CN115208694B - Vehicle-mounted network communication encryption system based on central computing platform and vehicle - Google Patents
Vehicle-mounted network communication encryption system based on central computing platform and vehicle Download PDFInfo
- Publication number
- CN115208694B CN115208694B CN202211106638.4A CN202211106638A CN115208694B CN 115208694 B CN115208694 B CN 115208694B CN 202211106638 A CN202211106638 A CN 202211106638A CN 115208694 B CN115208694 B CN 115208694B
- Authority
- CN
- China
- Prior art keywords
- encryption
- communication
- computing platform
- central computing
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/18—Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Communication Control (AREA)
Abstract
The invention discloses a vehicle-mounted network communication encryption system based on a central computing platform, which comprises: the service interface module is at least used for providing data encryption and decryption services for the application program, cloud platform interaction services, certificate and key management services, remote upgrading services and calling log information read-write services; the encryption link module is at least used for integrating communication protocols under different environments and dynamically adapting the communication protocols according to the communication link security encryption channel protocol used by a communication object; the encryption chip is at least used for integrating algorithms of password encryption and decryption under different environments and processing data packets under different communication protocols for encryption or decryption; and the communication protocol module is at least used for integrating a MacSec network security protocol and correspondingly calling different encryption and decryption algorithms for encryption transmission based on the security policy grades of different domain control functions.
Description
Technical Field
The invention relates to the field of intelligent automobiles, in particular to a vehicle-mounted network communication encryption system based on a central computing platform and a vehicle.
Background
The central computing platform is the basis for the design and development of computer system hardware and software. The computer system has certain standard and public properties and simultaneously determines the performance of hardware and software of the computer system. The hardware basis is the Central Processing Unit (CPU) and the software basis is the operating system. Thus, a computing platform is typically characterized by a certain processor type, which is the computer system CPU, and an operating system, i.e., a processor/operating system, used by the system.
In the prior art, when processing vehicle-mounted network communication, a central computing platform is usually processed by a vehicle-mounted ECU (electronic control unit), but the service processing occupies the whole performance. In addition, the vehicle-mounted network communication generally adopts a single service interface, a single communication protocol and a single encryption algorithm, which is not favorable for the safety and the communication efficiency of the communication network.
The prior art is therefore still subject to further development.
Disclosure of Invention
Aiming at the technical problem, the invention provides a vehicle-mounted network communication encryption system based on a central computing platform and a vehicle.
In a first aspect of the present invention, a vehicle network communication encryption system based on a central computing platform is provided, including:
the service interface module is at least used for providing data encryption and decryption services for the application program, cloud platform interaction services, certificate and key management services, remote upgrading services and log information reading and writing services;
the encryption link module is at least used for integrating communication protocols under different environments and dynamically adapting the communication protocol according to a communication link security encryption channel protocol used by a communication object;
the encryption chip is at least used for integrating algorithms for encrypting and decrypting passwords in different environments and processing data packets under different communication protocols for encryption or decryption;
the communication protocol module is at least used for integrating a MacSec network security protocol and correspondingly calling different encryption and decryption algorithms for encrypted transmission based on the security policy grades of different domain control functions;
the service interface module, the encryption link module, the encryption chip and the communication protocol module are all in communication connection with a central computing platform and are in communication with an external actuator through the central computing platform.
In an optional embodiment, the vehicle-mounted network communication encryption system further includes a policy configuration module, and the policy configuration module is at least configured to dynamically allocate a data packet to the encryption chip for encryption and decryption according to an encryption and decryption adaptation relationship corresponding to a preset service and function.
In an optional embodiment, the vehicle-mounted network communication encryption system further includes a cloud server, and the cloud server is at least used for implanting the service and function domain corresponding encryption and decryption module adaptation relationship into the policy configuration module through an over-the-air download technology.
In an optional embodiment, the in-vehicle network communication encryption system further includes a freshness configuration module, where the freshness configuration module is at least configured to add a freshness value to the encrypted message.
In an optional embodiment, the communication protocol module comprises a link layer encryption unit for encrypting at least a link layer protocol transmission based on an AES-256-GCM algorithm.
In an optional embodiment, the communication protocol module includes a network layer encryption unit, where the network layer encryption unit is at least used to integrate an IPsec network security protocol, and ensure that a receiving node can be reassembled according to a queue and ensure integrity after acquiring a message and rearranging it by using a message splitting and queue serial number inserting method.
In an optional embodiment, the encrypted link module is disposed at an application layer of an on-board network communication protocol, and at least adapts to a TLS1.2 communication protocol (secure transport layer protocol).
In an optional embodiment, the encryption chip includes a first encryption unit, and the first encryption unit is configured to directly encrypt the service packet by using a soft encryption method.
In an optional embodiment, the encryption chip includes a second encryption unit, and the second encryption unit is configured to encrypt the service packet based on at least a cryptographic algorithm on the unstructured data.
In a first aspect of the present invention, a vehicle is provided, wherein the vehicle network communication encryption system based on the central computing platform is described in the first aspect of the present invention.
Drawings
FIG. 1 is a block diagram of a vehicular network communication encryption system based on a central computing platform according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of another vehicle-mounted network communication encryption system based on a central computing platform according to an embodiment of the present invention;
FIG. 3 is a block diagram of another vehicular network communication encryption system based on a central computing platform according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a module of interaction between a vehicle-mounted network communication encryption system based on a central computing platform and an actuator according to an embodiment of the present invention;
fig. 5 is a schematic block diagram of a connection between a central computing platform and a user terminal and a cloud server according to an embodiment of the present invention.
Detailed Description
The following description is presented to enable any person skilled in the art to make and use the invention and is incorporated in the context of a particular application. Various modifications, as well as various uses in different applications will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to a wide range of embodiments. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
In the following detailed description, numerous specific details are set forth in order to provide a more thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the practice of the invention may not necessarily be limited to these specific details. In other instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.
The reader's attention is directed to all papers and documents which are filed concurrently with this specification and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference. All the features disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
Note that where used, the designations left, right, front, back, top, bottom, positive, negative, clockwise, and counterclockwise are used for convenience only and do not imply any particular fixed orientation. In fact, they are used to reflect the relative position and/or orientation between the various parts of the object. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in a specific case to those of ordinary skill in the art.
It is noted that, where used, further, preferably, still further and more preferably is a brief introduction to the exposition of the alternative embodiment on the basis of the preceding embodiment, the contents of the further, preferably, still further or more preferably back band being combined with the preceding embodiment as a complete constituent of the alternative embodiment. Several further, preferred, still further or more preferred arrangements of the back tape of the same embodiment may be combined in any combination to form a further embodiment.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a vehicle, which comprises but is not limited to an intelligent electric automobile, a traditional gasoline automobile and a gasoline-electric hybrid automobile. The vehicle comprises a vehicle-mounted network communication encryption system, and is applied to a central computing platform of the vehicle, wherein the central computing platform is based on service modules integrating different functions, realizes the cooperative work among the service modules with different functions, and can realize the communication encryption of dynamic adaptation services and functional domains.
The communication encryption is used for OTA (Over The Air), which is a technology for realizing dynamic downloading, deletion and updating of a service menu in an SIM card through a mobile phone terminal or a server (on line) based on a short message mechanism, so that a user can acquire a data value added service (OTA service for short) of a personalized information service, and The technology is used for remotely managing SIM card data and application through an Air interface of mobile communication. The use of OTA technology enables mobile communications to provide not only voice and data services, but also new service downloads. Based on this, the application and content service provider can continuously develop more personalized services close to the user's requirements, such as information on demand, interactive entertainment, location service and bank transaction, without being limited by the platform. Through the OTA over-the-air downloading technology, a mobile phone user can download various service menus provided by a network into the mobile phone by using an OTA mechanism according to personal preference as long as the mobile phone user performs simple operation, and can customize specific services according to own wishes.
Information security is the technical and administrative security protection established and adopted by data processing systems in order to protect computer hardware, software, and data from being damaged, altered, and revealed due to casual and malicious reasons. In the future, automobiles will be used as an important part of life of users, communication of the automobiles will contain a lot of data and privacy of the users, and the protection of the safety of communication information will become more important. For security of vehicular network communication, the present invention provides the following solutions:
referring to fig. 1, the vehicle network communication encryption system based on the central computing platform provided by the present invention includes: a service interface module 11, an encryption link module 12, an encryption chip 13 and a communication protocol module 14. The service interface module 11, the encryption link module 12, the encryption chip 13 and the communication protocol module 14 are all in communication connection with a central computing platform, and communicate with an external actuator through the central computing platform. The modules are respectively designed with an application layer, a transmission layer, a network layer and a link layer of network communication, and carry out security encryption on the network communication.
Specifically, the service interface module 11 is at least used for providing data encryption and decryption services for the application program, cloud platform interaction services, certificate and key management services, remote upgrade services, and call of log information read-write services. The service interface can be understood as a service request interface address, and the defined parameters of the interface are transmitted, and the data and the corresponding data format agreed by the interface are returned through the logic processing of the interface. In the communication process of the vehicle network, a plurality of services are involved, and different services are involved in different service interfaces. For example, before the vehicle establishes secure communication with an external system, handshake is performed first, a long link between the cloud system and the vehicle communication module is established after power-on, and an identity certificate of the unique identifier of the vehicle is authenticated and bound through the cloud certificate and the session key management system.
The encryption link module 12 is at least used for integrating communication protocols under different environments and dynamically adapting the communication protocol according to a communication link security encryption channel protocol used by a communication object. The encrypted link module 12 is connected with the service interface module 11, the encrypted link module 12 dynamically adapts the communication protocol including but not limited to the industry standard TLS1.2 communication protocol and the version of the communication protocol above TLS1.2 according to the communication link security encrypted channel protocol used by the communication object, and the encrypted link module 12 is arranged at an application layer so as to establish a non-reversible security communication encrypted link for preventing other people from intercepting messages and further tampering. TLS is a high-level protocol that works on the top two layers of the five-level model of a computer network, namely the Transport layer (Transport layer) and the Application layer (Application layer).
The encryption chip 13 is at least used for integrating algorithms for encrypting and decrypting passwords in different environments and processing data packets under different communication protocols for encryption or decryption. The encryption chip 13 integrates cryptographic operation methods under different environments, and is adapted to an international cryptographic calculation algorithm and a domestic cryptographic calculation algorithm (a national cryptographic algorithm, i.e., a domestic cryptographic algorithm identified by the national crypto-authority). And dynamically configuring corresponding encryption and decryption cryptographic algorithms according to the differentiation of the communication protocols, completing the encryption and decryption of data packets under different communication protocols, and distributing the data packets to each processing unit by the central computing platform. It should be understood that different encryption modes can be adopted for different services and data to realize dynamic adjustment; since there may be a plurality of cryptographic chips 13, each may be responsible for one or several cryptographic functions. For example, the spare encryption chip 13 is called to perform encryption and decryption processing on the newly added service or data.
And the communication protocol module 14 is at least used for integrating a MacSec network security protocol and correspondingly calling different encryption and decryption algorithms to encrypt and transmit based on the security policy grades of different domain control functions. The communication protocol module 14 can achieve link layer and network layer, and ensure the requirements of link layer for secure transmission and encryption and the requirements of network layer for secure transmission and encryption.
For example, the link layer protocol transport is encrypted based on the AES-256-GCM algorithm. The communication protocol module 14 may also use the split message and insert the queue number based on the IPsec network security protocol to ensure that the receiving node can be reassembled according to the queue and ensure integrity after obtaining the message and rearranging.
As can be seen from the above, the central computing platform of the present invention integrates the encryption link module 12, the encryption chip 13, and the communication protocol module 14, and uses the service interface module 11 to interface various services, so as to encrypt and decrypt data communicated in the services. The central computing platform adopts a plurality of compatible safety chips, integrates and adapts the encryption chips supporting the native cryptographic algorithm and the international cryptographic algorithm, obtains the matching parameters of the corresponding encryption algorithm according to the message analysis after the corresponding service is analyzed, and calls the corresponding encryption chip to load the encryption and decryption tasks. The encryption link module 12 and the communication protocol module 14 further encrypt and decrypt data at an application layer, a transport layer, a network layer, and a link layer, and may also dynamically invoke according to types of service messages and the like in the process.
Referring to fig. 2, the vehicle-mounted network communication encryption system based on the central computing platform further includes a policy configuration module 15, where the policy configuration module 15 is at least configured to dynamically allocate a data packet to the encryption chip for encryption and decryption according to an encryption and decryption adaptation relationship corresponding to a preset service and function. The central computing platform receives the service data through the service interface module 11, obtains the matching parameters of the corresponding encryption algorithm according to the message analysis after the corresponding service data is analyzed, and calls the corresponding encryption chip 13 to load the encryption and decryption tasks through the strategy configuration module 15. The strategy configuration module 15 selects different signature certificates and packaging modes to perform data interaction with an ECU (electronic control unit), performs corresponding signature verification, decryption and decompression on data in the central computing platform, and finally transmits the data to the ECU for processing.
Referring to fig. 3, the vehicle-mounted network communication encryption system based on the central computing platform according to the present invention further includes a freshness configuration module 16, where the freshness configuration module 16 is at least used for adding a freshness value to an encrypted message. The freshness configuration module 16 realizes unified calculation configuration and management of message freshness values, and mainly uses a symmetric authentication method with a message authentication code. They achieve the same level of security using smaller keys than asymmetric methods and can be implemented compactly and efficiently in software and hardware. The freshness value is added into the encrypted message to reduce the risk of repeated attack, the freshness value is a numerical value which is continuously updated according to certain logic and can be realized by a freshness value algorithm, the freshness value updating method is various, and finally, replay attack prevention based on freshness is realized.
The present invention is further illustrated by way of specific examples in connection with fig. 4.
The modules in the central computing platform integrated diagram are used as security components, the service interface module 11 provides a service request interface, the encryption link module 12 dynamically adapts and includes but is not limited to an industry standard TLS1.2 communication protocol and a communication protocol more than a TLS1.2 version according to a communication link security encryption channel protocol used by a communication object in an application layer, and therefore a non-reversible security communication encryption link for preventing other people from intercepting messages and further tampering is established. Before the vehicle and an external system establish safe communication, handshake is firstly carried out, a TLS protocol server address is burnt in a specific port of the networked device, a long link between a cloud system and a central computing platform is established after the network is powered on, and an identity certificate of a unique identifier of the vehicle is authenticated and bound through a cloud certificate and a session key management system. In order to avoid attacks by others, the public key is protected by a digital certificate in the process. And the communication protocol of the industry standard TLS1.2 and the communication protocol above the TLS1.2 version are integrated for use, so that the services of certificate authentication, key agreement and encryption transmission can be carried out. The security component interacts with an actuator (a control chip with specific functions), the actuator comprises a plurality of ECUs (electronic control units) 1, 2, 3, 4 and the like, each ECU is used as a single TLS (remote Teller Server) endpoint when the vehicle internal communication based on the central computing platform is carried out, a long link with the central computing platform is established after the vehicle internal communication is powered on, and the ECU acquires an identity certificate binding a unique identifier of the vehicle from the central computing platform through the established long link endpoint for negotiating a session key and further avoiding attacks of others.
The communication protocol module 14 ensures the safe transmission encryption requirement of a link layer by integrating a MacSec network security protocol and utilizing the AES-256-GCM algorithm characteristic; by integrating an IPsec network security protocol, by utilizing message splitting and queue serial number insertion, a receiving node can be ensured to be recombined according to a queue and ensure completeness after acquiring message rearrangement, and the requirement of network layer security transmission encryption is ensured. The method can also support adaptation based on an AutoSAR system and an SOMEIP protocol, and can get through the safe communication scheduling of an application layer, a transmission layer, a network layer and a link layer, thereby meeting the safe adaptation of the transmission layer and multiple protocols in the vehicle-mounted Ethernet.
And according to different domain control functions carried by the central computing platform, encryption transmission modes with different security strategy levels are respectively adopted. The encryption chip comprises a first encryption unit and a second encryption unit, wherein the first encryption unit is used for directly encrypting the service message in a soft encryption mode. The second encryption unit is used for encrypting the unstructured data to the service message at least based on a cryptographic algorithm.
The vehicle body control system and the intelligent cabin system adopt non-Ethernet load communication, the automatic driving system and the vehicle-outside collected data transmission need to use the Ethernet load communication, and a soft encryption module integrated by a first encryption unit is used for driving an encryption and decryption algorithm SDK (software development kit) to directly encrypt and decrypt service messages; partial controllers collect unstructured data such as videos and pictures outside the vehicle, the second encryption unit is compatible with a password encryption and decryption scheme for national cryptology and business use authenticated by a national commercial password evaluation system, a security chip module integrated with a password algorithm for national cryptology and business use is carried, the HSM (hardware security module) can be expanded, and the encryption and decryption process is completed in the module. When the vehicle is powered on and different services simultaneously occupy the communication load in the vehicle, the central computing platform dynamically allocates data packets to the corresponding controllers and the hardware security modules HSM for encryption and decryption services according to the service and functional domain corresponding encryption and decryption module adaptation relation preset by the platform.
The invention is provided with the function modules correspondingly arranged on the physical layer, the application layer, the transmission layer, the network layer and the network interface layer of the network communication to encrypt the data in the network communication, more effectively processes the encryption and decryption services compared with the single service interface, the single communication protocol, the single cryptographic operation algorithm and the single security chip adopted by the prior art, can realize dynamic adaptation encryption and decryption, and completes dynamic encryption and decryption aiming at different services and data (video, image, audio and video files, system update and the like).
As shown in fig. 5, in the vehicle-mounted network communication encryption system based on the central computing platform, the vehicle-mounted network communication encryption system further includes a cloud server, and the cloud server is at least used for implanting the adaptation relationship between the encryption and decryption modules corresponding to the service and functional domains into the policy configuration module through an over-the-air download technology. Based on the method, software and hardware research and development, updating iterative decoupling can be realized, and an OTA downloading technology is combined. The adaptive relation of the encryption and decryption modules corresponding to the service and functional domains in the central computing platform can be implanted into corresponding controllers and processor processes through an over-the-air downloading technology.
Those skilled in the art will appreciate that cloud server 520 may be based on a conventional content service provider (TSP) server, and cloud server 520 may include, but is not limited to, the functionality of a conventional TSP cloud platform, and may communicate with central computing platform 510 and user terminal 530 remotely via the internet. The cloud server 520 may perform management services of the vehicle virtual key and services such as OTA by sending a control command to each of the central computing platforms 510.
The user terminal 530 includes, but is not limited to, a user's mobile phone, a tablet computer, and other handheld smart devices and wearable smart devices. The users may include owner users and non-owner users. Near field communication with the central computing platform 510 may be achieved through bluetooth communication techniques when the user terminal 530 is within a certain proximity of the central computing platform 510. When the user terminal 530 is far away from the central computing platform 510 and cannot communicate with the nfc, the user terminal can communicate with the cloud server 520 through the TCP/IP protocol, and the cloud server 520 forwards the communication to the central computing platform 510.
The central computing platform 510 enters a deep sleep state, and communication with the user terminal 130 or the cloud server 120 cannot be achieved at this time. However, in some cases, such as: the user may need to remotely perform the start and setting of the vehicle in advance, or the cloud server may need to perform background data update, etc., and the user or the cloud server needs to control the vehicle or communicate with the central computing platform 510 when the vehicle is in a dormant state. Then cloud server 520 is first required to wake central computing platform 510 at this point.
The invention also provides an automobile comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, wherein the computer program, when executed by the processor, implements the steps of the in-vehicle multimedia zone switching method as described above.
The present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the in-vehicle multimedia zone switching method as described above.
It is understood that the computer-readable storage medium may include: any entity or device capable of carrying a computer program, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, read-Only Memory (ROM), random Access Memory (RAM), software distribution medium, and the like. The computer program includes computer program code. The computer program code may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable storage medium may include: any entity or device capable of carrying computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, read-Only Memory (ROM), random Access Memory (RAM), software distribution medium, and the like.
In some embodiments of the present invention, the apparatus may include a controller, and the controller is a single chip integrated with a processor, a memory, a communication module, and the like. The processor may refer to a processor included in the controller. The Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable gate array (FPGA) or other Programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (7)
1. A vehicle network communication encryption system based on a central computing platform is characterized by comprising:
the service interface module is at least used for providing data encryption and decryption services for the application program, cloud platform interaction services, certificate and key management services, remote upgrading services and calling log information read-write services;
the encryption link module is at least used for integrating communication protocols under different environments, dynamically adapts the communication protocols in an application layer according to a communication link security encryption channel protocol used by a communication object, and can dynamically call according to the message type of a service;
the encryption chip is at least used for integrating algorithms of password encryption and decryption under different environments and processing data packets under different communication protocols for encryption or decryption; the encryption chip comprises a first encryption unit and a second encryption unit, wherein the first encryption unit is used for directly encrypting the service message in a soft encryption mode; the second encryption unit is used for encrypting the unstructured data to the service message at least based on a cryptographic algorithm;
the communication protocol module is at least used for integrating a MacSec network security protocol, and different encryption and decryption algorithms are correspondingly called for encryption transmission in a link layer and a network layer based on the security strategy grades of different domain control functions in the link layer; the communication protocol module comprises a network layer encryption unit, wherein the network layer encryption unit is at least used for integrating an IPsec network security protocol, and ensures that a receiving node can be recombined according to a queue and is complete after acquiring message rearrangement by utilizing a split message and inserting a queue serial number;
the service interface module, the encryption link module, the encryption chip and the communication protocol module are all in communication connection with a central computing platform and are in communication with an external actuator through the central computing platform.
2. The central computing platform-based vehicle network communication encryption system of claim 1, further comprising a policy configuration module, wherein the policy configuration module is at least configured to dynamically allocate a data packet to the encryption chip for encryption and decryption according to an encryption and decryption adaptation relationship corresponding to a preset service and function.
3. The central computing platform based vehicle network communication encryption system of claim 2, further comprising a cloud server, wherein the cloud server is at least configured to implant an adaptation relationship between the encryption and decryption modules corresponding to the service and functional domains into the policy configuration module through an over-the-air technology.
4. The central computing platform-based in-vehicle network communication encryption system of claim 1, further comprising a freshness configuration module at least for adding a freshness value to an encrypted message.
5. The central computing platform based vehicle network communication encryption system of claim 1, wherein the communication protocol module comprises a link layer encryption unit to at least encrypt link layer protocol transmissions based on an AES-256-GCM algorithm.
6. The central computing platform based vehicle network communication encryption system of claim 1, wherein the encryption link module is disposed at an application layer of a vehicle network communication protocol, and is adapted to at least a TLS1.2 communication protocol.
7. A vehicle comprising the central computing platform based on-board network communication encryption system of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211106638.4A CN115208694B (en) | 2022-09-13 | 2022-09-13 | Vehicle-mounted network communication encryption system based on central computing platform and vehicle |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211106638.4A CN115208694B (en) | 2022-09-13 | 2022-09-13 | Vehicle-mounted network communication encryption system based on central computing platform and vehicle |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115208694A CN115208694A (en) | 2022-10-18 |
| CN115208694B true CN115208694B (en) | 2023-01-13 |
Family
ID=83572827
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211106638.4A Active CN115208694B (en) | 2022-09-13 | 2022-09-13 | Vehicle-mounted network communication encryption system based on central computing platform and vehicle |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115208694B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109714421A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on bus or train route collaboration joins automobilism system |
| CN109729056A (en) * | 2017-10-30 | 2019-05-07 | 北京长城华冠汽车科技股份有限公司 | Vehicle network safety protection method and the vehicle network architecture based on car networking |
| CN113242251A (en) * | 2021-05-20 | 2021-08-10 | 北京九州云驰科技有限公司 | Vehicle-mounted network safety protection system and application method thereof |
| CN114364062A (en) * | 2021-12-13 | 2022-04-15 | 广东电网有限责任公司 | Method for accessing gateway safely in Internet of vehicles |
| CN114785543A (en) * | 2022-03-09 | 2022-07-22 | 西安电子科技大学 | In-vehicle network cross-domain communication method, computer equipment and intelligent terminal |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105897819A (en) * | 2015-10-21 | 2016-08-24 | 乐卡汽车智能科技(北京)有限公司 | Data communication method and system and gateway applied to in-vehicle network comprising multiple sub-networks |
| US20190281052A1 (en) * | 2018-03-08 | 2019-09-12 | Auton, Inc. | Systems and methods for securing an automotive controller network |
| CN111049803A (en) * | 2019-11-20 | 2020-04-21 | 江苏物联网络科技发展有限公司 | Data encryption and platform security access method based on vehicle-mounted CAN bus communication system |
| CN114584385B (en) * | 2022-03-09 | 2023-02-03 | 西安电子科技大学 | In-vehicle network safety communication method, computer equipment, medium and terminal |
-
2022
- 2022-09-13 CN CN202211106638.4A patent/CN115208694B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109729056A (en) * | 2017-10-30 | 2019-05-07 | 北京长城华冠汽车科技股份有限公司 | Vehicle network safety protection method and the vehicle network architecture based on car networking |
| CN109714421A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on bus or train route collaboration joins automobilism system |
| CN113242251A (en) * | 2021-05-20 | 2021-08-10 | 北京九州云驰科技有限公司 | Vehicle-mounted network safety protection system and application method thereof |
| CN114364062A (en) * | 2021-12-13 | 2022-04-15 | 广东电网有限责任公司 | Method for accessing gateway safely in Internet of vehicles |
| CN114785543A (en) * | 2022-03-09 | 2022-07-22 | 西安电子科技大学 | In-vehicle network cross-domain communication method, computer equipment and intelligent terminal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115208694A (en) | 2022-10-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9843585B2 (en) | Methods and apparatus for large scale distribution of electronic access clients | |
| US8813243B2 (en) | Reducing a size of a security-related data object stored on a token | |
| CN102404727B (en) | The method of controlling security and device of mobile terminal | |
| US6591095B1 (en) | Method and apparatus for designating administrative responsibilities in a mobile communications device | |
| US9385996B2 (en) | Method of operating a computing device, computing device and computer program | |
| US20050188219A1 (en) | Method and a system for communication between a terminal and at least one communication equipment | |
| US9356994B2 (en) | Method of operating a computing device, computing device and computer program | |
| US9319219B2 (en) | Method of operating a computing device, computing device and computer program | |
| JP2016167835A (en) | Methods and apparatus for storage and operation of access control clients | |
| CN105939515B (en) | Car-mounted terminal virtual SIM card information update system and method | |
| CN101986598B (en) | Authentication method, server and system | |
| WO2022160124A1 (en) | Service authorisation management method and apparatus | |
| WO2021120924A1 (en) | Method and device for certificate application | |
| WO2023221591A1 (en) | Data transmission method, and related apparatus, device and storage medium | |
| EP3541106A1 (en) | Methods and apparatus for euicc certificate management | |
| CN114079915A (en) | Method, system and device for determining user plane security algorithm | |
| CN113114683B (en) | Firewall policy processing method and device | |
| CN115208694B (en) | Vehicle-mounted network communication encryption system based on central computing platform and vehicle | |
| EP1790116B1 (en) | Method and system for managing authentication and payment for use of broadcast material | |
| CN103916404A (en) | Data management method and system | |
| CN108791188A (en) | The control method of vehicle, apparatus and system | |
| CN115766023A (en) | Encryption algorithm-based vehicle cross-functional domain secret key and certificate dynamic updating system | |
| EP2471237B1 (en) | Mobile electronic device configured to establish secure wireless communication | |
| EP3667530A1 (en) | Secure access to encrypted data from a user terminal | |
| CN116723555A (en) | Terminal access and data distribution method and system based on 5G-R |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |