CN115174605A - Internet of vehicles equipment authentication method and device and processor readable storage medium - Google Patents


Info

Publication number
CN115174605A
Authority
CN
China
Prior art keywords
authentication
key
request message
vid
authentication request
Prior art date
Legal status
Pending
Application number
CN202110285435.5A
Other languages
Chinese (zh)
Inventor
周巍
Current Assignee
Datang Mobile Communications Equipment Co Ltd
Original Assignee
Datang Mobile Communications Equipment Co Ltd
Priority date
Filing date
Publication date
Application filed by Datang Mobile Communications Equipment Co Ltd
Priority to CN202110285435.5A
Publication of CN115174605A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Abstract

The invention provides an authentication method and device for Internet of vehicles devices and a processor readable storage medium. The method comprises the following steps: a first device generates a first key according to a first vehicle networking equipment identity module (VIM) key of the first device and a first random number; the first device generates a first authentication request message using the first key; the first device sends the first authentication request message to a vehicle networking equipment identification (VID) authentication entity; wherein the first authentication request message includes a first VID of the first device or information related to the first VID. According to the embodiments of the invention, authentication and secure communication between the vehicle networking device and the VID authentication entity are completed based on the VIM security mechanism and the vehicle networking equipment identification (VID), providing a new vehicle networking device authentication scheme that achieves secure and effective device authentication.

Description

Internet of vehicles equipment authentication method and device and processor readable storage medium
Technical Field
The invention relates to the technical field of communication, in particular to a vehicle networking equipment authentication method and device and a processor readable storage medium.
Background
An Internet of vehicles system consists of On Board Units (OBUs) installed on vehicles, Road Side Units (RSUs) installed at the roadside, and the network infrastructure supporting vehicle networking communication and services. OBUs and RSUs are collectively referred to as vehicle networking (V2X) devices. Communication takes place between V2X devices (OBU-OBU, OBU-RSU, RSU-RSU, etc.) and between a V2X device and a V2X application service provider (OBU-cloud, RSU-cloud).
A typical way to implement authentication and secure communication between V2X devices, or between a V2X device and a V2X application service provider, is a solution based on public key certificates. Currently there is no standard in the Internet of vehicles field for managing the vehicle networking device identification (VID) and its security, and consequently there is no scheme for authenticating vehicle networking devices based on the VID.
Disclosure of Invention
The invention provides a vehicle networking device authentication method, a device and a processor readable storage medium, which solve the problem that no VID-based authentication scheme between vehicle networking devices exists in the prior art.
An embodiment of the invention provides an authentication method for Internet of vehicles devices, which comprises the following steps:
a first device generates a first key according to a first vehicle networking equipment identity module (VIM) key of the first device and a first random number;
the first device generates a first authentication request message using the first key;
the first device sends the first authentication request message to a vehicle networking equipment identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of the first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID.
Optionally, before generating the first authentication request message using the first key, the method further comprises:
receiving a second authentication request message sent by a second device; the second authentication request message includes: a second VID of the second device or information related to the second VID;
the generating a first authentication request message using the first key includes:
generating the first authentication request message using the first key and the second authentication request message.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the sending the first authentication request message to the VID authentication entity includes:
sending the first authentication request message to a third device, which forwards the first authentication request message to the VID authentication entity.
Optionally, the method further comprises:
receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number;
obtaining a communication master key according to the first authentication response message.
Optionally, the obtaining a communication master key according to the first authentication response message includes:
generating a third key according to the first VIM key, the second random number and the fifth random number;
decrypting the third ciphertext using the third key to obtain the communication master key.
Optionally, the first authentication response message further includes: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, the fourth random number, and the fifth random number.
Optionally, the method further comprises:
sending the second authentication response message to the second device.
Optionally, the receiving a first authentication response message sent by the VID authentication entity includes:
receiving the first authentication response message sent by the VID authentication entity via a third device.
The embodiment of the invention also provides a vehicle networking equipment authentication method, which comprises the following steps:
a VID authentication entity receives a first authentication request message sent by a first device, wherein the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
the VID authentication entity generates a first authentication response message according to the first authentication request message if the first authentication request message passes verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID.
Optionally, after receiving the first authentication request message sent by the first device, the method further includes:
verifying the first authentication request message;
generating a communication master key and a fifth random number if the first authentication request message is verified.
Optionally, the verifying the first authentication request message includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
verifying the first message authentication code using the first VIM key;
determining that the first authentication request message is verified if the first message authentication code is verified.
Optionally, the generating a first authentication response message according to the first authentication request message when the first authentication request message is verified includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
generating a first key according to the first VIM key and the first random number;
decrypting the first ciphertext by using the first key to obtain a second random number;
generating a third key according to the first VIM key, the second random number and the fifth random number;
encrypting the communication master key by using the third key to generate a third ciphertext;
generating the first authentication response message using the third ciphertext and the fifth random number.
Optionally, the first authentication request message further includes: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number by using a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, before generating the first authentication response message according to the first authentication request message, the method further comprises:
generating a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further includes: the second authentication response message.
Optionally, the generating a second authentication response message of the second device according to the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key based on the second VID;
generating a second key according to a second VIM key and the third random number;
decrypting the second ciphertext by using the second key to obtain a fourth random number;
generating a fourth key according to the second VIM key, the fourth random number and the fifth random number;
encrypting the communication master key by using the fourth key to generate a fourth ciphertext;
generating the second authentication response message using the fourth ciphertext and the fifth random number.
Optionally, before generating the communication master key and the fifth random number, the method further comprises:
verifying the second authentication request message.
Optionally, the verifying the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
verifying the second message authentication code using the second VIM key;
determining that the second authentication request message is verified if the second message authentication code is verified.
Optionally, the receiving a first authentication request message sent by a first device includes:
receiving the first authentication request message sent by the first device via a third device.
Optionally, the method further comprises:
sending the first authentication response message to the first device.
Optionally, the sending the first authentication response message to the first device includes:
sending the first authentication response message to a third device, which forwards the first authentication response message to the first device.
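The request/response exchange described in the steps above, including the relay case in which the first device carries a second device's request and forwards its response, as an added runnable model (example code, not code from the patent). HMAC-SHA256 stands in for the unspecified key derivation and message authentication functions, an HMAC-derived keystream XOR stands in for the unspecified cipher, and the VID-to-VIM-key registry, the VIDs and the keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample VIDs and VIM keys; REGISTRY stands in for the VID
# authentication entity's hypothetical "VID -> VIM key" lookup.
VID_OBU = b"VID-OBU-0001"
VID_RSU = b"VID-RSU-0042"
REGISTRY = {VID_OBU: secrets.token_bytes(32), VID_RSU: secrets.token_bytes(32)}


def kdf(vim_key, *random_numbers):
    """Derive a per-exchange key from the VIM key and random numbers (HMAC-SHA256, assumed)."""
    return hmac.new(vim_key, b"".join(random_numbers), hashlib.sha256).digest()


def xor_crypt(key, data):
    """Stand-in cipher: XOR with an HMAC-derived keystream. Adequate here only because
    each derived key encrypts exactly one value of at most 32 bytes; a deployment
    would use an AEAD such as AES-GCM instead."""
    if len(data) > 32:
        raise ValueError("stand-in cipher handles at most 32 bytes")
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def tag(key, *fields):
    """Message authentication code over the request fields (HMAC-SHA256, assumed)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


class V2XDevice:
    """First or second device: holds its VID and VIM key, builds a request, recovers Km."""

    def __init__(self, vid, vim_key):
        self.vid, self.vim_key = vid, vim_key
        self.r_secret = b""  # second (or fourth) random number, kept until the response

    def build_request(self, embedded=None):
        r_pub = secrets.token_bytes(16)          # first (third) random number, sent in clear
        key = kdf(self.vim_key, r_pub)           # first (second) key
        self.r_secret = secrets.token_bytes(16)  # second (fourth) random number
        ct = xor_crypt(key, self.r_secret)       # first (second) ciphertext
        req = {"vid": self.vid, "ct": ct, "rand": r_pub,
               "mac": tag(key, self.vid, ct, r_pub)}
        if embedded is not None:  # relay case: the second device's request rides along
            req["second"] = embedded
        return req

    def derive_master_key(self, resp):
        key = kdf(self.vim_key, self.r_secret, resp["rand5"])  # third (fourth) key
        return xor_crypt(key, resp["ct"])


class VidAuthEntity:
    """VID authentication entity: verifies requests, then issues the communication master key."""

    def __init__(self, registry):
        self.registry = registry

    def _verify(self, req):
        """Return the VIM key for the request's VID if the MAC checks out, else None."""
        vim_key = self.registry.get(req["vid"])
        if vim_key is None:
            return None
        key = kdf(vim_key, req["rand"])
        expected = tag(key, req["vid"], req["ct"], req["rand"])
        return vim_key if hmac.compare_digest(expected, req["mac"]) else None

    def _wrap(self, vim_key, req, km, r5):
        """Recover the device's secret random number and wrap Km under the next derived key."""
        r_secret = xor_crypt(kdf(vim_key, req["rand"]), req["ct"])
        return {"ct": xor_crypt(kdf(vim_key, r_secret, r5), km), "rand5": r5}

    def handle(self, req):
        vim1 = self._verify(req)
        second = req.get("second")
        vim2 = self._verify(second) if second is not None else None
        # Km and the fifth random number are generated only after every request verifies.
        if vim1 is None or (second is not None and vim2 is None):
            raise PermissionError("authentication request failed verification")
        km, r5 = secrets.token_bytes(32), secrets.token_bytes(16)
        resp = self._wrap(vim1, req, km, r5)
        if second is not None:
            resp["second"] = self._wrap(vim2, second, km, r5)
        return resp


def run_relay_exchange():
    """OBU relays the RSU's request; both end with the same Km, which never travels in clear."""
    obu = V2XDevice(VID_OBU, REGISTRY[VID_OBU])
    rsu = V2XDevice(VID_RSU, REGISTRY[VID_RSU])
    entity = VidAuthEntity(REGISTRY)
    req = obu.build_request(embedded=rsu.build_request())
    resp = entity.handle(req)
    km_obu = obu.derive_master_key(resp)
    km_rsu = rsu.derive_master_key(resp["second"])
    wire = [req["ct"], req["second"]["ct"], resp["ct"], resp["second"]["ct"]]
    return km_obu, km_rsu, km_obu not in wire


def rejection_checks():
    """A tampered ciphertext and a device holding the wrong VIM key must both be refused."""
    entity = VidAuthEntity(REGISTRY)
    tampered = V2XDevice(VID_OBU, REGISTRY[VID_OBU]).build_request()
    tampered["ct"] = bytes(b ^ 0x01 for b in tampered["ct"])  # MAC covers ct, so this fails
    rogue = V2XDevice(VID_RSU, secrets.token_bytes(32)).build_request()
    outcomes = []
    for req in (tampered, rogue):
        try:
            entity.handle(req)
            outcomes.append(False)
        except PermissionError:
            outcomes.append(True)
    return all(outcomes)
```

Note that the entity only ever sees the random number encrypted under a key tied to the VID it looked up, so a request naming a VID whose VIM key the sender does not hold cannot produce a valid MAC.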
An embodiment of the present invention further provides an authentication apparatus for vehicle networking devices, comprising a memory, a transceiver and a processor:
the memory is used for storing a computer program; the transceiver is used for transceiving data under control of the processor; the processor is used for reading the computer program in the memory and performing the following operations:
generating a first key according to a first vehicle networking equipment identity module (VIM) key of a first device and a first random number;
generating a first authentication request message using the first key;
sending the first authentication request message to a vehicle networking device identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID.
Optionally, the processor is further configured to:
receiving a second authentication request message sent by a second device; the second authentication request message includes: a second VID of the second device or information related to the second VID;
the generating a first authentication request message using the first key comprises:
generating the first authentication request message using the first key and the second authentication request message.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the sending the first authentication request message to the VID authentication entity includes:
sending the first authentication request message to a third device, which forwards the first authentication request message to the VID authentication entity.
Optionally, the processor is configured to read the computer program in the memory and perform the following operations:
receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number;
obtaining a communication master key according to the first authentication response message.
Optionally, the obtaining a communication master key according to the first authentication response message includes:
generating a third key according to the first VIM key, the second random number and the fifth random number;
decrypting the third ciphertext using the third key to obtain the communication master key.
Optionally, the first authentication response message further includes: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, the fourth random number, and the fifth random number.
Optionally, the processor is configured to read the computer program in the memory and perform the following operations:
sending the second authentication response message to the second device.
Optionally, the receiving a first authentication response message sent by the VID authentication entity includes:
receiving the first authentication response message sent by the VID authentication entity via a third device.
An embodiment of the present invention further provides an authentication apparatus for vehicle networking devices, comprising a memory, a transceiver and a processor:
the memory is used for storing a computer program; the transceiver is used for transceiving data under control of the processor; the processor is used for reading the computer program in the memory and performing the following operations:
receiving a first authentication request message sent by a first device, wherein the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
generating a first authentication response message according to the first authentication request message if the first authentication request message passes verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code, and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID.
Optionally, the processor is further configured to:
verifying the first authentication request message;
generating a communication master key and a fifth random number if the first authentication request message is verified.
Optionally, the verifying the first authentication request message includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
verifying the first message authentication code using the first VIM key;
determining that the first authentication request message is verified if the first message authentication code is verified.
Optionally, the generating a first authentication response message according to the first authentication request message when the first authentication request message is verified includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
generating a first key according to the first VIM key and the first random number;
decrypting the first ciphertext by using the first key to obtain a second random number;
generating a third key according to the first VIM key, the second random number and the fifth random number;
encrypting the communication master key by using the third key to generate a third ciphertext;
generating the first authentication response message using the third ciphertext and the fifth random number.
Optionally, the first authentication request message further includes: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the processor is further configured to:
generating a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further comprises: the second authentication response message.
Optionally, the generating a second authentication response message of the second device according to the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key based on the second VID;
generating a second key according to a second VIM key and the third random number;
decrypting the second ciphertext by using the second key to obtain a fourth random number;
generating a fourth key according to the second VIM key, the fourth random number and the fifth random number;
encrypting the communication master key by using the fourth key to generate a fourth ciphertext;
generating the second authentication response message using the fourth ciphertext and the fifth random number.
Optionally, the processor is further configured to:
verifying the second authentication request message.
Optionally, the verifying the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
verifying the second message authentication code using the second VIM key;
determining that the second authentication request message is verified if the second message authentication code is verified.
Optionally, the receiving a first authentication request message sent by a first device includes:
receiving the first authentication request message sent by the first device via a third device.
Optionally, the processor is further configured to:
sending the first authentication response message to the first device.
Optionally, the sending the first authentication response message to the first device includes:
sending the first authentication response message to a third device, which forwards the first authentication response message to the first device.
The embodiment of the invention also provides a device for authenticating the internet of vehicles, which comprises:
a first generation unit, configured to generate a first key according to a first vehicle networking equipment identity module (VIM) key of a first device and a first random number;
a second generation unit configured to generate a first authentication request message using the first key;
the first sending unit is used for sending the first authentication request message to a vehicle networking equipment identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
The embodiment of the invention also provides a device for authenticating the internet of vehicles, which comprises:
a first receiving unit, configured to receive a first authentication request message sent by a first device, where the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key and a first random number of the first device;
a third generating unit, configured to generate a first authentication response message according to the first authentication request message if the first authentication request message passes verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Embodiments of the present invention provide a processor readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the vehicle networking device authentication method as described above.
The technical scheme of the invention has the beneficial effects that:
according to the embodiments of the invention, authentication and secure communication between the vehicle networking device and the VID authentication entity are completed based on the VIM security mechanism and the vehicle networking equipment identification (VID), providing a new vehicle networking device authentication scheme that achieves secure and effective device authentication.
Drawings
FIG. 1 is an architectural diagram of vehicle networking device authentication according to an embodiment of the invention;
FIG. 2 is a first schematic flow chart of the vehicle networking authentication method according to an embodiment of the invention;
FIG. 3 is a second schematic flow chart of the vehicle networking authentication method according to an embodiment of the invention;
FIG. 4 is a third schematic flow chart of the vehicle networking authentication method according to an embodiment of the invention;
FIG. 5 is a first schematic structural diagram of the vehicle networking authentication device according to an embodiment of the invention;
FIG. 6 is a second schematic structural diagram of the vehicle networking authentication device according to an embodiment of the invention;
FIG. 7 is a third schematic structural diagram of the vehicle networking authentication device according to an embodiment of the invention;
FIG. 8 is a fourth schematic structural diagram of the vehicle networking authentication device according to an embodiment of the invention.
Detailed Description
To make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments. In the following description, specific details such as specific configurations and components are provided only to help the full understanding of the embodiments of the present invention. It will be apparent to those skilled in the art that various changes and modifications can be made in the embodiments described herein without departing from the scope and spirit of the invention. In addition, descriptions of well-known functions and constructions are omitted for clarity and conciseness.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the following processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
The term "and/or" in the embodiments of the present invention describes an association relationship of associated objects, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
In the embodiments of the present application, the term "plurality" means two or more, and other terms are similar thereto.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In making the description of the embodiments of the present invention, some concepts used in the following description will first be explained.
Internet of vehicles device (V2X device for short): the first device, the second device and the third device are all internet of vehicles devices, i.e. an on-board unit (OBU) or a road side unit (RSU) in an internet of vehicles system.
Internet of vehicles device identification (VID): information uniquely identifying a V2X device in the internet of vehicles system.
Internet of vehicles device identification card (VIM): a security module located in the V2X device that securely stores the VID and performs the security calculations required for VID authentication. The VIM stores a key uniquely corresponding to the VID, referred to as the VIM key for short.
VID authentication entity (VID Authentication Authority, VAA): responsible for generating VID authentication keys and writing them in a secure manner into the VIM of the V2X device. The key written to the VIM is also called VIM_Key. The V2X device and the VID authentication entity authenticate each other using VIM_Key.
In an embodiment of the present invention, the architecture of the internet of vehicles device authentication is shown in fig. 1 and may include a V2X device 1, a V2X device 2 and a VID authentication entity. V2X device 1 consists of the device itself and its VIM, and V2X device 2 likewise consists of the device itself and its VIM; the device and its VIM exchange information to complete the VID authentication operation.
The VID authentication entity writes VID1 and VIM_Key1 of V2X device 1 into V2X device 1, and writes VID2 and VIM_Key2 of V2X device 2 into V2X device 2. V2X device 2 generates an authentication and key request 2 and optionally sends it to V2X device 1; V2X device 1 generates an authentication and key request 1 (which may carry the authentication and key request 2) and sends the authentication and key request 1 to the VID authentication entity.
The VID authentication entity generates an authentication and key response 2 and an authentication and key response 1; optionally, the authentication and key response 1 may carry the authentication and key response 2. The VID authentication entity sends the authentication and key response 1 to V2X device 1, and V2X device 1 forwards the authentication and key response 2 to V2X device 2, so that end-to-end authentication and secure communication between internet of vehicles devices, based on the internet of vehicles device identification, are realized.
The method for authenticating the internet of vehicles device provided by the embodiment of the application is described through a specific embodiment.
As shown in fig. 2, an authentication method for a device in a vehicle networking according to an embodiment of the present invention is applied to a first device, and specifically includes the following steps:
step 201, the first device generates a first key according to a first vehicle networking device identification card (VIM) key of the first device and a first random number.
The first device is an internet of vehicles device. The VID authentication entity sends the first VIM key and the first VID of the first device to the first device, which stores them. The first random number is generated randomly by the first device.
The first device provides the first random number to the VIM of the first device, which generates the first key from the first VIM key and the first random number.
Step 202, the first device generates a first authentication request message by using the first key.
The first authentication request message may be obtained by encrypting information content to be sent to a VID authentication entity with the first key or a derivative of the first key.
The first authentication request message includes the first VID of the first device or information related to the first VID. Depending on requirements, the first VID may be carried in the first authentication request message in encrypted form or in clear text. The information related to the first VID may include an application ID and/or an identification ID of the first device in that application; the first VID can be determined from this related information.
Step 203, the first device sends the first authentication request message to an internet of vehicles device identification (VID) authentication entity.
The first device sends the first authentication request message to the VID authentication entity for authentication. The first device may send the first authentication request message directly to the VID authentication entity, or send it to another internet of vehicles device, which then forwards it to the VID authentication entity.
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized.
Specifically, the first authentication request message further includes: a first ciphertext, a first message authentication code, and the first random number; the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
The first device generates a first random number and a second random number. And the first equipment encrypts the second random number by using the first secret key to generate the first ciphertext. The second random number is used to calculate a key. The first message authentication code provides integrity protection for the first authentication request message, and the first message authentication code is generated by using the first key or a derivative key of the first key.
In this embodiment, the first authentication request message includes: the first VID of the first device or information related to the first VID, the first ciphertext, the first message authentication code and the first random number. When the first authentication request message carries only information related to the first VID (rather than the VID itself), the first ciphertext includes the first VID, so that the VID authentication entity can recover the first VID by decryption. The first ciphertext may thus include the encrypted first VID.
The content of the first authentication request message is one of:
(1) The first authentication request message includes: the first VID, the first ciphertext, the first message authentication code and the first random number. The first VID is carried unencrypted.
(2) The first authentication request message includes: the first ciphertext, the first message authentication code and the first random number. The first ciphertext comprises the first VID, that is, the first VID and the second random number are encrypted together with the first key to obtain the first ciphertext.
(3) The first authentication request message includes: information related to the first VID, the first ciphertext, the first message authentication code and the first random number. The first ciphertext may include the encrypted first VID.
The first authentication request message may be directly sent to the VID authentication entity by the first device, and the first authentication request message may carry an authentication request message of another car networking device; or the first device sends the first authentication request message to another vehicle networking device, and the other vehicle networking device sends the first authentication request message to the VID authentication entity. The following is illustrated by two examples, respectively.
As an optional embodiment, before generating the first authentication request message using the first key, the method further comprises: receiving a second authentication request message sent by second equipment; the second authentication request message includes: a second VID of a second device or information related to the second VID; the generating a first authentication request message using the first key includes: generating the first authentication request message using the first key and the second authentication request message.
In this embodiment, the first authentication request message may further include a second authentication request message of a second device. The second device is an internet of vehicles device other than the first device. The second device sends the second authentication request message to the first device, and the first device sends the second authentication request message together with its own first authentication request message to the VID authentication entity.
Wherein the second authentication request message comprises: a second VID for a second device or information related to the second VID. The second VID for the second device is sent by the VID authentication entity, which writes a second VID and a second VIM key for the second device to the second device. The second device generates the second authentication request message based on the second VID and a second VIM key.
Specifically, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number; the second ciphertext is generated by encrypting a fourth random number by using a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
The second device generates a third random number and a fourth random number. The third random number is provided to the VIM of the second device, which generates the second key from the second VIM key and the third random number. The fourth random number is encrypted with the second key or a derivative key of the second key to obtain the second ciphertext, and a second message authentication code is generated with the second key or a derivative key of the second key; the second message authentication code provides integrity protection for the second authentication request message.
In this embodiment, the second authentication request message includes: the second VID of the second device or information related to the second VID, the second ciphertext, the second message authentication code and the third random number. When the second authentication request message carries only information related to the second VID, the second ciphertext includes the second VID, i.e. the second ciphertext may include the encrypted second VID.
The content of the second authentication request message is one of:
(1) The second authentication request message includes: the second VID, the second ciphertext, the second message authentication code and the third random number. The second VID is carried unencrypted.
(2) The second authentication request message includes: the second ciphertext, the second message authentication code and the third random number. The second ciphertext comprises the second VID, that is, the second VID and the fourth random number are encrypted together with the second key to obtain the second ciphertext.
(3) The second authentication request message includes: information related to the second VID, the second ciphertext, the second message authentication code and the third random number. The second ciphertext may include the encrypted second VID.
And the second device sends the generated second authentication request message to the first device, and when the first device generates the first authentication request message, the second authentication request message is included in the first authentication request message, so that the first authentication request message containing the second authentication request message is sent to the VID authentication entity for authentication.
As another alternative embodiment, the sending the first authentication request message to the VID authentication entity includes: and sending the first authentication request message to a third device, and sending the first authentication request message to a VID authentication entity by the third device.
The third device in this embodiment is an internet of vehicles device other than the first device, and the first authentication request message of the first device reaches the VID authentication entity via the third device. The third device may generate a third authentication request message that carries the first authentication request message, and send the third authentication request message, including the first authentication request message, to the VID authentication entity. The way the third device generates the third authentication request message, and the content of that message, are the same as described above for the first and second devices and are not repeated here.
And after the first equipment sends the first authentication request message to the VID authentication entity, the VID authentication entity generates an authentication response message according to the first authentication request message.
Specifically, the method may further include: receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number; and obtaining a communication master key according to the first authentication response message.
And the third ciphertext is generated by the VID authentication entity according to the first authentication request message. And after receiving the first authentication request message, the VID authentication entity authenticates the first authentication request message and generates a first authentication response message under the condition of successful authentication. Specifically, the VID authentication entity retrieves a corresponding first VID from a database according to the first VID in the first authentication request message or information related to the first VID, and if the corresponding first VID is not retrieved, determines that the first authentication request message fails to be verified; if the first VID is retrieved, determining a first VIM key according to the first VID, verifying the first message authentication code by using the first VIM key or a derivative key thereof, and if the verification is successful, determining that the first authentication request message is successfully authenticated.
The VID authentication entity decrypts the first ciphertext using the first VIM key or a derivative thereof, may decrypt to obtain the first VID and the second random number if the first ciphertext includes the first VID, and determines that the first device owns the first VID if the decrypted first VID is the same as the first VID obtained by retrieval at the database.
And the VID authentication entity randomly generates a communication master key and a fifth random number, and generates a first authentication response message under the condition that the first authentication request message is successfully verified. Specifically, the VID authentication entity generates a third key using the first VIM key, the second random number, and the fifth random number. And encrypting the communication master key by using the third key or a derivative key thereof to obtain a third ciphertext, and performing integrity protection on the third ciphertext and the fifth random number to obtain the first authentication response message. And sending the first authentication response message to the first device.
Obtaining the communication master key from the first authentication response message may include: generating a third key from the first VIM key, the second random number and the fifth random number; and decrypting the third ciphertext with the third key to obtain the communication master key. The first device can then complete subsequent security operations with the communication master key, for example establishing a pre-shared-key Transport Layer Security (PSK TLS) security association with the communication master key, or protecting the integrity and/or confidentiality of data directly with the communication master key or a derivative key thereof.
It should be noted that, if the first authentication request message further includes a second authentication request message of a second device, the VID authentication entity authenticates the second authentication request message. Specifically, the VID authentication entity retrieves a corresponding second VID from a database according to the second VID in the second authentication request message or information related to the second VID, and if the corresponding second VID is not retrieved, determines that the second authentication request message fails to be verified; and if the second VID is retrieved, determining a second VIM key according to the second VID, verifying the second message authentication code by using the second VIM key or a derivative key thereof, and if the verification is successful, determining that the second authentication request message is successfully authenticated.
The VID authentication entity decrypts the second ciphertext using the second VIM key or a derivative key thereof, and if the second ciphertext includes a second VID, may decrypt to obtain the second VID and a fourth random number, and if the second VID obtained by decryption is the same as the second VID obtained by retrieval at the database, determines that the second device owns the second VID.
And after the VID authentication entity successfully authenticates the second authentication request message, generating a second authentication response message carried by the first authentication response message of the first equipment. Specifically, the first authentication response message further includes: a second authentication response message of the second device; the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, the fourth random number, and the fifth random number.
Specifically, the VID authentication entity generates a fourth key using the second VIM key, the fourth random number, and the fifth random number. And encrypting the communication master key by using the fourth key or a derivative key thereof to obtain a fourth ciphertext, and performing integrity protection on the fourth ciphertext and the fifth random number to obtain the second authentication response message. The second authentication response message is carried in the first authentication response message, and after the VID authentication entity sends the first authentication response message to the first device, the method further includes: the first device sends the second authentication response message to the second device.
The second device may obtain, according to the second authentication response message, a communication master key, specifically: generating a fourth key according to the second VIM key, a fourth random number and the fifth random number; and decrypting the fourth ciphertext by using the fourth key to obtain the communication master key, so that the second device can complete subsequent security operations according to the communication master key.
As an alternative embodiment, the first device may receive the first authentication response message from the VID authentication entity via the third device. In this embodiment, after successfully authenticating the first authentication request message and generating the first authentication response message, the VID authentication entity may carry the first authentication response message inside the authentication response message of another internet of vehicles device (the third device), send that message to the third device, and the third device forwards the first authentication response message to the first device. The way the third authentication response message of the third device carries the first authentication response message is the same as the way the first authentication response message of the first device carries the second authentication response message of the second device, and is not repeated here.
The following describes a specific implementation procedure of the vehicle network device authentication method according to the present invention by using a specific example.
Taking as an example the case in which the first authentication request message of the first device carries the second authentication request message of the second device, the first authentication response message of the first device carries the second authentication response message of the second device, the first device is V2X device 1 and the second device is V2X device 2, as shown in fig. 3:
Step 0: the VID authentication entity writes VID1 of V2X device 1 and the corresponding key VIM_Key1 into the VIM of V2X device 1, and writes VID2 of V2X device 2 and the corresponding key VIM_Key2 into the VIM of V2X device 2.
Step 1: V2X device 1 and V2X device 2 negotiate and determine the following:
an application ID;
that V2X device 1 is the device that communicates with the VID authentication entity to complete the device authentication.
Step 2: the V2X device 2 generates a random number 1 and a random number 1'.
Step 3: V2X device 2 provides random number 1 to its VIM, which generates Key2 from VIM_Key2 and random number 1.
And 4, step 4: the V2X device 2 generates an authentication request message 2 as follows:
1) The following information is encrypted with Key2 or a derivative key thereof to generate authentication ciphertext 2. Ciphertext 2 contains:
VID2 of V2X device 2 (VID2 may be omitted from ciphertext 2 if it does not require encryption);
random number 1'.
2) An authentication request message 2 is generated. The message provides integrity protection using a message authentication code. The message authentication code is generated using Key2 or a derivative thereof. The authentication request message 2 includes:
an application ID;
the identification ID of V2X device 2 in the application (if VID2 does not need to be encrypted, the application ID and the identification ID in the application may be replaced by VID2 of V2X device 2);
a random number of 1;
authenticating the ciphertext 2;
a message authentication code.
And 5: the V2X device 2 transmits an authentication request message 2 to the V2X device 1.
Step 6: the V2X device 1 generates a random number 2 and a random number 2'.
Step 7: V2X device 1 provides random number 2 to its VIM, which generates Key1 from VIM_Key1 and random number 2.
And step 8: the V2X device 1 generates an authentication request message 1 as follows:
1) The following information is encrypted with Key1 or a derivative key thereof to generate device authentication ciphertext 1. Ciphertext 1 contains:
VID1 of V2X device 1 (VID1 may be omitted from ciphertext 1 if it does not require encryption);
random number 2'.
2) An authentication request message 1 is generated. The message provides integrity protection using a message authentication code. The message authentication code is generated using Key1 or its derivative Key. The authentication request message 1 includes:
an application ID;
the identification ID of V2X device 1 in the application (if VID1 does not need to be encrypted, the application ID and the identification ID in the application may be replaced by VID1 of V2X device 1);
a random number of 2;
authenticating the ciphertext 1;
authentication request message 2 of V2X device 2;
a message authentication code.
And step 9: the V2X device 1 sends an authentication request message 1 to the VID authentication entity.
Step 10: VID authentication entity verifies authentication request message 1:
1) VID1' is determined from the application ID in authentication request message 1 and the identification ID of V2X device 1 in the application, and the corresponding VIM_Key1' is obtained.
2) The message authentication code is verified with VIM_Key1' or a derivative key thereof.
3) Authentication ciphertext 1 is decrypted with VIM_Key1' or a derivative key thereof to obtain VID1 and random number 2'. If VID1 is the same as VID1', it is verified that V2X device 1 possesses VID1.
Step 11: VID authentication entity verification device authentication request message 2:
1) VID2' is determined from the application ID in the message and the identification ID of V2X device 2 in the application, and the corresponding VIM_Key2' is obtained.
2) The message authentication code is verified with VIM_Key2' or a derivative key thereof.
3) Authentication ciphertext 2 is decrypted with VIM_Key2' or a derivative key thereof to obtain VID2 and random number 1'. If VID2 is the same as VID2', it is verified that V2X device 2 possesses VID2.
Step 12: the VID authentication entity generates an end-to-end communication master Key COMM _ Key and a random number 3.
Step 13: the VID authentication entity generates authentication response message 2, specifically: Key2' is generated from VIM_Key2, random number 1' and random number 3; COMM_Key is confidentiality-protected with Key2' or a derivative key thereof; the resulting ciphertext and random number 3 are then integrity-protected, yielding authentication response message 2.
Step 14: the VID authentication entity generates authentication response message 1, specifically: Key1' is generated from VIM_Key1, random number 2' and random number 3; COMM_Key is confidentiality-protected with Key1' or a derivative key thereof; the ciphertext of COMM_Key, random number 3 and authentication response message 2 are then integrity-protected, yielding authentication response message 1 of the device.
Step 15: the VID authentication entity sends an authentication response message 1 to the V2X device 1.
Step 16: the VIM of V2X device 1 generates Key1' from VIM_Key1, random number 2' and random number 3.
Step 17: V2X device 1 verifies and decrypts authentication response message 1 with Key1' or a derivative key thereof, and obtains COMM_Key and authentication response message 2.
Step 18: V2X device 1 sends authentication response message 2 to V2X device 2.
Step 19: the VIM of V2X device 2 generates Key2' from VIM_Key2, random number 1' and random number 3.
Step 20: V2X device 2 verifies and decrypts authentication response message 2 with Key2' or a derivative key thereof, and obtains COMM_Key.
Step 21: the V2X device 1 and the V2X device 2 establish a security association, and may complete subsequent security operations using the Key COMM _ Key, for example, implementing PSK TLS security association using COMM _ Key, or implementing integrity and/or confidentiality protection of data directly using COMM _ Key or its derivative Key.
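The following is an added worked example of the exchange in steps 0 to 21 above (it also instantiates the generic steps 201 to 203 and 401 to 402, in the form of request content (3) with the VID carried inside the ciphertext); it is not code from the patent or its applicant. The patent does not name the cipher, message authentication code or key derivation function, so the example assumes HMAC-SHA256 for key derivation and for the message authentication code, and an HMAC-SHA256 counter-mode keystream as a stand-in for the confidentiality algorithm (a deployment would use an AEAD such as AES-GCM instead). The JSON field names, the 16-byte random numbers, the 32-byte COMM_Key and the lookup of the VID by (application ID, identification ID in the application) are likewise assumptions made for illustration; all keys and VIDs are constructed locally.

```python
"""Added example, not from the patent: steps 0-21 (and generic steps 201-203,
401-402) run end to end with only the Python standard library. The patent does
not name the cipher, MAC or key derivation, so these are assumptions: HMAC-SHA256
derives keys and computes MACs; an HMAC-SHA256 keystream (XOR) stands in for the
cipher; field names and message layout are assumed as well."""
import hashlib, hmac, json, secrets

def encode(d): return json.dumps(d, sort_keys=True).encode()

def kdf(key, *parts):
    """Key = f(VIM_Key, random numbers), assumed to be HMAC-SHA256 over the inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def mac(key, data):
    """Message authentication code under a derivative key of `key`."""
    return hmac.new(kdf(key, b"mac"), data, hashlib.sha256).digest()

def xcrypt(key, data):
    """Encrypt/decrypt under a derivative key of `key` (stand-in for the unnamed cipher)."""
    ek, out = kdf(key, b"enc"), bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(ek, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class VIM:
    """Security module in the V2X device: holds VID and VIM_Key, exports only derived keys."""
    def __init__(self, vid, vim_key):
        self.vid, self._key = vid, vim_key
    def derive(self, *nonces):
        return kdf(self._key, *nonces)

class VAA:
    """VID authentication entity: provisions VIMs (step 0) and performs steps 10-14."""
    def __init__(self):
        self.db = {}  # (application ID, identification ID in the application) -> (VID, VIM_Key)
    def provision(self, app, dev_id, vid):
        key = secrets.token_bytes(32)
        self.db[(app, dev_id)] = (vid, key)
        return VIM(vid, key)
    def verify_request(self, req):
        """Look up VID' and VIM_Key', verify the MAC, decrypt, check that VID equals VID'."""
        rec = self.db.get((req["app"], req["id"]))
        if rec is None: raise ValueError("unknown device")
        vid_p, vim_key = rec
        key = kdf(vim_key, bytes.fromhex(req["rand"]))
        body = {k: v for k, v in req.items() if k != "mac"}
        if not hmac.compare_digest(mac(key, encode(body)), bytes.fromhex(req["mac"])):
            raise ValueError("bad MAC")
        pt = xcrypt(key, bytes.fromhex(req["ct"]))  # VID || r'
        if pt[:-16].decode() != vid_p: raise ValueError("VID mismatch")
        return vim_key, pt[-16:]
    def build_response(self, vim_key, rand_p, comm_key, rand3, nested=None):
        """Key' = f(VIM_Key, r', random number 3); encrypt COMM_Key; MAC over ct, r3, nested."""
        key_p = kdf(vim_key, rand_p, rand3)
        body = {"rand3": rand3.hex(), "ct": xcrypt(key_p, comm_key).hex(), "nested": nested}
        body["mac"] = mac(key_p, encode(body)).hex()
        return body
    def handle(self, req1):
        """Verify request 1 and the request 2 it carries; return response 1 carrying response 2."""
        k1, r2p = self.verify_request(req1)
        k2, r1p = self.verify_request(req1["nested"])
        comm_key, rand3 = secrets.token_bytes(32), secrets.token_bytes(16)  # step 12
        resp2 = self.build_response(k2, r1p, comm_key, rand3)
        return self.build_response(k1, r2p, comm_key, rand3, nested=resp2)

def build_request(vim, app, dev_id, nested=None):
    """Device side of steps 2-4 / 6-8: r goes to the VIM; VID and r' are encrypted under Key."""
    rand, rand_p = secrets.token_bytes(16), secrets.token_bytes(16)
    key = vim.derive(rand)
    body = {"app": app, "id": dev_id, "rand": rand.hex(),
            "ct": xcrypt(key, vim.vid.encode() + rand_p).hex(), "nested": nested}
    body["mac"] = mac(key, encode(body)).hex()  # integrity also covers the nested request
    return body, rand_p

def open_response(vim, rand_p, resp):
    """Device side of steps 16-17 / 19-20: derive Key' in the VIM, verify, decrypt COMM_Key."""
    key_p = vim.derive(rand_p, bytes.fromhex(resp["rand3"]))
    body = {k: v for k, v in resp.items() if k != "mac"}
    if not hmac.compare_digest(mac(key_p, encode(body)), bytes.fromhex(resp["mac"])):
        raise ValueError("bad MAC")
    return xcrypt(key_p, bytes.fromhex(resp["ct"])), resp["nested"]

def run_exchange():
    """Steps 0-21: both devices end up holding the same COMM_Key."""
    vaa = VAA()
    vim1, vim2 = vaa.provision("appA", "dev1", "VID1"), vaa.provision("appA", "dev2", "VID2")
    req2, r1p = build_request(vim2, "appA", "dev2")                # steps 2-5
    req1, r2p = build_request(vim1, "appA", "dev1", nested=req2)   # steps 6-9
    resp1 = vaa.handle(req1)                                       # steps 10-15
    ck1, resp2 = open_response(vim1, r2p, resp1)                   # steps 16-18
    ck2, _ = open_response(vim2, r1p, resp2)                       # steps 19-20
    return ck1 == ck2 and len(ck1) == 32

def tampered_nested_rejected():
    """A relaying device that alters request 2 before embedding it is caught by request 2's MAC."""
    vaa = VAA()
    vim1, vim2 = vaa.provision("appA", "dev1", "VID1"), vaa.provision("appA", "dev2", "VID2")
    req2, _ = build_request(vim2, "appA", "dev2")
    ct = bytearray.fromhex(req2["ct"]); ct[0] ^= 1; req2["ct"] = ct.hex()
    req1, _ = build_request(vim1, "appA", "dev1", nested=req2)  # device 1 MACs the altered copy
    try:
        vaa.handle(req1)
        return False
    except ValueError as e:
        return str(e) == "bad MAC"
```

Calling run_exchange() returns True once both VIMs have independently derived Key1' and Key2' and decrypted the same COMM_Key; tampered_nested_rejected() shows why the nested request keeps its own message authentication code: V2X device 1 relays request 2 but does not hold VIM_Key2, so any change it makes to request 2 is detected by the VID authentication entity in step 11 even though request 1's own code verifies. The VIM class keeps VIM_Key private and only hands out derived keys, mirroring the role the patent assigns to the identification card.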
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized.
As shown in fig. 4, an embodiment of the present application further provides a device authentication method for a vehicle networking device, which is applied to a VID authentication entity, and includes:
step 401, the VID authentication entity receives a first authentication request message sent by a first device, where the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key and a first random number of the first device.
The VID authentication entity sends a first VIM key and a first VID for a first device to the first device. The first equipment generates a first secret key according to the first VIM secret key and a first random number, encrypts a second random number by using the first secret key to obtain a first ciphertext, generates a first authentication request message according to the first ciphertext, and sends the first authentication request message to the VID authentication entity.
The first authentication request message may be directly sent by the first device, or the first device may send the first authentication request message to another vehicle network device, and the other vehicle network device sends the first authentication request message to the VID authentication entity.
Step 402, the VID authentication entity generates a first authentication response message from the first authentication request message when the first authentication request message passes verification; the first authentication request message includes the first VID of the first device or information related to the first VID.
After receiving the first authentication request message, the VID authentication entity verifies it, generates a first authentication response message from it when verification passes, and sends the first authentication response message to the first device.
The VID authentication entity verifies the first authentication request message according to the first VID in the first authentication request message or the related information of the first VID.
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized.
Specifically, the first authentication request message may further include: the first cipher text, the first message authentication code and the first random number; the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
The first device generates a first random number and a second random number, and encrypts the second random number by using the first key to generate the first ciphertext. The first message authentication code provides integrity protection for the first authentication request message and is generated by using the first key or a derivative key of the first key.
The first VID may exist in an encrypted form or a plaintext form in the first authentication request message; alternatively, the first authentication request message may not include the first VID, but may include information related to the first VID. When the first VID exists in the form of a pseudonym in the first authentication request message, the first VID is included in the first ciphertext. Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID. The content of the first authentication request message is one of:
(1) The first authentication request message includes: the first VID, the first ciphertext, the first message authentication code, and the first random number, where the first VID is not encrypted.
(2) The first authentication request message includes: the first cipher text, the first message authentication code and the first random number. Wherein the first ciphertext comprises the first VID, and the first VID and the second random number are encrypted by using the first key to obtain the first ciphertext.
(3) The first authentication request message includes: information related to the first VID, the first ciphertext, the first message authentication code and the first random number, where the first ciphertext may include the encrypted first VID.
Optionally, after receiving the first authentication request message sent by the first device, the method further includes: verifying the first authentication request message; and generating a communication master key and a fifth random number in the case that the first authentication request message is verified.
Specifically, the verifying the first authentication request message may include: determining a first VID according to the first authentication request message; determining a first VIM key according to the first VID; verifying the first message authentication code using the first VIM key; and determining that the first authentication request message is verified under the condition that the first message authentication code is verified.
In this embodiment, the VID authentication entity retrieves the corresponding first VID from the database according to the first VID in the first authentication request message or the related information of the first VID, and if the corresponding first VID is not retrieved, it is determined that the first authentication request message fails to be verified; if the first VID is retrieved, determining a first VIM key according to the first VID, verifying the first message authentication code by using the first VIM key or a derivative key thereof, and if the verification is successful, determining that the first authentication request message is successfully authenticated.
Optionally, the generating a first authentication response message according to the first authentication request message when the first authentication request message is verified includes: determining a first VID according to the first authentication request message; determining a first VIM key according to the first VID; generating a first key according to the first VIM key and the first random number; decrypting the first ciphertext by using the first key to obtain a second random number; generating a third key according to the first VIM key, the second random number and the fifth random number; encrypting the communication master key by using the third key to generate a third ciphertext; and generating the first authentication response message using the third ciphertext and the fifth random number.
In this embodiment, the VID authentication entity decrypts the first ciphertext using the first VIM key or a derivative key thereof. If the first ciphertext includes the first VID, decryption yields the first VID and the second random number, and if the decrypted first VID is the same as the first VID retrieved from the database, the VID authentication entity determines that the first device owns the first VID.
The VID authentication entity randomly generates a communication master key and a fifth random number. Specifically, the VID authentication entity generates a third key by using the first VIM key, the second random number and the fifth random number, encrypts the communication master key by using the third key or a derivative key thereof to obtain a third ciphertext, and applies integrity protection to the third ciphertext and the fifth random number to obtain the first authentication response message, which it then sends to the first device.
It should be noted that the first authentication request message may further include a second authentication request message of the second device. In the case where the first authentication request message comprises a second authentication request message, the VID authentication entity also needs to verify the second authentication request message and generate a second authentication response message. The second authentication response message is sent to the first device together with the first authentication response message, and the first device sends the second authentication response message to the second device. The following is a description by way of specific examples.
Specifically, the first authentication request message may further include: a second authentication request message of the second device; the second authentication request message includes: a second VID for a second device or information related to the second VID.
Wherein the second authentication request message further comprises: a second ciphertext, a second message authentication code, and a third random number; the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key. It should be noted that a manner of generating the second authentication request message by the second device is similar to the method of generating the first authentication request message by the first device, and details are not repeated here.
As an optional embodiment, if the first authentication request message further includes the second authentication request message, the VID authentication entity authenticates the second authentication request message. Optionally, before generating the communication master key and the fifth random number, the method further comprises: verifying the second authentication request message. Specifically, the verifying the second authentication request message includes: determining a second VID according to the second authentication request message; determining a second VIM key according to the second VID; verifying the second message authentication code using the second VIM key; and determining that the second authentication request message is verified under the condition that the second message authentication code is verified.
In this embodiment, the VID authentication entity retrieves a corresponding second VID from a database according to the second VID in the second authentication request message or the related information of the second VID, and if the corresponding second VID is not retrieved, it is determined that the second authentication request message fails to be verified; and if the second VID is retrieved, determining a second VIM key according to the second VID, verifying the second message authentication code by using the second VIM key or a derivative key thereof, and if the verification is successful, determining that the second authentication request message is successfully authenticated.
The VID authentication entity decrypts the second ciphertext using the second VIM key or a derivative key thereof. If the second ciphertext includes the second VID, decryption yields the second VID and the fourth random number, and if the decrypted second VID is the same as the second VID retrieved from the database, the VID authentication entity determines that the second device owns the second VID.
Optionally, before generating the first authentication response message according to the first authentication request message, the method further comprises: generating a second authentication response message of the second device according to the second authentication request message; the first authentication response message further includes: the second authentication response message.
After the VID authentication entity successfully verifies the second authentication request message, it generates a second authentication response message, which is carried in the first authentication response message of the first device. Specifically, the second authentication response message includes: a fourth ciphertext and the fifth random number. Specifically, the generating a second authentication response message of the second device according to the second authentication request message may include: determining a second VID according to the second authentication request message; determining a second VIM key based on the second VID; generating a second key according to the second VIM key and the third random number; decrypting the second ciphertext by using the second key to obtain a fourth random number; generating a fourth key according to the second VIM key, the fourth random number and the fifth random number; encrypting the communication master key by using the fourth key to generate a fourth ciphertext; and generating the second authentication response message using the fourth ciphertext and the fifth random number.
Optionally, the method further comprises: sending the first authentication response message to the first device. The first device sends a second authentication response message to the second device in case the first authentication response message comprises the second authentication response message.
After the first device obtains the first authentication response message, the first device obtains a communication master key according to the first authentication response message and can complete subsequent security operations according to the communication master key; likewise, after the second device obtains the second authentication response message, the second device obtains the communication master key according to the second authentication response message and can complete subsequent security operations according to the communication master key. For example, a PSK TLS security association may be established by using the communication master key, or the communication master key or a derivative key thereof may be used directly to provide data integrity and/or confidentiality protection.
As an optional embodiment, the sending the first authentication response message to the first device includes: sending the first authentication response message to a third device, which then sends the first authentication response message to the first device.
In this embodiment, when sending the first authentication response message to the first device, the VID authentication entity may send the first authentication response message to a vehicle networking device other than the first device, which then forwards the first authentication response message to the first device. Correspondingly, the first authentication request message may also reach the VID authentication entity through the third device: the receiving the first authentication request message sent by the first device may include receiving a first authentication request message sent by the first device through a third device.
It should be noted that a manner in which the first authentication response message is carried by the third authentication response message of the third device is similar to a manner in which the first authentication response message of the first device carries the second authentication response message of the second device, and is not described herein again.
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized. It should be noted that, in the foregoing embodiment of the method for authenticating a device in an internet of vehicles applied to a first device, functions and steps implemented by the VID authentication entity are all applicable to this embodiment of the method for authenticating a VID, and are not described herein again.
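As an added example, not code from the patent, the following Python model walks through steps 401 and 402 above, including the optional case where the second device's request and response are relayed through the first device. The patent fixes none of the primitives or message layouts, so the KDF and message authentication code (HMAC-SHA256), the symmetric cipher (an HMAC-keystream XOR placeholder), the dict-based message fields and the VID database contents are all assumptions.

```python
# Model of the VID authentication exchange; added example, not the patent's code.
import hashlib
import hmac
import os

# Constructed VID database held by the VID authentication entity: VID -> VIM key.
VIM_DB = {
    b"VID-0001": hashlib.sha256(b"constructed vim key 1").digest(),
    b"VID-0002": hashlib.sha256(b"constructed vim key 2").digest(),
}


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Derive a session key from a VIM key and one or more random numbers (assumed KDF)."""
    return hmac.new(key, b"kdf" + b"".join(parts), hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def xcrypt(key: bytes, data: bytes) -> bytes:
    """Placeholder cipher: XOR with an HMAC keystream; each key encrypts one message only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, b"enc" + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def serialize(req: dict) -> bytes:
    """Bytes covered by the request MAC: VID, r1, ciphertext and any relayed request."""
    parts = [req["vid"], req["r1"], req["c1"]]
    if req["nested"] is not None:
        parts.append(serialize(req["nested"]) + req["nested"]["mac"])
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def build_request(vid: bytes, vim_key: bytes, nested=None):
    """Device side of step 401 (case (1), VID in plaintext); also returns r2 for later."""
    r1, r2 = os.urandom(16), os.urandom(16)
    k1 = kdf(vim_key, r1)                      # first key = KDF(VIM key, r1)
    req = {"vid": vid, "r1": r1, "c1": xcrypt(k1, r2), "nested": nested}
    req["mac"] = mac(k1, serialize(req))       # first message authentication code
    return req, r2


def verify_request(db: dict, req: dict):
    """Entity side: look up VID, rebuild K1, check MAC, recover r2; None on failure."""
    vim_key = db.get(req["vid"])
    if vim_key is None:
        return None
    k1 = kdf(vim_key, req["r1"])
    if not hmac.compare_digest(mac(k1, serialize(req)), req["mac"]):
        return None
    return vim_key, xcrypt(k1, req["c1"])


def build_response(vim_key: bytes, r_dev: bytes, r5: bytes, master: bytes) -> dict:
    k3 = kdf(vim_key, r_dev, r5)               # third (or fourth) key
    c3 = xcrypt(k3, master)                    # communication master key, encrypted
    return {"c3": c3, "r5": r5, "mac": mac(k3, c3 + r5), "nested": None}


def handle_request(db: dict, req: dict) -> dict:
    """Step 402: verify first (and any relayed second) request, then issue the master key."""
    first = verify_request(db, req)
    if first is None:
        raise ValueError("first authentication request failed verification")
    second = None
    if req["nested"] is not None:
        second = verify_request(db, req["nested"])
        if second is None:
            raise ValueError("second authentication request failed verification")
    master, r5 = os.urandom(32), os.urandom(16)
    resp = build_response(*first, r5, master)
    if second is not None:
        resp["nested"] = build_response(*second, r5, master)
    return resp


def recover_master_key(vim_key: bytes, r_dev: bytes, resp: dict) -> bytes:
    """Device side on receiving its response: rebuild K3, check integrity, decrypt."""
    k3 = kdf(vim_key, r_dev, resp["r5"])
    if not hmac.compare_digest(mac(k3, resp["c3"] + resp["r5"]), resp["mac"]):
        raise ValueError("authentication response failed integrity check")
    return xcrypt(k3, resp["c3"])


def run_exchange():
    """Second device relays via the first; both must end with the same master key."""
    req2, r4 = build_request(b"VID-0002", VIM_DB[b"VID-0002"])
    req1, r2 = build_request(b"VID-0001", VIM_DB[b"VID-0001"], nested=req2)
    resp1 = handle_request(VIM_DB, req1)
    m1 = recover_master_key(VIM_DB[b"VID-0001"], r2, resp1)
    m2 = recover_master_key(VIM_DB[b"VID-0002"], r4, resp1["nested"])
    return m1, m2
```

Note that the MAC is checked before any decryption and that an unknown VID or a tampered ciphertext rejects the request without issuing a key, which is the ordering the verification steps above describe.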
The above embodiments describe the device authentication method of the present invention; the embodiments are further described below with reference to the accompanying drawings.
Specifically, as shown in fig. 5, an embodiment of the present invention provides an authentication apparatus 500 for a vehicle networking device, which is applied to a first device, and includes:
a first generating unit 510, configured to generate a first key according to a first vehicle networking device identifier VIM key of the first device and a first random number;
a second generating unit 520 for generating a first authentication request message using the first key;
a first sending unit 530, configured to send the first authentication request message to a device identifier VID authentication entity in the internet of vehicles;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code, and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information about a first VID, the first ciphertext includes the first VID.
Optionally, the apparatus further comprises:
a second receiving unit, configured to receive a second authentication request message sent by a second device; the second authentication request message includes: a second VID of a second device or information related to the second VID;
the second generating unit 520 is specifically configured to: generating the first authentication request message using the first key and the second authentication request message.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the first sending unit 530 is specifically configured to: send the first authentication request message to a third device, which then sends the first authentication request message to the VID authentication entity.
Optionally, the apparatus further comprises:
a third receiving unit, configured to receive a first authentication response message sent by a VID authentication entity, where the first authentication response message includes: a third ciphertext and a fifth random number;
and the first acquisition unit is used for acquiring the communication master key according to the first authentication response message.
Optionally, the first obtaining unit includes:
a first generation subunit, configured to generate a third key according to the first VIM key, the second random number, and the fifth random number;
and the first processing subunit is configured to perform decryption processing on the third ciphertext by using the third key, so as to obtain the communication master key.
Optionally, the first authentication response message further includes: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, the fourth random number, and the fifth random number.
Optionally, the apparatus further comprises:
a second sending unit, configured to send the second authentication response message to the second device.
Optionally, the third receiving unit is specifically configured to: receive a first authentication response message sent by the VID authentication entity through a third device.
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized.
It should be noted that the apparatus provided in the embodiment of the present invention can implement all the method steps implemented in the method embodiment applied to the first device, and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are not repeated here.
Specifically, as shown in fig. 6, an embodiment of the present invention provides a device authentication apparatus 600 for vehicle networking, which is applied to a VID authentication entity, and includes:
a first receiving unit 610, configured to receive a first authentication request message sent by a first device, where the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
a third generating unit 620, configured to generate a first authentication response message according to the first authentication request message if the first authentication request message passes verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: the first cipher text, the first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information related to a first VID, the first ciphertext includes the first VID.
Optionally, the apparatus further comprises:
a first verification unit configured to verify the first authentication request message;
a fourth generation unit configured to generate a communication master key and a fifth random number in a case where the first authentication request message is verified.
Optionally, the first verification unit includes:
a first determining subunit, configured to determine a first VID according to the first authentication request message;
a second determining subunit, configured to determine a first VIM key according to the first VID;
a first verification subunit, configured to verify the first message authentication code by using the first VIM key;
a third determining subunit, configured to determine that the first authentication request message is verified if the first message authentication code is verified.
Optionally, the third generating unit 620 includes:
a fourth determining subunit, configured to determine the first VID according to the first authentication request message;
a fifth determining subunit, configured to determine a first VIM key according to the first VID;
a second generation subunit, configured to generate a first key according to the first VIM key and the first random number;
the second processing subunit is configured to decrypt the first ciphertext by using the first key to obtain a second random number;
a third generation subunit, configured to generate a third key according to the first VIM key, the second random number, and the fifth random number;
the third processing subunit is configured to perform encryption processing on the communication master key by using the third key to generate a third ciphertext;
a fourth generating subunit, configured to generate the first authentication response message using the third ciphertext and the fifth random number.
Optionally, the first authentication request message further includes: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the apparatus further comprises:
a fifth generating unit, configured to generate a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further comprises: the second authentication response message.
Optionally, the fifth generating unit includes:
a sixth determining subunit, configured to determine a second VID according to the second authentication request message;
a seventh determining subunit, configured to determine a second VIM key according to the second VID;
a fifth generation subunit, configured to generate a second key according to a second VIM key and the third random number;
a fourth processing subunit, configured to decrypt the second ciphertext with the second key to obtain a fourth random number;
a sixth generation subunit, configured to generate a fourth key according to the second VIM key, the fourth random number, and the fifth random number;
a fifth processing subunit, configured to perform encryption processing on the communication master key by using the fourth key, and generate a fourth ciphertext;
a seventh generating subunit, configured to generate the second authentication response message using the fourth ciphertext and the fifth random number.
Optionally, the apparatus further comprises:
a second verification unit configured to verify the second authentication request message.
Optionally, the second verification unit includes:
an eighth determining subunit, configured to determine a second VID according to the second authentication request message;
a ninth determining subunit, configured to determine a second VIM key according to the second VID;
a second verification subunit, configured to verify the second message authentication code by using the second VIM key;
a tenth determining subunit, configured to determine that the second authentication request message is verified if the second message authentication code is verified.
Optionally, the first receiving unit is specifically configured to: receive a first authentication request message sent by the first device through a third device.
Optionally, the apparatus further comprises:
a third sending unit, configured to send the first authentication response message to the first device.
Optionally, the third sending unit is specifically configured to: sending the first authentication response message to the first device.
According to the embodiment of the invention, the authentication and the safe communication between the vehicle network equipment and the VID authentication entity are completed based on the VIM safety mechanism and the vehicle networking equipment identification VID, a brand-new vehicle network equipment authentication scheme is provided, and safe and effective equipment authentication can be realized.
It should be noted that, the apparatus provided in the embodiment of the present invention can implement all the method steps implemented in the method embodiment applied to the VID authentication entity, and can achieve the same technical effect, and details of the same parts and beneficial effects as those in the method embodiment in this embodiment are not described herein again.
It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a processor readable storage medium. Based on such understanding, the technical solution of the present application, in essence or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
As shown in fig. 7, an embodiment of the present invention further provides a device for authenticating a vehicle networking device, which is applied to a first device, and includes: memory 720, transceiver 700, processor 710; a memory 720 for storing a computer program; a transceiver 700 for transceiving data under the control of the processor 710;
a processor 710 for reading the computer program in the memory and performing the following operations:
generating a first key according to a first vehicle networking equipment identification card (VIM) key of the first equipment and a first random number;
generating a first authentication request message using the first key;
sending the first authentication request message to a vehicle networking device identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code, and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in a case that the first authentication request message includes information about a first VID, the first ciphertext includes the first VID.
Optionally, the processor 710 is further configured to:
receiving a second authentication request message sent by a second device; the second authentication request message includes: a second VID of the second device or information related to the second VID;
the generating a first authentication request message using the first key includes:
generating the first authentication request message using the first key and the second authentication request message.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number by using a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the sending the first authentication request message to the VID authentication entity includes:
sending the first authentication request message to a third device, which then sends the first authentication request message to the VID authentication entity.
Optionally, the processor 710 is configured to read the computer program in the memory and perform the following operations:
receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number;
and obtaining a communication master key according to the first authentication response message.
Optionally, the obtaining a communication master key according to the first authentication response message includes:
generating a third key according to the first VIM key, the second random number and the fifth random number;
and decrypting the third ciphertext by using the third key to obtain the communication master key.
Optionally, the first authentication response message further includes: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, the fourth random number, and the fifth random number.
Optionally, the processor 710 is configured to read the computer program in the memory and perform the following operations:
sending the second authentication response message to the second device.
Optionally, the receiving a first authentication response message sent by the VID authentication entity includes:
receiving a first authentication response message sent by the VID authentication entity through a third device.
According to this embodiment of the invention, authentication and secure communication between the Internet of Vehicles device and the VID authentication entity are completed on the basis of the VIM security mechanism and the Internet of Vehicles device identifier (VID). This provides a new Internet of Vehicles device authentication scheme with which secure and effective device authentication can be achieved.
In fig. 7, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 710, and various circuits, represented by memory 720, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 700 may be a plurality of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 710 is responsible for managing the bus architecture and general processing, and the memory 720 may store data used by the processor 710 in performing operations.
The processor 710 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD), and may also have a multi-core architecture.
It should be noted that the Internet of Vehicles authentication apparatus provided in this embodiment of the present invention can implement all the method steps of the method embodiment applied to the first device and can achieve the same technical effect; the parts and beneficial effects that are the same as those of the method embodiment are not described here again.
As shown in fig. 8, an embodiment of the present invention further provides an apparatus for authenticating an Internet of Vehicles device, applied to a VID authentication entity, which includes a memory 820, a transceiver 800 and a processor 810: the memory 820 is configured to store a computer program; the transceiver 800 is configured to transmit and receive data under the control of the processor 810;
a processor 810 for reading the computer program in the memory and performing the following operations:
receiving a first authentication request message sent by a first device, wherein the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
under the condition that the first authentication request message passes the verification, generating a first authentication response message according to the first authentication request message;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
Optionally, the first authentication request message further includes: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
Optionally, in the case that the first authentication request message includes information related to the first VID, the first ciphertext includes the first VID.
Optionally, the processor 810 is further configured to:
verifying the first authentication request message;
and generating a communication master key and a fifth random number in the case that the first authentication request message is verified.
Optionally, the verifying the first authentication request message includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
verifying the first message authentication code using the first VIM key;
determining that the first authentication request message is verified when the first message authentication code is verified.
Optionally, the generating a first authentication response message according to the first authentication request message when the first authentication request message is verified includes:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
generating a first key according to the first VIM key and the first random number;
decrypting the first ciphertext by using the first key to obtain a second random number;
generating a third key according to the first VIM key, the second random number and the fifth random number;
encrypting the communication master key by using the third key to generate a third ciphertext;
generating the first authentication response message using the third ciphertext and the fifth random number.
Optionally, the first authentication request message further includes: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
Optionally, the second authentication request message further includes: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number by using a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
Optionally, the processor 810 is further configured to:
generating a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further comprises: the second authentication response message.
Optionally, the generating a second authentication response message of the second device according to the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
generating a second key according to a second VIM key and the third random number;
decrypting the second ciphertext by using the second key to obtain a fourth random number;
generating a fourth key according to the second VIM key, the fourth random number and the fifth random number;
encrypting the communication master key by using the fourth key to generate a fourth ciphertext;
generating the second authentication response message using the fourth ciphertext and the fifth random number.
Optionally, the processor 810 is further configured to:
verifying the second authentication request message.
Optionally, the verifying the second authentication request message includes:
determining a second VID according to the second authentication request message;
determining a second VIM key based on the second VID;
verifying the second message authentication code using the second VIM key;
determining that the second authentication request message is verified when the second message authentication code is verified.
Optionally, the receiving a first authentication request message sent by a first device includes:
receiving the first authentication request message that the first device sends through a third device.
Optionally, the processor 810 is further configured to:
sending the first authentication response message to the first device.
Optionally, the sending the first authentication response message to the first device includes:
sending the first authentication response message to a third device, which forwards the first authentication response message to the first device.
According to this embodiment of the invention, authentication and secure communication between the Internet of Vehicles device and the VID authentication entity are completed on the basis of the VIM security mechanism and the Internet of Vehicles device identifier (VID). This provides a new Internet of Vehicles device authentication scheme with which secure and effective device authentication can be achieved.
In fig. 8, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 810, and various circuits, represented by memory 820, being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 800 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 810 is responsible for managing the bus architecture and general processing, and the memory 820 may store data used by the processor 810 in performing operations.
The processor 810 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD), and may also have a multi-core architecture.
It should be noted that the Internet of Vehicles authentication apparatus provided in this embodiment of the present invention can implement all the method steps of the method embodiment applied to the VID authentication entity and can achieve the same technical effect; the parts and beneficial effects that are the same as those of the method embodiment are not described here again.
In addition, a processor-readable storage medium is provided, on which a computer program is stored; when the program is executed by a processor, it implements the steps of the Internet of Vehicles device authentication method described above and achieves the same technical effect, which is not repeated here. The readable storage medium can be any available medium or data storage device that can be accessed by a processor, including but not limited to magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), solid state disks (SSDs)), etc.
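As an added illustration (not code from the patent or its assignee), the following Python model runs the exchange described for the first device (processor 710, above) and the VID authentication entity (processor 810), including a second device's request carried inside the first device's request, as the claims below also recite. It assumes HMAC-SHA256 for key derivation and the message authentication codes, a labelled stand-in stream cipher because the page names no cipher, 16-byte random numbers, a 32-byte communication master key, and that each MAC covers the VID, the ciphertext and the clear random number; the VIDs and the VID-to-VIM-key registry are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16   # length of every "random number" in this model (assumption)


def kdf(vim_key: bytes, label: bytes, *nonces: bytes) -> bytes:
    """Derive a per-exchange key from a VIM key and random numbers (HMAC-SHA256 as PRF)."""
    return hmac.new(vim_key, label + b"".join(nonces), hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """Message authentication code over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption; the patent names none): XOR with an HMAC-SHA256
    counter-mode keystream. Every key is used for one message only. Encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Device:
    def __init__(self, vid: bytes, vim_key: bytes):
        self.vid, self.vim_key = vid, vim_key
        self.n_enc = b""   # the random number this device sent encrypted (second/fourth)

    def make_request(self, nested: Optional[dict] = None) -> dict:
        n_clear = os.urandom(NONCE_LEN)      # first/third random number, sent in clear
        self.n_enc = os.urandom(NONCE_LEN)   # second/fourth random number, sent encrypted
        k_req = kdf(self.vim_key, b"req", n_clear)   # first/second key
        ct = crypt(k_req, self.n_enc)                 # first/second ciphertext
        # Assumption: the MAC covers VID, ciphertext and clear random number; the
        # patent says only that it is "generated according to" the key.
        req = {"vid": self.vid, "ct": ct, "n": n_clear, "mac": mac(k_req, self.vid, ct, n_clear)}
        if nested is not None:
            req["nested"] = nested   # the second device's request, carried by the first device
        return req

    def handle_response(self, resp: dict) -> bytes:
        """Third/fourth key from VIM key, own encrypted random number and fifth random number."""
        k_resp = kdf(self.vim_key, b"resp", self.n_enc, resp["n5"])
        return crypt(k_resp, resp["ct"])   # the communication master key


class VidAuthEntity:
    def __init__(self, registry: dict):
        self.registry = registry   # VID -> VIM key (constructed provisioning data)

    def _verify(self, req: dict) -> Optional[Tuple[bytes, bytes]]:
        """Return (VIM key, recovered random number), or None when the MAC check fails."""
        vim_key = self.registry.get(req["vid"])
        if vim_key is None:
            return None
        k_req = kdf(vim_key, b"req", req["n"])
        if not hmac.compare_digest(mac(k_req, req["vid"], req["ct"], req["n"]), req["mac"]):
            return None
        return vim_key, crypt(k_req, req["ct"])

    def handle_request(self, req: dict) -> Optional[Tuple[dict, bytes]]:
        """Verify every carried request first; only then generate and distribute a master key."""
        first = self._verify(req)
        second = self._verify(req["nested"]) if "nested" in req else None
        if first is None or ("nested" in req and second is None):
            return None   # reject without issuing anything
        master, n5 = os.urandom(32), os.urandom(NONCE_LEN)   # master key, fifth random number

        def respond(vim_key: bytes, n_dev: bytes) -> dict:
            k_resp = kdf(vim_key, b"resp", n_dev, n5)         # third/fourth key
            return {"ct": crypt(k_resp, master), "n5": n5}    # third/fourth ciphertext
        # The patent specifies no authenticator on the response; a deployment would add one.
        resp = respond(*first)
        if second is not None:
            resp["nested"] = respond(*second)
        return resp, master


def run_exchange() -> Tuple[bytes, bytes, bytes]:
    """Relayed exchange; returns (issued master key, first device's copy, second device's copy)."""
    registry = {b"VID-0001": os.urandom(32), b"VID-0002": os.urandom(32)}   # constructed
    entity = VidAuthEntity(registry)
    dev1, dev2 = Device(b"VID-0001", registry[b"VID-0001"]), Device(b"VID-0002", registry[b"VID-0002"])
    req = dev1.make_request(nested=dev2.make_request())   # the third-device relay is a pass-through
    resp, master = entity.handle_request(req)
    return master, dev1.handle_response(resp), dev2.handle_response(resp["nested"])


def tampered_request_is_rejected() -> bool:
    """Flipping one bit of the first ciphertext in transit must fail the MAC check."""
    registry = {b"VID-0001": os.urandom(32)}
    req = Device(b"VID-0001", registry[b"VID-0001"]).make_request()
    req["ct"] = bytes([req["ct"][0] ^ 1]) + req["ct"][1:]
    return VidAuthEntity(registry).handle_request(req) is None
```

Because the entity verifies both MACs before generating the master key and the fifth random number, a request it rejects produces no key material at all, which is the ordering the verification steps above prescribe.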
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer-executable instructions. These computer-executable instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These processor-executable instructions may also be stored in a processor-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These processor-executable instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (55)

1. A vehicle networking device authentication method is characterized by comprising the following steps:
a first device generates a first key according to a first vehicle networking device identification card (VIM) key of the first device and a first random number;
the first device generates a first authentication request message by using the first key;
the first device sends the first authentication request message to a vehicle networking device identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
2. The method of claim 1, wherein the first authentication request message further comprises: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
3. The method of claim 2, wherein the first ciphertext comprises the first VID in the case that the first authentication request message comprises information related to the first VID.
4. The method of claim 1, wherein prior to generating the first authentication request message using the first key, the method further comprises:
receiving a second authentication request message sent by a second device; the second authentication request message includes: a second VID of the second device or information related to the second VID;
the generating a first authentication request message using the first key comprises:
generating the first authentication request message using the first key and the second authentication request message.
5. The method of claim 4, wherein the second authentication request message further comprises: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number by using a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
6. The method of claim 1, wherein sending the first authentication request message to a VID authentication entity comprises:
sending the first authentication request message to a third device, which forwards the first authentication request message to the VID authentication entity.
7. The method of claim 1, further comprising:
receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number;
and acquiring a communication master key according to the first authentication response message.
8. The method of claim 7, wherein obtaining a communication master key according to the first authentication response message comprises:
generating a third key according to the first VIM key, the second random number and the fifth random number;
and decrypting the third ciphertext by using the third key to obtain the communication master key.
9. The method of claim 7, wherein the first authentication response message further comprises: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, a fourth random number, and the fifth random number.
10. The method of claim 9, further comprising:
sending the second authentication response message to the second device.
11. The method of claim 7, wherein receiving the first authentication response message sent by the VID authentication entity comprises:
receiving the first authentication response message that the VID authentication entity sends through a third device.
12. A vehicle networking device authentication method is characterized by comprising the following steps:
a VID authentication entity receives a first authentication request message sent by a first device, wherein the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
the VID authentication entity generates a first authentication response message according to the first authentication request message under the condition that the first authentication request message passes the verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
13. The method of claim 12, wherein the first authentication request message further comprises: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
14. The method of claim 13, wherein the first ciphertext comprises the first VID in the case that the first authentication request message comprises information related to the first VID.
15. The method of claim 13, wherein after receiving the first authentication request message sent by the first device, the method further comprises:
verifying the first authentication request message;
and generating a communication master key and a fifth random number in the case that the first authentication request message is verified.
16. The method of claim 15, wherein the verifying the first authentication request message comprises:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
verifying the first message authentication code using the first VIM key;
and determining that the first authentication request message is verified under the condition that the first message authentication code is verified.
17. The method according to claim 15, wherein the generating a first authentication response message according to the first authentication request message in case that the first authentication request message is verified comprises:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
generating a first key according to the first VIM key and the first random number;
decrypting the first ciphertext by using the first key to obtain a second random number;
generating a third key according to the first VIM key, the second random number and the fifth random number;
encrypting the communication master key by using the third key to generate a third ciphertext;
generating the first authentication response message using the third ciphertext and the fifth random number.
18. The method of claim 15, wherein the first authentication request message further comprises: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
19. The method of claim 18, wherein the second authentication request message further comprises: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
20. The method of claim 19, wherein prior to generating a first authentication response message from the first authentication request message, the method further comprises:
generating a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further includes: the second authentication response message.
21. The method of claim 20, wherein generating a second authentication response message for the second device according to the second authentication request message comprises:
determining a second VID according to the second authentication request message;
determining a second VIM key based on the second VID;
generating a second key according to a second VIM key and the third random number;
decrypting the second ciphertext by using the second key to obtain a fourth random number;
generating a fourth key according to the second VIM key, the fourth random number and the fifth random number;
encrypting the communication master key by using the fourth key to generate a fourth ciphertext;
generating the second authentication response message using the fourth ciphertext and the fifth random number.
22. The method of claim 19, wherein prior to generating the communication master key and the fifth random number, the method further comprises:
verifying the second authentication request message.
23. The method of claim 22, wherein the verifying the second authentication request message comprises:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
verifying the second message authentication code using the second VIM key;
and determining that the second authentication request message is verified under the condition that the second message authentication code is verified.
24. The method of claim 12, wherein receiving the first authentication request message sent by the first device comprises:
receiving the first authentication request message that the first device sends through a third device.
25. The method of claim 12, further comprising:
sending the first authentication response message to the first device.
26. The method of claim 25, wherein sending the first authentication response message to the first device comprises:
sending the first authentication response message to a third device, which forwards the first authentication response message to the first device.
27. An Internet of Vehicles device authentication apparatus, comprising: a memory, a transceiver, and a processor:
a memory for storing a computer program; a transceiver for transceiving data under the control of the processor; a processor for reading the computer program in the memory and performing the following operations:
generating a first key according to a first vehicle networking device identification card (VIM) key of a first device and a first random number;
generating a first authentication request message using the first key;
sending the first authentication request message to a vehicle networking device identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
28. The apparatus of claim 27, wherein the first authentication request message further comprises: a first ciphertext, a first message authentication code, and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
29. The apparatus of claim 28, wherein the first ciphertext comprises the first VID if the first authentication request message comprises information related to the first VID.
30. The apparatus of claim 27, wherein the processor is further configured to:
receiving a second authentication request message sent by a second device; the second authentication request message includes: a second VID of the second device or information related to the second VID;
the generating a first authentication request message using the first key comprises:
generating the first authentication request message using the first key and the second authentication request message.
31. The apparatus of claim 30, wherein the second authentication request message further comprises: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
32. The apparatus of claim 27, wherein sending the first authentication request message to a VID authentication entity comprises:
sending the first authentication request message to a third device, which forwards the first authentication request message to the VID authentication entity.
33. The apparatus of claim 27, wherein the processor is configured to read the computer program in the memory and perform the following:
receiving a first authentication response message sent by a VID authentication entity, wherein the first authentication response message comprises: a third ciphertext and a fifth random number;
and acquiring a communication master key according to the first authentication response message.
34. The apparatus of claim 33, wherein obtaining a communication master key according to the first authentication response message comprises:
generating a third key according to the first VIM key, the second random number and the fifth random number;
and decrypting the third ciphertext by using the third key to obtain the communication master key.
35. The apparatus of claim 33, wherein the first authentication response message further comprises: a second authentication response message of the second device;
the second authentication response message includes a fourth ciphertext and the fifth random number, the fourth ciphertext is generated by encrypting the communication master key with a fourth key, and the fourth key is generated according to a second VIM key of a second device, a fourth random number, and the fifth random number.
36. The apparatus of claim 35, wherein the processor is configured to read the computer program in the memory and perform the following:
sending the second authentication response message to the second device.
37. The apparatus of claim 33, wherein the receiving the first authentication response message sent by the VID authentication entity comprises:
receiving the first authentication response message that the VID authentication entity sends through a third device.
38. An Internet of Vehicles device authentication apparatus, comprising: a memory, a transceiver, and a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following:
receiving a first authentication request message sent by a first device, wherein the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
under the condition that the first authentication request message is verified, generating a first authentication response message according to the first authentication request message;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
39. The apparatus of claim 38, wherein the first authentication request message further comprises: a first ciphertext, a first message authentication code and the first random number;
the first ciphertext is generated by encrypting a second random number by using the first key, and the first message authentication code is generated according to the first key.
40. The apparatus of claim 39, wherein the first ciphertext comprises the first VID if the first authentication request message comprises information related to the first VID.
41. The apparatus of claim 39, wherein the processor is further configured to:
verifying the first authentication request message;
and generating a communication master key and a fifth random number in the case that the first authentication request message is verified.
42. The apparatus of claim 41, wherein the verifying the first authentication request message comprises:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
verifying the first message authentication code using the first VIM key;
and determining that the first authentication request message is verified under the condition that the first message authentication code is verified.
43. The apparatus according to claim 41, wherein the generating a first authentication response message according to the first authentication request message in case that the first authentication request message is verified comprises:
determining a first VID according to the first authentication request message;
determining a first VIM key according to the first VID;
generating a first key according to the first VIM key and the first random number;
decrypting the first ciphertext by using the first key to obtain a second random number;
generating a third key according to the first VIM key, the second random number and the fifth random number;
encrypting the communication master key by using the third key to generate a third ciphertext;
generating the first authentication response message using the third ciphertext and the fifth random number.
44. The apparatus of claim 41, wherein the first authentication request message further comprises: a second authentication request message of the second device;
the second authentication request message includes: a second VID for a second device or information related to the second VID.
45. The apparatus of claim 44, wherein the second authentication request message further comprises: a second ciphertext, a second message authentication code, and a third random number;
the second ciphertext is generated by encrypting a fourth random number with a second key, the second key is generated according to a second VIM key of the second device and the third random number, and the second message authentication code is generated according to the second key.
46. The apparatus of claim 45, wherein the processor is further configured to:
generating a second authentication response message of the second device according to the second authentication request message;
the first authentication response message further comprises: the second authentication response message.
47. The apparatus of claim 46, wherein the generating a second authentication response message for the second device from the second authentication request message comprises:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
generating a second key according to the second VIM key and the third random number;
decrypting the second ciphertext by using the second key to obtain a fourth random number;
generating a fourth key according to the second VIM key, the fourth random number and the fifth random number;
encrypting the communication master key by using the fourth key to generate a fourth ciphertext;
generating the second authentication response message using the fourth ciphertext and the fifth random number.
48. The apparatus of claim 45, wherein the processor is further configured to:
verifying the second authentication request message.
49. The apparatus of claim 48, wherein the verifying the second authentication request message comprises:
determining a second VID according to the second authentication request message;
determining a second VIM key according to the second VID;
verifying the second message authentication code using the second VIM key;
and determining that the second authentication request message is verified under the condition that the second message authentication code is verified.
50. The apparatus of claim 38, wherein receiving the first authentication request message sent by the first device comprises:
receiving the first authentication request message sent by the first device via a third device.
51. The apparatus of claim 38, wherein the processor is further configured to:
sending the first authentication response message to the first device.
52. The apparatus of claim 51, wherein the sending the first authentication response message to the first device comprises:
sending the first authentication response message to a third device, which forwards the first authentication response message to the first device.
53. An Internet of Vehicles device authentication apparatus, comprising:
a first generation unit configured to generate a first key according to a first vehicle networking equipment identification card (VIM) key of a first device and a first random number;
a second generation unit configured to generate a first authentication request message using the first key;
a first sending unit configured to send the first authentication request message to a vehicle networking equipment identification (VID) authentication entity;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
54. An Internet of Vehicles device authentication apparatus, comprising:
a first receiving unit configured to receive a first authentication request message sent by a first device, where the first authentication request message is generated according to a first key, and the first key is generated according to a first VIM key of the first device and a first random number;
a third generating unit, configured to generate a first authentication response message according to the first authentication request message if the first authentication request message passes verification;
wherein the first authentication request message includes a first VID of a first device or information related to the first VID.
55. A processor-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the Internet of Vehicles device authentication method according to any one of claims 1 to 11, or carries out the steps of the Internet of Vehicles device authentication method according to any one of claims 12 to 26.
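Added example, not code from the patent or its assignee: a runnable model of the exchange in claims 53 and 54, with the entity-side processing of claims 43, 47 and 49 and a second device's request nested inside the first one (claims 44 and 46). The key derivation (HMAC-SHA256), the cipher (a hash-keystream XOR), the MAC coverage, the field layout and the constructed VIM key table are all assumptions, since the claims leave them unspecified.

```python
import hashlib
import hmac

# Constructed VID -> VIM key table held by the VID authentication entity (key sizes are assumptions).
VIM_KEYS = {b"VID-0001": bytes.fromhex("11" * 32), b"VID-0002": bytes.fromhex("22" * 32)}
MASTER_KEY = bytes.fromhex("ab" * 16)  # constructed communication master key

def kdf(vim_key: bytes, *randoms: bytes) -> bytes:
    """Key derivation from a VIM key and random numbers; HMAC-SHA256 is an assumption."""
    return hmac.new(vim_key, b"".join(randoms), hashlib.sha256).digest()

def crypt(key: bytes, data: bytes) -> bytes:
    """Hash-keystream XOR (symmetric: encrypts and decrypts); stands in for the unspecified cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)

def mac(key: bytes, *parts: bytes) -> bytes:
    """Message authentication code over the request fields, keyed with the derived key."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def build_request(vid: bytes, vim_key: bytes, r_a: bytes, r_b: bytes, nested=None) -> dict:
    """Device side (claim 53): key from the VIM key and r_a; r_b travels encrypted under that key.
    'nested' optionally carries a second device's request inside the first one (claim 44)."""
    key = kdf(vim_key, r_a)
    ct = crypt(key, r_b)
    return {"vid": vid, "r": r_a, "ct": ct, "mac": mac(key, vid, r_a, ct), "nested": nested}

def handle_request(req: dict, r5: bytes, keys=VIM_KEYS, master=MASTER_KEY):
    """Entity side (claims 43, 47, 49): returns None unless the MAC verifies under the VIM key
    looked up by VID; the response key mixes the VIM key, the decrypted random number and r5."""
    vim_key = keys.get(req["vid"])
    if vim_key is None:
        return None
    key = kdf(vim_key, req["r"])
    if not hmac.compare_digest(req["mac"], mac(key, req["vid"], req["r"], req["ct"])):
        return None
    r_b = crypt(key, req["ct"])            # decrypt to recover the device's second random number
    resp = {"r5": r5, "ct": crypt(kdf(vim_key, r_b, r5), master), "nested": None}
    if req["nested"] is not None:          # second device's response rides inside the first (claim 46)
        resp["nested"] = handle_request(req["nested"], r5, keys, master)
    return resp

def recover_master(vim_key: bytes, r_b: bytes, resp: dict) -> bytes:
    """Device side: rebuild the response key from its own VIM key, r_b and r5, then decrypt."""
    return crypt(kdf(vim_key, r_b, resp["r5"]), resp["ct"])
```

A forged or tampered request fails at the MAC check before any random number is decrypted, so the entity never derives a response key for an unauthenticated VID.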
CN202110285435.5A 2021-03-17 2021-03-17 Internet of vehicles equipment authentication method and device and processor readable storage medium Pending CN115174605A (en)


Publications (1)

Publication Number Publication Date
CN115174605A true CN115174605A (en) 2022-10-11

Family

ID=83475725


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453269A (en) * 2016-09-21 2017-02-22 东软集团股份有限公司 Internet of Vehicles safety communication method, vehicle-mounted terminal, server and system
CN108243181A (en) * 2017-10-09 2018-07-03 北京车和家信息技术有限公司 A kind of car networking terminal, data ciphering method and car networking server
WO2020177768A1 (en) * 2019-03-07 2020-09-10 华为技术有限公司 Network verification method, apparatus, and system
CN112188439A (en) * 2020-09-28 2021-01-05 大唐微电子技术有限公司 Access authentication system of V2X equipment in Internet of vehicles


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination