CN115314556A - GNSS positioning system - Google Patents

Publication number
CN115314556A
Authority
CN
China
Prior art keywords
gnss positioning
positioning module
cloud service
authentication
service platform
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210787880.6A
Other languages
Chinese (zh)
Other versions
CN115314556B (en)
Inventor
任晓斌
兰晓明
王夏静
孙峰
武刚
武阳
胡木吉勒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unicore Communications Inc
Original Assignee
Unicore Communications Inc

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/03 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers
    • G01S19/07 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers providing data for correcting measured positioning data, e.g. DGPS [differential GPS] or ionosphere corrections
    • G01S19/071 DGPS corrections
    • G01S19/10 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers providing dedicated supplementary positioning signals
    • G01S19/38 Determining a navigation solution using signals transmitted by a satellite radio beacon positioning system
    • G01S19/39 Determining a navigation solution using signals transmitted by a satellite radio beacon positioning system the satellite radio beacon positioning system transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/40 Correcting position, velocity or attitude
    • G01S19/41 Differential correction, e.g. DGPS [differential GPS]
    • G01S19/42 Determining position
    • G01S19/51 Relative positioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a GNSS positioning system comprising a GNSS positioning module and a cloud service platform. The GNSS positioning module is configured to send an authentication request to the cloud service platform; to interact with the cloud service platform to perform authentication and certification; to upgrade its firmware according to the firmware upgrading service provided by the cloud service platform; and to perform data processing according to the high-precision differential data service provided by the cloud service platform. The cloud service platform is configured to authenticate the GNSS positioning module according to the authentication request and, when the authentication passes, to provide the firmware upgrading service and the high-precision differential data service for the GNSS positioning module according to the authority opened by the GNSS positioning module. The GNSS positioning system guarantees the safety and confidentiality of GNSS module information.

Description

GNSS positioning system
Technical Field
The present application relates to the field of GNSS positioning technologies, and in particular, to a GNSS positioning system.
Background
The GNSS positioning module is called the module end for short, and the cloud service is called the cloud service end for short. The cloud service end provides a remote high-precision differential data service and an OTA upgrading service for the module; the module uses the high-precision differential data to perform RTK or DGPS relative positioning, and the positioning precision can reach centimeter level. The module end also achieves remote automatic upgrading through the OTA upgrading service. At present, an overall security solution covering the module end and the cloud service end is lacking.
Disclosure of Invention
The application provides a GNSS positioning system, which guarantees the safety and confidentiality of GNSS module information.
The application provides a GNSS positioning system, which comprises a GNSS positioning module and a cloud service platform;
the GNSS positioning module is configured to send an authentication request to the cloud service platform; to interact with the cloud service platform to perform authentication and certification; to upgrade its firmware according to the firmware upgrading service provided by the cloud service platform; and to perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is configured to authenticate the GNSS positioning module according to the authentication request and, when the authentication passes, to provide the firmware upgrading service and the high-precision differential data service for the GNSS positioning module according to the authority opened by the GNSS positioning module.
In an exemplary embodiment, the authentication request includes a SN signature authentication packet of the GNSS positioning module;
the SN signature authentication packet of the GNSS positioning module is generated according to the following mode:
encrypting a serial number in the GNSS positioning module information through a private key of the GNSS positioning module to generate an SN signature authentication packet of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and a capacitance wire identification number.
In an exemplary embodiment, authenticating the GNSS positioning module according to the authentication request includes:
decrypting the SN signature authentication packet of the GNSS positioning module through the public key of the GNSS positioning module, and generating a random number; encrypting the random number through a private key of the cloud service platform to generate a random number signature authentication packet; sending the random number signature authentication packet to the GNSS positioning module;
interacting with the cloud service platform includes:
the GNSS positioning module decrypts the random number signature authentication packet according to the public key of the cloud service platform to obtain the random number; calculates a first hash value according to the random number and the GNSS positioning module information; encrypts the first hash value through a private key of the GNSS positioning module to generate a first hash value authentication packet, and sends the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request further includes:
decrypting the first hash value authentication packet through the public key of the GNSS positioning module to obtain the first hash value; and calculating a second hash value according to the random number and the GNSS positioning module information obtained according to the serial number; if the first hash value is the same as the second hash value, the authentication passes.
In an exemplary embodiment, upgrading the firmware according to the firmware upgrading service provided by the cloud service platform includes:
after integrity verification is carried out on the trusted release firmware provided by the firmware upgrading service, decryption and digital signature authentication are carried out on the trusted release firmware through the public key of a preset algorithm and the preset algorithm; if the authentication passes, the firmware upgrade is executed;
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in the firmware.
In an exemplary embodiment, the trusted release firmware is generated by:
digitally signing the compressed original upgrade firmware;
encrypting the digital signature through a private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate a trusted release firmware;
and the private key of the preset algorithm is stored in the physical USB equipment.
In an exemplary embodiment, the GNSS positioning module is further configured to perform a hierarchical encryption on the output information of the GNSS positioning module;
the step of encrypting the output information of the GNSS positioning module by stages comprises the following steps:
encrypting information used for authentication in a first secure encryption mode;
encrypting the data containing the preset geographic information in a second secure encryption mode;
and encrypting other data except the information for authentication and authorization and the data containing the preset geographic information in a third secure encryption mode.
In an exemplary embodiment, the GNSS positioning module and the cloud service platform are in network communication through a standard SSL/TLS protocol.
In an exemplary embodiment, the GNSS positioning module and the cloud service platform perform network communication through a standard SSL/TLS protocol, including:
the GNSS positioning module is in network communication with the cloud service platform through an SDK (software development kit) and the standard SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol;
the GNSS positioning module communicates with the SDK through a serial port.
In an exemplary embodiment, the preset algorithm is the ECDSA algorithm of asymmetric encryption.
In an exemplary embodiment, the cloud service platform is a cloud service platform adopting a main-standby redundancy design;
the cloud service platform comprises a plurality of physical nodes; and all the physical nodes are arranged in the area meeting the preset condition.
The application includes the following advantages:
according to at least one embodiment of the application, the overall security of the module end and the cloud server end is improved;
at least one embodiment of the application improves the safety of firmware release and upgrade;
according to at least one embodiment of the application, both the safety and the efficiency of the information output by the GNSS positioning module can be taken into account;
according to at least one embodiment of the application, the safety and the confidentiality of the GNSS module information can be jointly guaranteed in multiple dimensions of physical safety, firmware upgrading safety, application safety and communication safety.
Of course, it is not necessary for any product to achieve all of the above-described advantages at the same time for the practice of the present application.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. Other advantages of the present application can be realized and attained by the instrumentalities and combinations particularly pointed out in the specification and the drawings.
Drawings
The accompanying drawings are included to provide an understanding of the present disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the examples serve to explain the principles of the disclosure and not to limit the disclosure.
FIG. 1 is a diagram illustrating a GNSS positioning system according to an embodiment of the present application;
FIG. 2 is a diagram illustrating authentication according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a firmware upgrade according to an embodiment of the present application;
FIG. 4 is a flowchart of firmware release according to an embodiment of the present application;
FIG. 5 is a diagram illustrating another GNSS positioning system according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic diagram of a GNSS positioning system according to an embodiment of the present application. As shown in fig. 1, the system includes a GNSS positioning module and a cloud service platform;
the GNSS positioning module is configured to send an authentication request to the cloud service platform; to interact with the cloud service platform to perform authentication and certification; to upgrade its firmware according to the firmware upgrading service provided by the cloud service platform; and to perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is configured to authenticate the GNSS positioning module according to the authentication request and, when the authentication passes, to provide the firmware upgrading service and the high-precision differential data service for the GNSS positioning module according to the authority opened by the GNSS positioning module.
In an exemplary embodiment, the cloud service platform provides only services within the authority opened by the module end. For example, the authority content for the firmware upgrade service includes a service ID, a module ID, a device ID, whether the service is opened, a service expiration time, and other reserved authority fields. The authority content for the high-precision check service can include a service ID, a module ID, a device ID, whether the service is opened, a service expiration time, the supported satellite systems, the supported system frequency points, the differential format used, other reserved authority fields, and the like. The module ID comprises the serial number SN and the capacitance wire identification number EfuseID. The service ID is a unique service ID generated by the cloud service platform according to the module information updated in the database, and corresponds one-to-one with the modules. The device ID is calculated when the SDK is initialized, from the SN and the EfuseID of the module according to a fixed algorithm, and is unique.
It should be noted that, in the production stage of the GNSS positioning module, the serial number SN, the product number PN, and the capacitance wire identification number EfuseID of the module are automatically recorded by the production tool, and all of them are information identifying the uniqueness of the module.
In an exemplary embodiment, the authentication request includes an SN signature authentication packet of the GNSS positioning module;
the SN signature authentication packet of the GNSS positioning module is generated as follows:
encrypting a serial number in the GNSS positioning module information through a private key of the GNSS positioning module to generate an SN signature authentication packet of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and a capacitance wire identification number.
In an exemplary embodiment, the private key of the GNSS positioning module is generated in a dedicated secure trusted environment based on the asymmetric encryption ECDSA algorithm. The private key of the GNSS positioning module is stored in a physical USB device, and a designated person is responsible for using it for encryption strictly according to the security procedure. The private key can be stored in three dedicated secure and trusted USB KEY storage devices that back each other up; it can be accessed only by the ECDSA algorithm inside the KEY, cannot be accessed or read from outside, and technically cannot be read out of the KEY device.
In an exemplary embodiment, authenticating the GNSS positioning module according to the authentication request includes:
decrypting the SN signature authentication packet of the GNSS positioning module through the public key of the GNSS positioning module, and generating a random number; encrypting the random number through a private key of the cloud service platform to generate a random number signature authentication packet; sending the random number signature authentication packet to the GNSS positioning module;
interacting with the cloud service platform includes:
decrypting the random number signature authentication packet according to the public key of the cloud service platform to obtain the random number;
the GNSS positioning module calculates a first hash value according to the random number and the GNSS positioning module information; encrypts the first hash value through a private key of the GNSS positioning module to generate a first hash value authentication packet, and sends the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request further includes:
decrypting the first hash value authentication packet through the public key of the GNSS positioning module to obtain the first hash value; and calculating a second hash value according to the random number and the GNSS positioning module information obtained according to the serial number; if the first hash value is the same as the second hash value, the authentication passes.
In an exemplary embodiment, some GNSS positioning modules have limited resources, so to reduce the amount of computation and the complexity, the ECDSA algorithm is also used as the identity authentication algorithm between the cloud service end and the module end. The module end uses the same encryption algorithm library for encryption and decryption of the cloud service application and for encryption and decryption of the firmware. The difference is that encryption and decryption of the firmware use only one public/private key pair, whereas encryption and decryption of the cloud service application used by the module end use two public/private key pairs. The public/private key pair of the cloud service end is denoted (Apu, Apr), and the public/private key pair of the module end is denoted (Bpu, Bpr), so that authentication from the cloud service end to the module end and from the module end to the cloud service end are both realized.
For example, the authentication process can be as shown in fig. 2, and the whole process includes the following steps:
First, the module end encrypts the SN with Bpr based on the ECDSA algorithm to generate a signature authentication packet of the SN, and transmits the packet to the SDK through serial port communication; the SDK then transmits it to the cloud service end through the network.
Second, the cloud service end decrypts the signature authentication packet of the SN using Bpu to obtain the SN, generates a random number R, and stores R in a database according to the SN. It encrypts R using the cloud service end private key Apr to generate an authentication packet that signs R. The packet is transmitted through network communication to the SDK of the device and then transmitted to the module through the serial port.
Third, the authentication module at the module end decrypts the signature authentication packet containing R using Apu to obtain R, calculates a hash value H1 based on SN, PN, EfuseID and R, signs H1 with the Bpr key in the chip ROM, and packs it into an authentication packet containing H1. The packet is transmitted to the SDK through serial port communication, and the SDK then transmits it to the cloud service end through the network.
Fourth, the authentication service of the cloud service end decrypts the authentication packet containing H1 using Bpu to obtain H1. It acquires PN, EfuseID and R from the database based on the SN and calculates a hash value H2. If H1 is equal to H2, the module passes the authentication and is provided with the services within its opened authority; if H1 is not equal to H2, service is refused and authentication-failure information is fed back.
Before the first step is executed, the method further comprises the following steps:
An encryption packet containing the module end Bpr is produced according to a secure and trusted release flow; the encryption packet can be used as an independent upgrade packet for the encryption function only, or can be integrated into the full upgrade firmware package. When the firmware is written as the module leaves the factory, or when a sold module is upgraded, the module end applies the Bpr encryption packet; the LOADER part of the firmware decrypts the encrypted Bpr, converts it into an encrypted Bpr combined with local information, and stores it in the ROM of the chip.
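The four-step exchange above as an added Go example; it is not code from the patent or its assignee. ECDSA only signs and verifies, so each "encrypt with the private key" / "decrypt with the public key" step is modelled as a signature carried alongside its payload. The P-256 curve, SHA-256 for H1/H2, the length-prefixed hash input, the single-use R, the sample identifiers and all type and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type ModuleInfo struct{ SN, PN, EfuseID string } // identifiers named on the page

// Signed is a payload plus an ECDSA signature over its SHA-256 digest. ECDSA
// cannot encrypt, so "encrypt with the private key" is modelled as signing.
type Signed struct{ Payload, Sig []byte }

func sign(k *ecdsa.PrivateKey, p []byte) (Signed, error) {
	d := sha256.Sum256(p)
	sig, err := ecdsa.SignASN1(rand.Reader, k, d[:])
	return Signed{Payload: p, Sig: sig}, err
}
func verify(pub *ecdsa.PublicKey, s Signed) bool {
	d := sha256.Sum256(s.Payload)
	return ecdsa.VerifyASN1(pub, d[:], s.Sig)
}

// hashInfo hashes length-prefixed SN, PN, EfuseID and R; the prefix is an assumption.
func hashInfo(m ModuleInfo, r []byte) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(m.SN), []byte(m.PN), []byte(m.EfuseID), r} {
		h.Write(append([]byte{byte(len(f))}, f...))
	}
	return h.Sum(nil)
}

// Module is the module end: its information, Bpr, and the cloud's Apu.
type Module struct {
	info ModuleInfo
	bpr  *ecdsa.PrivateKey
	apu  *ecdsa.PublicKey
}

// Respond is step 3: check R against Apu, then sign H1 with Bpr.
func (m *Module) Respond(ch Signed) (Signed, error) {
	if !verify(m.apu, ch) {
		return Signed{}, fmt.Errorf("challenge not signed by the cloud key")
	}
	return sign(m.bpr, hashInfo(m.info, ch.Payload))
}

// Cloud is the cloud end: Apr, Bpu, the module database, and R stored per SN.
type Cloud struct {
	apr     *ecdsa.PrivateKey
	bpu     *ecdsa.PublicKey
	records map[string]ModuleInfo
	pending map[string][]byte
}

// Challenge is step 2: check the SN packet, store a fresh R, sign R with Apr.
func (c *Cloud) Challenge(req Signed) (Signed, error) {
	sn := string(req.Payload)
	if _, known := c.records[sn]; !known || !verify(c.bpu, req) {
		return Signed{}, fmt.Errorf("unknown SN or bad SN signature")
	}
	r := make([]byte, 32)
	if _, err := rand.Read(r); err != nil {
		return Signed{}, err
	}
	c.pending[sn] = r
	return sign(c.apr, r)
}

// Finish is step 4: check the H1 packet, then compare H1 with H2 from the database.
func (c *Cloud) Finish(sn string, resp Signed) error {
	r, ok := c.pending[sn]
	delete(c.pending, sn) // single-use R (an added assumption) defeats replay
	h2 := hashInfo(c.records[sn], r)
	if !ok || !verify(c.bpu, resp) || string(resp.Payload) != string(h2) {
		return fmt.Errorf("authentication failed")
	}
	return nil
}

// newPair builds a constructed module and cloud with fresh P-256 key pairs.
func newPair() (*Module, *Cloud) {
	apr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bpr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	info := ModuleInfo{SN: "SN-0001", PN: "PN-EXAMPLE", EfuseID: "EFUSE-00AA"}
	db := map[string]ModuleInfo{info.SN: info}
	return &Module{info, bpr, &apr.PublicKey}, &Cloud{apr, &bpr.PublicKey, db, map[string][]byte{}}
}

func main() {
	m, c := newPair()
	req, _ := sign(m.bpr, []byte(m.info.SN)) // step 1: SN signed with Bpr
	ch, _ := c.Challenge(req)
	resp, _ := m.Respond(ch)
	fmt.Println("first use:", c.Finish(m.info.SN, resp), "| replay:", c.Finish(m.info.SN, resp))
}
```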
In an exemplary embodiment, performing the firmware upgrade according to the firmware upgrade service provided by the cloud service platform includes:
after integrity verification of the trusted release firmware provided by the firmware upgrade service, decrypting the trusted release firmware and performing digital signature authentication on it using the public key of a preset algorithm and the preset algorithm, and executing the firmware upgrade if the authentication passes;
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in the firmware.
For example, FIG. 3 shows the entire firmware upgrade flow. The module side upgrades using TrustedFW. After the module is powered on and started, the integrity of the TrustedFW is checked, and the decryption stage is entered only if the integrity check passes. The ROM public key access program is then loaded and executed to obtain the public key used for decryption from the ROM, decryption and digital signature authentication are performed with the elliptic curve digital signature algorithm (ECDSA), and only authenticated firmware is loaded and executed.
In an exemplary embodiment, the trusted release firmware is generated according to the following steps:
digitally signing the compressed original upgrade firmware;
encrypting the digital signature with the private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate the trusted release firmware;
the private key of the preset algorithm is stored in a physical USB device.
For example, FIG. 4 illustrates the trusted release flow: first, the original upgrade firmware (FW) is generated and compressed; the compressed FW is digitally signed, with a firmware digest generated by the SHA256 algorithm serving as the digital signature; the digest is encrypted with the private key (FW Private Key) of the ECDSA algorithm based on asymmetric encryption; and a check head and a check tail are added for verifying firmware integrity during upgrade, producing the trusted release firmware (TrustedFW). The FW Private Key is stored in a physical USB device, and a designated person is responsible for using it for encryption strictly according to the security procedure. ECDSA keys are generated in a dedicated secure and trusted environment. The private keys are stored in three dedicated secure and trusted USB KEY storage devices that back each other up; they can be accessed only by the ECDSA algorithm inside the KEY, are inaccessible and unreadable from outside, and technically cannot be read out of the KEY.
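An added Go sketch of the release-side and upgrade-side checks described above (not code from the patent). The container layout, the CRC32 check tail and the function names are assumptions, and "encrypting the digest with the private key" is modelled as an ECDSA signature over the SHA-256 digest; the resealed case shows that the check head and tail only catch corruption, while a changed image is stopped by the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

var ErrIntegrity = errors.New("check head or tail mismatch")
var ErrSignature = errors.New("signature rejected")

// Constructed layout (an assumption; the patent does not define one):
// "TFW1" | image length (4) | signature length (2) | image | signature | CRC32.
const magic = "TFW1"

// Seal adds the check head and the CRC32 check tail. It needs no key.
func Seal(image, sig []byte) []byte {
	head := make([]byte, 10)
	copy(head, magic)
	binary.BigEndian.PutUint32(head[4:], uint32(len(image)))
	binary.BigEndian.PutUint16(head[8:], uint16(len(sig)))
	out := append(append(head, image...), sig...)
	tail := make([]byte, 4)
	binary.BigEndian.PutUint32(tail, crc32.ChecksumIEEE(out))
	return append(out, tail...)
}

// Publish signs the SHA-256 digest of the compressed image and seals the result.
func Publish(image []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	return Seal(image, sig), nil
}

// Verify is the module side: check head and tail first, then the signature.
// The caller decompresses and loads only what Verify returns.
func Verify(tfw []byte, pub *ecdsa.PublicKey) ([]byte, error) {
	end := len(tfw) - 4
	if end < 10 || string(tfw[:4]) != magic || crc32.ChecksumIEEE(tfw[:end]) != binary.BigEndian.Uint32(tfw[end:]) {
		return nil, ErrIntegrity
	}
	n, s := int(binary.BigEndian.Uint32(tfw[4:8])), int(binary.BigEndian.Uint16(tfw[8:10]))
	if 10+n+s != end {
		return nil, ErrIntegrity
	}
	image, sig := tfw[10:10+n], tfw[10+n:end]
	d := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, ErrSignature
	}
	return image, nil
}

// Demo returns the verdicts for a good image, a corrupted one, and a modified, resealed one.
func Demo() (image []byte, corrupt, resealed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for FW Private Key
	tfw, _ := Publish([]byte("constructed compressed firmware"), priv)
	image, _ = Verify(tfw, &priv.PublicKey) // the public key stands in for the one read from ROM
	bad := append([]byte{}, tfw...)
	bad[12] ^= 1 // corruption in transit: caught by the check tail
	_, corrupt = Verify(bad, &priv.PublicKey)
	mod := append([]byte{}, image...)
	mod[2] ^= 1 // content changed and check tail recomputed: caught only by the signature
	_, resealed = Verify(Seal(mod, tfw[10+len(image):len(tfw)-4]), &priv.PublicKey)
	return
}

func main() {
	image, corrupt, resealed := Demo()
	fmt.Printf("good: %q\ncorrupted: %v\nresealed: %v\n", image, corrupt, resealed)
}
```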
In an exemplary embodiment, the GNSS positioning module is further configured to perform tiered encryption on its output information;
the tiered encryption of the output information of the GNSS positioning module comprises:
encrypting information used for authentication in a first-level secure encryption mode;
encrypting data containing preset geographic information in a second-level secure encryption mode;
encrypting all other data, apart from the information used for authentication and the data containing the preset geographic information, in a third-level secure encryption mode.
The information used for authentication may be important authentication information such as PN, SN and efuseID. The preset geographic information may be user-sensitive geographic information.
The first-level secure encryption mode may include adding an integrity check header and check trailer, generating a digital signature using the SHA algorithm, and encrypting with the ECDSA algorithm based on asymmetric encryption.
The second-level secure encryption mode may include adding an integrity check header and check trailer and encrypting with the AES symmetric encryption algorithm.
The third-level secure encryption mode may simply add an integrity check header and check trailer.
In an exemplary embodiment, the GNSS positioning module and the cloud service platform communicate with each other via a standard SSL/TLS protocol.
It should be noted that the security and confidentiality of the SSL/TLS protocol have been verified in network communication applications across many industries. The SSL/TLS protocol uses certificates from a third-party certificate authority to authenticate the device side and the cloud server side in network communication. Data transmitted over the network is encrypted to prevent it from being stolen in transit, and the integrity of the transmitted data is ensured to prevent tampering in transit.
In an exemplary embodiment, the network communication between the GNSS positioning module and the cloud service platform through the standard SSL/TLS protocol includes:
the GNSS positioning module communicates with the cloud service platform over the network through an SDK (software development kit) and the standard SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol;
the GNSS positioning module communicates with the SDK through a serial port.
It should be noted that, when a user uses the positioning module, the module's network function is not enabled, so the module side cannot interact with the cloud server over the network. However, the user device necessarily interacts with the module through the serial port. A software development kit (SDK) for encryption and authentication is therefore provided (as shown in FIG. 5): by integrating the SDK, the user device interacts with the cloud service through the SDK interface, and the SDK interacts with the module through the serial port, completing the communication link.
In an exemplary embodiment, the preset algorithm is the ECDSA algorithm of asymmetric encryption.
In an exemplary embodiment, the cloud service platform adopts a primary-standby redundancy design;
the cloud service platform comprises a plurality of physical nodes, and all the physical nodes are located in areas that meet the preset conditions.
For example, all core devices that affect service provision have a hot-backup redundancy design; when a core device becomes abnormal and cannot work, service can be quickly switched to the backup device to ensure normal service provision. The physical service equipment is deployed in multiple regions; when a region cannot provide service due to force majeure, service can be quickly switched to the physical equipment in other regions.
Physical access to network infrastructure such as physical network nodes and cables, and to their locations, can also be strictly limited through authorization management. Specific requirements (i.e. the preset conditions) are set for the temperature, humidity, dust, vibration, lightning and power of the area where the equipment is located, as shown in Table 1.
The application fields of the embodiment of the application include, but are not limited to, any field that uses a GNSS positioning module and supporting services and has high requirements for security and confidentiality, such as surveying and mapping, intelligent driving, driving tests and driver training, unmanned aerial vehicles, machine control, vehicle navigation, industrial timing, the Internet of Things, wearable devices and artificial intelligence.
Table 1. Specific requirements for the area in which the equipment is located (the table is provided as an image in the original publication)
The embodiment of the application is designed as a whole for the specific professional fields in which the positioning module and supporting services are applied. The security design advantages of general cloud-terminal integration are retained, and designs for professional fields such as surveying and mapping are creatively added. For example, geographically sensitive information, including location, undergoes special encryption processing. Likewise, the high-precision differential data required for RTK calculation must also be encrypted, and only the high-precision differential data within the authorized scope is sent, according to the satellite systems and frequency points permitted by the opened service.
The embodiment of the application provides coordinated protection across multiple dimensions, including physical security, firmware upgrade security, application security and communication security, effectively improving the security and confidentiality of the integrated cloud-and-terminal solution.
In terms of physical security, a comprehensive design covers both the cloud server side and the module side. On the cloud server side, the design takes into account the security of the physical equipment, the security of the equipment's location and environment, restrictions on physical access, and the security of regional factors.
In terms of the security of the positioning module's output information, secure encryption modes of different levels are adopted according to the sensitivity and importance of the output information, ensuring security while also taking efficiency into account.
In terms of firmware upgrade security, to ensure trusted release and upgrade, the SHA256 algorithm is used to generate a firmware digest as the digital signature, and the ECDSA algorithm based on asymmetric encryption and decryption is used.
In terms of OTA upgrade, authentication based on the ECDSA algorithm is used to ensure the security and reliability of the upgrade.
The same ECDSA algorithm is used for encrypting and decrypting both the firmware and the authentication information, and the same encryption algorithm library is used by the cloud service application and by the module-side firmware, which reduces the complexity of the processing logic.
The present application describes embodiments, but the description is illustrative rather than limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with, or instead of, any other feature or element in any other embodiment, unless expressly limited otherwise.
Any features shown and/or discussed in this application may be implemented separately or in any suitable combination.
Further, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other orders of steps are possible as will be understood by those of ordinary skill in the art.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.

Claims (10)

1. A GNSS positioning system, characterized in that,
the GNSS positioning system comprises a GNSS positioning module and a cloud service platform;
the GNSS positioning module is configured to: send an authentication request to the cloud service platform; interact with the cloud service platform to perform authentication; perform firmware upgrade according to the firmware upgrade service provided by the cloud service platform; and perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is configured to: authenticate the GNSS positioning module according to the authentication request; and, when the authentication passes, provide the firmware upgrade service and the high-precision differential data service for the GNSS positioning module according to the authority opened by the GNSS positioning module.
2. The system of claim 1,
the authentication request comprises an SN signature authentication packet of the GNSS positioning module;
the SN signature authentication packet of the GNSS positioning module is generated as follows:
encrypting the serial number in the GNSS positioning module information with the private key of the GNSS positioning module to generate the SN signature authentication packet of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and an eFuse identification number (efuseID).
3. The system of claim 2,
authenticating the GNSS positioning module according to the authentication request comprises:
decrypting the SN signature authentication packet of the GNSS positioning module with the public key of the GNSS positioning module, and generating a random number; encrypting the random number with the private key of the cloud service platform to generate a random number signature authentication packet; and sending the random number signature authentication packet to the GNSS positioning module;
interacting with the cloud service platform to perform authentication comprises:
the GNSS positioning module decrypting the random number signature authentication packet with the public key of the cloud service platform to obtain the random number; calculating a first hash value from the random number and the GNSS positioning module information; encrypting the first hash value with the private key of the GNSS positioning module to generate a first hash value authentication packet; and sending the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request further comprises:
decrypting the first hash value authentication packet with the public key of the GNSS positioning module to obtain the first hash value; calculating a second hash value from the random number and the GNSS positioning module information retrieved according to the serial number; and, if the first hash value is the same as the second hash value, passing the authentication.
4. The system of claim 1,
performing the firmware upgrade according to the firmware upgrade service provided by the cloud service platform comprises:
after integrity verification of the trusted release firmware provided by the firmware upgrade service, decrypting the trusted release firmware and performing digital signature authentication on it using the public key of a preset algorithm and the preset algorithm, and executing the firmware upgrade if the authentication passes;
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in the firmware.
5. The system of claim 4,
the trusted release firmware is generated according to the following steps:
digitally signing the compressed original upgrade firmware;
encrypting the digital signature with the private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate the trusted release firmware;
the private key of the preset algorithm is stored in a physical USB device.
6. The system of claim 1,
the GNSS positioning module is further configured to perform tiered encryption on its output information;
the tiered encryption of the output information of the GNSS positioning module comprises:
encrypting information used for authentication in a first-level secure encryption mode;
encrypting data containing preset geographic information in a second-level secure encryption mode;
encrypting all other data, apart from the information used for authentication and the data containing the preset geographic information, in a third-level secure encryption mode.
7. The system of claim 1,
the GNSS positioning module and the cloud service platform perform network communication through a standard SSL/TLS protocol.
8. The system of claim 7,
the network communication between the GNSS positioning module and the cloud service platform through the standard SSL/TLS protocol comprises:
the GNSS positioning module communicates with the cloud service platform over the network through an SDK (software development kit) and the standard SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol;
the GNSS positioning module communicates with the SDK through a serial port.
9. The system of claim 4,
the preset algorithm is the ECDSA algorithm of asymmetric encryption.
10. The system of claim 1,
the cloud service platform adopts a primary-standby redundancy design;
the cloud service platform comprises a plurality of physical nodes, and all the physical nodes are located in areas that meet the preset conditions.
CN202210787880.6A 2022-07-04 2022-07-04 GNSS positioning system Active CN115314556B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210787880.6A CN115314556B (en) 2022-07-04 2022-07-04 GNSS positioning system

Publications (2)

Publication Number Publication Date
CN115314556A true CN115314556A (en) 2022-11-08
CN115314556B CN115314556B (en) 2024-03-08

Family

ID=83856446

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant