security verification; the processor calls data from the potential safety hazard case database and compares the encrypted data signal with the case characteristics in that database; if matching case characteristics exist, the encrypted data signal is intercepted and stored as a data case in the potential safety hazard case database; if no matching case characteristics exist, the encrypted data signal is output through the gateway interface.
Example 2
Referring to Fig. 4 and Fig. 5, another embodiment of the present invention differs from the first embodiment in that a method for securely accessing a gateway in the Internet of Vehicles is provided and, in order to verify and explain the technical effects adopted in the method, this embodiment runs a comparison test between a conventional technical scheme and the method of the present invention and compares the test results by scientific demonstration to verify the real effect of the method.
The IPsec protocol is widely used in internet applications such as online payment, e-mail and e-commerce portal sites, and is widely deployed on different terminal system platforms such as Windows, Linux and Android.
The method uses the public key information of the blockchain nodes as the identity of the nodes in place of their certificates, so the authenticity and validity of a node can be verified by querying the node's public key information from the blockchain network. This avoids the single-point-of-failure problem caused by the participation of a third-party central authority (CA) in the traditional IPsec protocol, reduces the security threat to public key authentication and improves the security of key agreement. At the same time, the public key information of each Internet of Vehicles node is stored in the blockchain, whose stored data is tamper-resistant and traceable, so the integrity of the node's public key information is ensured and the authenticity and validity of another node's public key can be verified by querying it directly through the blockchain network.
Based on the principle by which cookies and sessions save HTTP login information, cookies are used to save the parameters (such as the PreMasterKey) already negotiated by asymmetric encryption between nodes of the Internet of Vehicles. When a session is carried out again between the same nodes, the PreMasterKey is extracted directly from the locally corresponding cookie file instead of being shared again through asymmetric encryption; this removes one asymmetric encryption and decryption, simplifies the key negotiation process and thereby reduces the key negotiation delay.
The specific process of the Internet of vehicles data security transmission method of the improved ipsec protocol comprises the following steps:
s1: node a → node B: node A sends A Hello message to node B, and proposes request for establishing session. Wherein the A Hello message contains the following; the A ID is a code generated by the node A, and the A Cipher Suit is a related encryption algorithm group selected by the node A for the session, and mainly comprises a symmetric encryption algorithm, an asymmetric encryption algorithm, a hash algorithm and other related contents; RandomA is a random number generated by the node A and is mainly used for generating a subsequent session key; the A Count is used for node A access counting, the initial access is 0, and then 1 is added in sequence; the A Public Key is a Public Key used by the node A for the transmission, and is used for determining the authenticity of the node A.
S2: node B → node a: the node B sends a B Hello message to the node A, after receiving the A Hello message, the node B verifies a public key of the node A through a block chain network, ensures the authenticity of the node A, checks whether the node A is in initial connection or whether cookie information is invalid, and transmits the public key information of the node B and a key suite to the node A; wherein, the specific content contained in the B Hello message is similar to the A Hello. And (4) processing according to different conditions, if the initial session or the cookie information fails, the node A performs the operation S3 and the subsequent steps, and otherwise, the step is skipped to the step S5 and the subsequent steps.
S3: node A → node B: node A generates a pre-master key PreMasterKey and transmits it to node B. Node A first verifies the public key of node B through the blockchain network to ensure that the public key really belongs to node B; if the verification passes, the PreMasterKey is generated at random, encrypted with the RSA encryption algorithm and the public key provided in the B Hello message, and transmitted to node B, and the PreMasterKey together with related information is written into a cookie that is stored locally.
S4: node B → node A: node B decrypts the information sent by node A with its private key and the RSA algorithm to obtain the PreMasterKey, generates a cookie file from the PreMasterKey and related information for local storage, and informs node A that the PreMasterKey has been received.
S5: node A → node B: node A generates the session key for this session connection and informs node B that the handshake has ended. Specifically, node A extracts the PreMasterKey from the cookie, generates the master key MasterKey and the session key SessionKey of this communication with a PRF algorithm in combination with the random numbers RandomA and RandomB, then updates the cookie information by replacing the PreMasterKey with the latest MasterKey, and informs node B that the handshake has ended. The key and encryption algorithm for subsequent communication change, and node A updates its access count.
S6: node B → node A: node B generates the session key for this session connection, sends a check value to node A and informs node A that the handshake has ended. Specifically, node B extracts the PreMasterKey and the random numbers RandomA and RandomB, generates the master key MasterKey and the session key SessionKey with a PRF algorithm, then updates the cookie information by replacing the original PreMasterKey with the latest MasterKey, generates a check value HMAC over the information of the whole key negotiation process with a message digest algorithm, and transmits the check value to node A to inform node A that the handshake has ended. The session key and encryption algorithm for subsequent communication change, and node B updates its access count at the same time, indicating that a secure data transmission channel has been established.
S7: node A and node B encrypt their communication with the session key SessionKey and the AES symmetric encryption algorithm, so that data transmission is kept secure.
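The handshake of S3 to S6, together with the cookie-based resumption described in claim 9, as an added Go example; it is not code from the patent or from any implementation by the applicant. The page does not define its PRF, its message digest, or how the blockchain query is performed, so the example assumes HMAC-SHA256 for both the PRF and the check value, RSA-OAEP for transporting the PreMasterKey, an in-memory map named registry in place of the blockchain public-key lookup, and the names Node, NewNode, Handshake and Resume, all of which are the example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node is one endpoint; Cookies holds the per-peer secret (PreMasterKey after S3/S4, replaced by the MasterKey at S5/S6).
type Node struct {
	Name    string
	priv    *rsa.PrivateKey
	Cookies map[string][]byte
	Access  int // access count, incremented when a handshake completes
}

// registry stands in for the blockchain lookup of claim 8 (assumption): the public key is the node's identity, not a certificate.
var registry = map[string]*rsa.PublicKey{}

func NewNode(name string) (*Node, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	registry[name] = &k.PublicKey
	return &Node{Name: name, priv: k, Cookies: map[string][]byte{}}, nil
}

// tag is HMAC-SHA256, used both as the PRF building block and as the S6 check value (the page names neither construction).
func tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// prf expands a secret over a label and both Hello randoms; the 32-byte result serves directly as a key.
func prf(secret []byte, label string, randA, randB []byte) []byte {
	return tag(secret, bytes.Join([][]byte{[]byte(label), randA, randB}, nil))
}

// deriveKeys is the part of S5/S6 both sides perform: MasterKey and SessionKey from the cookie secret, then the cookie holds the MasterKey.
func deriveKeys(n *Node, peer string, randA, randB []byte) (master, session []byte) {
	master = prf(n.Cookies[peer], "master", randA, randB)
	session = prf(master, "session", randA, randB)
	n.Cookies[peer] = master
	n.Access++
	return master, session
}

// Handshake runs S3-S6 between a and b (Hello randoms already exchanged) and returns the SessionKey each side computed.
func Handshake(a, b *Node, randA, randB []byte) (sessA, sessB []byte, err error) {
	// S3: A confirms B's public key through the registry, then sends an RSA-encrypted PreMasterKey and caches it in its cookie.
	pub, ok := registry[b.Name]
	if !ok || pub.N.Cmp(b.priv.PublicKey.N) != 0 {
		return nil, nil, errors.New("public key of B not confirmed by registry")
	}
	pms := make([]byte, 48)
	if _, err = rand.Read(pms); err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pms, nil)
	if err != nil {
		return nil, nil, err
	}
	a.Cookies[b.Name] = pms
	// S4: B decrypts with its private key and caches the PreMasterKey.
	if b.Cookies[a.Name], err = rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, ct, nil); err != nil {
		return nil, nil, err
	}
	// S5/S6: both sides derive MasterKey and SessionKey; B sends an HMAC over the negotiation transcript, which A recomputes.
	masterA, sessA := deriveKeys(a, b.Name, randA, randB)
	masterB, sessB := deriveKeys(b, a.Name, randA, randB)
	transcript := bytes.Join([][]byte{randA, randB, ct}, nil)
	if !hmac.Equal(tag(masterB, transcript), tag(masterA, transcript)) {
		return nil, nil, errors.New("handshake check value mismatch")
	}
	return sessA, sessB, nil
}

// Resume is claim 9: a later session between the same nodes starts from the MasterKey cached in the cookie, skipping S3/S4.
func Resume(a, b *Node, randA, randB []byte) (sessA, sessB []byte) {
	_, sessA = deriveKeys(a, b.Name, randA, randB)
	_, sessB = deriveKeys(b, a.Name, randA, randB)
	return sessA, sessB
}

func main() {
	a, _ := NewNode("A")
	b, _ := NewNode("B")
	sa, sb, err := Handshake(a, b, []byte("randomA"), []byte("randomB"))
	fmt.Println("session keys equal:", bytes.Equal(sa, sb), "err:", err, "A access count:", a.Access)
}
```

Both sides finish with the same SessionKey and each cookie then holds the MasterKey rather than the PreMasterKey, so a later Resume derives fresh session keys from the cached secret with no RSA operation. The registry check in S3 runs before any secret is sent: a registry entry that does not match B's actual key aborts the handshake, which is the point of using the blockchain-published public key as the node identity.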
Table 1: comparison table of the method and the traditional method (the table is an image on the original page and its contents are not reproduced in the text).
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein. A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.

Claims (9)

1. A method for safely accessing a gateway in the Internet of Vehicles, characterized by comprising the following steps:
scanning the data signal by a processor;
the processor calling data of the potential safety hazard case database and comparing the data signal with the case characteristics in the potential safety hazard case database;
if the same case characteristic exists, intercepting the data signal;
if the same case characteristic does not exist, converting the data signal into an encrypted data signal;
and transmitting the encrypted data signal.
2. The method for safely accessing a gateway in the Internet of Vehicles according to claim 1, wherein:
the gateway receives the data signal and stores the data signal in an isolation memory;
the processor scans the data signal;
an external detection interface is provided on the gateway, and an external antivirus module is connected to the external detection interface.
3. The method for safely accessing a gateway in the Internet of Vehicles according to claim 2, wherein: a plurality of interfaces are provided on the gateway, the interface types including a WLAN interface, a Bluetooth interface, a WiFi interface, a BT interface, a LoRa interface, an Ethernet interface, a serial interface and a carrier communication interface.
4. The method for safely accessing a gateway in the Internet of Vehicles according to claim 3, wherein: the data signal is encrypted according to the IPsec protocol and converted into an encrypted data signal;
and the process of the IPsec protocol is monitored; when the data signal is abnormal, conversion of the data signal is stopped and the data signal is stored as a data case in the potential safety hazard case database.
5. The method for safely accessing a gateway in the Internet of Vehicles according to claim 4, wherein: the data signal is encrypted and decrypted with the DES data encryption algorithm to obtain the original plaintext, the computational expressions of encryption and decryption being:
$M = m_1 m_2 \ldots m_t \ldots m_{64} \quad (1 \le t \le 64)$
$K = k_1 k_2 \ldots k_t \ldots k_{64} \quad (1 \le t \le 64)$
$\mathrm{DES}(M) = IP^{-1} \, T_{16} T_{15} \ldots T_1 \, IP(M)$
wherein $M$ represents the plaintext or ciphertext, $K$ represents the key, $IP$ represents the initial permutation, $IP^{-1}$ represents the inverse initial permutation, and $T$ represents one round of the loop iteration.
6. The method for safely accessing a gateway in the Internet of Vehicles according to claim 5, wherein: the DES block operation works on a 64-bit plaintext $M$; $M$ passes through the initial permutation $IP$ to give $m_1$, $m_1$ is divided into $m_1 = (L_0, R_0)$ with each half 32 bits long, and 16 identical iterations then follow, each combining the subkey obtained for that iteration, to generate the encrypted ciphertext or the decrypted plaintext.
7. The method for safely accessing a gateway in the Internet of Vehicles according to claim 6, wherein:
the encrypted data signal enters the isolation memory again;
the processor scans the encrypted data signal for security verification;
the processor calls data of the potential safety hazard case database and compares the encrypted data signal with the case characteristics in the potential safety hazard case database;
if the same case characteristic exists, the encrypted data signal is intercepted and stored as a data case in the potential safety hazard case database;
and if the same case characteristic does not exist, the encrypted data signal is output through the gateway interface.
8. The method for safely accessing a gateway in the Internet of Vehicles according to claim 7, wherein: the public key information of a blockchain node is taken as the identity of the node and replaces the certificate of the node;
the encrypted data signal is verified by querying the blockchain network for the public key information of the node.
9. The method for safely accessing a gateway in the Internet of Vehicles according to claim 8, wherein: parameters pre-negotiated between nodes of the Internet of Vehicles by asymmetric encryption are stored in cookies;
when data is transmitted again between the same nodes, the PreMasterKey is extracted from the cookie file corresponding to the local node, simplifying the key agreement process.
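The scan, intercept, convert, rescan and output sequence of claims 1 to 7, as an added Go example that is not code from the patent or its applicant. The case database is represented as a list of byte patterns and the "same case characteristic" test as substring containment, both constructed for the example; AES-GCM stands in for the IPsec/DES conversion the claims name; and an error from cipher setup (such as a wrong key length) is what the example treats as the "abnormal" condition that stops conversion and stores the signal as a new case. The names Gateway, NewGateway, Process, Restore and the Verdict values, and the sample patterns and signals, are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verdict records what the gateway did with one data signal.
type Verdict string

const (
	Intercepted   Verdict = "intercepted"    // matched a hazard case and was dropped
	EncryptFailed Verdict = "encrypt-failed" // conversion aborted; the signal became a new case
	Forwarded     Verdict = "forwarded"      // encrypted and sent out of the gateway interface
)

// Gateway models claims 1-7: an isolation memory, the potential safety hazard
// case database (a list of byte patterns; constructed representation), the
// conversion key, and what left the outgoing interface.
type Gateway struct {
	Isolation [][]byte
	Cases     [][]byte
	key       []byte
	Output    [][]byte
}

func NewGateway(cases [][]byte, key []byte) *Gateway {
	return &Gateway{Cases: append([][]byte(nil), cases...), key: key}
}

// scan is the processor step: the signal is compared with every case
// characteristic, and a contained pattern counts as "the same case characteristic".
func (g *Gateway) scan(signal []byte) bool {
	for _, c := range g.Cases {
		if bytes.Contains(signal, c) {
			return true
		}
	}
	return false
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// convert turns the signal into an encrypted data signal; AES-GCM stands in for
// the IPsec/DES conversion of claims 4 and 5. Any error is reported as abnormal.
func (g *Gateway) convert(signal []byte) ([]byte, error) {
	gcm, err := gcmFor(g.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, signal, nil), nil
}

// Restore is the receiving side's decryption back to the original plaintext.
func Restore(key, enc []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(enc) < ns {
		return nil, errors.New("encrypted signal too short")
	}
	return gcm.Open(nil, enc[:ns], enc[ns:], nil)
}

// Process runs one signal through the whole pipeline and returns the verdict.
func (g *Gateway) Process(signal []byte) (Verdict, error) {
	g.Isolation = append(g.Isolation, signal) // claim 2: held in isolation memory while scanned
	defer func() { g.Isolation = g.Isolation[:len(g.Isolation)-1] }()
	if g.scan(signal) { // claim 1: first scan, intercept on a match
		return Intercepted, nil
	}
	enc, err := g.convert(signal) // claim 4: monitored conversion
	if err != nil {
		g.Cases = append(g.Cases, signal) // abnormal conversion: signal stored as a data case
		return EncryptFailed, err
	}
	if g.scan(enc) { // claim 7: the encrypted signal is scanned again before output
		g.Cases = append(g.Cases, enc)
		return Intercepted, nil
	}
	g.Output = append(g.Output, enc) // claim 7: output through the gateway interface
	return Forwarded, nil
}

func main() {
	// Constructed case characteristics and signals; none are values from the patent.
	cases := [][]byte{[]byte("hazard-case-0001"), []byte("hazard-case-0002")}
	g := NewGateway(cases, bytes.Repeat([]byte{0x11}, 32))
	for _, s := range []string{"telemetry: speed=42", "telemetry: hazard-case-0002"} {
		v, err := g.Process([]byte(s))
		fmt.Printf("%-30q -> %s (err=%v)\n", s, v, err)
	}
}
```

The case database grows only on the two paths the claims describe (an abnormal conversion, or a match on the rescan), and the isolation memory is released once a verdict is reached. Because the rescan runs on ciphertext, a pattern database built from plaintext characteristics will rarely match there; the example keeps the step because claim 7 requires it, and a deployment would want the monitoring of claim 4 to carry most of the weight.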
CN202111522723.4A 2021-12-13 2021-12-13 Method for safely accessing gateway of Internet of vehicles Active CN114364062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111522723.4A CN114364062B (en) 2021-12-13 2021-12-13 Method for safely accessing gateway of Internet of vehicles

Publications (2)

Publication Number Publication Date
CN114364062A true CN114364062A (en) 2022-04-15
CN114364062B CN114364062B (en) 2023-12-01

Family

ID=81098875

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111522723.4A Active CN114364062B (en) 2021-12-13 2021-12-13 Method for safely accessing gateway of Internet of vehicles

Country Status (1)

Country Link
CN (1) CN114364062B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760056A (en) * 2022-06-15 2022-07-15 广州万协通信息技术有限公司 Secure communication method and device for dynamically updating key
CN115208694A (en) * 2022-09-13 2022-10-18 智己汽车科技有限公司 Vehicle-mounted network communication encryption system based on central computing platform and vehicle
CN116599774A (en) * 2023-07-17 2023-08-15 交通运输部公路科学研究所 Encryption chip for information security and data protection of Internet of vehicles

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410569A (en) * 2014-11-26 2015-03-11 公安部第三研究所 Perception communication interconnecting gateway and method for processing data
US20150146540A1 (en) * 2013-11-22 2015-05-28 At&T Mobility Ii Llc Methods, Devices and Computer Readable Storage Devices for Intercepting VoIP Traffic for Analysis
CN107968774A (en) * 2016-10-20 2018-04-27 深圳联友科技有限公司 A kind of protecting information safety method of car networking terminal device
CN110048850A (en) * 2019-03-26 2019-07-23 重庆邮电大学 A kind of car networking data security transmission technology based on improvement SSL/TLS agreement
US10887348B1 (en) * 2017-08-04 2021-01-05 Amazon Technologies, Inc. Detection of network traffic interception
CN113472817A (en) * 2021-09-03 2021-10-01 杭州网银互联科技股份有限公司 Gateway access method and device for large-scale IPSec and electronic equipment

Also Published As

Publication number Publication date
CN114364062B (en) 2023-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant