CN114615061B - Ethernet access authentication method and device - Google Patents


Info

Publication number: CN114615061B
Authority: CN (China)
Prior art keywords: authentication, mac address, unicast, message, vehicle
Legal status: Active
Application number: CN202210241428.XA
Other languages: Chinese (zh)
Other versions: CN114615061A
Inventors: 张蕾, 郭卫华
Current Assignee: Beijing Jingwei Hirain Tech Co Ltd
Original Assignee: Beijing Jingwei Hirain Tech Co Ltd
Application filed by Beijing Jingwei Hirain Tech Co Ltd; priority to CN202210241428.XA; publication of CN114615061A; application granted; publication of CN114615061B.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00)
    • H04L2209/84 Vehicles

Abstract

The application discloses an Ethernet access authentication method and device. The method is applied to a system comprising at least one ECU, a TBOX and a vehicle-mounted switch, with an authentication client deployed on each ECU and an authentication server deployed on the TBOX, and includes: acquiring the MAC address of the TBOX stored in a whole vehicle MAC address information table, wherein the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU; generating a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs and the destination address is the MAC address of the TBOX; and sending the unicast start authentication message to the vehicle-mounted switch, so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX. The scheme changes the message format of a preset Ethernet protocol (such as IEEE 802.1X) from multicast to unicast, so that the vehicle-mounted switch no longer discards the message and the authentication flow can complete successfully.

Description

Ethernet access authentication method and device
Technical Field
The present invention relates to the field of ethernet technologies, and in particular, to an ethernet access authentication method and device.
Background
Ethernet is currently the most common type of computer network. It implements the idea of a radio system in which multiple nodes transmit information over a shared medium, each node having to acquire the cable or channel before it transmits; that shared medium is what Ethernet takes its name from. Each node has a globally unique 48-bit address, the MAC (Media Access Control) address assigned to the network card by its manufacturer, so that all nodes on the Ethernet network can identify one another.
To ensure the security of devices accessing the network, security authentication is usually required when a device joins an Ethernet network. IEEE 802.1X is the most commonly used Ethernet authentication protocol; it performs authentication in a client/server manner. Before authentication succeeds, only EAPOL (Extensible Authentication Protocol over LAN) data is allowed through the switch port to which the device is connected; after authentication succeeds, normal data passes through the Ethernet port freely. In the related art, the authentication server runs the IEEE 802.1X protocol on the switch, and an authentication client is deployed on each access device, such as a personal computer or a VoIP phone. After the authentication client starts, it immediately sends a multicast start authentication message to the switch, which starts the IEEE 802.1X authentication process; the switch hands the received multicast start authentication message to its IEEE 802.1X protocol module (that is, the authentication server) for subsequent processing, the server sends the subsequent authentication messages to the authentication client according to the IEEE 802.1X protocol specification, and the IEEE 802.1X protocol processing flow is completed after several exchanges.
However, the above authentication scheme is not suitable for an in-vehicle Ethernet network, for two reasons. First, the processing capacity of a switch in the in-vehicle Ethernet (the vehicle-mounted switch) is weak: it can only run a single embedded program and cannot process the complex IEEE 802.1X authentication protocol, so an authentication server cannot be deployed on the in-vehicle access switch or on an intermediate switch. Second, if the authentication server is instead deployed on another device with stronger processing capability and the vehicle-mounted switch merely forwards traffic, authentication still cannot be completed, because the vehicle-mounted switch does not support forwarding of multicast messages: the multicast message sent by the authentication client is discarded and authentication is interrupted.
Disclosure of Invention
The application provides an Ethernet access authentication method and device, which can realize vehicle-mounted Ethernet security authentication and can also improve authentication security.
The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides an Ethernet access authentication method. The method is applied to a system that includes at least one electronic control unit (ECU), a telematics unit (TBOX) and a vehicle-mounted switch, an authentication client being deployed on each ECU and an authentication server being deployed on the TBOX, and the method includes:
acquiring the MAC address of a TBOX stored in a whole vehicle Media Access Control (MAC) address information table, wherein the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU;
generating a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, and the destination address is the MAC address of the TBOX;
and sending the unicast start authentication message to a vehicle-mounted switch, so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX.
In one embodiment, the whole vehicle MAC address information table further includes authentication authority information of each ECU, and the method further includes:
when the authentication client sends the unicast start authentication message to the authentication server through the vehicle-mounted switch, the authentication server receives the unicast start authentication message and decides, according to the authentication authority information corresponding to its source address in the pre-stored whole vehicle MAC address information table, whether to carry out the subsequent access authentication flow with the authentication client in unicast message format according to a preset Ethernet protocol.
In one embodiment, the method further comprises:
receiving a unicast re-authentication message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server, after the TBOX starts, generates a unicast re-authentication message for each ECU with authentication authority according to the whole vehicle MAC address information table, the destination address of each unicast re-authentication message being the MAC address of the corresponding ECU;
when the authentication client determines that it has not yet performed access authentication, sending a first unicast identity information response with the MAC address of the TBOX as destination address to the authentication server through the vehicle-mounted switch, so that the authentication server performs the subsequent access authentication flow with the authentication client in unicast message format based on the authentication client identity in the first unicast identity information response and the preset Ethernet protocol;
when the authentication client determines that it is in the middle of access authentication, sending a second unicast identity information response with the MAC address of the TBOX as destination address to the authentication server, the second unicast identity information response indicating that the authentication client is in the middle of access authentication, so that the authentication server continues the subsequent access authentication flow with the authentication client in unicast message format, based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol, from the previous authentication progress;
and when the authentication client determines that its own access authentication has already been completed, ignoring the unicast re-authentication message.
In one embodiment, acquiring the MAC address of the TBOX stored in the whole vehicle MAC address information table includes:
acquiring the MAC address of the TBOX from a local pre-stored whole vehicle MAC address information table;
or receiving a unicast configuration information message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server stores the whole vehicle MAC address information table in advance, the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX.
In one embodiment, after acquiring the whole vehicle MAC address information table and before acquiring the MAC address of the TBOX stored in it, the method further includes:
searching the whole vehicle MAC address information table for the authentication authority information of the ECU to which the authentication client belongs;
executing the acquisition of the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table under the condition that the searched authentication authority information represents authentication authority;
and under the condition that the searched authentication authority information represents that the authentication authority is not available, the acquisition of the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table is not executed.
In one embodiment, the method further comprises:
detecting the resource occupation condition of the ECU to which the authentication client belongs;
and sending the resource occupation condition to the authentication server through the vehicle-mounted switch, so that the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition.
In one embodiment, the adjusting, by the authentication server, the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition includes:
When the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the authentication client has authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to be free of authentication authority;
and under the condition that the resource occupation condition represents that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table represents that the authentication authority is not available, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to have authentication authority.
In one embodiment, before the authentication server determines whether to perform a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol according to authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, the method further includes:
the authentication server skips the multicast message judgment rule and directly judges whether the message type field in the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN Start), wherein the multicast message judgment rule consists of judging, from the destination MAC address, whether the unicast start authentication message is a multicast message;
when the message type field in the unicast start authentication message is EAPOL-Start, the authentication server records the source MAC address of the unicast start authentication message, establishes a state machine for the authentication client corresponding to that source MAC address, and after establishing the state machine proceeds to judge, according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table, whether to carry out the subsequent access authentication flow with the authentication client in unicast message format according to the preset Ethernet protocol.
In one embodiment, the method further comprises:
receiving a refusal authentication message sent by the authentication server, wherein the refusal authentication message is generated when the authentication server does not find the source address of the unicast start authentication message in the whole vehicle MAC address information table.
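As an added example (not code from the patent), the following Python models the three parties of the first aspect end to end: the client's unicast EAPOL-Start built from the whole vehicle MAC address information table, the vehicle-mounted switch that discards group-addressed frames, and the TBOX server that skips the multicast rule, tests the EAPOL type field, records the source MAC, creates a state machine and refuses a source absent from the table. The EAPOL header layout, EtherType and PAE group address 01:80:C2:00:00:03 are from IEEE 802.1X; the table contents, MAC values and verdict strings are constructed here.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                       # IEEE 802.1X EtherType
EAPOL_VERSION = 2                              # EAPOL protocol version field
EAPOL_TYPE_START = 1                           # EAPOL packet type 1 = EAPOL-Start
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # standard 802.1X multicast destination

# Constructed whole vehicle MAC address information table (format assumed here):
# MAC address -> (node name, authentication authority flag)
VEHICLE_MAC_TABLE = {
    bytes.fromhex("020000000001"): ("TBOX", True),
    bytes.fromhex("020000000010"): ("ECU_BCM", True),
    bytes.fromhex("020000000012"): ("ECU_LOWEND", False),   # no authority
}


def tbox_mac(table):
    """Client step 1: fetch the TBOX MAC from the whole vehicle table."""
    for mac, (name, _) in table.items():
        if name == "TBOX":
            return mac
    raise LookupError("no TBOX entry in the vehicle MAC table")


def build_eapol_start(src, dst):
    """Client step 2: Ethernet II frame carrying an EAPOL-Start (empty body)."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0)
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def client_start(own_mac, table, unicast=True):
    """Authentication client: only an ECU with authority starts; the patent's
    change is dst = TBOX MAC instead of the PAE group address."""
    _, has_authority = table[own_mac]
    if not has_authority:
        return None
    dst = tbox_mac(table) if unicast else PAE_GROUP_MAC
    return build_eapol_start(own_mac, dst)


def vehicle_switch_forward(frame, table):
    """Switch model from the background section: group-addressed frames
    (multicast/broadcast) are discarded, unicast is forwarded by MAC lookup."""
    dst = frame[0:6]
    if dst[0] & 0x01:                  # I/G bit set -> group address
        return None
    return frame if dst in table else None


def server_handle(frame, table, state_machines):
    """TBOX authentication server: skip the multicast-destination rule, test
    only the EAPOL type field, then record the source MAC, create a state
    machine and consult the authority column. A source MAC missing from the
    table produces the refusal authentication message."""
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return "ignored"
    _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_START:
        return "ignored"
    if src not in table:
        return "reject"
    state_machines[src] = "STARTED"    # state machine keyed by source MAC
    return "continue-unicast" if table[src][1] else "no-authority"


def run(client_mac, unicast=True, table=VEHICLE_MAC_TABLE):
    """End-to-end client -> switch -> server; returns the final verdict."""
    if client_mac in table:
        frame = client_start(client_mac, table, unicast)
        if frame is None:
            return "not-started"
    else:
        # Constructed case: an unprovisioned node that still knows the TBOX MAC
        frame = build_eapol_start(client_mac, tbox_mac(table) if unicast else PAE_GROUP_MAC)
    forwarded = vehicle_switch_forward(frame, table)
    if forwarded is None:
        return "dropped-by-switch"
    return server_handle(forwarded, table, {})


if __name__ == "__main__":
    bcm = bytes.fromhex("020000000010")
    print("standard multicast start:", run(bcm, unicast=False))
    print("unicast start:           ", run(bcm))
```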
In a second aspect, an embodiment of the present application provides an ethernet access authentication method, where the method includes at least one electronic control unit ECU, a telematics unit TBOX, and a vehicle-mounted switch, and an authentication client is disposed on each ECU, where the TBOX is disposed with an authentication server, and the method further includes:
receiving a unicast start authentication message sent by the authentication client through the vehicle-mounted switch, wherein the unicast start authentication message is generated after the authentication client acquires the MAC address of the TBOX stored in the whole vehicle MAC address information table, the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, the destination address is the MAC address of the TBOX, and the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC addresses of all ECUs;
and carrying out subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol.
In one embodiment, the whole vehicle MAC address information table further includes authentication authority information of each ECU, and performing a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol includes:
searching authentication authority information corresponding to a source address in the unicast starting authentication message from a prestored whole vehicle MAC address information table;
and under the condition that the searched authentication authority information represents that the authentication authority exists, carrying out subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol.
In one embodiment, before searching authentication authority information corresponding to a source address in the unicast start authentication message from the pre-stored whole vehicle MAC address information table, the method further includes:
skipping the multicast message judgment rule and directly judging whether the message type field in the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN Start), wherein the multicast message judgment rule consists of judging, from the destination MAC address, whether the unicast start authentication message is a multicast message;
and when the message type field in the unicast start authentication message is EAPOL-Start, recording the source MAC address of the unicast start authentication message, establishing a state machine for the authentication client corresponding to that source MAC address, and after establishing the state machine proceeding to search the pre-stored whole vehicle MAC address information table for the authentication authority information corresponding to the source address of the unicast start authentication message.
In one embodiment, the method further comprises:
generating, after the TBOX starts, a unicast re-authentication message for each ECU with authentication authority according to the whole vehicle MAC address information table, wherein the destination address of each unicast re-authentication message is the MAC address of the corresponding ECU;
sending each unicast re-authentication message to the corresponding authentication client through the vehicle-mounted switch;
when a first unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, carrying out the subsequent access authentication flow with the authentication client in unicast message format based on the authentication client identity in the first unicast identity information response and the preset Ethernet protocol;
when a second unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, continuing the subsequent access authentication flow with the authentication client in unicast message format, based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol, from the previous authentication progress, wherein the destination addresses of both the first and the second unicast identity information response generated by the authentication client are the MAC address of the TBOX, and the second unicast identity information response indicates that the authentication client is in the middle of access authentication;
and when no unicast identity information response from the authentication client is received through the vehicle-mounted switch and the state information of the authentication client at the authentication server is "authentication successful", determining that the authentication client has already completed access authentication.
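As an added example (not the patent's code), the following Python plays out the re-authentication exchange described in this embodiment and in the corresponding client-side embodiment of the first aspect: the TBOX sends a unicast re-authentication message to every ECU with authority, and each client answers with a first identity response, a second identity response carrying its progress, or silence; the server then starts, resumes, or treats the client as already authenticated. The per-client session store, the step counter and the message dictionaries are assumptions made here.

```python
from enum import Enum

TBOX_MAC = "02:00:00:00:00:01"

# Constructed whole vehicle MAC table (format assumed): MAC -> (node name, has authority)
VEHICLE_MAC_TABLE = {
    TBOX_MAC: ("TBOX", True),
    "02:00:00:00:00:10": ("ECU_BCM", True),
    "02:00:00:00:00:11": ("ECU_IVI", True),
    "02:00:00:00:00:13": ("ECU_ADAS", True),
    "02:00:00:00:00:12": ("ECU_LOWEND", False),   # never re-authenticated
}


class State(Enum):
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    AUTHENTICATED = "authenticated"


class AuthClient:
    """Authentication client on one ECU; `progress` is the assumed step
    counter of its own authentication exchange."""

    def __init__(self, mac, identity, state, progress=0):
        self.mac, self.identity = mac, identity
        self.state, self.progress = state, progress

    def on_reauth(self, msg):
        """The three client outcomes: first response, second response, ignore."""
        if msg["dst"] != self.mac:
            return None                      # unicast addressed to another ECU
        if self.state is State.AUTHENTICATED:
            return None                      # already completed: ignore re-auth
        kind = "first" if self.state is State.NOT_STARTED else "second"
        return {"src": self.mac, "dst": TBOX_MAC, "kind": kind,
                "identity": self.identity, "progress": self.progress}


class AuthServer:
    """Authentication server on the TBOX; `sessions` is per-client state
    assumed to survive the TBOX restart."""

    def __init__(self, table, sessions=None):
        self.table = table
        self.sessions = dict(sessions or {})

    def build_reauth_messages(self):
        """On TBOX start: one unicast re-auth message per ECU with authority."""
        return [{"src": TBOX_MAC, "dst": mac, "type": "reauth"}
                for mac, (name, authority) in self.table.items()
                if authority and name != "TBOX"]

    def handle_response(self, mac, resp):
        if resp is None:
            session = self.sessions.get(mac)
            if session and session["state"] is State.AUTHENTICATED:
                return "completed"           # no reply and server state is success
            return "unanswered"              # case not covered by the text
        if resp["kind"] == "first":
            self.sessions[mac] = {"state": State.IN_PROGRESS, "step": 1,
                                  "identity": resp["identity"]}
            return "start-unicast-auth"
        # second response: continue from the progress the client reports
        self.sessions[mac] = {"state": State.IN_PROGRESS,
                              "step": resp["progress"] + 1,
                              "identity": resp["identity"]}
        return "resume-unicast-auth"

    def run_reauth(self, clients):
        """Send every re-auth message and collect the per-ECU decision."""
        by_mac = {c.mac: c for c in clients}
        results = {}
        for msg in self.build_reauth_messages():
            client = by_mac.get(msg["dst"])
            resp = client.on_reauth(msg) if client else None
            results[msg["dst"]] = self.handle_response(msg["dst"], resp)
        return results


def demo():
    """Constructed scenario: the TBOX restarts while ECUs are in different states."""
    clients = [
        AuthClient("02:00:00:00:00:10", "bcm", State.NOT_STARTED),
        AuthClient("02:00:00:00:00:11", "ivi", State.AUTHENTICATED),
        AuthClient("02:00:00:00:00:13", "adas", State.IN_PROGRESS, progress=2),
        AuthClient("02:00:00:00:00:12", "lowend", State.NOT_STARTED),
    ]
    persisted = {"02:00:00:00:00:11": {"state": State.AUTHENTICATED, "step": 4,
                                       "identity": "ivi"}}
    server = AuthServer(VEHICLE_MAC_TABLE, persisted)
    return server.run_reauth(clients), server.sessions
```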
In one embodiment, before receiving the unicast start authentication message sent by the authentication client through the in-vehicle switch, the method further includes:
generating a corresponding unicast configuration information message for each authentication client according to the pre-stored whole vehicle MAC address information table, wherein the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX;
and sending corresponding unicast configuration information messages to each authentication client through the vehicle-mounted switch.
In one embodiment, the method further comprises:
receiving, by the vehicle-mounted switch, a resource occupation condition of an ECU to which the authentication client belongs, the resource occupation condition being sent by the authentication client;
when the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the ECU has authentication authority, adjusting the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to "no authentication authority";
and under the condition that the resource occupation condition represents that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table represents that the authentication authority is not provided, the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table is adjusted to have authentication authority.
In one embodiment, after receiving the unicast start authentication message sent by the authentication client through the in-vehicle switch, the method further includes:
and when the source address of the unicast start authentication message is not found in the whole vehicle MAC address information table, generating a refusal authentication message and sending it to the authentication client through the vehicle-mounted switch.
In a third aspect, another embodiment of the present application provides an ethernet access authentication device, an authentication client is disposed in an electronic control unit ECU, an authentication server is disposed in a telematics unit TBOX, and the authentication client communicates with the authentication server through a vehicle-mounted switch, where the device includes:
an acquisition unit, configured to acquire the MAC address of the TBOX stored in a whole vehicle Media Access Control (MAC) address information table, wherein the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU;
a generation unit, configured to generate a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, and the destination address is the MAC address of the TBOX;
and a sending unit, configured to send the unicast start authentication message to the vehicle-mounted switch so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX.
In one embodiment, the whole vehicle MAC address information table further includes authentication authority information of each ECU, where, when the authentication client sends a unicast start authentication message to the authentication server through the vehicle-mounted switch, the authentication server receives the unicast start authentication message sent by the authentication client, and determines whether to perform a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table.
In one embodiment, the apparatus further comprises:
the first receiving unit is used for receiving unicast re-authentication messages sent by the authentication server through the vehicle-mounted switch, wherein after the TBOX is started, the unicast re-authentication messages corresponding to each ECU with authentication authority are generated according to the whole vehicle MAC address information table, and the destination address of the unicast re-authentication messages is the MAC address of the corresponding ECU;
the sending unit is further configured to send, when the authentication client determines that it has not yet performed access authentication, a first unicast identity information response with the MAC address of the TBOX as destination address to the authentication server through the vehicle-mounted switch, so that the authentication server performs the subsequent access authentication flow with the authentication client in unicast message format based on the authentication client identity in the first unicast identity information response and the preset Ethernet protocol; and to send, when the authentication client determines that it is in the middle of access authentication, a second unicast identity information response with the MAC address of the TBOX as destination address to the authentication server, the second unicast identity information response indicating that the authentication client is in the middle of access authentication, so that the authentication server continues the subsequent access authentication flow with the authentication client in unicast message format, based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol, from the previous authentication progress;
and an ignoring unit, configured to ignore the unicast re-authentication message when the authentication client determines that its own access authentication has already been completed.
In one embodiment, the acquisition unit includes: an acquisition module or a receiving module;
the acquisition module is used for acquiring the MAC address of the TBOX from a local pre-stored whole vehicle MAC address information table;
the receiving module is used for receiving a unicast configuration information message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server stores the whole vehicle MAC address information table in advance, the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX.
In one embodiment, the apparatus further comprises:
a searching unit, configured to search the whole vehicle MAC address information table for the authentication authority information of the ECU to which the authentication client belongs, after the whole vehicle MAC address information table has been acquired and before the MAC address of the TBOX stored in it is acquired;
the acquisition unit is used for acquiring the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table under the condition that the searched authentication authority information represents authentication authority;
and the giving up unit is used for not executing the acquisition of the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table under the condition that the searched authentication authority information represents that the authentication authority is not available.
In one embodiment, the apparatus further comprises:
a detection unit, configured to detect the resource occupation condition of the ECU to which the authentication client belongs;
and the sending unit is further used for sending the resource occupation condition to the authentication server through the vehicle-mounted switch, so that the authentication server can adjust the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition.
In one embodiment, when the resource occupation condition indicates that the authentication client cannot support the preset ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the authentication client has authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to be free of authentication authority; and under the condition that the resource occupation condition represents that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table represents that the authentication authority is not available, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to have authentication authority.
In one embodiment, before the authentication server judges, according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, whether to perform a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset Ethernet protocol, the authentication server skips a multicast message judgment rule and directly judges whether the message type field in the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN, Start). The multicast message judgment rule consists of judging, from the destination MAC address in the unicast start authentication message, whether the unicast start authentication message is a multicast message. When the message type field in the unicast start authentication message is EAPOL-Start, the authentication server records the source MAC address in the unicast start authentication message, establishes a state machine for the authentication client corresponding to that source MAC address, and, after establishing the state machine, judges according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table whether to perform the subsequent access authentication procedure with the authentication client in a unicast message format according to the preset Ethernet protocol.
In one embodiment, the apparatus further comprises:
the second receiving unit is used for receiving a refusing authentication message sent by the authentication server, wherein the refusing authentication message is generated under the condition that the authentication server does not find the source address in the unicast starting authentication message from the whole vehicle MAC address information table.
In a fourth aspect, another embodiment of the present application provides an ethernet access authentication device, an authentication server is disposed on a telematics processor TBOX, and an authentication client is disposed in an electronic control unit ECU, where the authentication client communicates with the authentication server through a vehicle-mounted switch, and the device includes:
a receiving unit, configured to receive a unicast start authentication message sent by an authentication client through the vehicle-mounted switch, where the unicast start authentication message is a message generated by the authentication client after obtaining a MAC address of a TBOX stored in a whole vehicle media access control MAC address information table, a source address of the unicast start authentication message is a MAC address of an ECU to which the authentication client belongs, a destination address is a MAC address of the TBOX, and the whole vehicle MAC address information table includes the MAC address of the TBOX and MAC addresses of each ECU;
And the authentication unit is used for carrying out subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol.
In one embodiment, the authentication unit includes:
the searching module is used for searching authentication authority information corresponding to a source address in the unicast starting authentication message from the pre-stored whole vehicle MAC address information table;
and the authentication module is used for carrying out subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol under the condition that the searched authentication authority information represents authentication authority.
In one embodiment, the apparatus further comprises:
the judging unit is used for skipping a multicast message judging rule and directly judging whether the message type field in the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN, Start) before the authentication authority information corresponding to the source address in the unicast start authentication message is searched from the pre-stored whole vehicle MAC address information table, wherein the multicast message judging rule comprises judging, from the destination MAC address in the unicast start authentication message, whether the unicast start authentication message is a multicast message;
The establishing unit is used for recording a source MAC address in the unicast starting authentication message and establishing a state machine for an authentication client corresponding to the source MAC address under the condition that a message type field in the unicast starting authentication message is EAPOL-Start;
and the searching module is also used for searching the authentication authority information corresponding to the source address in the unicast starting authentication message from the pre-stored whole vehicle MAC address information table after the state machine is established.
In one embodiment, the apparatus further comprises:
the first generation unit is used for generating a corresponding unicast re-authentication message for each ECU with authentication authority according to the whole vehicle MAC address information table after the TBOX is started, wherein the destination address of the unicast re-authentication message is the MAC address of the corresponding ECU;
the first sending unit is used for sending the unicast re-authentication message to the corresponding authentication client through the vehicle-mounted switch;
the authentication unit is further used for, when a first unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, carrying out a subsequent access authentication process with the authentication client in a unicast message format based on the authentication client identity identifier in the first unicast identity information response and the preset Ethernet protocol; and, when a second unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, carrying out the subsequent access authentication process with the authentication client in a unicast message format on the basis of the previous authentication progress, based on the authentication client identity identifier in the second unicast identity information response and the preset Ethernet protocol, wherein the destination addresses of the first unicast identity information response and the second unicast identity information response generated by the authentication client are both the MAC address of the TBOX, and the second unicast identity information response is used for indicating that the authentication client is currently in access authentication;
and the determining unit is used for determining that the authentication client has completed access authentication under the condition that no unicast identity information response sent by the authentication client is received through the vehicle-mounted switch and the state information held by the authentication server indicates that the authentication client has been authenticated successfully.
In one embodiment, the apparatus further comprises:
the second generating unit is used for respectively generating corresponding unicast configuration information messages for each authentication client according to the pre-stored whole vehicle MAC address information table before receiving the unicast start authentication messages sent by the authentication clients through the vehicle-mounted switch, wherein the destination address of the unicast configuration information messages is the MAC address of the corresponding ECU, and the unicast configuration information messages comprise the whole vehicle MAC address information table or the MAC address of the TBOX;
and the second sending unit is used for sending corresponding unicast configuration information messages to each authentication client through the vehicle-mounted switch.
In one embodiment, the receiving unit is further configured to receive, through the vehicle-mounted switch, a resource occupation condition of an ECU to which the authentication client belongs, where the resource occupation condition is sent by the authentication client;
The apparatus further comprises:
the adjusting unit is used for adjusting the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to no authentication authority under the condition that the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that authentication authority is available; and for adjusting the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to having authentication authority under the condition that the resource occupation condition indicates that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that no authentication authority is available.
In one embodiment, the apparatus further comprises:
and the rejecting unit is used for generating a reject authentication message under the condition that the source address in the unicast start authentication message is not searched in the whole vehicle MAC address information table after receiving the unicast start authentication message sent by the authentication client through the vehicle-mounted switch, and sending the reject authentication message to the authentication client through the vehicle-mounted switch.
In a fifth aspect, another embodiment of the present application provides an ethernet access authentication system, the system comprising at least one electronic control unit ECU, a telematics processor TBOX, and a vehicle-mounted switch, each ECU deploying an authentication client, the TBOX deploying an authentication server, the authentication client communicating with the authentication server through the vehicle-mounted switch;
The authentication client comprises an apparatus according to any of the embodiments of the third aspect;
the authentication server comprises the device according to any embodiment of the fourth aspect.
In a sixth aspect, another embodiment of the present application provides a storage medium having stored thereon executable instructions that when executed by a processor cause the processor to implement a method according to any one of the embodiments of the first or second aspects.
In a seventh aspect, another embodiment of the present application provides a vehicle comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of the embodiments of the first or second aspects.
As can be seen from the foregoing, the embodiments of the present application provide an ethernet access authentication method and apparatus, including at least one electronic control unit ECU, a remote information processor TBOX, and a vehicle-mounted switch, where an authentication client is disposed in each ECU, the TBOX is configured with an authentication server, the authentication client obtains a MAC address of the TBOX stored in a whole vehicle MAC address information table, generates a unicast start authentication message using the MAC address of the ECU to which the authentication client belongs as a source address, and sends the unicast start authentication message to the authentication server through the vehicle-mounted switch, so that the authentication server performs a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol. Therefore, for the specific network scenario of the vehicle-mounted ethernet, the embodiment of the present application may pre-configure the whole vehicle MAC address information table in the TBOX, the authentication client deployed in the ECU may obtain the MAC address of the TBOX in the whole vehicle MAC address information table (may pre-configure the whole vehicle MAC address information table in the ECU, or synchronize the MAC address of the TBOX with the authentication client by the authentication server), and change the preset ethernet protocol (such as IEEE 802.1X protocol) to make the message format change from multicast to unicast, thereby avoiding the vehicle-mounted switch from discarding the message, and further completing the authentication procedure successfully. 
In addition, compared with the prior art, in which any device provided with a legitimate authentication client can successfully apply for authentication, the embodiment of the application configures authentication authority information for each ECU in the whole vehicle MAC address information table, so that the authentication server determines from that information whether to perform subsequent authentication, thereby preventing intrusion by an illegitimate ECU and improving authentication security and whole vehicle security. In addition, to prevent the security risk caused by some authentication clients not actively initiating authentication, the authentication server of the embodiment of the application can initiate forced authentication to the authentication clients according to the whole vehicle MAC address information table.
Of course, not all of the above-described advantages need be achieved simultaneously in practicing any one of the products or methods of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly introduce the drawings that are required to be used in the description of the embodiments or the prior art. It is apparent that the drawings in the following description are only some of the embodiments of the present application. Other figures may be derived from these figures without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a schematic diagram of an ethernet access authentication system according to an embodiment of the present application;
fig. 2 is a flow chart of an ethernet access authentication method provided in an embodiment of the present application;
fig. 3 is a flow chart of another method for authenticating ethernet access according to an embodiment of the present disclosure;
fig. 4 is a flow chart of another method for authenticating ethernet access according to an embodiment of the present disclosure;
fig. 5 is a flow chart of another method for authenticating ethernet access according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an ethernet access authentication device according to an embodiment of the present application;
Fig. 7 is a block diagram of another ethernet access authentication device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without undue burden, are within the scope of the present application.
It should be noted that the terms "comprising" and "having" and any variations thereof in the embodiments and figures herein are intended to cover a non-exclusive inclusion. A process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may alternatively include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic diagram of an ethernet access authentication system according to an embodiment of the present application, where the system includes at least one ECU (Electronic Control Unit ) 11, a TBOX (telematics box) 12, and an on-board switch 13, and an authentication client 111 is disposed in each ECU11, and an authentication server 121 is disposed in the TBOX 12. By adopting the system architecture, the TBOX with stronger processing capability can be used as an authentication server to successfully process the preset Ethernet protocol (such as 802.1X protocol), and the vehicle-mounted switch with weaker processing capability can be used as a relay to forward data between the authentication client and the authentication server.
The following describes an ethernet access authentication procedure based on the system architecture:
fig. 2 is a flow chart of an ethernet access authentication method provided in an embodiment of the present application, where the method is applied to any authentication client, and the method includes:
s210: and acquiring the MAC address of the TBOX stored in the whole vehicle MAC address information table.
The whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU, and can also comprise the authentication authority information of each ECU. Specifically, the information of the TBOX and of each ECU can be stored in the whole vehicle MAC address information table in a preset order, so that the entries belonging to the TBOX and to each ECU can be told apart by position without adding a TBOX identifier and ECU identifiers to the table. Of course, the TBOX identifier and the ECU identifiers may also be added to the whole vehicle MAC address information table so that the relevant information can be determined directly.
For example, in an embodiment where a vehicle includes a TBOX and 2 ECUs, the vehicle MAC address information table may be as shown in Table 1.
TABLE 1
Identifier   MAC address          Authentication authority information
TBOX         00:00:FF:11:99:BF    ——
ECU_1        00:00:FF:11:76:DA    Has authentication authority
ECU_2        00:00:FF:11:76:C1    No authentication authority
In one embodiment, before the vehicle leaves the factory, the whole vehicle MAC address information table may be configured in the TBOX (or the authentication server) and each ECU (or the authentication client), or may be configured only in the TBOX (or the authentication server), and after the TBOX is started, the whole vehicle MAC address information table or the MAC address of the TBOX is transmitted to each ECU (or the authentication client).
Thus, the specific implementation of step S210 includes: acquiring the MAC address of the TBOX from a local pre-stored whole vehicle MAC address information table; or receiving a unicast configuration information message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server stores the whole vehicle MAC address information table in advance, the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, the source address is the MAC address of the TBOX, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX.
In one embodiment, after the authentication client obtains the whole vehicle MAC address information table and before it obtains the MAC address of the TBOX stored in that table, it may first search the table for the authentication authority information of the ECU to which it belongs. If the searched authentication authority information indicates that authentication authority is available, step S210 is executed; if it indicates that no authentication authority is available, step S210 is not executed. This avoids blindly applying to the authentication server for access authentication that cannot succeed without authentication authority, and the resource waste that would cause.
S220: and generating a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, and the destination address is the MAC address of the TBOX.
The authentication client of ECU_1 in Table 1 performs packet encapsulation and generates unicast Start authentication message 1, whose source address is the MAC address of ECU_1, whose destination address is the MAC address of the TBOX, and whose type is EAPOL-Start (Extensible Authentication Protocol over LAN, Start). Some fields of unicast Start authentication message 1 are as follows, in the order destination MAC, source MAC, EtherType 0x888E, EAPOL version, EAPOL type (0x01 = EAPOL-Start) and length, following the IEEE 802.1X EAPOL header; fields shown as xxx are not specified here:
unicast start authentication message 1
Destination MAC      Source MAC           EtherType   Version   Type    Length
00:00:FF:11:99:BF    00:00:FF:11:76:DA    0x888E      xxx       0x01    xxx
The authentication client of ECU_2 in Table 1 likewise performs packet encapsulation and generates unicast Start authentication message 2, whose source address is the MAC address of ECU_2, whose destination address is the MAC address of the TBOX, and whose type is EAPOL-Start. Some fields of unicast Start authentication message 2 are as follows:
unicast start authentication message 2
Destination MAC      Source MAC           EtherType   Version   Type    Length
00:00:FF:11:99:BF    00:00:FF:11:76:C1    0x888E      xxx       0x01    xxx
S230: and sending the unicast start authentication message to a vehicle-mounted switch, so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX.
After receiving the unicast start authentication message, the authentication server can judge whether to perform subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol according to authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table.
And under the condition that the authentication authority information corresponding to the source address in the whole vehicle MAC address information table is used for representing that the authentication authority is provided, the authentication server determines that the follow-up access authentication process is carried out with the authentication client in a unicast message format according to a preset Ethernet protocol, and otherwise, the follow-up access authentication process is not carried out.
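The following Python example is added here and is not part of the patent. It builds the unicast EAPOL-Start frame of step S220 from the Table 1 entries and runs the server-side admission decision described above: the multicast-destination check of the generic 802.1X flow is skipped, the EAPOL type field is checked for 0x01 (EAPOL-Start), the source MAC is recorded and a state machine is created, and the authentication authority in the table decides whether the EAP exchange continues. The client-side pre-check of its own authority from the earlier embodiment is included as well. The EAPOL header layout (version, type, length) is taken from IEEE 802.1X; the version value 0x02, the dictionary layout of the table, the state machine as a plain dictionary entry, and the choice to discard the state entry for unknown or unauthorised source MACs are assumptions of this example, not of the page.

```python
import struct

ETHERTYPE_EAPOL = 0x888E       # EtherType shown in the page's frame layout
EAPOL_VERSION = 0x02           # assumption: the page leaves the version field as "xxx"
EAPOL_TYPE_START = 0x01        # EAPOL-Start, as in the page's frame layout
# The generic 802.1X rule would first test the destination against the PAE group
# address 01:80:C2:00:00:03 (IEEE 802.1X). The unicast flow below skips that test.

TBOX_MAC = "00:00:ff:11:99:bf"
# Table 1 from the page, keyed by MAC; the TBOX row carries no authority value.
VEHICLE_MAC_TABLE = {
    TBOX_MAC:            {"id": "TBOX",  "authority": None},
    "00:00:ff:11:76:da": {"id": "ECU_1", "authority": True},
    "00:00:ff:11:76:c1": {"id": "ECU_2", "authority": False},
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tbox_mac_for(table: dict, client_mac: str):
    """Client side (S210 with the authority pre-check): return the TBOX MAC only
    if this ECU is listed with authentication authority; otherwise None, so an
    ECU without authority never sends a Start message."""
    entry = table.get(client_mac)
    if entry is None or not entry["authority"]:
        return None
    return next(mac for mac, e in table.items() if e["id"] == "TBOX")


def build_eapol_start(src_mac: str, dst_mac: str) -> bytes:
    """Client side (S220): Ethernet header + EAPOL header, Type 0x01, empty body."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_EAPOL)
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0)
    return eth + eapol


def server_admit(frame: bytes, table: dict, state_machines: dict) -> str:
    """Server side. Returns 'ignore' (not an EAPOL-Start), 'reject' (source MAC
    not in the table; a reject message would be sent), 'no-authority' (listed
    ECU without authority) or 'proceed' (state machine kept, unicast EAP
    exchange follows). The destination MAC is deliberately not inspected."""
    if len(frame) < 18:
        return "ignore"
    src_mac = bytes_to_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    _version, eapol_type, _length = struct.unpack("!BBH", frame[14:18])
    if ethertype != ETHERTYPE_EAPOL or eapol_type != EAPOL_TYPE_START:
        return "ignore"
    # Record the source MAC and create its state machine, then consult the table.
    state_machines[src_mac] = {"state": "START_RECEIVED"}
    entry = table.get(src_mac)
    if entry is None:
        del state_machines[src_mac]          # example's choice: keep no state for unknown sources
        return "reject"
    if not entry["authority"]:
        del state_machines[src_mac]
        return "no-authority"
    return "proceed"
```

Because the server creates state on every EAPOL-Start it accepts, dropping the entry again when the source MAC is not in the table keeps a device that sprays random source addresses from growing the state table; the page does not specify this, so it is the example's choice rather than the patent's.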
Subsequent access authentication methods include EAP-MD5 (Extensible Authentication Protocol with the MD5 message digest algorithm), EAP-TLS (EAP with Transport Layer Security), EAP-TTLS (EAP with Tunneled Transport Layer Security), and so on. EAP-MD5 is taken as an example:
(A1) The authentication server side sends an authentication client side user ID request message to the authentication client side through the vehicle-mounted switch, and the authentication client side sends an authentication client side user ID response message to the authentication server side through the vehicle-mounted switch, wherein the authentication client side user ID response message comprises a user ID.
(A2) The authentication server matches the received user ID against the user information table and looks up the password information corresponding to the user ID. The authentication server then generates a request message for the password information corresponding to the user ID and sends it to the vehicle-mounted switch, which forwards the request message to the authentication client.
(A3) After receiving the request message for requesting the password information, the authentication client searches the own password information, then carries out MD5 operation on the password information, encapsulates the operation result in a response message, and then transmits the response message to the authentication server through the vehicle-mounted switch.
(A4) After receiving the response message sent by the authentication client, the authentication server extracts the MD5 digest of the password information, performs the same MD5 operation on the password information it has stored for the user ID, and compares its result with the digest sent by the authentication client. If they are the same, the user ID is considered legitimate: the authentication server feeds back an authentication-passed message and sends the vehicle-mounted switch an instruction to open the port, allowing the user's service traffic to access the network through that port. Otherwise, the authentication server feeds back an authentication-failed message and the port of the vehicle-mounted switch stays closed, passing only authentication data and no service data.
It should be added that, the authentication client and the authentication server can both establish a state machine, update the state in the state machine along with the change of the authentication flow, and determine the next authentication flow according to the latest state.
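The EAP-MD5 exchange of (A1) to (A4), with both sides modelled, as an added Python example that is not part of the patent. The page describes the client as hashing its password; EAP-MD5 as specified in RFC 3748 (MD5-Challenge) hashes the EAP identifier, the password and a server-chosen random challenge, so that a captured response cannot be replayed against the next request, and that standard form is what is implemented here. The user IDs, passwords and the 16-byte challenge are constructed for the example, the vehicle-mounted switch is treated as a transparent relay, and the state names are the example's own. EAP-MD5 authenticates only the client and derives no key material, so opening the port is its only outcome; where ECUs can hold certificates, EAP-TLS, which the page also lists, is the stronger choice.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes and method types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


@dataclass
class Eap:
    code: int
    identifier: int
    eap_type: int = 0        # 0 for Success/Failure, which carry no type
    data: bytes = b""


# (A2) the server's user information table, user ID -> password. Constructed values.
USER_TABLE = {b"ecu_1": b"s3cret-ecu1", b"ecu_2": b"s3cret-ecu2"}


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 MD5-Challenge value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class AuthClient:
    """Authentication client on an ECU."""

    def __init__(self, user_id: bytes, password: bytes):
        self.user_id, self.password = user_id, password

    def handle(self, req: Eap) -> Eap:
        if req.eap_type == EAP_TYPE_IDENTITY:                      # (A1) identity response
            return Eap(EAP_RESPONSE, req.identifier, EAP_TYPE_IDENTITY, self.user_id)
        if req.eap_type == EAP_TYPE_MD5:                           # (A3) hash over the challenge
            size = req.data[0]
            challenge = req.data[1:1 + size]
            digest = md5_response(req.identifier, self.password, challenge)
            return Eap(EAP_RESPONSE, req.identifier, EAP_TYPE_MD5, bytes([16]) + digest + self.user_id)
        raise ValueError("unexpected EAP request type")


class AuthServer:
    """Authentication server on the TBOX; one instance per client session."""

    def __init__(self, users: dict, rng=os.urandom):
        self.users, self.rng = users, rng
        self.state, self.identifier = "IDLE", 0
        self.user_id, self.challenge = None, None
        self.port_open = False                                     # switch port: closed until Success

    def identity_request(self) -> Eap:
        self.identifier += 1
        self.state = "IDENTITY_SENT"
        return Eap(EAP_REQUEST, self.identifier, EAP_TYPE_IDENTITY)

    def handle(self, resp: Eap) -> Eap:
        if resp.code != EAP_RESPONSE or resp.identifier != self.identifier:
            return self._fail()
        if self.state == "IDENTITY_SENT" and resp.eap_type == EAP_TYPE_IDENTITY:
            if resp.data not in self.users:                        # (A2) unknown user ID
                return self._fail()
            self.user_id, self.challenge = resp.data, self.rng(16)
            self.identifier += 1
            self.state = "CHALLENGE_SENT"
            return Eap(EAP_REQUEST, self.identifier, EAP_TYPE_MD5, bytes([16]) + self.challenge + b"TBOX")
        if self.state == "CHALLENGE_SENT" and resp.eap_type == EAP_TYPE_MD5:
            size = resp.data[0]
            received = resp.data[1:1 + size]
            expected = md5_response(self.identifier, self.users[self.user_id], self.challenge)
            if size == 16 and hmac.compare_digest(received, expected):   # (A4) constant-time compare
                self.state, self.port_open = "SUCCESS", True
                return Eap(EAP_SUCCESS, self.identifier)
        return self._fail()

    def _fail(self) -> Eap:
        self.state, self.port_open = "FAILURE", False
        return Eap(EAP_FAILURE, self.identifier)


def run_eap_md5(client: AuthClient, server: AuthServer) -> bool:
    """Drive the exchange over the transparent switch; True when the port is opened."""
    msg = server.identity_request()
    while msg.code == EAP_REQUEST:
        msg = server.handle(client.handle(msg))
    return msg.code == EAP_SUCCESS and server.port_open
```

The `rng` parameter exists so the challenge can be fixed in a test; in operation it must stay `os.urandom`, since a predictable challenge brings back exactly the replay problem the challenge is there to prevent.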
In one embodiment, after an authentication server of the related art receives a Start authentication message, it first judges from the destination MAC address whether the message is a multicast message, and only after determining that it is a multicast message does it judge whether the message is of EAPOL-Start type. To improve authentication efficiency, before the authentication server judges, according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table, whether to perform a subsequent access authentication process with the authentication client in a unicast message format according to a preset Ethernet protocol, the authentication server skips the multicast message judgment rule and directly judges whether the message type field in the unicast start authentication message is EAPOL-Start; the multicast message judgment rule consists of judging, from the destination MAC address in the unicast start authentication message, whether that message is a multicast message. When the message type field in the unicast start authentication message is EAPOL-Start, the authentication server records the source MAC address in the unicast start authentication message, establishes a state machine for the authentication client corresponding to that source MAC address, and, after establishing the state machine, judges according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table whether to perform the subsequent access authentication process with the authentication client in a unicast message format according to the preset Ethernet protocol.
The embodiment of the application provides an Ethernet access authentication method, involving at least one electronic control unit ECU, a telematics processor TBOX and a vehicle-mounted switch, where an authentication client is arranged in each ECU and an authentication server is arranged in the TBOX. The authentication client acquires the MAC address of the TBOX stored in a whole vehicle MAC address information table, generates a unicast start authentication message whose source address is the MAC address of the ECU to which the authentication client belongs and whose destination address is the MAC address of the TBOX, and sends the unicast start authentication message to the authentication server through the vehicle-mounted switch, so that the authentication server performs the subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol. Therefore, for the specific network scenario of the vehicle-mounted Ethernet, the embodiment of the present application may pre-configure the whole vehicle MAC address information table in the TBOX; the authentication client deployed in the ECU may obtain the MAC address of the TBOX from the whole vehicle MAC address information table (either pre-configured in the ECU, or synchronized to the authentication client by the authentication server); and the preset Ethernet protocol (such as IEEE 802.1X) is changed so that the message format changes from multicast to unicast, which prevents the vehicle-mounted switch from discarding the message and allows the authentication procedure to complete successfully.
In addition, compared with the prior art, in which any device provided with a legitimate authentication client can successfully apply for authentication, the embodiment of the application configures authentication authority information for each ECU in the whole vehicle MAC address information table, so that the authentication server determines from that information whether to perform subsequent authentication, thereby preventing intrusion by an illegitimate ECU and improving authentication security and whole vehicle security.
In one embodiment, an authentication client may fail to actively initiate authentication, which poses a security risk. To ensure that every authentication client transmits service data only after access authentication has passed, the authentication server may initiate forced authentication to the authentication clients. The method specifically comprises the following steps:
and the authentication client receives a unicast re-authentication message sent by the authentication server through the vehicle-mounted switch, wherein after the TBOX is started, a unicast re-authentication message corresponding to each ECU with authentication authority is generated according to the whole vehicle MAC address information table, and the destination address of the unicast re-authentication message is the MAC address of the corresponding ECU.
And under the condition that the authentication client does not perform access authentication, the authentication client sends a first unicast identity information response taking the MAC address of the TBOX as a destination address to the authentication server through the vehicle-mounted switch, so that the authentication server performs a subsequent access authentication process with the authentication client in a unicast message format based on an authentication client identity in the first unicast identity information response and the preset Ethernet protocol, wherein the authentication client identity is a user identity logging in the authentication client.
Under the condition that the authentication client determines that the authentication client is accessing authentication, the authentication client sends a second unicast identity information response taking the MAC address of the TBOX as a destination address to the authentication server through the vehicle-mounted switch, wherein the second unicast identity information response is used for indicating that the authentication client is accessing authentication, so that the authentication server carries out subsequent access authentication flow with the authentication client in a unicast message format based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol.
And under the condition that the authentication client determines that the authentication client has completed access authentication, the authentication client ignores the unicast re-authentication message.
Compared with the prior art that forced authentication cannot be realized because the authentication server cannot know the MAC addresses to which all the authentication clients belong, the method and the device for the authentication of the vehicle are capable of initiating forced authentication to the authentication clients on each ECU according to the MAC addresses of each ECU by deploying the authentication server on the TBOX and obtaining the MAC addresses of each ECU through the whole vehicle MAC address information table, so that the phenomenon that a certain ECU does not actively apply for authentication to transmit service data and further causes vehicle danger is avoided.
In one embodiment, during the running process of the vehicle, the capability of each ECU is dynamically changed, and when the resources of a certain ECU occupy more resources, there is no possibility that the ethernet access authentication is successful or that the ethernet data transmission is performed by the unnecessary resources and the TBOX, so that the resource waste is caused. In order to solve the technical problem, the authentication client can detect the resource occupation condition of the ECU to which the authentication client belongs, and the resource occupation condition is sent to the authentication server through the vehicle-mounted switch, so that the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition. The specific adjustment method comprises the following steps: when the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the authentication client has authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to be free of authentication authority; and under the condition that the resource occupation condition represents that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table represents that the authentication authority is not available, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to have authentication authority.
In one embodiment, in order to prevent the ECU from being attacked by the illegal authentication client, the authentication client may further receive a reject authentication message sent by the authentication server, where the reject authentication message is generated when the authentication server does not find the source address in the unicast start authentication message from the whole vehicle MAC address information table.
Based on the foregoing embodiments, another embodiment of the present application provides an Ethernet access authentication method applied to an authentication server. As shown in fig. 3, the method includes:
S310: receiving a unicast start authentication message sent by the authentication client through the vehicle-mounted switch.
The unicast start authentication message is generated by the authentication client after it obtains the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table; its source address is the MAC address of the ECU to which the authentication client belongs, its destination address is the MAC address of the TBOX, and the whole vehicle MAC address information table includes the MAC address of the TBOX and the MAC address of each ECU.
If the authentication client does not store the whole vehicle MAC address information table in advance, then before receiving the unicast start authentication message sent by the authentication client through the vehicle-mounted switch, the authentication server may generate a corresponding unicast configuration information message for each authentication client according to its pre-stored whole vehicle MAC address information table, where the destination address of the unicast configuration information message is the MAC address of the corresponding ECU and the message contains either the whole vehicle MAC address information table or the MAC address of the TBOX, and send each unicast configuration information message to its authentication client through the vehicle-mounted switch.
In one embodiment, in the related art any device on which a legitimate authentication client is deployed can successfully apply for authentication, which is a significant security hazard. To further improve authentication security, after receiving the unicast start authentication message sent by the authentication client through the vehicle-mounted switch, the authentication server generates a reject authentication message if the source address of the unicast start authentication message is not found in the whole vehicle MAC address information table, and sends the reject authentication message to the authentication client through the vehicle-mounted switch. That is, if the MAC address of the ECU to which the authentication client that sent the unicast start authentication message belongs is not in the whole vehicle MAC address information table, the authentication client is an illegal authentication client and is likely a malicious attacker, so its authentication request is denied in order to ensure security.
S320: performing the subsequent access authentication process with the authentication client in a unicast message format according to a preset Ethernet protocol.
Compared with the prior art, in which any device provided with a legitimate authentication client can successfully apply for authentication, the embodiment of the application can configure authentication authority information for each ECU in the whole vehicle MAC address information table. Before performing the subsequent access authentication process with the authentication client in a unicast message format according to the preset Ethernet protocol, the authentication server searches the pre-stored whole vehicle MAC address information table for the authentication authority information corresponding to the source address of the unicast start authentication message; if the found authentication authority information indicates that the ECU has authentication authority, the subsequent access authentication process is performed with the authentication client in the unicast message format according to the preset Ethernet protocol, otherwise it is not performed.
If this is the first unicast start authentication message received from the authentication client, the authentication server considers that the authentication client is actively initiating authentication and that a subsequent authentication process is required. The authentication server then establishes an 802.1X state machine keyed by the MAC address of the ECU to which the authentication client belongs, starts the authentication flow, and performs the subsequent authentication operations according to the 802.1X protocol flow. If the received unicast start authentication message is not the first one from the authentication client, it was received while authentication is in progress, and it is processed according to the authentication client's current authentication state and the standard 802.1X protocol flow.
In one embodiment, after the authentication server in the related art receives a start authentication message, it first determines from the destination MAC address whether the message is a multicast message, and only after determining that it is a multicast message does it check whether the message is of the EAPOL-Start type. To improve authentication efficiency, before searching the pre-stored whole vehicle MAC address information table for the authentication authority information corresponding to the source address of the unicast start authentication message, the authentication server may skip the multicast message judgment rule and directly judge whether the message type field of the unicast start authentication message is EAPOL-Start, where the multicast message judgment rule consists of judging from the destination MAC address whether the unicast start authentication message is a multicast message. If the message type field of the unicast start authentication message is EAPOL-Start, the authentication server records the source MAC address of the message, establishes a state machine for the authentication client corresponding to that source MAC address, and, after establishing the state machine, searches the pre-stored whole vehicle MAC address information table for the authentication authority information corresponding to the source address of the unicast start authentication message.
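The unicast start-authentication exchange of S310 and S320, together with the authority lookup, the reject message and the skipped multicast check described above, as an added example that is not code from the patent or from the assignee: the client builds an EAPOL-Start addressed to the TBOX MAC instead of the 802.1X multicast group address, and the server checks the packet type field directly, records the source MAC and creates its state machine, then looks the source up in the whole vehicle MAC address information table before proceeding, declining, or rejecting. The EAPOL and EAP encodings are the standard IEEE 802.1X and EAP ones; the table layout, the authority flags, the choice of an EAP Failure as the reject message and all Python names are assumptions.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET = 0x00       # EAPOL packet type: carries an EAP packet
EAPOL_START = 0x01            # EAPOL packet type: EAPOL-Start
EAP_REQUEST, EAP_FAILURE = 1, 4
EAP_TYPE_IDENTITY = 1


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_eapol(dst: str, src: str, ptype: int, body: bytes = b"") -> bytes:
    """Ethernet header (dst, src, EtherType 0x888E) + EAPOL v2 header + body."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body))
    return mac_bytes(dst) + mac_bytes(src) + header + body


def parse_eapol(frame: bytes):
    """Return (dst, src, EAPOL packet type, body); raise if the EtherType is not EAPOL."""
    dst, src, ethertype, _ver, ptype, length = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    return mac_str(dst), mac_str(src), ptype, frame[18:18 + length]


# Whole vehicle MAC address information table: a constructed sample. The three
# MAC addresses are the ones quoted on the page; the authority flags are assumed.
VEHICLE_TABLE = {
    "TBOX":  {"mac": "00:00:FF:11:99:BF"},
    "ECU_1": {"mac": "00:00:FF:11:76:DA", "auth": True},
    "ECU_2": {"mac": "00:00:FF:11:76:C1", "auth": False},
}


def client_start_frame(ecu_mac: str, table=VEHICLE_TABLE) -> bytes:
    """Authentication client: take the TBOX MAC from the table and build a unicast
    EAPOL-Start (dst = TBOX, src = own ECU) in place of the multicast PAE group address."""
    return build_eapol(dst=table["TBOX"]["mac"], src=ecu_mac, ptype=EAPOL_START)


class AuthServer:
    """Authentication server running on the TBOX."""

    def __init__(self, table=VEHICLE_TABLE):
        self.tbox_mac = table["TBOX"]["mac"]
        self.authority = {e["mac"]: e["auth"] for n, e in table.items() if n != "TBOX"}
        self.state = {}   # per-client 802.1X state machine, keyed by source MAC
        self.eap_id = 0

    def handle_start(self, frame: bytes):
        """Return (decision, reply frame or None) for a received start authentication message."""
        _dst, src, ptype, _body = parse_eapol(frame)
        # The multicast-destination check of the standard flow is skipped: the
        # packet type field is examined directly.
        if ptype != EAPOL_START:
            return "ignored", None
        # Record the source MAC and create its state machine before the table lookup.
        # A repeated EAPOL-Start restarts the exchange, as in 802.1X.
        self.state[src] = "CONNECTING"
        if src not in self.authority:
            # Source MAC absent from the whole vehicle table: an illegal client. The
            # reject message is encoded here as an EAP Failure (assumed; the page
            # does not fix the format).
            body = struct.pack("!BBH", EAP_FAILURE, 0, 4)
            return "reject", build_eapol(src, self.tbox_mac, EAPOL_EAP_PACKET, body)
        if not self.authority[src]:
            return "no_authority", None
        # ECU has authority: continue the 802.1X flow with a unicast EAP-Request/Identity.
        self.state[src] = "IDENTITY_REQUESTED"
        self.eap_id = (self.eap_id + 1) & 0xFF
        body = struct.pack("!BBHB", EAP_REQUEST, self.eap_id, 5, EAP_TYPE_IDENTITY)
        return "proceed", build_eapol(src, self.tbox_mac, EAPOL_EAP_PACKET, body)


if __name__ == "__main__":
    server = AuthServer()
    for mac in ("00:00:FF:11:76:DA", "00:00:FF:11:76:C1", "00:00:FF:11:00:01"):
        decision, _reply = server.handle_start(client_start_frame(mac))
        print(mac, "->", decision)
```

Running the block as a script prints `proceed` for ECU_1, `no_authority` for ECU_2 and `reject` for a MAC that is not in the table; the last case is the one a defender should log, since it is the signal the embodiment uses to spot an illegal client on the vehicle network.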
The embodiment of the application provides an Ethernet access authentication method for a system comprising at least one electronic control unit (ECU), a telematics unit (TBOX) and a vehicle-mounted switch, where an authentication client is deployed in each ECU and an authentication server is deployed in the TBOX. The authentication client obtains the MAC address of the TBOX stored in the whole vehicle MAC address information table, generates a unicast start authentication message with the MAC address of its own ECU as the source address and the MAC address of the TBOX as the destination address, and sends it to the authentication server through the vehicle-mounted switch; the authentication server then performs the subsequent access authentication process with the authentication client in a unicast message format according to the preset Ethernet protocol. Thus, for the specific network scenario of vehicle-mounted Ethernet, the embodiment pre-configures the whole vehicle MAC address information table in the TBOX, lets the authentication client deployed in the ECU obtain the MAC address of the TBOX from that table (either by pre-configuring the table in the ECU or by having the authentication server synchronize the MAC address of the TBOX to the authentication client), and changes the message format of the preset Ethernet protocol (such as IEEE 802.1X) from multicast to unicast, so that the vehicle-mounted switch no longer discards the message and the authentication procedure can complete successfully.
In addition, compared with the prior art in which any device provided with a legitimate authentication client can successfully apply for authentication, the embodiment of the application configures authentication authority information for each ECU in the whole vehicle MAC address information table, so that the authentication server can decide whether to continue authentication according to that authentication authority information. This prevents intrusion by illegal ECUs and further improves authentication security and whole vehicle security.
In one embodiment, an authentication client may not actively initiate authentication, which leaves a security risk. To ensure that every authentication client transmits service data only after access authentication has passed, the authentication server may initiate forced authentication towards the authentication client. Specifically, the method comprises the following steps:
after the TBOX is started, generating a corresponding unicast re-authentication message for each ECU with authentication authority according to the whole vehicle MAC address information table, where the destination address of the unicast re-authentication message is the MAC address of the corresponding ECU; sending the unicast re-authentication message to the corresponding authentication client through the vehicle-mounted switch; when a first unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, performing the subsequent access authentication process with the authentication client in a unicast message format based on the authentication client identity in the first unicast identity information response and the preset Ethernet protocol; when a second unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, continuing the subsequent access authentication process with the authentication client, in a unicast message format and from the previous authentication progress, based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol, where the destination addresses of both the first and the second unicast identity information response generated by the authentication client are the MAC address of the TBOX, and the second unicast identity information response indicates that the authentication client is in the middle of access authentication; and when no unicast identity information response from the authentication client is received through the vehicle-mounted switch and the state information of the authentication client at the authentication server indicates successful authentication, determining that the authentication client has completed access authentication.
For example, the authentication server of the TBOX in table 1 may encapsulate a unicast re-authentication message 1 whose source address is the MAC address of the TBOX, whose destination address is the MAC address of ECU_1, and whose EtherType is EAPOL (Extensible Authentication Protocol over LAN). Part of the field contents of unicast re-authentication message 1 are as follows (in frame order: destination MAC, source MAC, EtherType, remaining fields):
Unicast re-authentication message 1:
00:00:FF:11:76:DA 00:00:FF:11:99:BF 0x888E xxx 0x00 xxx
The authentication server of the TBOX in table 1 may further generate a unicast re-authentication message 2 whose source address is the MAC address of the TBOX, whose destination address is the MAC address of ECU_2, and whose EtherType is EAPOL (Extensible Authentication Protocol over LAN). Part of the field contents of unicast re-authentication message 2 are as follows (in frame order: destination MAC, source MAC, EtherType, remaining fields):
Unicast re-authentication message 2:
00:00:FF:11:76:C1 00:00:FF:11:99:BF 0x888E xxx 0x00 xxx
In one embodiment, the capability of each ECU changes dynamically while the vehicle is running. When the resources of a certain ECU are heavily occupied, it may be unable to complete Ethernet access authentication successfully, or may lack the resources needed for Ethernet data transmission with the TBOX, so that resources are wasted. To solve this technical problem, the authentication server can receive, through the vehicle-mounted switch, the resource occupation condition of the ECU to which the authentication client belongs, as sent by the authentication client. When the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that it has authentication authority, that authentication authority information is changed to "no authentication authority"; when the resource occupation condition indicates that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that it has no authentication authority, that authentication authority information is changed to "has authentication authority"; otherwise no adjustment is made. The authentication client is considered unable to support the preset Ethernet protocol when its resource occupancy rate is greater than a preset threshold, and able to support it otherwise.
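The forced re-authentication flow of this and the preceding embodiments (generation of one unicast re-authentication message per ECU with authority after TBOX start-up, the client's three possible reactions, the server's handling of a first response, a second response, or no response at all, and the authority adjustment driven by resource occupancy), as an added example that is not code from the patent or from the assignee. The frames are standard EAPOL EAP-Packets carrying EAP-Request/Identity and EAP-Response/Identity; the table contents beyond the quoted MAC addresses, the marker appended to the identity to signal that authentication is already in progress, the 80% occupancy threshold and all Python names are assumptions.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET = 0x00
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
IN_PROGRESS_MARK = b"\x00reauth-in-progress"   # assumed marker appended to the second response


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_eap_frame(dst, src, eap):
    """Unicast Ethernet frame carrying an EAPOL EAP-Packet (EAPOL type 0x00)."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, EAPOL_EAP_PACKET, len(eap))
    return mac_bytes(dst) + mac_bytes(src) + header + eap

def parse_eap_frame(frame):
    """Return (dst, src, EAP code, EAP id, EAP type, type data)."""
    dst, src, ethertype, _ver, ptype, length = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != EAPOL_ETHERTYPE or ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    eap = frame[18:18 + length]
    code, eap_id, _len, eap_type = struct.unpack("!BBHB", eap[:5])
    return mac_str(dst), mac_str(src), code, eap_id, eap_type, eap[5:]

# Whole vehicle MAC address information table: constructed sample; the MAC
# addresses are the ones quoted on the page, the authority flags are assumed.
VEHICLE_TABLE = {
    "TBOX":  {"mac": "00:00:FF:11:99:BF"},
    "ECU_1": {"mac": "00:00:FF:11:76:DA", "auth": True},
    "ECU_2": {"mac": "00:00:FF:11:76:C1", "auth": False},
}

def reauth_frames(table=VEHICLE_TABLE):
    """After TBOX start-up: one unicast EAP-Request/Identity per ECU that has
    authority, keyed by the destination (ECU) MAC; ECUs without authority get none."""
    tbox, frames, eap_id = table["TBOX"]["mac"], {}, 0
    for name, entry in table.items():
        if name == "TBOX" or not entry["auth"]:
            continue
        eap_id += 1
        eap = struct.pack("!BBHB", EAP_REQUEST, eap_id, 5, EAP_TYPE_IDENTITY)
        frames[entry["mac"]] = build_eap_frame(entry["mac"], tbox, eap)
    return frames

class AuthClient:
    """Authentication client on an ECU; identity is the user logged in to it."""
    def __init__(self, mac, identity, tbox_mac):
        self.mac, self.identity, self.tbox_mac = mac, identity, tbox_mac
        self.state = "NOT_STARTED"     # NOT_STARTED | IN_PROGRESS | AUTHENTICATED

    def on_reauth(self, frame):
        """Return the unicast identity response to send, or None to ignore the message."""
        dst, _src, code, eap_id, eap_type, _ = parse_eap_frame(frame)
        if dst != self.mac or code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
            return None
        if self.state == "AUTHENTICATED":
            return None                # already authenticated: ignore the re-authentication
        data = self.identity.encode()
        if self.state == "IN_PROGRESS":
            data += IN_PROGRESS_MARK   # second response: authentication already in progress
        eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
        return build_eap_frame(self.tbox_mac, self.mac, eap)

class ReauthServer:
    def __init__(self, table=VEHICLE_TABLE):
        self.tbox_mac = table["TBOX"]["mac"]
        self.state = {}    # per client MAC: {"status": ..., "identity": ..., "step": n}

    def on_response(self, frame):
        dst, src, code, _id, eap_type, data = parse_eap_frame(frame)
        if dst != self.tbox_mac or code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
            return "ignored"
        in_progress = data.endswith(IN_PROGRESS_MARK)
        identity = (data[:-len(IN_PROGRESS_MARK)] if in_progress else data).decode()
        entry = self.state.get(src)
        if in_progress and entry and entry["status"] == "IN_PROGRESS":
            entry["step"] += 1         # second response: continue from the previous progress
            return "continued"
        self.state[src] = {"status": "IN_PROGRESS", "identity": identity, "step": 1}
        return "started"               # first response: begin the unicast 802.1X exchange

    def on_no_response(self, mac):
        entry = self.state.get(mac)
        return "already_authenticated" if entry and entry["status"] == "SUCCESS" else "unknown"

def adjust_authority(table, ecu, occupancy, threshold=0.8):
    """Update the ECU's authority flag from its reported resource occupancy (above the
    threshold the client cannot support the protocol); returns the new flag."""
    entry = table[ecu]
    supports = occupancy <= threshold
    if entry["auth"] and not supports:
        entry["auth"] = False
    elif supports and not entry["auth"]:
        entry["auth"] = True
    return entry["auth"]
```

With the sample table only ECU_1 receives a re-authentication message, which is exactly what the field listings above show for message 1; an ECU whose authority has been withdrawn by adjust_authority drops out of the next round, so the occupancy report and the re-authentication list are the two places to watch when an ECU unexpectedly stops being challenged.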
In one embodiment, the procedure by which the authentication client actively initiates access authentication with the authentication server may be as shown in fig. 4:
S410: the authentication client 111 in the ECU 11 obtains the MAC address of the TBOX 12 stored in the whole vehicle MAC address information table and generates a unicast start authentication message;
S420: the authentication client 111 sends the unicast start authentication message to the vehicle-mounted switch 13;
S430: the vehicle-mounted switch 13 forwards the unicast start authentication message to the authentication server 121;
S440: the authentication server 121 receives the unicast start authentication message, searches the whole vehicle MAC address information table for the authentication authority information corresponding to the source address of the message, and determines from the found authentication authority information whether to perform the subsequent access authentication process with the authentication client 111 in a unicast message format according to the preset Ethernet protocol.
In one embodiment, the procedure by which the authentication server initiates forced authentication may be as shown in fig. 5:
S510: after the TBOX 12 is started, the authentication server 121 generates a corresponding unicast re-authentication message for each ECU 11 with authentication authority according to the whole vehicle MAC address information table;
S520: the authentication server 121 sends the unicast re-authentication message to the vehicle-mounted switch 13;
S530: the vehicle-mounted switch 13 forwards the unicast re-authentication message to the authentication client 111;
S540: the authentication client 111 receives the unicast re-authentication message and, according to its own access authentication state, determines whether to reply with a unicast identity information response to the authentication server 121 in order to carry out the subsequent access authentication process.
Based on the above method embodiment, another embodiment of the present application provides an Ethernet access authentication device applied to any one of the authentication clients, where the authentication client is deployed in an ECU, the authentication server is deployed in a telematics unit (TBOX), and the authentication client communicates with the authentication server through a vehicle-mounted switch. As shown in fig. 6, the device includes:
an obtaining unit 60, configured to obtain a MAC address of a TBOX stored in a whole vehicle medium access control MAC address information table, where the whole vehicle MAC address information table includes the MAC address of the TBOX and a MAC address of each ECU;
a generating unit 62, configured to generate a unicast start authentication packet, where a source address of the unicast start authentication packet is a MAC address of the ECU to which the authentication client belongs, and a destination address is a MAC address of the TBOX;
a sending unit 64, configured to send the unicast start authentication message to the vehicle-mounted switch, so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX.
In one embodiment, the whole vehicle MAC address information table further includes authentication authority information of each ECU, where, when the authentication client sends a unicast start authentication message to the authentication server through the vehicle-mounted switch, the authentication server receives the unicast start authentication message sent by the authentication client, and determines whether to perform a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table.
In one embodiment, the apparatus further comprises:
the first receiving unit is used for receiving unicast re-authentication messages sent by the authentication server through the vehicle-mounted switch, wherein after the TBOX is started, the unicast re-authentication messages corresponding to each ECU with authentication authority are generated according to the whole vehicle MAC address information table, and the destination address of the unicast re-authentication messages is the MAC address of the corresponding ECU;
the sending unit 64 is further configured to send, when it is determined that access authentication has not been performed, a first unicast identity information response with the MAC address of the TBOX as the destination address to the authentication server through the vehicle-mounted switch, so that the authentication server performs the subsequent access authentication process with the authentication client in a unicast message format based on the authentication client identity in the first unicast identity information response and the preset Ethernet protocol; and to send, when it is determined that access authentication is in progress, a second unicast identity information response with the MAC address of the TBOX as the destination address to the authentication server through the vehicle-mounted switch, where the second unicast identity information response indicates that the authentication client is in the middle of access authentication, so that the authentication server continues the subsequent access authentication process with the authentication client, in a unicast message format and from the previous authentication progress, based on the authentication client identity in the second unicast identity information response and the preset Ethernet protocol;
an ignoring unit, configured to ignore the unicast re-authentication message when it is determined that the authentication client has already completed access authentication.
In one embodiment, the acquisition unit 60 includes: an acquisition module or a receiving module;
the acquisition module is used for acquiring the MAC address of the TBOX from a local pre-stored whole vehicle MAC address information table;
the receiving module is used for receiving a unicast configuration information message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server stores the whole vehicle MAC address information table in advance, the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX.
In one embodiment, the apparatus further comprises:
a searching unit, configured to search the whole vehicle MAC address information table, after that table has been obtained and before the MAC address of the TBOX stored in it is obtained, for the authentication authority information of the ECU to which the authentication client belongs;
the obtaining unit 60 is configured to obtain the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table when the found authentication authority information indicates that the ECU has authentication authority;
an abandoning unit, configured not to obtain the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table when the found authentication authority information indicates that the ECU has no authentication authority.
In one embodiment, the apparatus further comprises:
a detection unit, configured to detect the resource occupation condition of the ECU to which the authentication client belongs;
the sending unit 64 is further configured to send the resource occupation situation to the authentication server through the vehicle-mounted switch, so that the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation situation.
In one embodiment, when the resource occupation condition indicates that the authentication client cannot support the preset ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the authentication client has authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to be free of authentication authority; and under the condition that the resource occupation condition represents that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table represents that the authentication authority is not available, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to have authentication authority.
In one embodiment, before the authentication server judges, according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, whether to perform the subsequent access authentication process with the authentication client in a unicast message format according to the preset Ethernet protocol, the authentication server skips the multicast message judgment rule and directly judges whether the message type field of the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN Start), where the multicast message judgment rule consists of judging from the destination MAC address whether the unicast start authentication message is a multicast message. If the message type field of the unicast start authentication message is EAPOL-Start, the authentication server records the source MAC address of the message, establishes a state machine for the authentication client corresponding to that source MAC address, and, after establishing the state machine, judges according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table whether to perform the subsequent access authentication process with the authentication client in a unicast message format according to the preset Ethernet protocol.
In one embodiment, the apparatus further comprises:
a second receiving unit, configured to receive a reject authentication message sent by the authentication server, where the reject authentication message is generated when the authentication server does not find the source address of the unicast start authentication message in the whole vehicle MAC address information table.
Based on the above method embodiment, another embodiment of the present application provides an ethernet access authentication device, where the device is applied to an authentication server, the authentication server is deployed in a telematics unit TBOX, and an authentication client is deployed in an ECU, and the authentication client communicates with the authentication server through a vehicle-mounted switch, as shown in fig. 7, where the device includes:
a receiving unit 70, configured to receive a unicast start authentication packet sent by an authentication client through the vehicle-mounted switch, where the unicast start authentication packet is a packet generated by the authentication client after obtaining a MAC address of a TBOX stored in a whole vehicle media access control MAC address information table, a source address of the unicast start authentication packet is a MAC address of an ECU to which the authentication client belongs, a destination address is a MAC address of the TBOX, and the whole vehicle MAC address information table includes the MAC address of the TBOX, the MAC address of each ECU, and authentication authority information of each ECU;
The authentication unit 72 is configured to perform a subsequent access authentication procedure with the authentication client in a unicast message format according to a preset ethernet protocol.
In one embodiment, the authentication unit 72 includes:
the searching module is used for searching authentication authority information corresponding to a source address in the unicast starting authentication message from the pre-stored whole vehicle MAC address information table;
and the authentication module is used for carrying out subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol under the condition that the searched authentication authority information represents authentication authority.
In one embodiment, the apparatus further comprises:
a judging unit, configured to skip the multicast message judgment rule and directly judge whether the message type field of the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN Start) before the authentication authority information corresponding to the source address of the unicast start authentication message is searched for in the pre-stored whole vehicle MAC address information table, where the multicast message judgment rule consists of judging from the destination MAC address whether the unicast start authentication message is a multicast message;
The establishing unit is used for recording a source MAC address in the unicast starting authentication message and establishing a state machine for an authentication client corresponding to the source MAC address under the condition that a message type field in the unicast starting authentication message is EAPOL-Start;
and the searching module is also used for searching the authentication authority information corresponding to the source address in the unicast starting authentication message from the pre-stored whole vehicle MAC address information table after the state machine is established.
In one embodiment, the apparatus further comprises:
the first generation unit is used for generating a corresponding unicast re-authentication message for each ECU with authentication authority according to the whole vehicle MAC address information table after the TBOX is started, wherein the destination address of the unicast re-authentication message is the MAC address of the corresponding ECU;
the first sending unit is used for sending the unicast re-authentication message to the corresponding authentication client through the vehicle-mounted switch;
the authentication unit 72 is further configured to, when a first unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, perform the subsequent access authentication procedure with the authentication client in a unicast message format based on the authentication client identity identifier in the first unicast identity information response and the preset Ethernet protocol; and, when a second unicast identity information response sent by the authentication client is received through the vehicle-mounted switch, continue the subsequent access authentication procedure with the authentication client in a unicast message format, on the basis of the previous authentication progress, based on the authentication client identity identifier in the second unicast identity information response and the preset Ethernet protocol; wherein the destination addresses of the first and second unicast identity information responses generated by the authentication client are both the MAC address of the TBOX, and the second unicast identity information response indicates that the authentication client is currently undergoing access authentication;
and the determining unit is used for determining that the authentication client has already completed access authentication under the condition that no unicast identity information response from the authentication client is received through the vehicle-mounted switch and the state information held by the authentication server records the authentication client as successfully authenticated.
In one embodiment, the apparatus further comprises:
the second generating unit is used for respectively generating corresponding unicast configuration information messages for each authentication client according to the pre-stored whole vehicle MAC address information table before receiving the unicast start authentication messages sent by the authentication clients through the vehicle-mounted switch, wherein the destination address of the unicast configuration information messages is the MAC address of the corresponding ECU, and the unicast configuration information messages comprise the whole vehicle MAC address information table or the MAC address of the TBOX;
and the second sending unit is used for sending corresponding unicast configuration information messages to each authentication client through the vehicle-mounted switch.
In one embodiment, the receiving unit is further configured to receive, through the vehicle-mounted switch, a resource occupation condition of an ECU to which the authentication client belongs, where the resource occupation condition is sent by the authentication client;
The apparatus further comprises:
the adjusting unit is used for adjusting the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to "no authentication authority" under the condition that the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol while the table currently indicates that the ECU has authentication authority; and for adjusting the authentication authority information of the corresponding ECU to "has authentication authority" under the condition that the resource occupation condition indicates that the authentication client supports the preset Ethernet protocol while the table currently indicates that the ECU has no authentication authority.
In one embodiment, the apparatus further comprises:
and the rejecting unit is used for generating a reject authentication message under the condition that, after the unicast start authentication message sent by the authentication client is received through the vehicle-mounted switch, the source address of that message is not found in the whole vehicle MAC address information table, and for sending the reject authentication message to the authentication client through the vehicle-mounted switch.
Based on the method embodiment, another embodiment of the present application provides an ethernet access authentication system, where the system includes at least one electronic control unit ECU, a telematics unit TBOX, and a vehicle-mounted switch, each ECU deploys an authentication client, where the TBOX deploys an authentication server, and the authentication client communicates with the authentication server through the vehicle-mounted switch;
The authentication client comprises the apparatus of any of the embodiments applied to the authentication client;
the authentication server comprises the device of any embodiment applied to the authentication server.
Based on the above method embodiments, another embodiment of the present application provides a storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement the method described in any of the method embodiments above.
Based on the above method embodiments, another embodiment of the present application provides a vehicle, including: one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described in any of the method embodiments above.
The system and device embodiments correspond to the method embodiments, and have the same technical effects as the method embodiments, and specific description refers to the method embodiments. The apparatus embodiments are based on the method embodiments, and specific descriptions may be referred to in the method embodiment section, which is not repeated herein. Those of ordinary skill in the art will appreciate that: the figures are schematic representations of one embodiment only and the modules or flows in the figures are not necessarily required to practice the present application.
Those of ordinary skill in the art will appreciate that: the modules in the apparatus of the embodiments may be distributed in the apparatus of the embodiments according to the description of the embodiments, or may be located in one or more apparatuses different from the present embodiments with corresponding changes. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (9)

1. An Ethernet access authentication method, applied to a system comprising at least one electronic control unit ECU, a telematics processor TBOX, and a vehicle-mounted switch, each ECU deploying an authentication client and the TBOX deploying an authentication server, the method comprising:
acquiring the MAC address of the TBOX stored in a whole vehicle Media Access Control (MAC) address information table, wherein the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU;
generating a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, and the destination address is the MAC address of the TBOX;
sending the unicast start authentication message to the vehicle-mounted switch, so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX;
wherein the whole vehicle MAC address information table also comprises authentication authority information of each ECU, and the method further comprises:
when the authentication client sends the unicast start authentication message to the authentication server through the vehicle-mounted switch, the authentication server receives the unicast start authentication message sent by the authentication client and decides, according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, whether to carry out the subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol.
2. The method according to claim 1, wherein the method further comprises:
receiving, through the vehicle-mounted switch, a unicast re-authentication message sent by the authentication server, wherein after the TBOX is started the authentication server generates, according to the whole vehicle MAC address information table, a unicast re-authentication message corresponding to each ECU with authentication authority, and the destination address of the unicast re-authentication message is the MAC address of the corresponding ECU;
under the condition that the authentication client determines that it has not yet performed access authentication, sending to the authentication server, through the vehicle-mounted switch, a first unicast identity information response whose destination address is the MAC address of the TBOX, so that the authentication server performs the subsequent access authentication flow with the authentication client in a unicast message format based on the authentication client identity identifier in the first unicast identity information response and the preset Ethernet protocol;
under the condition that the authentication client determines that it is currently undergoing access authentication, sending to the authentication server a second unicast identity information response whose destination address is the MAC address of the TBOX, the second unicast identity information response indicating that the authentication client is currently undergoing access authentication, so that the authentication server continues the subsequent access authentication flow with the authentication client, in a unicast message format and on the basis of the previous authentication progress, based on the authentication client identity identifier in the second unicast identity information response and the preset Ethernet protocol;
and under the condition that the authentication client determines that its own access authentication has been completed, ignoring the unicast re-authentication message.
3. The method of claim 1, wherein acquiring the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table comprises:
acquiring the MAC address of the TBOX from a local pre-stored whole vehicle MAC address information table;
or receiving a unicast configuration information message sent by the authentication server through the vehicle-mounted switch, wherein the authentication server stores the whole vehicle MAC address information table in advance, the destination address of the unicast configuration information message is the MAC address of the corresponding ECU, and the unicast configuration information message comprises the whole vehicle MAC address information table or the MAC address of the TBOX.
4. The method according to claim 3, wherein after the whole vehicle MAC address information table is acquired and before the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table is acquired, the method further comprises:
searching, in the whole vehicle MAC address information table, the authentication authority information of the ECU to which the authentication client belongs;
executing the acquisition of the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table under the condition that the searched authentication authority information indicates that the ECU has authentication authority;
and not executing the acquisition of the MAC address of the TBOX stored in the whole vehicle Media Access Control (MAC) address information table under the condition that the searched authentication authority information indicates that the ECU has no authentication authority.
5. The method according to claim 1, wherein the method further comprises:
detecting the resource occupation condition of the ECU to which the authentication client belongs;
and sending the resource occupation condition to the authentication server through the vehicle-mounted switch, so that the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition.
6. The method of claim 5, wherein the authentication server adjusts authentication authority information of a corresponding ECU in the whole vehicle MAC address information table according to the resource occupation condition, including:
under the condition that the resource occupation condition indicates that the authentication client cannot support the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates that the ECU has authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to no authentication authority;
and under the condition that the resource occupation condition indicates that the authentication client supports the preset Ethernet protocol and the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table indicates no authentication authority, the authentication server adjusts the authentication authority information of the corresponding ECU in the whole vehicle MAC address information table to have authentication authority.
7. The method according to claim 1, wherein before the authentication server decides, according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, whether to perform the subsequent access authentication procedure with the authentication client in a unicast message format according to the preset Ethernet protocol, the method further comprises:
skipping, by the authentication server, a multicast message judgment rule and directly judging whether the message type field of the unicast start authentication message is EAPOL-Start (Extensible Authentication Protocol over LAN Start), wherein the multicast message judgment rule comprises judging, according to the destination MAC address of the unicast start authentication message, whether the message is a multicast message;
under the condition that the message type field of the unicast start authentication message is EAPOL-Start, recording, by the authentication server, the source MAC address of the unicast start authentication message and establishing a state machine for the authentication client corresponding to that source MAC address, and, after the state machine is established, proceeding to decide, according to the authentication authority information corresponding to the source address in the whole vehicle MAC address information table, whether to carry out the subsequent access authentication flow with the authentication client in a unicast message format according to the preset Ethernet protocol.
8. The method according to any one of claims 1-7, further comprising:
and receiving a reject authentication message sent by the authentication server, wherein the reject authentication message is generated under the condition that the authentication server does not find the source address of the unicast start authentication message in the whole vehicle MAC address information table.
9. An ethernet access authentication device, wherein an authentication client is disposed in an electronic control unit ECU, and an authentication server is disposed in a telematics unit TBOX, and the authentication client communicates with the authentication server through a vehicle-mounted switch, the device comprising:
an acquisition unit, used for acquiring the MAC address of the TBOX stored in a whole vehicle Media Access Control (MAC) address information table, wherein the whole vehicle MAC address information table comprises the MAC address of the TBOX and the MAC address of each ECU;
the generation unit is used for generating a unicast start authentication message, wherein the source address of the unicast start authentication message is the MAC address of the ECU to which the authentication client belongs, and the destination address is the MAC address of the TBOX;
the sending unit is used for sending the unicast start authentication message to the vehicle-mounted switch so that the vehicle-mounted switch forwards the unicast start authentication message to the authentication server according to the MAC address of the TBOX;
The whole vehicle MAC address information table also comprises authentication authority information of each ECU, and when the authentication client sends the unicast start authentication message to the authentication server through the vehicle-mounted switch, the authentication server receives the unicast start authentication message and decides, according to the authentication authority information corresponding to the source address in the pre-stored whole vehicle MAC address information table, whether to carry out the subsequent access authentication flow with the authentication client in a unicast message format according to a preset Ethernet protocol.
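As an added illustration that is not the patent's own code, the following Python models the server-side (TBOX) handling of the unicast EAPOL-Start described in the apparatus embodiments above and in claims 1, 7 and 8, together with the authority adjustment of claim 6. The 802.1X EAPOL and EAP header layouts are standard; the table structure, the state names, the sample MAC addresses and the encoding of the reject authentication message as an EAP-Failure are assumptions.

```python
"""Server-side (TBOX) handling of a unicast EAPOL-Start plus authority adjustment.
Added example; table layout, state names and the reject encoding are assumptions."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0      # EAPOL frame carrying an EAP packet
EAPOL_TYPE_START = 1           # EAPOL-Start
EAP_CODE_REQUEST, EAP_CODE_FAILURE = 1, 4
EAP_TYPE_IDENTITY = 1
# Standard 802.1X PAE group address: a frame sent there is not the unicast start of this scheme
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")


def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes (constructed, locally administered addresses)."""
    return bytes.fromhex(text.replace(":", ""))


def eapol_frame(dst, src, eapol_type, body=b""):
    """Ethernet II header + EAPOL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body)) + body


def build_eapol_start(src, tbox_mac):
    """Client side: EAPOL-Start addressed to the TBOX MAC instead of the PAE group address."""
    return eapol_frame(tbox_mac, src, EAPOL_TYPE_START)


@dataclass
class WholeVehicleMacTable:
    """Whole vehicle MAC address information table: TBOX MAC, each ECU MAC and its authority flag."""
    tbox_mac: bytes
    ecus: dict = field(default_factory=dict)   # ECU MAC -> has authentication authority

    def adjust_for_resources(self, ecu_mac, supports_protocol):
        """Reconcile the authority flag with the ECU's resource report (claim 6); None if unknown ECU."""
        current = self.ecus.get(ecu_mac)
        if current is None:
            return None
        if current and not supports_protocol:      # ECU cannot run the protocol: revoke authority
            self.ecus[ecu_mac] = False
        elif not current and supports_protocol:    # ECU can run it now: grant authority
            self.ecus[ecu_mac] = True
        return self.ecus[ecu_mac]


@dataclass
class AuthServer:
    table: WholeVehicleMacTable
    state_machines: dict = field(default_factory=dict)   # source MAC -> state name
    next_eap_id: int = 1

    def handle_frame(self, frame):
        """Returns (action, payload); payload is a reply frame or a reason string."""
        if len(frame) < 18:
            return ("drop", "truncated frame")
        dst, src = frame[0:6], frame[6:12]
        ethertype, _version, eapol_type, _body_len = struct.unpack("!HBBH", frame[12:18])
        if ethertype != ETHERTYPE_EAPOL:
            return ("drop", "not EAPOL")
        # The multicast-destination rule is skipped: the client addressed the TBOX directly,
        # so any frame not carrying the TBOX MAC is simply not for this server.
        if dst != self.table.tbox_mac:
            return ("drop", "not addressed to TBOX MAC")
        if eapol_type != EAPOL_TYPE_START:
            return ("drop", "not EAPOL-Start")
        # Record the source MAC and create its state machine before the table lookup (claim 7)
        self.state_machines[src] = "CONNECTING"
        authority = self.table.ecus.get(src)
        if authority is None:
            # Source not in the table: reject (claim 8); encoded here as an EAP-Failure (assumption)
            del self.state_machines[src]
            eap = struct.pack("!BBH", EAP_CODE_FAILURE, 0, 4)
            return ("reject", eapol_frame(src, self.table.tbox_mac, EAPOL_TYPE_EAP_PACKET, eap))
        if not authority:
            self.state_machines[src] = "HELD"
            return ("ignore", "no authentication authority")
        # Authorised ECU: continue the 802.1X flow with a unicast EAP-Request/Identity
        self.state_machines[src] = "AUTHENTICATING"
        eap = struct.pack("!BBHB", EAP_CODE_REQUEST, self.next_eap_id, 5, EAP_TYPE_IDENTITY)
        self.next_eap_id += 1
        return ("request_identity", eapol_frame(src, self.table.tbox_mac, EAPOL_TYPE_EAP_PACKET, eap))
```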
CN202210241428.XA 2022-03-11 2022-03-11 Ethernet access authentication method and device Active CN114615061B (en)

Publications (2)

Publication Number Publication Date
CN114615061A CN114615061A (en) 2022-06-10
CN114615061B true CN114615061B (en) 2023-06-16





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant