CN115459973A - Secure communication authentication method, device, system and storage medium - Google Patents


Publication number
CN115459973A
Authority
CN
China
Prior art keywords
electronic control
control module
message
safety
receiving
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211044455.4A
Other languages
Chinese (zh)
Inventor
阙菲
谭成宇
汪向阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing Changan Automobile Co Ltd
Original Assignee
Chongqing Changan Automobile Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing Changan Automobile Co Ltd filed Critical Chongqing Changan Automobile Co Ltd
Priority to CN202211044455.4A priority Critical patent/CN115459973A/en
Publication of CN115459973A publication Critical patent/CN115459973A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Selective Calling Equipment (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The invention relates to the technical field of vehicle communication and provides a secure communication authentication method, device, system and storage medium. The method comprises the following steps: connecting the electrical inspection device to the vehicle-end control device, generating a whole-vehicle key SK with the electrical inspection device, and filling the whole-vehicle key SK into each electronic control module in turn; the transmitting-end electronic control module constructs a secure message, wherein the secure message carries the message content PAYLOAD and the transmission message CANFD ID; the transmitting-end electronic control module and the receiving-end electronic control module jointly maintain a freshness value FV using a preset strategy; the transmitting-end electronic control module generates a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and places the transmitting-end MAC in the secure message; and the transmitting-end electronic control module sends the secure message to the receiving-end electronic control module over the CANFD bus. The method and device can reduce the threat of external attacks on the communication information transmitted over the CANFD bus and enhance the authenticity and integrity of that information.

Description

Secure communication authentication method, device, system and storage medium
Technical Field
The invention belongs to the technical field of vehicle communication, and particularly relates to a secure communication authentication method, device, system and storage medium.
Background
As attacks on whole-vehicle information security become more frequent, the information security measures applied by the major vehicle manufacturers grow in importance. Current attacks are mainly near-end attacks and remote attacks: a remote attack controls or hijacks a vehicle through the TSP server, while a near-end attack penetrates the in-vehicle bus or WiFi/Bluetooth. Vehicle manufacturers respond to these threats to the vehicle with defense-in-depth strategies.
As the communication-rate requirements of the electronic control modules in a vehicle have increased, bus protocols such as LIN, CAN and CANFD have been developed. The CAN bus is the most widely used, but the traditional CAN bus supports only 8-byte transmission and cannot meet the needs of applications such as automated driving and chassis control, which involve large data volumes and require low communication latency.
The CANFD bus supports transmission of up to 64 bytes, and its transmission rate can reach 5 Mbit/s, so it can serve applications with large data volumes and low-latency requirements. However, the CANFD bus is also vulnerable to external attacks, and because its data volume is relatively large, an external attack that penetrates the bus poses a serious threat to the communication information on the CANFD bus.
Disclosure of Invention
The purpose of the invention is to provide a secure communication authentication method, device, system and storage medium that address the problem identified in the background: the CANFD bus is vulnerable to external attacks, and because its data volume is relatively large, an external attack that penetrates the bus poses a serious threat to the communication information on the CANFD bus.
To achieve this technical purpose, the invention adopts the following technical scheme:
In a first aspect, a secure communication authentication method is provided, applied to a secure communication authentication system. The system includes an electrical inspection device and a vehicle-end control device; the vehicle-end control device includes a plurality of electronic control modules, and the electronic control modules at the two ends of a CANFD bus communication can transmit a secure message over the CANFD bus. The sender of the secure message is the transmitting-end electronic control module, and the receiver of the secure message is the receiving-end electronic control module. The method includes:
connecting the electrical inspection device to the vehicle-end control device, generating a whole-vehicle key SK with the electrical inspection device, and filling the whole-vehicle key SK into each electronic control module in turn;
the transmitting-end electronic control module constructs a secure message, wherein the secure message carries a message content PAYLOAD and a transmission message CANFD ID;
the transmitting-end electronic control module and the receiving-end electronic control module jointly maintain a freshness value FV using a preset strategy;
the transmitting-end electronic control module generates a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and places the transmitting-end MAC in the secure message;
the transmitting-end electronic control module sends the secure message to the receiving-end electronic control module over the CANFD bus;
the receiving-end electronic control module generates a receiving-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID;
the receiving-end electronic control module judges whether the transmitting-end MAC is equal to the receiving-end MAC; if they are equal, the receiving-end electronic control module successfully receives the secure message, and if they are not equal, the receiving-end electronic control module discards the secure message.
Further, generating the whole-vehicle key SK with the electrical inspection device and filling it into each electronic control module in turn comprises the following steps:
the electrical inspection device generates the whole-vehicle key SK by encryption from the random number Random and the salt value salt;
the electrical inspection device verifies the electronic control module, wherein the electronic control module has been filled with a pre-made key PK in advance and the electrical inspection device verifies the pre-made key PK;
the electrical inspection device performs security access authentication on the electronic control module and unlocks the read-write permission of the electronic control module;
and the electrical inspection device fills the whole-vehicle key SK into the electronic control module.
Further, the preset strategy by which the transmitting-end electronic control module and the receiving-end electronic control module jointly maintain the freshness value FV is as follows:
the transmitting-end electronic control module generates the freshness value FV and places it in the secure message, wherein the freshness value FV increases with the number of times the secure message has been sent.
Further, the transmitting-end electronic control module and the receiving-end electronic control module generate the transmitting-end MAC and the receiving-end MAC, respectively, using the same symmetric encryption algorithm.
Further, the symmetric encryption algorithm is the AES algorithm or the DES algorithm.
In a second aspect, a secure communication authentication apparatus is provided, applied to a secure communication authentication system. The system includes an electrical inspection device and a vehicle-end control device; the vehicle-end control device includes a plurality of electronic control modules, and the electronic control modules at the two ends of a CANFD bus communication can transmit a secure message over the CANFD bus. The sender of the secure message is the transmitting-end electronic control module, and the receiver of the secure message is the receiving-end electronic control module. The apparatus includes:
a key filling unit, configured to generate a whole-vehicle key SK with the electrical inspection device and fill the whole-vehicle key SK into each electronic control module in turn;
a message construction unit, configured to construct a secure message through the transmitting-end electronic control module, wherein the secure message carries a message content PAYLOAD and a transmission message CANFD ID;
a system maintenance unit, configured to jointly maintain a freshness value FV through the transmitting-end electronic control module and the receiving-end electronic control module using a preset strategy;
a first encryption unit, configured to generate, through the transmitting-end electronic control module, a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and to place the transmitting-end MAC in the secure message;
a message transmission unit, configured to send the secure message from the transmitting-end electronic control module to the receiving-end electronic control module over the CANFD bus;
a second encryption unit, configured to generate, through the receiving-end electronic control module, a receiving-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID;
and a secure communication authentication unit, configured to judge, through the receiving-end electronic control module, whether the transmitting-end MAC is equal to the receiving-end MAC; if they are equal, the receiving-end electronic control module successfully receives the secure message, and if they are not equal, the receiving-end electronic control module discards the secure message.
In a third aspect, a secure communication authentication system is provided, where the secure communication authentication system includes an electrical inspection device and a vehicle-side control device, the vehicle-side control device includes a plurality of electronic control modules, where the electronic control modules at two ends involved in CANFD bus communication can transmit a secure packet through a CANFD bus, a transmitting party of the secure packet is a transmitting-side electronic control module, a receiving party of the secure packet is a receiving-side electronic control module, and the vehicle-side control device and the plurality of electronic control modules each include a processor and a memory, where a computer program is stored in the memory, and when the computer program is executed by the processor, the secure communication authentication system is enabled to execute the secure communication authentication method according to any one of the first aspects.
In a fourth aspect, a computer-readable storage medium is provided, in which a computer program is stored which, when run on a computer, causes the computer to perform the method of any one of the first aspects.
The invention adopting the technical scheme has the following advantages:
In this method, the whole-vehicle key SK generated by the electrical inspection device is first filled into each electronic control module; this key filling underlies CANFD bus communication between the electronic control modules and is the basis of the subsequent secure communication authentication. Next, the transmitting-end electronic control module generates a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and the receiving-end electronic control module generates a receiving-end MAC by encryption from the same four values. Finally, the transmitting-end MAC is compared with the receiving-end MAC, and the receiving-end electronic control module successfully receives the secure message only when the two are equal, which completes the secure communication authentication. Because the secure message is transmitted under the protection of a MAC generated by encryption from these four features (the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID), the threat of external attacks on the communication information transmitted over the CANFD bus is reduced, and the authenticity and integrity of that information are enhanced.
Drawings
The invention is further illustrated by the non-limiting examples given in the accompanying drawings;
FIG. 1 is a schematic diagram of a secure communication authentication system according to the present invention;
FIG. 2 is a flow chart of a secure communication authentication method in the present invention;
FIG. 3 is a flow chart of key filling in the present invention;
FIG. 4 is a schematic diagram of a secure communication authentication apparatus according to the present invention;
The main reference numerals are as follows:
1: electrical inspection device; 2: vehicle-end control device; 21: transmitting-end electronic control module; 22: receiving-end electronic control module; 310: key filling unit; 320: message construction unit; 330: maintenance unit; 340: first encryption unit; 350: message transmission unit; 360: second encryption unit; 370: secure communication authentication unit.
Detailed Description
The present invention will be described in detail with reference to the drawings and specific embodiments, wherein like reference numerals are used for similar or identical parts in the drawings or the description, and implementations not shown or described in the drawings are known to those of ordinary skill in the art. In addition, directional terms, such as "upper", "lower", "top", "bottom", "left", "right", "front", "rear", and the like, used in the embodiments are only directions referring to the drawings, and are not intended to limit the scope of the present invention.
As shown in fig. 1, an embodiment of the present application provides a secure communication authentication system, which is applied to an in-vehicle CANFD bus. The secure communication authentication system comprises an electrical inspection device 1 and a vehicle-end control device 2. The electrical inspection device 1 is the electrical inspection device on the vehicle production line, and it can be connected to the vehicle-end control device 2 through the OBD interface on the vehicle.
The vehicle-end control device 2 comprises a plurality of electronic control modules, all of which are attached to the CANFD bus. The electronic control modules at the two ends of a CANFD bus communication can transmit secure messages over the CANFD bus. In this embodiment, the sender of the secure message is defined as the transmitting-end electronic control module 21, and the receiver of the secure message is defined as the receiving-end electronic control module 22.
It should be noted that, in the vehicle-end control device 2, every electronic control module that can construct and send a secure message is a transmitting-end electronic control module 21, and the number of transmitting-end electronic control modules 21 is not limited; every electronic control module that receives a secure message is a receiving-end electronic control module 22, and the number of receiving-end electronic control modules 22 is not limited.
The vehicle-end control device 2 and the plurality of electronic control modules each include a processor and a memory, and the memory stores a computer program, and when the computer program is executed by the processor, the secure communication authentication system is caused to execute a secure communication authentication method as described below.
As shown in fig. 2, the present application further provides a secure communication authentication method, which can be applied to the secure communication authentication system described above; the electrical inspection device 1 and the vehicle-end control device 2 cooperate to carry out the steps of the method. The secure communication authentication method comprises the following steps:
Step 110, connecting the electrical inspection device 1 to the vehicle-end control device 2, generating a whole-vehicle key SK with the electrical inspection device 1, and filling the whole-vehicle key SK into each electronic control module in turn;
Step 120, the transmitting-end electronic control module 21 constructs a secure message, wherein the secure message carries a message content PAYLOAD and a transmission message CANFD ID;
Step 130, the transmitting-end electronic control module 21 and the receiving-end electronic control module 22 jointly maintain the freshness value FV using a preset strategy;
Step 140, the transmitting-end electronic control module 21 generates a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and places the transmitting-end MAC in the secure message;
Step 150, the transmitting-end electronic control module 21 sends the secure message to the receiving-end electronic control module 22 over the CANFD bus;
Step 160, the receiving-end electronic control module 22 generates a receiving-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID;
Step 170, the receiving-end electronic control module 22 judges whether the transmitting-end MAC is equal to the receiving-end MAC; if they are equal, the receiving-end electronic control module 22 successfully receives the secure message, and if they are not equal, the receiving-end electronic control module 22 discards the secure message.
In the above embodiment, the whole-vehicle key SK generated by the electrical inspection device 1 is first filled into each electronic control module; this key filling underlies CANFD bus communication between the electronic control modules and is the basis of the subsequent secure communication authentication. Next, the transmitting-end electronic control module 21 generates a transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, and the receiving-end electronic control module 22 generates a receiving-end MAC by encryption from the same four values. Finally, the transmitting-end MAC is compared with the receiving-end MAC, and the receiving-end electronic control module 22 successfully receives the secure message only when the two are equal, which completes the secure communication authentication. Because the secure message is transmitted under the protection of a MAC generated by encryption from these four features (the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID), the threat of external attacks on the communication information transmitted over the CANFD bus is reduced, and the authenticity and integrity of that information are enhanced.
The individual steps of the method are explained in detail below.
In step 110, the electronic control modules in the vehicle-end control device 2 cannot transmit secure messages over the CANFD bus when they leave the factory; the electrical inspection device 1 must first fill a key into each electronic control module, and this key filling is the basis for secure communication authentication.
The electrical inspection device 1 connects to the vehicle-end control device 2 mainly through the OBD interface on the vehicle, and it can detect which electronic control modules are connected to the CANFD bus, that is, which electronic control modules need secure communication authentication. Once these electronic control modules have been determined, the electrical inspection device 1 automatically generates the whole-vehicle key SK and then fills it into each electronic control module in turn.
In step 120, the transmitting-end electronic control module 21 first constructs a secure message. In the prior art, the secure message may carry the message content PAYLOAD and the transmission message CANFD ID, and these two features can serve as reference features for the subsequent encryption authentication, strengthening the defense.
In step 130, the transmitting-end electronic control module 21 and the receiving-end electronic control module 22 jointly maintain the freshness value FV using a preset strategy. Introducing the freshness value FV protects the authenticity and integrity of the secure message.
The preset strategy by which the transmitting-end electronic control module 21 and the receiving-end electronic control module 22 jointly maintain the freshness value FV is as follows: the transmitting-end electronic control module 21 generates the freshness value FV and places it in the secure message, wherein the freshness value FV increases with the number of times the secure message has been sent. The secure message may be sent periodically or aperiodically, but either way each transmission is counted. Because the freshness value FV increases with the number of transmissions, the threat of replay and man-in-the-middle attacks on the CANFD bus is reduced. After the transmitting-end electronic control module 21 sends the secure message to the receiving-end electronic control module 22, the receiving-end electronic control module 22 verifies the freshness value FV in the secure message to ensure that it is larger than the previous freshness value FV.
In step 140, the transmitting-end electronic control module 21 generates the transmitting-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, where the generation formula of the transmitting-end MAC is:
transmitting-end MAC = Crypt2(SK, CANFD ID, FV, PAYLOAD).
In step 150, the transmitting-end electronic control module 21 sends the secure message to the receiving-end electronic control module 22 over the CANFD bus. That is, once the transmitting-end electronic control module 21 has constructed the secure message, the secure message carrying the message content PAYLOAD, the transmission message CANFD ID and the freshness value FV can be sent to the receiving-end electronic control module 22 over the CANFD bus.
In step 160, after receiving the message sent by the transmitting-end electronic control module 21, the receiving-end electronic control module 22 generates the receiving-end MAC by encryption from the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID, where the generation formula of the receiving-end MAC is:
receiving-end MAC = Crypt2(SK, CANFD ID, FV, PAYLOAD).
In this embodiment, the transmitting-end electronic control module 21 and the receiving-end electronic control module 22 generate the transmitting-end MAC and the receiving-end MAC, respectively, using the same symmetric encryption algorithm, where the symmetric encryption algorithm is the AES algorithm or the DES algorithm. In other embodiments, other encryption algorithms are possible.
In step 170, if the transmitting-end MAC is equal to the receiving-end MAC, the secure message is shown to be safe and authentication between the transmitting-end electronic control module 21 and the receiving-end electronic control module 22 proceeds normally; the receiving-end electronic control module 22 then successfully receives the secure message without any risk. If the transmitting-end MAC is not equal to the receiving-end MAC, the CANFD bus may have been penetrated by an external attack and the secure message may have been tampered with; in that case no authentication takes place between the transmitting-end electronic control module 21 and the receiving-end electronic control module 22, and the receiving-end electronic control module 22 discards the secure message, which reduces the threat from external attacks and enhances the authenticity and integrity of the communication information. The receiving-end electronic control module 22 successfully receives a secure message the next time the transmitting-end MAC and the receiving-end MAC are equal.
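Steps 120 to 170 can be exercised end to end with the following sketch, which is an added example and not code from the patent. HMAC-SHA-256 from the Python standard library stands in for Crypt2 (the patent names AES or DES); the 4-byte FV, the 8-byte truncated MAC, the field encoding and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

FV_LEN = 4     # assumption: 32-bit freshness counter carried in the frame
MAC_LEN = 8    # assumption: MAC truncated to 8 bytes to fit the frame
MAX_DATA = 64  # CAN FD data-field limit stated in the background section


def compute_mac(sk: bytes, canfd_id: int, fv: int, payload: bytes) -> bytes:
    """Stand-in for Crypt2(SK, CANFD ID, FV, PAYLOAD) using HMAC-SHA-256."""
    # Fixed-width ID and FV plus a length prefix keep the encoding unambiguous,
    # so bytes cannot be shifted between fields without changing the MAC.
    header = struct.pack(">IIH", canfd_id, fv, len(payload))
    return hmac.new(sk, header + payload, hashlib.sha256).digest()[:MAC_LEN]


@dataclass(frozen=True)
class SecureMessage:
    canfd_id: int
    payload: bytes
    fv: int
    mac: bytes


class Transmitter:
    """Transmitting-end module: steps 120 to 150."""

    def __init__(self, sk: bytes, canfd_id: int):
        self.sk, self.canfd_id, self.fv = sk, canfd_id, 0

    def build(self, payload: bytes) -> SecureMessage:
        if len(payload) + FV_LEN + MAC_LEN > MAX_DATA:
            raise ValueError("payload leaves no room for FV and MAC")
        if self.fv >= 2 ** (8 * FV_LEN) - 1:
            # Wrapping to 0 would make old frames look fresh again.
            raise OverflowError("freshness counter exhausted; refill SK")
        self.fv += 1  # FV increases with every secure message sent
        mac = compute_mac(self.sk, self.canfd_id, self.fv, payload)
        return SecureMessage(self.canfd_id, payload, self.fv, mac)


class Receiver:
    """Receiving-end module: steps 160 and 170 plus the FV check."""

    def __init__(self, sk: bytes):
        self.sk = sk
        self.last_fv = {}  # highest accepted FV per CANFD ID

    def accept(self, msg: SecureMessage) -> str:
        expected = compute_mac(self.sk, msg.canfd_id, msg.fv, msg.payload)
        # Constant-time comparison avoids leaking how many MAC bytes matched.
        if not hmac.compare_digest(expected, msg.mac):
            return "discard: MAC mismatch"
        if msg.fv <= self.last_fv.get(msg.canfd_id, 0):
            return "discard: stale FV"
        # State advances only after both checks pass, so a forged frame
        # cannot push the counter forward and block genuine traffic.
        self.last_fv[msg.canfd_id] = msg.fv
        return "accept"


def demo() -> list:
    sk = bytes(range(16))  # constructed 128-bit key, not a real SK
    tx, rx = Transmitter(sk, 0x123), Receiver(sk)
    first = tx.build(b"\x01\x02\x03\x04")
    results = [rx.accept(first)]                       # genuine frame
    results.append(rx.accept(first))                   # replayed frame
    second = tx.build(b"\x05\x06")
    results.append(rx.accept(replace(second, payload=b"\x05\x07")))  # altered payload
    results.append(rx.accept(replace(second, canfd_id=0x456)))       # moved to another ID
    results.append(rx.accept(replace(first, fv=99)))   # FV raised, old MAC kept
    results.append(rx.accept(second))                  # genuine frame still accepted
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Binding the CANFD ID and FV into the MAC is what makes the replayed, re-addressed and FV-edited frames fail here, while the unmodified second frame is still accepted afterwards.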
As shown in fig. 3, in this embodiment, the key filling process of step 110 may further include the following steps:
Step 111, the electrical inspection device 1 generates the whole-vehicle key SK by encrypting the random number Random with the salt value salt. The encryption algorithm for generating the whole-vehicle key SK may be the AES-128 algorithm, and the generation formula of the whole-vehicle key SK is:
SK = Crypt1(salt, Random).
Step 112, the electrical inspection device 1 verifies the electronic control module, where the electronic control module has been filled with a pre-manufactured key PK in advance, and the electrical inspection device 1 verifies the pre-manufactured key PK.
It should be noted here that the pre-manufactured key PK of each electronic control module is filled by the supplier in advance, and each electronic control module has a different pre-manufactured key PK. If verification of the pre-manufactured key PK fails, the electronic control module is not connected to a CANFD bus and does not need key filling, so key filling ends directly after the failed PK verification; if verification succeeds, the process moves to the next step.
Step 113, the electrical inspection device 1 performs security access authentication on the electronic control module and unlocks the read-write permission of the electronic control module.
It should be noted here that the security access authentication has two levels: the level-1 27 security access authentication is performed first and, once it succeeds, the level-2 27 security access authentication is performed. This unlocks the read-write permission of the electronic control module so that key filling can proceed normally.
Step 114, the electrical inspection device 1 performs key filling on the electronic control module with the whole-vehicle key SK.
If the electrical inspection device 1 fails to fill one of the electronic control modules, a filling failure DTC is generated, and the filling failure DTC is also detected by the electrical inspection device 1. When a filling failure DTC occurs in an electronic control module, the process returns to step 112 for that electronic control module and re-executes step 112, step 113 and step 114 until filling succeeds.
After filling succeeds, the vehicle identification number VIN and the whole-vehicle key SK can be uploaded to a manufacturing management system and a vehicle cloud system to facilitate subsequent maintenance.
When all the electronic control modules have been filled successfully, step 120 is executed.
As shown in fig. 4, this embodiment further provides a secure communication authentication apparatus, which is applied to the secure communication authentication system described above. The secure communication authentication apparatus includes a key filling unit 310, a message construction unit 320, a maintaining unit 330, a first encryption unit 340, a message transmission unit 350, a second encryption unit 360, and a secure communication authentication unit 370, where each unit has the following functions:
the key filling unit 310 is configured to generate a whole-vehicle key SK through the electrical inspection device 1 and to perform key filling on each electronic control module in turn with the whole-vehicle key SK;
the message construction unit 320 is configured to construct a security message through the transmitting-end electronic control module 21, where the security message carries a message content PAYLOAD and a transmission message CANFD ID;
the maintaining unit 330 is configured to jointly maintain the freshness value FV, using a preset policy, through the transmitting-end electronic control module 21 and the receiving-end electronic control module 22;
the first encryption unit 340 is configured to encrypt, through the transmitting-end electronic control module 21, the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID to generate a transmitting-end MAC, and to put the transmitting-end MAC into the security message;
the message transmission unit 350 is configured to transmit the security message to the receiving-end electronic control module 22 through the CANFD bus by means of the transmitting-end electronic control module 21;
the second encryption unit 360 is configured to encrypt, through the receiving-end electronic control module 22, the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD ID to generate a receiving-end MAC;
the secure communication authentication unit 370 is configured to determine, through the receiving-end electronic control module 22, whether the transmitting-end MAC equals the receiving-end MAC; if they are equal, the receiving-end electronic control module 22 successfully receives the security message, and if they are not equal, the receiving-end electronic control module 22 discards the security message.
In this embodiment, the key filling unit 310 is further configured to:
generate the whole-vehicle key SK through the electrical inspection device 1 by encrypting the random number Random with the salt value salt;
verify the electronic control module through the electrical inspection device 1, where the electronic control module has been filled with a pre-manufactured key PK in advance and the electrical inspection device 1 verifies the pre-manufactured key PK;
perform security access authentication on the electronic control module through the electrical inspection device 1 and unlock the read-write permission of the electronic control module;
and perform key filling on the electronic control module with the whole-vehicle key SK through the electrical inspection device 1.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the secure communication authentication method as described in the above embodiments.
From the description of the foregoing embodiments, it is clear to those skilled in the art that the present application may be implemented by hardware, or by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (a CD-ROM, a USB disk, a removable hard disk, or the like) and includes several instructions that enable a computer device (a personal computer, a central control device, a network device, or the like) to execute the method described in each implementation scenario of the present application.
The secure communication authentication method, apparatus, system and storage medium provided by the present invention are described in detail above. The description of the specific embodiments is only intended to facilitate an understanding of the method of the invention and its core ideas. It should be noted that, for those skilled in the art, without departing from the principle of the present invention, it is possible to make various improvements and modifications to the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (8)

1. A secure communication authentication method, applied to a secure communication authentication system, the secure communication authentication system comprising an electrical inspection device and a vehicle-end control device, the vehicle-end control device comprising a plurality of electronic control modules, wherein the electronic control modules at the two ends of a CANFD bus communication can transmit security messages through a CANFD bus, the transmitting party of a security message is a transmitting-end electronic control module, and the receiving party of the security message is a receiving-end electronic control module, the method comprising the following steps:
connecting the electrical inspection device with the vehicle-end control device, the electrical inspection device generating a whole-vehicle key SK and performing key filling on each electronic control module in turn with the whole-vehicle key SK;
the transmitting-end electronic control module constructs a security message, wherein the security message carries a message content PAYLOAD and a transmission message CANFD;
the transmitting-end electronic control module and the receiving-end electronic control module jointly maintain a freshness value FV using a preset policy;
the transmitting-end electronic control module encrypts the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD to generate a transmitting-end MAC, and puts the transmitting-end MAC into the security message;
the transmitting-end electronic control module transmits the security message to the receiving-end electronic control module through the CANFD bus;
the receiving-end electronic control module encrypts the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD to generate a receiving-end MAC;
the receiving-end electronic control module judges whether the transmitting-end MAC equals the receiving-end MAC; if so, the receiving-end electronic control module successfully receives the security message, and if not, the receiving-end electronic control module discards the security message.
2. The secure communication authentication method according to claim 1, wherein the step of the electrical inspection device generating a whole-vehicle key SK and performing key filling on each electronic control module in turn with the whole-vehicle key SK comprises:
the electrical inspection device generates the whole-vehicle key SK by encrypting the random number Random with the salt value salt;
the electrical inspection device verifies the electronic control module, wherein the electronic control module has been filled with a pre-manufactured key PK in advance, and the electrical inspection device verifies the pre-manufactured key PK;
the electrical inspection device performs security access authentication on the electronic control module and unlocks the read-write permission of the electronic control module;
and the electrical inspection device performs key filling on the electronic control module with the whole-vehicle key SK.
3. The method according to claim 1 or 2, characterized in that the preset policy by which the transmitting-end electronic control module and the receiving-end electronic control module jointly maintain the freshness value FV is:
the transmitting-end electronic control module generates the freshness value FV and puts the freshness value FV into the security message, wherein the freshness value FV is incremented according to the number of times the security message is sent.
4. The method according to claim 1, wherein the transmitting-end electronic control module and the receiving-end electronic control module generate the transmitting-end MAC and the receiving-end MAC, respectively, using the same symmetric encryption algorithm.
5. The method according to claim 4, wherein the symmetric encryption algorithm is the AES algorithm or the DES algorithm.
6. A secure communication authentication device, characterized in that it is applied to a secure communication authentication system, the secure communication authentication system comprising an electrical inspection device and a vehicle-end control device, the vehicle-end control device comprising a plurality of electronic control modules, wherein the electronic control modules at the two ends of a CANFD bus communication can transmit security messages through a CANFD bus, the transmitting party of a security message is a transmitting-end electronic control module, and the receiving party of the security message is a receiving-end electronic control module, the device comprising:
a key filling unit, configured to generate a whole-vehicle key SK through the electrical inspection device and to perform key filling on each electronic control module in turn with the whole-vehicle key SK;
a message construction unit, configured to construct a security message through the transmitting-end electronic control module, wherein the security message carries a message content PAYLOAD and a transmission message CANFD;
a maintaining unit, configured to jointly maintain a freshness value FV, using a preset policy, through the transmitting-end electronic control module and the receiving-end electronic control module;
a first encryption unit, configured to encrypt, through the transmitting-end electronic control module, the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD to generate a transmitting-end MAC, and to put the transmitting-end MAC into the security message;
a message transmission unit, configured to transmit the security message to the receiving-end electronic control module through the CANFD bus by means of the transmitting-end electronic control module;
a second encryption unit, configured to encrypt, through the receiving-end electronic control module, the whole-vehicle key SK, the freshness value FV, the message content PAYLOAD and the transmission message CANFD to generate a receiving-end MAC;
and a secure communication authentication unit, configured to judge, through the receiving-end electronic control module, whether the transmitting-end MAC equals the receiving-end MAC; if so, the receiving-end electronic control module successfully receives the security message, and if not, the receiving-end electronic control module discards the security message.
7. A secure communication authentication system, characterized in that the secure communication authentication system comprises an electrical inspection device and a vehicle-end control device, the vehicle-end control device comprising a plurality of electronic control modules, wherein the electronic control modules at the two ends of a CANFD bus communication can transmit security messages through a CANFD bus, the transmitting party of a security message is a transmitting-end electronic control module, and the receiving party of the security message is a receiving-end electronic control module; the vehicle-end control device and the electronic control modules each comprise a processor and a memory, a computer program is stored in the memory, and when the computer program is executed by the processor, the secure communication authentication system is caused to execute the secure communication authentication method according to any one of claims 1-5.
8. A computer-readable storage medium in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1-5.
CN202211044455.4A 2022-08-30 2022-08-30 Secure communication authentication method, device, system and storage medium Pending CN115459973A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211044455.4A CN115459973A (en) 2022-08-30 2022-08-30 Secure communication authentication method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN115459973A true CN115459973A (en) 2022-12-09

Family

ID=84301393

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination