CN115314556B - GNSS positioning system - Google Patents


Info

Publication number
CN115314556B
Authority
CN
China
Prior art keywords
gnss positioning
positioning module
cloud service
service platform
authentication
Legal status
Active
Application number
CN202210787880.6A
Other languages
Chinese (zh)
Other versions
CN115314556A (en)
Inventor
任晓斌
兰晓明
王夏静
孙峰
武刚
武阳
胡木吉勒
Current Assignee
Unicore Communications Inc
Original Assignee
Unicore Communications Inc

Classifications

    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/03 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers
    • G01S19/071 DGPS corrections
    • G01S19/10 Cooperating elements; Interaction or communication between different cooperating elements or between cooperating elements and receivers providing dedicated supplementary positioning signals
    • G01S19/41 Differential correction, e.g. DGPS [differential GPS]
    • G01S19/51 Relative positioning
    • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a GNSS positioning system comprising a GNSS positioning module and a cloud service platform. The GNSS positioning module is arranged to send an authentication request to the cloud service platform; to interact with the cloud service platform to complete authentication; to perform a firmware upgrade according to the firmware upgrade service provided by the cloud service platform; and to perform data processing according to the high-precision differential data service provided by the cloud service platform. The cloud service platform is arranged to authenticate the GNSS positioning module according to the authentication request and, after authentication passes, to provide the firmware upgrade service and the high-precision differential data service to the GNSS positioning module according to the permissions opened by the GNSS positioning module. The GNSS positioning system ensures the security and confidentiality of GNSS module information.

Description

GNSS positioning system
Technical Field
The present disclosure relates to the field of GNSS positioning technologies, and in particular, to a GNSS positioning system.
Background
The GNSS positioning module is referred to as the module end for short, and the matching cloud service is referred to as the cloud service end for short. The cloud service end provides a remote high-precision differential data service and an OTA upgrade service to the module end. The module end uses the high-precision differential data to perform RTK or DGPS relative positioning, with positioning precision reaching the centimeter level, and performs remote automatic upgrades through the OTA upgrade service. Currently, an overall security solution covering both the module end and the cloud service end is lacking.
Disclosure of Invention
The application provides a GNSS positioning system that ensures the security and confidentiality of GNSS module information.
The application provides a GNSS positioning system, which comprises a GNSS positioning module and a cloud service platform;
the GNSS positioning module is arranged to send an authentication request to the cloud service platform; to interact with the cloud service platform to complete authentication; to perform a firmware upgrade according to the firmware upgrade service provided by the cloud service platform; and to perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is arranged to authenticate the GNSS positioning module according to the authentication request and, after authentication passes, to provide the firmware upgrade service and the high-precision differential data service to the GNSS positioning module according to the permissions opened by the GNSS positioning module.
In an exemplary embodiment, the authentication request includes an SN signature authentication package of the GNSS positioning module;
the SN signature authentication package of the GNSS positioning module is generated in the following way:
encrypting the serial number in the GNSS positioning module information through the private key of the GNSS positioning module to generate an SN signature authentication package of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and a capacitance wire identification number.
In an exemplary embodiment, authenticating the GNSS positioning module according to the authentication request includes:
decrypting the SN signature authentication package of the GNSS positioning module by using the public key of the GNSS positioning module, and generating a random number; encrypting the random number through a private key of the cloud service platform to generate a random number signature authentication package; transmitting the random number signature authentication package to the GNSS positioning module;
interacting with the cloud service platform, comprising:
the GNSS positioning module decrypts the random number signature authentication package according to the public key of the cloud service platform to obtain the random number; a first hash value is calculated according to the random number and the GNSS positioning module information; encrypting the first hash value through a private key of the GNSS positioning module to generate a first hash value authentication packet, and sending the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request, and further comprising:
decrypting the first hash value authentication packet through the public key of the GNSS positioning module to obtain a first hash value; and calculating a second hash value according to the random number and the GNSS positioning module information acquired according to the serial number, and if the first hash value is the same as the second hash value, passing the authentication.
In an exemplary embodiment, the firmware upgrade according to the firmware upgrade service provided by the cloud service platform includes:
after performing an integrity check on the trusted release firmware provided by the firmware upgrade service, performing decryption and digital signature authentication on the trusted release firmware using the preset algorithm and the public key of the preset algorithm, and executing the firmware upgrade if the authentication passes;
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in firmware.
In an exemplary embodiment, the trusted release firmware is generated as follows:
digitally signing the compressed original upgraded firmware;
encrypting the digital signature through a private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate a trusted release firmware;
the private key of the preset algorithm is stored in the physical USB device.
In an exemplary embodiment, the GNSS positioning module is further configured to perform hierarchical encryption on output information of the GNSS positioning module;
the step of carrying out hierarchical encryption on the output information of the GNSS positioning module comprises the following steps:
encrypting the information for authentication by adopting a first secure encryption mode;
encrypting the data containing the preset geographic information in a second security encryption mode;
and encrypting other data except the information for authentication and the data containing the preset geographic information by adopting a third secure encryption mode.
In an exemplary embodiment, the GNSS positioning module communicates with the cloud service platform via a standard SSL/TLS protocol.
In an exemplary embodiment, the GNSS positioning module and the cloud service platform are in network communication through a standard SSL/TLS protocol, including:
the GNSS positioning module performs network communication with the cloud service platform over the standard SSL/TLS protocol via the SDK;
and the GNSS positioning module communicates with the SDK through a serial port.
In an exemplary embodiment, the preset algorithm is an ECDSA algorithm of asymmetric encryption.
In an exemplary embodiment, the cloud service platform is a cloud service platform adopting a primary-backup redundancy design;
the cloud service platform comprises a plurality of physical nodes; and each physical node is arranged in an area meeting preset conditions.
The application comprises the following advantages:
according to at least one embodiment of the application, the overall security of the module end and the cloud service end is improved;
according to at least one embodiment of the application, the security of firmware release and upgrading is improved;
at least one embodiment of the application can take both the security and the efficiency of the output information of the GNSS positioning module into account;
according to at least one embodiment of the application, the security and confidentiality of GNSS module information can be jointly guaranteed through physical security, firmware upgrade security, application security and communication security.
Of course, not all of the above-described advantages need be achieved at the same time in practicing any one of the products of the present application.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. Other advantages of the present application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The accompanying drawings provide an understanding of the technical solution of the present application and constitute a part of this specification; together with the embodiments of the present application they serve to explain the technical solution and do not limit it.
FIG. 1 is a schematic diagram of a GNSS positioning system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of authentication in an embodiment of the present application;
FIG. 3 is a schematic diagram of a firmware upgrade according to an embodiment of the present application;
FIG. 4 is a flowchart of firmware release according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another GNSS positioning system according to an embodiment of the present application.
Detailed Description
As shown in FIG. 1, a GNSS positioning system according to an embodiment of the present application includes a GNSS positioning module and a cloud service platform;
the GNSS positioning module is arranged to send an authentication request to the cloud service platform; to interact with the cloud service platform to complete authentication; to perform a firmware upgrade according to the firmware upgrade service provided by the cloud service platform; and to perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is arranged to authenticate the GNSS positioning module according to the authentication request and, after authentication passes, to provide the firmware upgrade service and the high-precision differential data service to the GNSS positioning module according to the permissions opened by the GNSS positioning module.
In an exemplary embodiment, the cloud service platform provides only those services that fall within the permissions opened by the module end. For example, the permission content for the firmware upgrade service includes a service ID, a module ID, a device ID, whether to open the service, a service expiration time, and other reserved permission fields. The permission content for the high-precision audit service may include a service ID, a module ID, a device ID, whether to provision the service, a service expiration time, the supported satellite systems, the supported system frequency points, the differential format used, and other reserved permission fields. The module ID comprises the serial number (SN) and the capacitance wire identification number (Efuse ID). The service ID is a unique ID generated by the cloud service platform from the module information updated in the database, in one-to-one correspondence with the modules. When the SDK initializes the device ID, it is calculated by a fixed algorithm from the module's SN and Efuse ID, and it is unique.
During production of the GNSS positioning module, the production tool automatically records the module's serial number (SN), product number (PN) and capacitor wire identification number (Efuse ID), all of which uniquely identify the module.
In an exemplary embodiment, the authentication request includes an SN signature authentication package of the GNSS positioning module;
the SN signature authentication package of the GNSS positioning module is generated in the following way:
encrypting the serial number in the GNSS positioning module information through the private key of the GNSS positioning module to generate an SN signature authentication package of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and a capacitance wire identification number.
In an exemplary embodiment, the private key of the GNSS positioning module is generated in a dedicated secure trusted environment based on the asymmetric ECDSA algorithm. The private key of the GNSS positioning module is stored in a physical USB device, and a designated person is responsible for using it for encryption strictly according to the security process. The private key can be stored in three dedicated secure USB KEY storage devices that back each other up. It can be accessed only by the ECDSA algorithm inside the KEY device; it cannot be accessed or read from outside, and technically cannot be read out of the KEY device.
In an exemplary embodiment, authenticating the GNSS positioning module according to the authentication request includes:
decrypting the SN signature authentication package of the GNSS positioning module by using the public key of the GNSS positioning module, and generating a random number; encrypting the random number through a private key of the cloud service platform to generate a random number signature authentication package; transmitting the random number signature authentication package to the GNSS positioning module;
interacting with the cloud service platform, comprising:
decrypting the random number signature authentication package according to the public key of the cloud service platform to obtain the random number;
the GNSS positioning module calculates a first hash value according to the random number and the GNSS positioning module information; encrypting the first hash value through a private key of the GNSS positioning module to generate a first hash value authentication packet, and sending the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request, and further comprising:
decrypting the first hash value authentication packet through the public key of the GNSS positioning module to obtain a first hash value; and calculating a second hash value according to the random number and the GNSS positioning module information acquired according to the serial number, and if the first hash value is the same as the second hash value, passing the authentication.
In an exemplary embodiment, because GNSS positioning module resources are limited, the ECDSA algorithm is also selected as the identity authentication algorithm between the cloud service end and the module end in order to reduce computation and complexity. On the module end, encryption and decryption for the cloud service application and for the firmware use the same encryption algorithm library. Only one public/private key pair is used for encryption and decryption of the firmware, while two public/private key pairs are used for encryption and decryption between the module end and the cloud service application. The key pair of the cloud service end is denoted (Apu, Apr) and the key pair of the module end is denoted (Bpu, Bpr); they are used for authentication from the cloud service end to the module end and from the module end to the cloud service end.
For example, as shown in FIG. 2, the authentication flow may include the following steps:
First, the module end encrypts the SN with Bpr based on the ECDSA algorithm to generate a signature authentication packet for the SN and transmits it to the SDK over the serial port; the SDK then forwards it to the cloud service end over the network.
Second, the cloud service end decrypts the SN signature authentication packet with Bpu to obtain the SN, generates a random number R, and stores R in the database under the SN. It encrypts R with the cloud service end private key Apr to generate a signed authentication packet for R, which is transmitted over the network to the SDK on the device; the SDK then passes it to the module over the serial port.
Third, the authentication module at the module end decrypts the signed authentication packet containing R with Apu to obtain R, calculates a hash value H1 from SN, PN, Efuse ID and R, signs H1 with the Bpr key in the chip ROM, and packs it into an authentication packet containing H1, which is transmitted to the cloud service end over the network via the SDK.
Fourth, the authentication service of the cloud service end decrypts the authentication packet containing H1 with Bpu to obtain H1. The hash value H2 is calculated from the PN, Efuse ID and R obtained from the database according to the SN. If H1 equals H2, authentication passes and the services within the module's opened permissions are provided; if H1 does not equal H2, service is refused and authentication failure information is returned.
The following is further performed before the first step:
An encryption packet containing the module end Bpr is produced according to the secure and trusted release flow. The encryption packet can be used as an independent upgrade packet for the encryption function alone, or can be integrated into the full upgrade firmware package. When firmware is written at the factory or a sold module is upgraded, the module installs the Bpr encryption packet; the load part of the firmware decrypts the encrypted Bpr, converts it into an encrypted Bpr combined with local information, and stores it in the ROM of the chip.
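The four-step flow above, worked through as an added example in Go; it is not code from the patent or from the assignee. ECDSA is a signature scheme, so the example signs where the text says "encrypt with the private key" and verifies where it says "decrypt with the public key", sending SN, R and H1 alongside their signatures. The SHA-256 hash, the length-prefixed field encoding, the 32-byte R and all type and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// The identity record named on the page and the two ends of the exchange.
type (
	ModuleInfo struct{ SN, PN, EfuseID string }
	Module     struct {
		Info ModuleInfo
		Bpr  *ecdsa.PrivateKey // module private key
		Apu  *ecdsa.PublicKey  // cloud public key
	}
	Cloud struct {
		Apr     *ecdsa.PrivateKey     // cloud private key
		Bpu     *ecdsa.PublicKey      // module public key
		DB      map[string]ModuleInfo // production records keyed by SN
		Pending map[string][]byte     // outstanding random number R per SN
	}
)

// hashInfo computes H1/H2 over SN, PN, EfuseID and R. The length-prefixed
// encoding is an assumption of this example; the page does not specify one.
func hashInfo(m ModuleInfo, r []byte) []byte {
	h := sha256.New()
	for _, f := range []string{m.SN, m.PN, m.EfuseID, string(r)} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// sign returns nil if the system RNG fails; a nil signature never verifies.
func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, d[:])
	return sig
}
func verify(k *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(k, d[:], sig)
}

// Challenge is step 2: check the SN signature with Bpu, then issue a fresh R.
func (c *Cloud) Challenge(sn string, sig []byte) (r, rSig []byte, ok bool) {
	r = make([]byte, 32)
	_, err := rand.Read(r)
	if _, known := c.DB[sn]; err != nil || !known || !verify(c.Bpu, []byte(sn), sig) {
		return nil, nil, false
	}
	c.Pending[sn] = r // stored under the SN for step 4
	return r, sign(c.Apr, r), true
}

// Respond is step 3: accept R only if the cloud signed it, then sign H1.
func (m *Module) Respond(r, rSig []byte) (h1, h1Sig []byte, ok bool) {
	if !verify(m.Apu, r, rSig) {
		return nil, nil, false
	}
	h1 = hashInfo(m.Info, r)
	return h1, sign(m.Bpr, h1), true
}

// Finish is step 4: verify the H1 signature and compare H1 with H2 from the
// database record and stored R. R is consumed on every attempt (no replay).
func (c *Cloud) Finish(sn string, h1, h1Sig []byte) bool {
	r, ok := c.Pending[sn]
	delete(c.Pending, sn)
	return ok && verify(c.Bpu, h1, h1Sig) &&
		subtle.ConstantTimeCompare(h1, hashInfo(c.DB[sn], r)) == 1
}

// Authenticate runs the flow; step 1 is the module signing its SN with Bpr.
func Authenticate(m *Module, c *Cloud) bool {
	r, rSig, ok := c.Challenge(m.Info.SN, sign(m.Bpr, []byte(m.Info.SN)))
	if !ok {
		return false
	}
	h1, h1Sig, ok := m.Respond(r, rSig)
	return ok && c.Finish(m.Info.SN, h1, h1Sig)
}

// NewPair builds both ends with fresh P-256 keys (constructed sample setup).
func NewPair(info ModuleInfo) (*Module, *Cloud) {
	apr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bpr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Module{info, bpr, &apr.PublicKey},
		&Cloud{apr, &bpr.PublicKey, map[string]ModuleInfo{info.SN: info}, map[string][]byte{}}
}

func main() {
	m, c := NewPair(ModuleInfo{"SN-0001", "PN-A", "EF-1234"})
	fmt.Println("genuine module authenticated:", Authenticate(m, c))
}
```

Freshness comes from R: the SN signature of step 1 is valid every time it is presented, so the decision rests on the signed H1 over a random number the cloud service end issued and then deleted.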
In an exemplary embodiment, the firmware upgrade according to the firmware upgrade service provided by the cloud service platform includes:
after performing an integrity check on the trusted release firmware provided by the firmware upgrade service, performing decryption and digital signature authentication on the trusted release firmware using the preset algorithm and the public key of the preset algorithm, and executing the firmware upgrade if the authentication passes;
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in firmware.
For example, FIG. 3 illustrates the overall firmware upgrade flow. The module end is upgraded using the TrustedFW. After the module is powered on and started, the integrity of the TrustedFW is checked, and the decryption stage is entered only if the firmware passes the integrity check. The ROM public key access program is loaded and executed, the public key used for decryption is obtained from the ROM, decryption and digital signature authentication are carried out with the elliptic curve digital signature algorithm (ECDSA), and only firmware that passes authentication is loaded and executed.
In an exemplary embodiment, the trusted release firmware is generated as follows:
digitally signing the compressed original upgraded firmware;
encrypting the digital signature through a private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate a trusted release firmware;
the private key of the preset algorithm is stored in the physical USB device.
For example, FIG. 4 shows the trusted release flow. First, the original upgrade firmware (FW for short) is generated and compressed. The compressed FW is digitally signed: a firmware digest is generated with the SHA256 algorithm as the digital signature and is encrypted with the private key (FW Private Key) of the ECDSA algorithm, which is based on asymmetric encryption. A check head and a check tail, used to verify the integrity of the firmware during upgrade, are then added to generate the trusted release firmware (TrustedFW for short). The FW Private Key is stored in a physical USB device, and a designated person is responsible for using it for encryption strictly according to the security flow. ECDSA keys are generated in a specific secure and trusted environment. The private key is stored in three dedicated, secure and reliable USB KEY storage devices that back each other up; it can only be accessed by the ECDSA algorithm inside the KEY, is not accessible or readable from the outside, and technically cannot be read out of the KEY device.
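The release flow of FIG. 4 and the upgrade-side checks of FIG. 3, as an added Go example that is not taken from the patent. The container layout (marker, length fields, CRC32 tail), the use of gzip and all names are assumptions, and the ECDSA step is modeled as signing and verifying the SHA-256 digest of the compressed image, with no confidentiality layer.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"io"
)

// Assumed layout (not from the patent): "TFW1" | bodyLen u32 | sigLen u16 | gzip(FW) | sig | CRC32.
var magic = []byte("TFW1")
var ErrIntegrity, ErrSignature = errors.New("check head/tail mismatch"), errors.New("bad signature")

// Release compresses FW, signs the SHA-256 digest of the compressed image, adds head and tail.
func Release(priv *ecdsa.PrivateKey, fw []byte) ([]byte, error) {
	var body bytes.Buffer
	zw := gzip.NewWriter(&body)
	zw.Write(fw)
	zw.Close()
	digest := sha256.Sum256(body.Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), make([]byte, 6)...)
	binary.BigEndian.PutUint32(out[4:], uint32(body.Len()))
	binary.BigEndian.PutUint16(out[8:], uint16(len(sig)))
	return withTail(append(append(out, body.Bytes()...), sig...)), nil
}

func withTail(b []byte) []byte { // appends the CRC32 check tail
	c := crc32.ChecksumIEEE(b)
	return append(b, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
}

// Install follows the device order: integrity check, signature check, and only then unpacking.
func Install(romPub *ecdsa.PublicKey, pkg []byte) ([]byte, error) {
	n := len(pkg) - 4
	if n < 10 || !bytes.Equal(pkg[:4], magic) || crc32.ChecksumIEEE(pkg[:n]) != binary.BigEndian.Uint32(pkg[n:]) {
		return nil, ErrIntegrity
	}
	bodyLen, sigLen := int(binary.BigEndian.Uint32(pkg[4:])), int(binary.BigEndian.Uint16(pkg[8:]))
	if bodyLen < 0 || 10+bodyLen+sigLen != n {
		return nil, ErrIntegrity
	}
	body, sig := pkg[10:10+bodyLen], pkg[10+bodyLen:n]
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(romPub, digest[:], sig) {
		return nil, ErrSignature
	}
	zr, err := gzip.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, fmt.Errorf("unpack: %w", err)
	}
	return io.ReadAll(zr)
}

// Demo: a good package, one corrupted in transit, and one edited with the CRC tail fixed up.
func Demo() (ok bool, corrupted, edited error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed release key
	fw := []byte("constructed firmware image v2")
	pkg, _ := Release(priv, fw)
	got, err := Install(&priv.PublicKey, pkg)
	ok = err == nil && bytes.Equal(got, fw)
	bad := append([]byte{}, pkg...)
	bad[12] ^= 1 // flip one bit of the compressed image
	_, corrupted = Install(&priv.PublicKey, bad)
	_, edited = Install(&priv.PublicKey, withTail(bad[:len(bad)-4]))
	return
}

func main() { fmt.Println(Demo()) }
```

The check head and tail catch accidental corruption, while the edited package with a recomputed tail is stopped only by the signature check against the ROM public key.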
In an exemplary embodiment, the GNSS positioning module is further configured to perform hierarchical encryption on output information of the GNSS positioning module;
the step of carrying out hierarchical encryption on the output information of the GNSS positioning module comprises the following steps:
encrypting the information for authentication by adopting a first secure encryption mode;
encrypting the data containing the preset geographic information in a second secure encryption mode;
and encrypting other data except the information for authentication and the data containing the preset geographic information by adopting a third secure encryption mode.
The information for authentication may be, for example, important information used for authentication, such as PN, SN and efuseID. The preset geographic information may be user-sensitive geographic information.
The first-level secure encryption method may include adding an integrity check header and a check trailer, generating a digital signature with an SHA algorithm, and encrypting with the ECDSA algorithm based on asymmetric encryption.
The second-level secure encryption method may include adding an integrity check header and a check trailer and encrypting with the AES symmetric encryption algorithm.
The third-level secure encryption method may simply add an integrity check header and a check trailer.
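An added Go example (not from the patent) of the second and third levels, showing what each one does and does not protect. The frame layout with a CRC32 check tail, the choice of AES in GCM mode, the function names and the sample position record are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

const ( // levels two and three; the frame layout and the GCM mode are assumptions
	Geo   = 2 // sensitive geographic data: check head/tail + AES
	Other = 3 // remaining output: check head/tail only
)

// frame adds the check head (level, body length) and the check tail (CRC32).
func frame(level byte, body []byte) []byte {
	out := append([]byte{level, 0, 0, 0, 0}, body...)
	binary.BigEndian.PutUint32(out[1:5], uint32(len(body)))
	c := crc32.ChecksumIEEE(out)
	return append(out, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
}

// Protect wraps one output message according to its level.
func Protect(level byte, msg []byte, gcm cipher.AEAD) ([]byte, error) {
	if level != Geo {
		return frame(Other, msg), nil
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The level byte is bound as associated data so a frame cannot be relabelled.
	return frame(Geo, gcm.Seal(nonce, nonce, msg, []byte{Geo})), nil
}

// Open checks head and tail first, then undoes the level's protection.
func Open(pkt []byte, gcm cipher.AEAD) ([]byte, error) {
	n := len(pkt) - 4
	if n < 5 || crc32.ChecksumIEEE(pkt[:n]) != binary.BigEndian.Uint32(pkt[n:]) ||
		int(binary.BigEndian.Uint32(pkt[1:5])) != n-5 {
		return nil, errors.New("check head/tail mismatch")
	}
	body := pkt[5:n]
	switch {
	case pkt[0] == Other:
		return body, nil
	case pkt[0] == Geo && len(body) >= gcm.NonceSize():
		return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], []byte{Geo})
	}
	return nil, fmt.Errorf("malformed level-%d frame", pkt[0])
}

// rewrite models an on-path edit: flip one bit of body byte i and recompute the check tail.
func rewrite(pkt []byte, i int) []byte {
	body := append([]byte{}, pkt[5:len(pkt)-4]...)
	body[i] ^= 1
	return frame(pkt[0], body)
}

// Demo: is the position hidden, is an edited level-2 frame rejected, is an edited level-3 frame accepted?
func Demo() (hidden, geoRejected, otherAccepted bool) {
	key := make([]byte, 32) // constructed key; a real one would be provisioned
	rand.Read(key)
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	fix := []byte("lat=12.345678,lon=98.765432") // constructed position record
	geo, _ := Protect(Geo, fix, gcm)
	other, _ := Protect(Other, fix, gcm)
	_, geoErr := Open(rewrite(geo, 20), gcm)
	got, otherErr := Open(rewrite(other, 4), gcm)
	return !bytes.Contains(geo, fix) && bytes.Contains(other, fix), geoErr != nil, otherErr == nil && !bytes.Equal(got, fix)
}

func main() { fmt.Println(Demo()) }
```

Level three is therefore suitable only for data where neither disclosure nor deliberate modification matters; the rejection of the edited level-two frame comes from the authenticated GCM mode assumed here, not from AES encryption as such.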
In an exemplary embodiment, the GNSS positioning module communicates with the cloud service platform via a standard SSL/TLS protocol.
It should be noted that the security and confidentiality of the SSL/TLS protocol have been verified in network communication applications in a number of industry areas. The SSL/TLS protocol uses a certificate from a third-party certificate authority to authenticate network communication between the equipment end and the cloud service end. It encrypts the data transmitted over the network to prevent the data from being stolen in transit, and it ensures the integrity of the transmitted data so that it cannot be tampered with during transmission.
In an exemplary embodiment, the GNSS positioning module and the cloud service platform are in network communication through a standard SSL/TLS protocol, including:
the GNSS positioning module performs network communication with the cloud service platform through the SDK over a standard SSL/TLS protocol;
and the GNSS positioning module communicates with the SDK through a serial port.
It should be noted that a user may use the positioning module without enabling the module's network function, in which case the module end cannot interact with the cloud service end through the network. However, the user equipment can always interact with the module through the serial port. A software development kit (SDK, shown in FIG. 5) for encryption and authentication is therefore provided: the user interacts with the cloud service through the integrated SDK interface, and the SDK interacts with the module through the serial port, which opens up the communication link.
In an exemplary embodiment, the preset algorithm is an ECDSA algorithm of asymmetric encryption.
In an exemplary embodiment, the cloud service platform is a cloud service platform adopting a primary-backup redundancy design;
the cloud service platform comprises a plurality of physical nodes; and each physical node is arranged in an area meeting preset conditions.
For example, core devices that affect service provision have a hot-backup redundancy design; when a core device fails and cannot operate, service can be quickly switched to the backup device, so that normal service provision is ensured. The physical service equipment is deployed in multiple areas, so that when service cannot be provided in a certain area because of unreliability factors, it can be quickly switched to the physical equipment in other areas.
Physical access to network infrastructure such as physical nodes and cables, and to the sites where they are located, can also be strictly restricted by authorization management. Specific requirements (i.e. the above preset conditions) are also set for the temperature, humidity, dust, vibration, lightning and electric power of the area where the equipment is located, as shown in Table 1.
The application fields of the embodiments of the present application include, but are not limited to, any application field that uses a GNSS positioning module and matching services and has high requirements on security and confidentiality, such as surveying and mapping, intelligent driving, driving tests and driver training, unmanned aerial vehicles, mechanical control, vehicle navigation, industry timing services, the Internet of Things, wearable equipment, artificial intelligence, and the like.
Table 1. Specific requirements for the area where the equipment is located
In the embodiments of the application, a specialized design is made, from an overall perspective, for the specific professional field in which the positioning module and its matching services are applied. The security design advantages of general cloud and terminal integration are retained, and design for professional fields such as surveying and mapping is creatively added. For example, data containing geographically sensitive information such as location receives special encryption processing. For example, the high-precision differential data required by RTK calculation is encrypted, and only the high-precision differential data within the granted authority is transmitted, according to the satellite systems and frequency points supported by the opened service.
In the embodiments of the application, a coordinated protection design is carried out across multiple dimensions such as physical security, firmware upgrade security, application security and communication security, so that the security and confidentiality of the integrated cloud and terminal solution are effectively improved.
In terms of physical security, a comprehensive design covers both the cloud service end and the module end. The cloud service end design takes into account the security of the physical equipment, the security of the equipment's location and environment, physical access restriction, and the security of regional factors.
In terms of the security of the positioning module's output information, secure encryption methods of different levels are adopted based on the sensitivity and importance of the output information, so that security is ensured while efficiency is taken into account.
In terms of firmware upgrade security, to ensure trusted release and upgrade, the SHA256 algorithm is used to generate a firmware digest as the digital signature, and the ECDSA algorithm based on asymmetric encryption and decryption is used.
In terms of OTA upgrading, authentication based on the ECDSA algorithm is adopted, so that upgrades are secure and reliable.
Encryption and decryption of the firmware and of the authentication information use the same ECDSA algorithm; at the module end, the encryption and decryption used for cloud service applications and for the firmware use the same encryption algorithm library, so that the complexity of the processing logic is reduced.
The present application describes a number of embodiments, but the description is illustrative and not limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or in place of any other feature or element of any other embodiment unless specifically limited.
Any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination.
Furthermore, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other sequences of steps are possible as will be appreciated by those of ordinary skill in the art.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (10)

1. A GNSS positioning system is characterized in that,
the system comprises a GNSS positioning module and a cloud service platform;
the GNSS positioning module is arranged to send an authentication request to the cloud service platform; to interact with the cloud service platform to perform authentication; to perform firmware upgrading according to the firmware upgrading service provided by the cloud service platform; and to perform positioning according to the high-precision differential data service provided by the cloud service platform;
the cloud service platform is arranged for authenticating the GNSS positioning module according to the authentication request; when the authentication passes, providing firmware upgrading service and high-precision differential data service for the GNSS positioning module according to the authority opened by the GNSS positioning module;
the firmware upgrading according to the firmware upgrading service provided by the cloud service platform comprises the following steps: after the integrity check is carried out on the trusted release firmware provided by the firmware upgrading service, the trusted release firmware is decrypted and digital signature authenticated through a public key of a preset algorithm and the preset algorithm, and if the authentication is passed, the firmware upgrading is executed.
2. The system of claim 1, wherein,
the authentication request comprises an SN signature authentication package of the GNSS positioning module;
the SN signature authentication package of the GNSS positioning module is generated in the following way:
encrypting the serial number in the GNSS positioning module information through the private key of the GNSS positioning module to generate an SN signature authentication package of the GNSS positioning module;
the GNSS positioning module information comprises a product number, a serial number and an eFuse identification number.
3. The system of claim 2, wherein,
authenticating the GNSS positioning module according to the authentication request, including:
decrypting the SN signature authentication package of the GNSS positioning module by using the public key of the GNSS positioning module, and generating a random number; encrypting the random number through a private key of the cloud service platform to generate a random number signature authentication package; transmitting the random number signature authentication package to the GNSS positioning module;
interacting with the cloud service platform, comprising:
the GNSS positioning module decrypts the random number signature authentication package according to the public key of the cloud service platform to obtain the random number; a first hash value is calculated according to the random number and the GNSS positioning module information; encrypting the first hash value through a private key of the GNSS positioning module to generate a first hash value authentication packet, and sending the first hash value authentication packet to the cloud service platform;
authenticating the GNSS positioning module according to the authentication request, and further comprising:
decrypting the first hash value authentication packet through the public key of the GNSS positioning module to obtain a first hash value; and calculating a second hash value according to the random number and the GNSS positioning module information acquired according to the serial number, and if the first hash value is the same as the second hash value, passing the authentication.
4. The system of claim 1, wherein,
the public key of the preset algorithm is obtained by loading and executing a ROM public key access program in the firmware.
5. The system of claim 1, wherein,
the trusted release firmware is generated according to the following steps:
digitally signing the compressed original upgraded firmware;
encrypting the digital signature through a private key of the preset algorithm;
adding a check head and a check tail to the encrypted digital signature to generate a trusted release firmware;
the private key of the preset algorithm is stored in the physical USB device.
6. The system of claim 1, wherein,
the GNSS positioning module is further arranged to conduct hierarchical encryption on output information of the GNSS positioning module;
the step of carrying out hierarchical encryption on the output information of the GNSS positioning module comprises the following steps:
encrypting the information for authentication by adopting a first secure encryption mode;
encrypting the data containing the preset geographic information in a second secure encryption mode;
and encrypting other data except the information for authentication and the data containing the preset geographic information by adopting a third secure encryption mode.
7. The system of claim 1, wherein,
and the GNSS positioning module and the cloud service platform are in network communication through a standard SSL/TLS protocol.
8. The system of claim 7, wherein,
the GNSS positioning module and the cloud service platform perform network communication through a standard SSL/TLS protocol, including:
the GNSS positioning module performs network communication with the cloud service platform through the SDK over a standard SSL/TLS protocol;
and the GNSS positioning module communicates with the SDK through a serial port.
9. The system of claim 4, wherein,
the preset algorithm is an ECDSA algorithm of asymmetric encryption.
10. The system of claim 1, wherein,
the cloud service platform is a cloud service platform adopting a primary-backup redundancy design;
the cloud service platform comprises a plurality of physical nodes; and each physical node is arranged in an area meeting preset conditions.
CN202210787880.6A 2022-07-04 2022-07-04 GNSS positioning system Active CN115314556B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210787880.6A CN115314556B (en) 2022-07-04 2022-07-04 GNSS positioning system


Publications (2)

Publication Number Publication Date
CN115314556A CN115314556A (en) 2022-11-08
CN115314556B CN115314556B (en) 2024-03-08

Family

ID=83856446




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant