CN115664691A - Communication security car networking system - Google Patents

Communication security car networking system Download PDF

Info

Publication number
CN115664691A
CN115664691A CN202210938513.1A CN202210938513A CN115664691A CN 115664691 A CN115664691 A CN 115664691A CN 202210938513 A CN202210938513 A CN 202210938513A CN 115664691 A CN115664691 A CN 115664691A
Authority
CN
China
Prior art keywords
vehicle
security
data
safety
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210938513.1A
Other languages
Chinese (zh)
Other versions
CN115664691B (en
Inventor
阙秀震
李思豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Vehicle Lianxin An Technology Co ltd
Original Assignee
China Electric Vehicle Lianxin An Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Vehicle Lianxin An Technology Co ltd filed Critical China Electric Vehicle Lianxin An Technology Co ltd
Priority to CN202210938513.1A priority Critical patent/CN115664691B/en
Publication of CN115664691A publication Critical patent/CN115664691A/en
Application granted granted Critical
Publication of CN115664691B publication Critical patent/CN115664691B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a communication safety Internet of vehicles system, which comprises a vehicle-mounted terminal and a vehicle-mounted networking platform, wherein the vehicle-mounted networking platform comprises a safety system, a safety subsystem and a data safety standard database, the vehicle-mounted terminal and the vehicle-mounted networking platform are connected through a communication link, the vehicle-mounted terminal comprises TBOX equipment and a safety gateway, and the vehicle-mounted networking platform is used for providing safety requirements of the vehicle-mounted networking platform. According to the invention, a security system is arranged in the Internet of vehicles platform, and a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and fast moving scenes is constructed. The certificate use process is customized according to the communication requirements of the Internet of vehicles, safety protection is completed through SSL and signature verification technologies, and experience is accumulated for establishing a safety certification standard system of the Internet of vehicles.

Description

Communication security car networking system
Technical Field
The invention relates to the technical field of vehicle networking communication, in particular to a communication safety vehicle networking system.
Background
The TBOX (tunnel boring machine), namely the vehicle networking system, combines various technologies such as sensors, wireless transmission, big data, internet of things and intelligent device communication, and the number of devices involved in a communication network is large, the real-time requirement is high, and the device is easily attacked and damaged to cause life danger and damage to road facilities and is difficult to remedy. Therefore, the information security in the internet of vehicles is of great importance, and the future development and implementation strength of the internet of vehicles are influenced. The domestic Internet of vehicles application is mainly vehicle cloud communication, and vehicle roads and vehicle and passenger communication are basically in a test stage. The vehicle cloud communication mainly comprises front-loading and rear-loading applications, wherein the front-loading market is mainly dominated by a vehicle factory, the vehicle factory with certain strength builds a vehicle networking platform, and the vehicle factory pre-loading T-BOX equipment realizes vehicle cloud communication; the aftermarket is mainly dominated by industry governing departments, such as transportation, environmental protection and the like, vehicle cloud communication is realized by additionally arranging a data acquisition terminal on a vehicle, and the application type mainly takes industry management as a main part.
The safety of the internet of vehicles and the data safety at the present stage are in the exploration starting stage, and the safety problem of the internet of vehicles presents a faster growth situation. Certain safety means are adopted in both front-loading and back-loading market applications, but the self-set standards of enterprises and departments are mainly used, and standard guidance is lacked. The existing car networking safety system mainly has the following problems.
(1) The method is characterized by comprising the following steps that authentication is safe, the conventional vehicle-mounted terminal generally adopts a fixed identity ID (easy to be attacked), an enterprise private encryption algorithm (the safety depends on the confidentiality degree of an enterprise to the algorithm and is completely uncontrollable) and the like, and the first safety of the method is low and easy to be attacked; secondly, interconnection and intercommunication among different manufacturers cannot be realized;
most enterprises do not pass authentication of any key system, only adopt modes such as equipment preset user name and password or equipment and chip ID to carry out identity authentication, and a few enterprises establish identity authentication and key systems by themselves, but the security depends on the technical strength of the enterprises and can not realize interconnection;
(2) The system safety, the TBOX system self safety, generally based on LINUX kernel or singlechip open embedded operating system, is almost not guaranteed, and is easy to be attacked. The safety of the car networking platform system does not have mandatory safety requirements on the car networking platform, such as equal security evaluation and the like, so that the safety precaution capacities of car networking service platforms of various manufacturers and industries are different. The car networking platform should have a third-level security protection capability of level protection, namely, the car networking platform should be capable of defending against main resource damage caused by malicious attacks launched by external organized groups, threat sources with abundant resources, serious natural disasters and other threats with considerable harm degrees under a unified security strategy, and can timely discover and monitor attack behaviors and dispose security events, and after the car networking platform is damaged, most functions can be quickly recovered;
(3) The communication is safe, the physical link of the TBOX and the Internet of vehicles platform is safe, most factories directly use the common Internet of things channel of operators, and the physical link safety protection is lacked;
(4) The data is safe, the TBOX and the vehicle networking platform are safe in data transmission, and encryption transmission is rarely adopted by vehicle enterprises at present; the TBOX and the ECU and other vehicle-mounted systems are safe in communication, the 27 protocols in ISO14229 are mainly adopted, the identity authentication is carried out on the seed encryption verification result by means of the private encryption algorithm of a vehicle factory, and the vehicle-mounted systems are easily attacked due to algorithm leakage. Data communication between the TBOX and the vehicle networking platform lacks a reliable verification mechanism, data cannot be prevented from being tampered, and therefore data of a platform operator cannot be used for data support of important scenes.
Disclosure of Invention
The present invention has been made in view of the above-mentioned problems in terms of secure communication in the existing internet of vehicles.
Therefore, one of the objectives of the present invention is to provide a communication security car networking system and a car terminal thereof, which utilize a security system built in a car networking platform, customize the certificate usage flow according to the communication requirements of the car networking, complete security protection by SSL and signature verification technology, improve the cracking difficulty by the technology of performing block signature on data and forming a signature block chain, prevent data tampering, improve the security subsystem, be used for different car networking platforms of a car factory, a government department, etc., propose the system and application security requirements of the car networking platform, and gradually perfect the system and application security requirements to become the standard specifications of risk assessment and security detection of the car networking platform.
In order to solve the technical problems, the invention provides the following technical scheme that the system comprises a vehicle-mounted terminal, a vehicle networking platform and an application mounting end, wherein the vehicle networking platform comprises a safety system, a safety subsystem and a data safety standard database; the vehicle-mounted terminal comprises TBOX equipment and a safety gateway, wherein the TBOX equipment is used for realizing vehicle data acquisition, 5G network transmission and vehicle positioning functions, and the safety gateway is connected with the TBOX equipment and is used for realizing identity authentication and data encryption functions; the vehicle networking platform is used for providing the safety requirements of the vehicle networking platform and providing at least one set of safety evaluation system and emergency response mechanism aiming at the vehicle networking platform; the safety system is used for constructing at least one set of encryption and authentication system suitable for the vehicle-mounted terminal and the fast moving scene and accumulating empirical data for a vehicle networking safety authentication standard system; the safety system comprises a vehicle networking safety certificate management system, a data encryption system and a safety situation perception system, wherein the vehicle networking safety certificate management system is provided with four different safety domains, namely a CA core region, an external service region, a safety management region and an internet access region, according to different safety levels, and the four different safety domains are protected by adopting safety protection equipment and a safety protection strategy to form a safety system; the system comprises a data security standard database, a security subsystem and a security system, wherein the data security standard database is used for uploading data, remote upgrading data, vehicle networking platform operation data and security system operation data to a vehicle networking platform by a vehicle-mounted terminal; the data safety standard database is used for uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data to the vehicle networking platform by the vehicle-mounted terminal; the digital certificate generated by starting the vehicle-mounted terminal is input into the security system through a communication link with the vehicle networking platform and is used for the vehicle networking communication data security monitoring work of the vehicle-mounted terminal, namely a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk assessment and safety detection of the vehicle networking communication data in the vehicle networking platform, namely the application mounting end is perfected to become the standard specifications of the risk assessment and safety detection of the vehicle networking platform.
As a preferable aspect of the present invention, wherein: the Internet of vehicles security certificate management system comprises a certificate generation module, a certificate burning module and a certificate updating module; the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates; specifically, the symmetric key generated in the first step is encrypted by using a public key of a decryptor, and the encrypted certificate and the encrypted symmetric key are packaged into a digital envelope, namely a digital certificate; the certificate burning module is used for decrypting the digital certificate on a special key burning terminal device and burning the decrypted digital certificate to a vehicle-mounted device end; the certificate updating module is used for checking the validity period of the digital certificate by an SDK (software development kit) in a terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period time before an expiration time, and the certificate updating module automatically updates the certificate; the certificate updating step is the same as the certificate issuing step of the vehicle-mounted system; the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by means of certificates and related security technologies in the data communication process of the vehicle-mounted terminal; the safety situation awareness system is used for specialized safety situation awareness operation of the Internet of vehicles.
As a preferable aspect of the present invention, wherein: the data encryption system comprises an SSL server certificate and a signature verification tag, and specifically, safety protection is completed through SSL and signature verification tag technologies, and a signature block chain is formed by performing block signature on communication link data of the vehicle-mounted terminal; the cracking difficulty is improved, and data tampering is prevented; the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, and is used for risk assessment work of the vehicle networking platform of the application mounting end, specifically screening threat information in a corresponding flow channel after data flow analysis, feeding back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligent machine learning and big data association, and further sensing the risk level corresponding to the threat information through security situation, wherein the vehicle networking platform automatically updates vehicle networking communication data encryption and authentication operation of the vehicle terminal through the security system according to the corresponding risk level.
As a preferable aspect of the present invention, wherein: the security detection module is used for receiving threat information data analyzed, processed and associated by the security situation awareness system, performing abnormal feature detection on the threat information data, performing network attack judgment, processing a network attack event of the vehicle-mounted terminal, specifically acquiring the threat information data, performing abnormal feature detection by comparing a preset data threshold value, acquiring an abnormal feature item, marking an item where the abnormal feature item is located, performing feature matching calculation on the abnormal feature item and an attack feature library downloaded from a big data association analysis module in the security situation awareness system, and processing the network attack event of the vehicle-mounted terminal for risk assessment after the judgment of the network attack event is met; the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into a big data correlation analysis module in the security situation perception system, performing hierarchical correlation to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing. The safety subsystem provides a safety subsystem for the vehicle networking platform, functions comprise identity authentication, data encryption and decryption, data signature and the like, the safety subsystem has a good cross-platform characteristic, can be used for different vehicle networking platforms of a vehicle factory, a government department and the like, provides system and application safety requirements of the vehicle networking platform, and is gradually perfected to become standard specifications of risk assessment and safety detection of the vehicle networking platform.
As a preferable aspect of the present invention, wherein: the communication link is based on a 5G network credibility authentication technology and a 5G + V2X network security situation perception technology, a special data security transmission channel is provided for the 5G + V2X intelligent internet application, and connection between a security gateway in the vehicle-mounted terminal and the vehicle networking platform based on the 5G network is established.
As a preferable aspect of the present invention, wherein: the security gateway of the security internet of vehicles system comprises an application layer, a core application layer, a CAN layer and a hardware architecture layer; the application layer comprises power management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and value-added service management; the core application layer is used for providing bottom layer encapsulation and support for the core function of the vehicle-mounted gateway, and comprises a GPS core application for realizing real-time positioning and online navigation of the gateway, a 4G/5G core application for receiving or preparing to send signals through a 4G/5G network for encapsulation and realizing remote communication, and a storage module core application for storing valuable data information generated in the working process; the CAN layer is further subdivided within it for functions related to the CAN network and according to the actual functional requirements and logical hierarchy.
As a preferable aspect of the present invention, wherein: the TBOX equipment comprises a 5G module, an encryption chip, a vehicle specification MCU chip and a PHY port physical layer, wherein the PHY port physical layer and an SIM card are connected to the 5G module to realize data frame transmission and are externally connected with a 100M/1000M network port, the encryption chip is connected with the 5G module and the vehicle specification MCU chip, the 5G module is in an SRM815 model, and the encryption chip is in a CIU98 model setting.
As a preferable aspect of the present invention, wherein: the TBOX equipment further comprises a sensor, a memory, a buzzer, an RS485 converter, a high-side driver, a circuit converter, a CAN transceiver and a vehicle gauge power supply management circuit, wherein the sensor, the memory, the buzzer, the RS485 converter, the high-side driver, the circuit converter and the CAN transceiver are connected with the vehicle gauge MCU chip, and the vehicle gauge power supply management circuit is used for supplying power.
The invention has the beneficial effects that: according to the invention, a security system is arranged in the Internet of vehicles platform, a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and a fast moving scene is constructed, and experience is accumulated for establishing an Internet of vehicles security authentication standard system. The method is characterized in that the certificate use flow is customized according to the communication requirement of the Internet of vehicles, safety protection is completed through SSL and signature verification technology, the cracking difficulty is improved through the technology of carrying out block signature on data and forming a signature block chain, data tampering is prevented, a safety subsystem is improved, the method is used for different Internet of vehicles platforms such as a vehicle factory and a government department, the system and application safety requirements of the Internet of vehicles platforms are provided, and the method becomes the standard specification of risk assessment and safety detection of the Internet of vehicles platforms gradually. Meanwhile, the data security standard database forms a plurality of data security systems such as data uploading, remote upgrading, data storage and use of the vehicle networking platform, data tamper resistance and the like from the vehicle-mounted terminal to the vehicle networking platform.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
FIG. 1 is a schematic block diagram of a modular architecture for a TBOX device communication secure car networking system in an embodiment of the invention;
FIG. 2 is a schematic diagram of a security domain of a security certificate management system of the Internet of vehicles according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a modular structure of a vehicle terminal TBOX device in the embodiment of the invention;
fig. 4 is a framework diagram of a car networking network security and data security standard system in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the description of the embodiments of the invention given above, are within the scope of protection of the invention.
The existing vehicle-mounted TBOX CAN realize remote control of the vehicle and read vehicle state information through CAN network communication. The vehicle-mounted TBOX is communicated with the cloud server through a 4G wireless network, and is communicated with external equipment such as a smart phone or a tablet computer through the cloud server. In the prior art, effective information in communication is generally directly placed on a TCP/IP layer for transmission, data is not encrypted, and data security threats of authentication, a security system, secure communication and secure data exist.
Based on this, referring to fig. 1 and fig. 2, an embodiment of the present invention provides a communication security car networking system, which includes a car networking platform and a car networking terminal, where the car networking platform includes a security system, a security subsystem and a data security standard database, the car networking platform and the car networking terminal are connected through a communication link, and the communication link is used to implement security protection of the car networking platform and an in-car communication link; the vehicle-mounted terminal comprises a TBOX device and a safety gateway, wherein the TBOX device is used for realizing vehicle data acquisition, 5G network transmission and vehicle positioning functions, and the safety gateway is connected with the TBOX device and is used for realizing identity authentication and data encryption functions; the vehicle networking platform is used for providing safety requirements of the vehicle networking platform and providing at least one set of safety evaluation system and emergency response mechanism aiming at the vehicle networking platform; the safety system is used for constructing at least one set of encryption and authentication system suitable for the vehicle-mounted terminal and the fast moving scene and accumulating experience data for the vehicle networking safety authentication standard system; the security system comprises a vehicle networking security certificate management system, a data encryption system and a security situation perception system, wherein the vehicle networking security certificate management system is provided with four different security domains, namely a CA core region, an external service region, a security management region and an internet access region, according to different security levels, and the four different security domains are protected by security protection equipment and a security protection strategy to form a security system; and the data safety standard database is used for uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data to the vehicle networking platform by the vehicle-mounted terminal. The safety subsystem comprises an identity authentication module, a data encryption and decryption module, a data signature module, a risk evaluation module and a safety detection module, and the application mounting end is connected with the safety system through the safety subsystem; the data safety standard database is used for uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data to the vehicle networking platform by the vehicle-mounted terminal;
the digital certificate generated by starting the vehicle-mounted terminal is input into the security system through a communication link with the vehicle networking platform and is used for the vehicle networking communication data security monitoring work of the vehicle-mounted terminal, namely a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk assessment and safety detection of the vehicle networking communication data in the vehicle networking platform, namely the application mounting end is perfected to become the standard specifications of the risk assessment and safety detection of the vehicle networking platform.
In this embodiment, the security certificate management system of the internet of vehicles specifically includes a certificate generation module, a certificate burning module and a certificate updating module; the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates; specifically, the symmetric key generated in the first step is encrypted by using a public key of a decryptor, and the encrypted certificate and the encrypted symmetric key are packaged into a digital envelope, namely a digital certificate; the certificate burning module is used for decrypting the digital certificate on the special key burning terminal equipment and burning the decrypted digital certificate to the vehicle-mounted equipment end; the certificate updating module is used for checking the validity period of the digital certificate by an SDK (software development kit) in the terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period before expiration time, and the certificate updating module automatically updates the certificate; the certificate updating step is the same as the certificate issuing step of the vehicle-mounted system; the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by relying on certificates and related security technologies in the data communication process of the vehicle-mounted terminal; the security situation awareness system is used for specialized security situation awareness operation of the Internet of vehicles application.
In this embodiment, the data encryption system includes an SSL server certificate and a signature verification tag, and specifically, the security protection is completed by SSL and signature verification tag technologies, and a signature block chain is formed by performing block signature on communication link data of the vehicle-mounted terminal; the cracking difficulty is improved, and data tampering is prevented; the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, and is used for risk assessment work of a vehicle networking platform of a mounting end, specifically screening threat information in a corresponding flow channel after data flow analysis, feeding back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligent machine learning and big data association, and further performing risk grade corresponding to the security situation awareness threat information.
The safety detection module is used for receiving threat information data analyzed, processed and associated by the safety situation perception system, carrying out abnormal characteristic detection on the threat information data, carrying out network attack judgment, processing a network attack event of the vehicle-mounted terminal, specifically acquiring the threat information data, carrying out abnormal characteristic detection by comparing a preset data threshold value, acquiring an abnormal characteristic item, marking an item where the abnormal characteristic item is located, carrying out characteristic matching calculation on the abnormal characteristic item and an attack characteristic library downloaded from the big data association analysis module in the safety situation perception system, and carrying out risk assessment on the network attack event of the vehicle-mounted terminal after the judgment of the network attack event is met; the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into the big data association analysis module in the security situation perception system, performing hierarchical association to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing. The safety subsystem provides a safety subsystem for the vehicle networking platform, functions comprise identity authentication, data encryption and decryption, data signature and the like, the safety subsystem has a good cross-platform characteristic, can be used for different vehicle networking platforms of a vehicle factory, a government department and the like, provides system and application safety requirements of the vehicle networking platform, and is gradually perfected to become standard specifications of risk assessment and safety detection of the vehicle networking platform.
Preferably, in this embodiment, the communication link is based on a 5G network trusted authentication technology and a 5g + v2x network security situation awareness technology, a dedicated data secure transmission channel is provided for the 5g + v2x intelligent internet application, and a connection between a security gateway in the vehicle-mounted terminal and the vehicle networking platform based on the 5G network is established.
Preferably, the security gateway of the secure internet of vehicles system includes an application layer, a core application layer, a CAN layer and a hardware architecture layer; the application layer, which finally embodies the service requirements, is located at the uppermost layer of the software architecture. The application layer comprises parts such as power supply management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and the like, and the rich and various functions of the vehicle-mounted gateway are realized by forming an instruction aiming at an application program and transmitting a corresponding control command through a communication CAN network. The application layer also comprises functions for serving users, and value-added services can be provided. The core application layer is independent of the final service requirement, provides bottom layer encapsulation for the application layer, and correspondingly encapsulates the bottom layer control program and software related to data management on the basis of combining the hardware requirement of the gateway system and the logic requirement defined by the related interface, thereby facilitating the application layer. The core application layer provides bottom layer encapsulation and support aiming at the core function of the vehicle-mounted gateway. The method comprises the following steps: the GPS core application realizes the functions of real-time positioning, on-line navigation and the like for the gateway; the 4G/5G core application encapsulates signals received or ready to be sent through a 4G/5G network, and provides support for the gateway system to realize functions such as remote communication and the like; and the storage module core application is used for storing valuable data information generated in the working process, so that the system can conveniently perform related diagnosis and online control. The CAN layer is used for forming an independent software part aiming at functions related to the CAN network based on the complexity and importance of related applications, and is further subdivided in the CAN layer according to actual functional requirements and logic levels. The instructions for the application are mainly transmitted through the CAN network. And the hardware architecture layer is designed in a software architecture, software encapsulation is carried out on the hardware environment and the control requirement of the whole gateway, and application layer software adapts to different hardware systems through the hardware architecture layer.
Further illustratively, the security gateway is a hardware architecture based on TBOX, and the main functional differences compared with TBOX are as follows: the hardware architecture does not contain a communication module, so that the number of interfaces is reduced, and only the CAN interface is contained; the software functions do not comprise various vehicle-mounted applications supported by TBOX, and only comprise the functions of data receiving and sending, data encryption, data signature and identity authentication based on a CAN network.
Preferably, in this embodiment, the TBOX device includes a 5G module, an encryption chip, a vehicle-specific MCU chip, and a PHY port physical layer, where the PHY port physical layer is connected to the 5G module with an SIM card to implement data frame transmission, and is externally connected to a 100M/1000M network port, the encryption chip is connected to the 5G module and the vehicle-specific MCU chip, the 5G module is of SRM815 type, and the encryption chip is set to be of CIU98 type. The TBOX equipment further comprises a sensor, a memory, a buzzer, an RS485 converter, a high-side driver, a circuit converter, a CAN transceiver and a vehicle gauge power supply management circuit, wherein the sensor, the memory, the buzzer, the RS485 converter, the high-side driver, the circuit converter and the CAN transceiver are connected with the vehicle gauge MCU chip, and the vehicle gauge power supply management circuit is used for supplying power.
Further, the 5G module, the american SRM815, is a reliable communication module capable of providing 5G wireless access capability and having a high security encryption technology and a high reliability proprietary bearer channel. The system can be integrated into multi-industry terminal equipment through a standard communication interface, and provides reliable communication of high-speed maneuvering. The trusted module provides high-safety and high-reliability transmission links and rich networking scenes for industrial customers. Aiming at different networking environments and customer requirements, a high-quality and credible cloud access and networking scheme can be provided for customers in various industries. And the method supports the fusion networking and link backup with the original MV private line, cloud resources and the like of an enterprise, and realizes the services of visual network monitoring, elastic bandwidth, intelligent routing, flow SLA scheduling and the like. An SE product developed based on a Huada high-security chip CIU98_ B is integrated into terminal equipment as a trust root aiming at the information security requirements in the field of Internet of things, provides various password service functions, and supports various security applications of unique identification, communication encryption, security storage, security starting, security upgrading and the like of an equipment end. The encryption chip can realize the safety authentication and safety communication functions of the vehicle-mounted terminal. The MCU chip properly reduces the frequency and specification of the CPU, and integrates the interfaces such as a memory, a counter, a USB, A/D conversion, PLC and the like, even an LCD driving circuit on the same chip, and has the characteristics of high performance, low power consumption, programmability, high flexibility and the like. The PHY, referred to as the port physical layer, can send and receive data frames of the ethernet.
TBOX equipment connection process introduction: the 5G trusted module, the encryption Huada chip and the vehicle-mounted MCU are three major components of the T-BOX product. The PHY and SIM card are connected to the 5G module to realize data frame transmission and are externally connected with a 100M/1000M network port. The encryption chip is connected with the 5G module and the vehicle gauge MCU, so that the encryption function of data transmission is realized, and the calculation force requirement of a security authentication system on the vehicle-mounted terminal is reduced. The vehicle-gauge MCU chip is connected with various sensors (acceleration sensors), a memory, a buzzer and other external devices to read and process various signals. The vehicle-scale power management circuit provides DC24V/12V power supply for the whole T-BOX hardware system.
Based on the above, the vehicle-mounted terminal security authentication and security communication may adopt two methods: the method is realized by software based on the existing processor (CPU/MPU/NPU) and adopts a special security chip. The former completes the authentication and the realization of an encryption algorithm through a processor of the vehicle-mounted terminal, and the latter adopts a special chip, and the processor obtains a processing result from the encryption chip. The scheme adopts a special safety chip scheme, has the advantages of reducing the calculation force requirement of a safety certification system on the vehicle-mounted terminal, basically having no influence on chip type selection and development, and ensuring the safety, the reliability and the like by adopting the special safety chip.
It should be noted that the vehicle networking security standard system is divided into 6 parts, such as the general and basic commonalities, the terminal and facility network security, the networking communication security, the data security, the application service security, the security guarantee and the support, in the construction guideline of the Ministry of industry and communications, as shown in fig. 6 below, after the scheme of this embodiment is adopted, the processes and requirements of the parts, such as 201, 202, 301, 302, 402, 405, 501, 502, 601, 602, 603, etc., in the above security standard can be completed.
In conclusion, the invention establishes a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and fast moving scenes by setting a security system in the vehicle networking platform, and accumulates experience for establishing a vehicle networking security authentication standard system. The application process of the certificate is customized according to the communication requirement of the Internet of vehicles, safety protection is completed through SSL and signature verification technology, the cracking difficulty is improved through the technology of carrying out block signature on data and forming a signature block chain, data tampering is prevented, a safety subsystem is improved, the safety subsystem is used for different Internet of vehicles platforms such as a vehicle factory and a government department, the system and the application safety requirement of the Internet of vehicles platform are provided, and the safety subsystem becomes the standard of risk assessment and safety detection of the Internet of vehicles platform. Meanwhile, the data security standard database forms a plurality of data security systems such as data uploading, remote upgrading, data storage and use of the vehicle networking platform, data tamper resistance and the like from the vehicle-mounted terminal to the vehicle networking platform.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. All or part of the steps of the method of the above embodiments may be implemented by hardware that is configured to be instructed to perform the relevant steps by a program, which may be stored in a computer-readable storage medium, and which, when executed, includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. The storage medium may be a read-only memory, a magnetic or optical disk, or the like.
While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A communication safety Internet of vehicles system is characterized by comprising a vehicle-mounted terminal, an Internet of vehicles platform and an application mounting end, wherein the Internet of vehicles platform comprises a safety system, a safety subsystem and a data safety standard database, and the vehicle-mounted terminal is connected with the Internet of vehicles platform through a communication link;
the vehicle-mounted terminal comprises TBOX equipment and a security gateway, wherein the TBOX equipment is used for realizing functions of vehicle data acquisition, 5G network transmission and vehicle positioning, and the security gateway is connected with the TBOX equipment and is used for realizing functions of identity authentication and data encryption;
the security system comprises a car networking security certificate management system, a data encryption system and a security situation perception system, wherein the car networking security certificate management system deploys four different security domains, namely a CA core area, an external service area, a security management area and an internet access area, according to different security levels;
the safety subsystem comprises an identity authentication module, a data encryption and decryption module, a data signature module, a risk evaluation module and a safety detection module, and the application mounting end is connected with the safety system through the safety subsystem;
the data safety standard database is used for uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data to the vehicle networking platform by the vehicle-mounted terminal;
the digital certificate generated by starting the vehicle-mounted terminal is input into the security system through a communication link with the vehicle networking platform and is used for the vehicle networking communication data security monitoring work of the vehicle-mounted terminal, namely a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and
the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk assessment and safety detection of the vehicle networking communication data in the vehicle networking platform, namely the application mounting end is perfected to become the standard specifications of the risk assessment and safety detection of the vehicle networking platform.
2. The communication security internet of vehicles system of claim 1, wherein the internet of vehicles security certificate management system comprises a certificate generation module, a certificate burning module and a certificate updating module;
the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates;
the certificate burning module is used for decrypting the digital certificate on a special key burning terminal device and burning the decrypted digital certificate to a vehicle-mounted device end;
the certificate updating module is used for checking the validity period of the digital certificate by an SDK (software development kit) in a terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period time before an expiration time, and the certificate updating module automatically updates the certificate;
the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by means of certificates and related security technologies in the data communication process of the vehicle-mounted terminal;
the safety situation awareness system is used for specialized safety situation awareness operation of the Internet of vehicles.
3. The communication security car networking system of claim 2, wherein the data encryption system comprises an SSL server certificate and a signature verification tag, and particularly, the security protection is achieved through the SSL and signature verification tag technology, and the communication link data of the vehicle-mounted terminal is subjected to block signature to form a signature block chain;
the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, is used for risk assessment work of the vehicle networking platform of the application mounting end, specifically screens threat information in corresponding flow channels after data flow analysis, feeds the threat information back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligence machine learning and big data association are carried out, and further senses the risk level corresponding to the threat information, and the vehicle networking platform automatically updates vehicle networking communication data encryption and authentication operation of the vehicle terminal through the security system correspondingly according to the corresponding risk level.
4. The communication security car networking system according to claim 3, wherein the security detection module is configured to receive threat intelligence data analyzed, processed and associated by the security posture sensing system, perform abnormal feature detection on the threat intelligence data, perform network attack judgment, process a network attack event of the car terminal, specifically collect the threat intelligence data, perform abnormal feature detection by comparing a preset data threshold value, obtain an abnormal feature item, mark the item where the abnormal feature item is located, perform feature matching calculation on the abnormal feature item and an attack feature library downloaded from a big data association analysis module in the security posture sensing system, and process the network attack event of the car terminal for risk assessment after the judgment that the network attack event is met;
the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into a big data correlation analysis module in the security situation perception system, performing hierarchical correlation to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing.
5. The communication security Internet of vehicles system of claim 1, wherein the communication link is based on a 5G network trusted authentication technology and a 5G + V2X network security situation awareness technology, a dedicated data security transmission channel is provided for a 5G + V2X intelligent Internet application, and a connection between a security gateway in a vehicle-mounted terminal based on a 5G network and a platform of the Internet of vehicles is established.
6. The system of claim 1, wherein a security gateway of the system comprises an application layer, a core application layer, a CAN layer, and a hardware architecture layer;
the application layer comprises power management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and value-added service management;
the core application layer is used for providing bottom layer encapsulation and support for the core function of the vehicle-mounted gateway, and comprises a GPS core application for realizing real-time positioning and online navigation of the gateway, a 4G/5G core application for receiving or preparing to send signals through a 4G/5G network for encapsulation and realizing remote communication, and a storage module core application for storing valuable data information generated in the working process.
7. The communication security car networking system of claim 1, wherein the TBOX device comprises a 5G module, an encryption chip, a car MCU chip, and a PHY port physical layer, wherein the PHY port physical layer is connected to the 5G module with an SIM card to implement data frame transmission and is externally connected to a 100M/1000M network port, and the encryption chip is connected to the 5G module and the car MCU chip.
8. The communication security car networking system of claim 7, wherein the 5G module is an SRM815 model, and the encryption chip is a CIU98 model.
9. The system of claim 7, wherein the TBOX device further comprises a sensor, a memory, a buzzer, an RS485 converter, a high side drive, a circuit switch and a CAN transceiver connected to the vehicle gauge MCU chip, and a vehicle gauge power management circuit for supplying power.
CN202210938513.1A 2022-08-05 2022-08-05 Communication security car networking system Active CN115664691B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210938513.1A CN115664691B (en) 2022-08-05 2022-08-05 Communication security car networking system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210938513.1A CN115664691B (en) 2022-08-05 2022-08-05 Communication security car networking system

Publications (2)

Publication Number Publication Date
CN115664691A true CN115664691A (en) 2023-01-31
CN115664691B CN115664691B (en) 2023-04-11

Family

ID=85024338

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210938513.1A Active CN115664691B (en) 2022-08-05 2022-08-05 Communication security car networking system

Country Status (1)

Country Link
CN (1) CN115664691B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436632A (en) * 2023-02-08 2023-07-14 中电车联信安科技有限公司 Network safety identification system based on hardware components of Internet of vehicles
CN116827544A (en) * 2023-08-31 2023-09-29 北京云驰未来科技有限公司 Method and system for replacing on-board OBU trust root
CN118410586A (en) * 2024-07-03 2024-07-30 厦门金龙联合汽车工业有限公司 New generation V2X vehicle-mounted terminal design method

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704245A (en) * 2016-04-12 2016-06-22 成都景博信息技术有限公司 IOV (Internet of Vehicles) based mass data processing method
CN109714344A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on " end-pipe-cloud " joins automobile information security platform
CN109714421A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on bus or train route collaboration joins automobilism system
CN111131231A (en) * 2019-12-23 2020-05-08 北京蜂云科创信息技术有限公司 Method and equipment for accessing data of vehicle-mounted terminal into Internet of vehicles monitoring platform
US20200280842A1 (en) * 2019-03-01 2020-09-03 Xiruo Liu Security certificate management and misbehavior vehicle reporting in vehicle- to-everything (v2x) communication
CN111917685A (en) * 2019-05-07 2020-11-10 华为技术有限公司 Method for applying for digital certificate
CN113242251A (en) * 2021-05-20 2021-08-10 北京九州云驰科技有限公司 Vehicle-mounted network safety protection system and application method thereof

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704245A (en) * 2016-04-12 2016-06-22 成都景博信息技术有限公司 IOV (Internet of Vehicles) based mass data processing method
CN109714344A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on " end-pipe-cloud " joins automobile information security platform
CN109714421A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on bus or train route collaboration joins automobilism system
US20200280842A1 (en) * 2019-03-01 2020-09-03 Xiruo Liu Security certificate management and misbehavior vehicle reporting in vehicle- to-everything (v2x) communication
CN111917685A (en) * 2019-05-07 2020-11-10 华为技术有限公司 Method for applying for digital certificate
CN111131231A (en) * 2019-12-23 2020-05-08 北京蜂云科创信息技术有限公司 Method and equipment for accessing data of vehicle-mounted terminal into Internet of vehicles monitoring platform
CN113242251A (en) * 2021-05-20 2021-08-10 北京九州云驰科技有限公司 Vehicle-mounted network safety protection system and application method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
胡文;姜立标;: "智能网联汽车的多级安全防护方案设计和分析" *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436632A (en) * 2023-02-08 2023-07-14 中电车联信安科技有限公司 Network safety identification system based on hardware components of Internet of vehicles
CN116436632B (en) * 2023-02-08 2023-10-10 中电车联信安科技有限公司 Network safety identification system based on hardware components of Internet of vehicles
CN116827544A (en) * 2023-08-31 2023-09-29 北京云驰未来科技有限公司 Method and system for replacing on-board OBU trust root
CN116827544B (en) * 2023-08-31 2023-11-07 北京云驰未来科技有限公司 Method and system for replacing on-board OBU trust root
CN118410586A (en) * 2024-07-03 2024-07-30 厦门金龙联合汽车工业有限公司 New generation V2X vehicle-mounted terminal design method

Also Published As

Publication number Publication date
CN115664691B (en) 2023-04-11

Similar Documents

Publication Publication Date Title
CN115664691B (en) Communication security car networking system
EP3690643B1 (en) Vehicle-mounted device upgrading method and related device
US8004404B2 (en) Information storage device, information storage program, verification device and information storage method
Lam et al. ANT-centric IoT security reference architecture—Security-by-design for satellite-enabled smart cities
US20210216306A1 (en) Secure deployment of software on industrial control systems
CN113254947B (en) Vehicle data protection method, system, equipment and storage medium
CN110381075B (en) Block chain-based equipment identity authentication method and device
AU2020104272A4 (en) Blockchain-based industrial internet data security monitoring method and system
CN111711627B (en) Industrial Internet data security monitoring method and system based on block chain
CN113452526B (en) Electronic file certification method, verification method and corresponding devices
CN115147956A (en) Data processing method and device, electronic equipment and storage medium
KR20200141402A (en) Method and system for collecting and managing event data which is recorded by vehicle
CN114189359B (en) Internet of things equipment capable of avoiding data tampering, data safety transmission method and system
US20070266250A1 (en) Mobile Data Transmission Method and System
US20210216060A1 (en) Management of a reliable industrial control system via dedicated cellular network
CN111654591B (en) Picture tamper-proof method, computer device and storage medium
Feng et al. Autonomous vehicles' forensics in smart cities
WO2022106885A1 (en) Industrial control system
CA3103971A1 (en) Secure deployment of software on industrial control systems
CN117149521A (en) Network-connected automobile data backup method and system
CN113836564B (en) Block chain-based network-connected automobile information security system
CN114827200A (en) Intelligent automobile basic map data safety protection assembly
CN115225365A (en) Data secure transmission method, platform and system based on cryptographic algorithm
CN113988862A (en) Block chain data uplink method, and safety early warning system and method applying block chain data uplink method
CN117440019B (en) Laboratory Internet of things method and system based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant