CN115664691B - Communication security car networking system - Google Patents
Communication security car networking system Download PDFInfo
- Publication number
- CN115664691B CN115664691B CN202210938513.1A CN202210938513A CN115664691B CN 115664691 B CN115664691 B CN 115664691B CN 202210938513 A CN202210938513 A CN 202210938513A CN 115664691 B CN115664691 B CN 115664691B
- Authority
- CN
- China
- Prior art keywords
- vehicle
- safety
- data
- security
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Small-Scale Networks (AREA)
Abstract
The invention discloses a communication safety Internet of vehicles system, which comprises a vehicle-mounted terminal and a vehicle-mounted networking platform, wherein the vehicle-mounted networking platform comprises a safety system, a safety subsystem and a data safety standard database, the vehicle-mounted terminal and the vehicle-mounted networking platform are connected through a communication link, the vehicle-mounted terminal comprises TBOX equipment and a safety gateway, and the vehicle-mounted networking platform is used for providing safety requirements of the vehicle-mounted networking platform. According to the invention, a security system is arranged in the Internet of vehicles platform, and a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and fast moving scenes is constructed. The certificate use process is customized according to the communication requirements of the Internet of vehicles, safety protection is completed through SSL and signature verification technologies, and experience is accumulated for establishing a safety certification standard system of the Internet of vehicles.
Description
Technical Field
The invention relates to the technical field of vehicle networking communication, in particular to a communication safety vehicle networking system.
Background
The TBOX is a vehicle networking system, multiple technologies such as sensors, wireless transmission, big data, the Internet of things and intelligent device communication are combined, the number of devices involved in a communication network is large, the real-time requirement is high, life danger and road facility damage are easily caused by attack and damage, and the repair is difficult. Therefore, the information security in the internet of vehicles is of great importance, and the future development and implementation strength of the internet of vehicles are influenced. The domestic Internet of vehicles application is mainly vehicle cloud communication, and vehicle roads and vehicle and passenger communication are basically in a test stage. The vehicle cloud communication mainly comprises front-loading application and rear-loading application, the front-loading market is mainly dominated by a vehicle factory, the vehicle factory with certain strength builds a vehicle networking platform, and the vehicle leaves a factory and is preloaded with T-BOX equipment to realize vehicle cloud communication; the aftermarket is mainly dominated by industry governing departments, such as transportation, environmental protection and the like, vehicle cloud communication is realized by additionally arranging a data acquisition terminal on a vehicle, and the application type mainly takes industry management as a main part.
The safety of the internet of vehicles and the data safety at the present stage are in the exploration starting stage, and the safety problem of the internet of vehicles presents a faster growth situation. The front-loading and back-loading market application adopts a certain safety measure, but basically takes the self-set standards of enterprises and departments as the main and lacks of standard guidance. The existing car networking safety system mainly has the following problems.
(1) The method is characterized by comprising the following steps that authentication is safe, the conventional vehicle-mounted terminal generally adopts a fixed identity ID (easy to be attacked), an enterprise private encryption algorithm (the safety depends on the confidentiality degree of an enterprise to the algorithm and is completely uncontrollable) and the like, and the first safety of the method is low and easy to be attacked; secondly, interconnection and intercommunication among different manufacturers cannot be realized;
the TBOX and the vehicle networking platform are communicated, most enterprises do not pass any key system authentication, only authentication is carried out by adopting the modes of equipment preset user name and password or equipment and chip ID and the like, and few enterprises build identity authentication and key systems by themselves, but the security depends on the technical strength of the enterprises and the interconnection and the intercommunication cannot be realized;
(2) The system safety and the self safety of the TBOX system are generally based on an LINUX kernel or a singlechip open embedded operating system, the safety is almost not ensured, and the TBOX system is easy to attack. The safety of the car networking platform system does not have mandatory safety requirements on the car networking platform, such as equal security evaluation and the like, so that the safety precaution capacities of car networking service platforms of various manufacturers and industries are different. The car networking platform should have a third-level security protection capability of level protection, namely, the car networking platform should be capable of defending against main resource damage caused by malicious attacks launched by external organized groups, threat sources with abundant resources, serious natural disasters and other threats with considerable harm degrees under a unified security strategy, and can timely discover and monitor attack behaviors and dispose security events, and after the car networking platform is damaged, most functions can be quickly recovered;
(3) The communication is safe, the TBOX and the vehicle networking platform are safe in communication physical link, most factories directly use the common Internet of things channel of an operator, and the physical link safety protection is lacked;
(4) The data is safe, the TBOX and the vehicle networking platform are safe in data transmission, and encryption transmission is rarely adopted by vehicle enterprises at present; the TBOX and the ECU and other vehicle-mounted systems are safe in communication, the 27 protocols in ISO14229 are mainly adopted, the identity authentication is carried out on the seed encryption verification result by means of the private encryption algorithm of a vehicle factory, and the vehicle-mounted systems are easily attacked due to algorithm leakage. Data communication between the TBOX and the vehicle networking platform lacks a reliable and reliable verification mechanism, and data cannot be prevented from being tampered, so that data of a platform operator cannot be used for data support of important scenes.
Disclosure of Invention
The present invention has been made in view of the above-mentioned problems in terms of secure communication in the existing internet of vehicles.
Therefore, one of the objectives of the present invention is to provide a communication security car networking system and a car terminal thereof, which utilize a security system built in a car networking platform, customize the certificate usage flow according to the communication requirements of the car networking, complete security protection by SSL and signature verification technology, improve the cracking difficulty by the technology of performing block signature on data and forming a signature block chain, prevent data tampering, improve the security subsystem, be used for different car networking platforms of a car factory, a government department, etc., propose the system and application security requirements of the car networking platform, and gradually perfect the system and application security requirements to become the standard specifications of risk assessment and security detection of the car networking platform.
In order to solve the technical problems, the invention provides the following technical scheme that the system comprises a vehicle-mounted terminal, a vehicle networking platform and an application mounting end, wherein the vehicle networking platform comprises a safety system, a safety subsystem and a data safety standard database, the vehicle-mounted terminal and the vehicle networking platform are connected through a communication link, and the communication link is used for realizing the safety protection of the vehicle networking platform and a communication link in a vehicle; the vehicle-mounted terminal comprises TBOX equipment and a safety gateway, wherein the TBOX equipment is used for realizing vehicle data acquisition, 5G network transmission and vehicle positioning functions, and the safety gateway is connected with the TBOX equipment and is used for realizing identity authentication and data encryption functions; the system comprises a vehicle networking platform, a safety evaluation system and an emergency response mechanism, wherein the vehicle networking platform is used for providing safety requirements of the vehicle networking platform and providing at least one set of safety evaluation system and emergency response mechanism aiming at the vehicle networking platform; the safety system is used for constructing at least one set of encryption and authentication system suitable for the vehicle-mounted terminal and the fast moving scene and accumulating empirical data for a vehicle networking safety authentication standard system; the safety system comprises a vehicle networking safety certificate management system, a data encryption system and a safety situation perception system, wherein the vehicle networking safety certificate management system is used for deploying four different safety domains, namely a CA core area, an external service area, a safety management area and an internet access area, according to different safety levels, and the four different safety domains are protected by adopting safety protection equipment and a safety protection strategy to form a safety system; the system comprises a data security standard database, a security subsystem and a security system, wherein the data security standard database is used for storing uploading data, remote upgrading data, vehicle networking platform operation data and security system operation data of a vehicle-mounted terminal to a vehicle networking platform; the data safety standard database is used for storing uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data of the vehicle-mounted terminal to the vehicle networking platform; the digital certificate generated by starting the vehicle-mounted terminal is input into the security system through a communication link with a vehicle networking platform, and is used for the vehicle networking communication data security monitoring work of the vehicle-mounted terminal, namely, a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk assessment and safety detection of the vehicle networking communication data in the vehicle networking platform, namely the application mounting end is perfected to become the standard specifications of the risk assessment and safety detection of the vehicle networking platform.
As a preferable aspect of the present invention, wherein: the Internet of vehicles security certificate management system comprises a certificate generation module, a certificate burning module and a certificate updating module; the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates; specifically, the public key of the decryptor is used for encrypting the symmetric key generated in the first step, and the encrypted certificate and the encrypted symmetric key are packaged into a digital envelope, namely a digital certificate; the certificate burning module is used for decrypting the digital certificate on a special key burning terminal device and burning the decrypted digital certificate to a vehicle-mounted device end; the certificate updating module is used for checking the validity period of the digital certificate by an SDK (software development kit) in a terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period time before an expiration time, and the certificate updating module automatically updates the certificate; the certificate updating step is the same as the certificate issuing step of the vehicle-mounted system; the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by means of certificates and related security technologies in the data communication process of the vehicle-mounted terminal; the security situation awareness system is used for specialized security situation awareness operation of the Internet of vehicles.
As a preferable aspect of the present invention, wherein: the data encryption system comprises an SSL server certificate and a signature verification tag, and specifically, safety protection is completed through SSL and signature verification tag technologies, and a signature block chain is formed by performing block signature on communication link data of the vehicle-mounted terminal; the cracking difficulty is improved, and data tampering is prevented; the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, and is used for risk assessment work of the vehicle networking platform of the application mounting end, specifically screening threat information in a corresponding flow channel after data flow analysis, feeding back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligent machine learning and big data association, and further sensing the risk level corresponding to the threat information through security situation, wherein the vehicle networking platform automatically updates vehicle networking communication data encryption and authentication operation of the vehicle terminal through the security system according to the corresponding risk level.
As a preferable aspect of the present invention, wherein: the security detection module is used for receiving threat information data analyzed, processed and associated by the security situation awareness system, performing abnormal feature detection on the threat information data, performing network attack judgment, processing a network attack event of the vehicle-mounted terminal, specifically acquiring the threat information data, performing abnormal feature detection by comparing a preset data threshold value, acquiring an abnormal feature item, marking an item where the abnormal feature item is positioned, performing feature matching calculation on the abnormal feature item and an attack feature library downloaded from a big data association analysis module in the security situation awareness system, and performing risk assessment on the network attack event of the vehicle-mounted terminal after the judgment of the network attack event is met; the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into a big data correlation analysis module in the security situation perception system, performing hierarchical correlation to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing. The safety subsystem provides a safety subsystem for the vehicle networking platform, functions comprise identity authentication, data encryption and decryption, data signature and the like, the safety subsystem has a good cross-platform characteristic, can be used for different vehicle networking platforms of a vehicle factory, a government department and the like, provides system and application safety requirements of the vehicle networking platform, and is gradually perfected to become standard specifications of risk assessment and safety detection of the vehicle networking platform.
As a preferable aspect of the present invention, wherein: the communication link is based on a 5G network credibility authentication technology and a 5G + V2X network security situation perception technology, a special data security transmission channel is provided for the 5G + V2X intelligent internet application, and connection between a security gateway in the vehicle-mounted terminal and the vehicle networking platform based on the 5G network is established.
As a preferable aspect of the present invention, wherein: the security gateway of the security internet of vehicles system comprises an application layer, a core application layer, a CAN layer and a hardware architecture layer; the application layer comprises power management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and value-added service management; the core application layer is used for providing bottom layer encapsulation and support for the core function of the vehicle-mounted gateway, and comprises a GPS core application for realizing real-time positioning and online navigation of the gateway, a 4G/5G core application for receiving or preparing to send signals through a 4G/5G network for encapsulation and realizing remote communication, and a storage module core application for storing valuable data information generated in the working process; the CAN layer is further subdivided within it for functions related to the CAN network and according to the actual functional requirements and logical hierarchy.
As a preferable aspect of the present invention, wherein: the TBOX equipment comprises a 5G module, an encryption chip, a vehicle-specification MCU chip and a PHY port physical layer, wherein the PHY port physical layer and an SIM card are connected to the 5G module to realize data frame transmission and are externally connected with a 100M/1000M network port, the encryption chip is connected with the 5G module and the vehicle-specification MCU chip, the 5G module is in an SRM815 model, and the encryption chip is in a CIU98 model setting.
As a preferable aspect of the present invention, wherein: the TBOX equipment further comprises a sensor, a memory, a buzzer, an RS485 converter, a high-side driver, a circuit converter, a CAN transceiver and a vehicle gauge power supply management circuit, wherein the sensor, the memory, the buzzer, the RS485 converter, the high-side driver, the circuit converter and the CAN transceiver are connected with the vehicle gauge MCU chip, and the vehicle gauge power supply management circuit is used for supplying power.
The invention has the beneficial effects that: the invention utilizes a security system arranged in the vehicle networking platform to construct a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and fast moving scenes, and accumulates experience for establishing a vehicle networking security authentication standard system. The method is characterized in that the certificate use flow is customized according to the communication requirement of the Internet of vehicles, safety protection is completed through SSL and signature verification technology, the cracking difficulty is improved through the technology of carrying out block signature on data and forming a signature block chain, data tampering is prevented, a safety subsystem is improved, the method is used for different Internet of vehicles platforms such as a vehicle factory and a government department, the system and application safety requirements of the Internet of vehicles platforms are provided, and the method becomes the standard specification of risk assessment and safety detection of the Internet of vehicles platforms gradually. Meanwhile, a data security standard database forms a plurality of data security systems such as data uploading, remote upgrading, data storage and use of the vehicle networking platform, data tamper prevention and the like from the vehicle-mounted terminal to the vehicle networking platform.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
FIG. 1 is a schematic block diagram of a modular architecture for a TBOX device communication secure car networking system in an embodiment of the invention;
FIG. 2 is a schematic diagram of a security domain of a security certificate management system of the Internet of vehicles according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a modular structure of a vehicle terminal TBOX device in the embodiment of the invention;
fig. 4 is a framework diagram of a car networking network security and data security standard system in an embodiment of the present invention.
Detailed description of the preferred embodiments
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention, are within the scope of the invention.
The existing vehicle-mounted TBOX CAN realize remote control of the vehicle and read vehicle state information through CAN network communication. The vehicle-mounted TBOX is communicated with the cloud server through a 4G wireless network, and is communicated with external equipment such as a smart phone or a tablet computer through the cloud server. In the prior art, effective information in communication is generally directly placed on a TCP/IP layer for transmission, data is not encrypted, and data security threats of authentication, a security system, secure communication and secure data exist.
Based on this, referring to fig. 1 and fig. 2, an embodiment of the present invention provides a communication security car networking system, which includes a car networking platform and a car networking terminal, where the car networking platform includes a security system, a security subsystem and a data security standard database, the car networking platform and the car networking terminal are connected through a communication link, and the communication link is used to implement security protection of the car networking platform and an in-car communication link; the vehicle-mounted terminal comprises a TBOX device and a safety gateway, wherein the TBOX device is used for realizing vehicle data acquisition, 5G network transmission and vehicle positioning functions, and the safety gateway is connected with the TBOX device and is used for realizing identity authentication and data encryption functions; the vehicle networking platform is used for providing safety requirements of the vehicle networking platform and providing at least one set of safety evaluation system and emergency response mechanism aiming at the vehicle networking platform; the safety system is used for constructing at least one set of encryption and authentication system suitable for the vehicle-mounted terminal and a fast moving scene and accumulating empirical data for a vehicle networking safety authentication standard system; the safety system comprises a vehicle networking safety certificate management system, a data encryption system and a safety situation perception system, wherein the vehicle networking safety certificate management system is provided with four different safety domains, namely a CA core area, an external service area, a safety management area and an internet access area, according to different safety levels, and the four different safety domains are protected by adopting safety protection equipment and a safety protection strategy to form a safety system; and the data safety standard database is used for storing uploading data, remote upgrading data, operation data of the vehicle networking platform and operation data of a safety system from the vehicle-mounted terminal to the vehicle networking platform. The safety subsystem comprises an identity authentication module, a data encryption and decryption module, a data signature module, a risk evaluation module and a safety detection module, and the application mounting end is connected with the safety system through the safety subsystem; the data safety standard database is used for storing uploading data, remote upgrading data, operation data of the Internet of vehicles platform and operation data of a safety system from the vehicle-mounted terminal to the Internet of vehicles platform;
the digital certificate generated by starting the vehicle-mounted terminal is input into the security system through a communication link with the vehicle networking platform and is used for the vehicle networking communication data security monitoring work of the vehicle-mounted terminal, namely a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk assessment and safety detection of the vehicle networking communication data in the vehicle networking platform, namely the application mounting end is perfected to become the standard specifications of the risk assessment and safety detection of the vehicle networking platform.
In this embodiment, the security certificate management system of the internet of vehicles includes a certificate generation module, a certificate burning module, and a certificate updating module; the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates; specifically, the symmetric key generated in the first step is encrypted by using a public key of a decryptor, and the encrypted certificate and the encrypted symmetric key are packaged into a digital envelope, namely a digital certificate; the certificate burning module is used for decrypting the digital certificate on the special key burning terminal equipment and burning the decrypted digital certificate to the vehicle-mounted equipment end; the certificate updating module is used for checking the valid period of the digital certificate by an SDK (software development kit) in the terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period time before expiration time, and the certificate updating module automatically updates the certificate; the certificate updating step is the same as the certificate issuing step of the vehicle-mounted system; the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by relying on certificates and related security technologies in the data communication process of the vehicle-mounted terminal; the security situation awareness system is used for specialized security situation awareness operation of the Internet of vehicles application.
In this embodiment, the data encryption system includes an SSL server certificate and a signature verification tag, and specifically, the security protection is completed by using SSL and signature verification techniques, and a block signature is performed on communication link data of the vehicle-mounted terminal to form a signature block chain; the cracking difficulty is improved, and data tampering is prevented; the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, and is used for risk assessment work of a vehicle networking platform of a mounting end, specifically screening threat information in a corresponding flow channel after data flow analysis, feeding back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligent machine learning and big data association, and further performing risk grade corresponding to the security situation awareness threat information.
The safety detection module is used for receiving threat information data analyzed, processed and associated by the safety situation perception system, carrying out abnormal characteristic detection on the threat information data, carrying out network attack judgment, processing a network attack event of the vehicle-mounted terminal, specifically acquiring the threat information data, carrying out abnormal characteristic detection by comparing a preset data threshold value, acquiring an abnormal characteristic item, marking an item where the abnormal characteristic item is located, carrying out characteristic matching calculation on the abnormal characteristic item and an attack characteristic library downloaded from the big data association analysis module in the safety situation perception system, and carrying out risk assessment on the network attack event of the vehicle-mounted terminal after the judgment of the network attack event is met; the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into the big data association analysis module in the security situation perception system, performing hierarchical association to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing. The safety subsystem provides a safety subsystem for the car networking platform, functions of the safety subsystem comprise identity authentication, data encryption and decryption, data signature and the like, the safety subsystem has a good cross-platform characteristic, can be used for different car networking platforms of car factories, government departments and the like, provides system and application safety requirements of the car networking platform, and gradually perfects the standard specification of risk assessment and safety detection of the car networking platform.
Preferably, in this embodiment, the communication link provides a dedicated data security transmission channel for the intelligent internet application of 5g + v2x based on a 5G network trusted authentication technology and a 5g + v2x network security situation awareness technology, and establishes a connection between a security gateway in the vehicle-mounted terminal based on the 5G network and the vehicle networking platform.
Preferably, in this embodiment, the security gateway of the secure internet of vehicles system includes an application layer, a core application layer, a CAN layer, and a hardware architecture layer; the application layer, which finally embodies the service requirements, is located at the uppermost layer of the software architecture. The application layer comprises parts such as power supply management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and the like, and the rich and various functions of the vehicle-mounted gateway are realized by forming an instruction aiming at an application program and transmitting a corresponding control command through a communication CAN network. The application layer also comprises functions for serving users, and value-added services can be provided. The core application layer is independent of the final service requirement, provides bottom layer encapsulation for the application layer, and correspondingly encapsulates the bottom layer control program and software related to data management on the basis of combining the hardware requirement of the gateway system and the logic requirement defined by the related interface, thereby facilitating the application layer. The core application layer provides bottom layer encapsulation and support aiming at the core function of the vehicle-mounted gateway. The method comprises the following steps: the GPS core application realizes the functions of real-time positioning, on-line navigation and the like for the gateway; the 4G/5G core application encapsulates signals received or ready to be sent through a 4G/5G network, and provides support for the gateway system to realize functions such as remote communication and the like; and the storage module core application is used for storing valuable data information generated in the working process, so that the system can conveniently perform related diagnosis and online control. The CAN layer is used for forming an independent software part aiming at functions related to the CAN network based on the complexity and importance of related applications, and is further subdivided in the CAN layer according to actual functional requirements and logic levels. The instructions for the application are mainly transmitted through the CAN network. And the hardware architecture layer is designed in a software architecture, software encapsulation is carried out on the hardware environment and the control requirement of the whole gateway, and application layer software adapts to different hardware systems through the hardware architecture layer.
Further illustratively, the security gateway is a hardware architecture based on TBOX, and the main functional differences compared with TBOX are as follows: the hardware architecture does not comprise a communication module, so that the number of interfaces is reduced, and only the CAN interface is included; the software functions do not comprise various vehicle-mounted applications supported by TBOX, and only comprise the functions of data receiving and sending, data encryption, data signature and identity authentication based on a CAN network.
Preferably, in this embodiment, the TBOX device includes a 5G module, an encryption chip, a vehicle-specific MCU chip, and a PHY port physical layer, where the PHY port physical layer is connected to the 5G module with an SIM card to implement data frame transmission, and is externally connected to a 100M/1000M network port, the encryption chip is connected to the 5G module and the vehicle-specific MCU chip, the 5G module is of SRM815 type, and the encryption chip is set to be of CIU98 type. The TBOX equipment further comprises a sensor, a memory, a buzzer, an RS485 converter, a high-side driver, a circuit converter, a CAN transceiver and a vehicle gauge power supply management circuit, wherein the sensor, the memory, the buzzer, the RS485 converter, the high-side driver, the circuit converter and the CAN transceiver are connected with the vehicle gauge MCU chip, and the vehicle gauge power supply management circuit is used for supplying power.
Further, the 5G module, the american SRM815, is a reliable communication module capable of providing 5G wireless access capability and having a high security encryption technology and a high reliability proprietary bearer channel. The system can be integrated into multi-industry terminal equipment through a standard communication interface, and provides reliable communication of high-speed maneuvering. The trusted module provides high-safety and high-reliability transmission links and rich networking scenes for industrial customers. Aiming at different networking environments and customer requirements, a high-quality and credible cloud access and networking scheme can be provided for customers in various industries. And the method supports the fusion networking and link backup with the original MV private line, cloud resources and the like of an enterprise, and realizes the services of visual network monitoring, elastic bandwidth, intelligent routing, flow SLA scheduling and the like. An SE product developed based on a Huada high-security chip CIU98_ B is integrated into terminal equipment as a trust root aiming at the information security requirements in the field of Internet of things, provides various password service functions, and supports various security applications of unique identification, communication encryption, security storage, security starting, security upgrading and the like of an equipment end. The encryption chip can realize the safety authentication and safety communication functions of the vehicle-mounted terminal. The MCU chip properly reduces the frequency and specification of the CPU, integrates the interfaces of a memory, a counter, a USB, A/D conversion, PLC and the like, even an LCD drive circuit on the same chip, and has the characteristics of high performance, low power consumption, programmability, high flexibility and the like. The PHY, referred to as the port physical layer, can send and receive data frames of the ethernet.
TBOX equipment connection process introduction: the 5G trusted module, the encryption Huada chip and the vehicle-mounted MCU are three major components of the T-BOX product. The PHY and SIM card are connected to the 5G module to realize data frame transmission and are externally connected with 100M/1000M network port. The encryption chip is connected with the 5G module and the vehicle gauge MCU, so that the encryption function of data transmission is realized, and the calculation force requirement of a security authentication system on the vehicle-mounted terminal is reduced. The vehicle-gauge MCU chip is connected with various sensors (acceleration sensors), a memory, a buzzer and other external devices to read and process various signals. The vehicle-scale power management circuit provides DC24V/12V power supply for the whole T-BOX hardware system.
Based on the above, the vehicle-mounted terminal security authentication and security communication may adopt two methods: the method is realized by software based on the existing processor (CPU/MPU/NPU) and adopts a special security chip. The former completes the authentication and the realization of an encryption algorithm through a processor of the vehicle-mounted terminal, and the latter adopts a special chip, and the processor obtains a processing result from the encryption chip. The scheme adopts a special safety chip scheme, has the advantages of reducing the calculation force requirement of a safety certification system on the vehicle-mounted terminal, basically having no influence on chip type selection and development, and ensuring the safety, the reliability and the like by adopting the special safety chip.
The vehicle networking safety standard system is divided into 6 parts such as general and basic commonalities, terminal and facility network safety, networking communication safety, data safety, application service safety, safety guarantee and support in the construction guidance of the Ministry of industry and communications, and after the scheme of the embodiment is adopted, the processes and requirements of the parts 201, 202, 301, 302, 402, 405, 501, 502, 601, 602, 603 and the like in the safety standard can be completed.
In conclusion, the invention establishes a set of encryption and authentication system suitable for embedded equipment such as vehicle-mounted terminals and the like and fast moving scenes by setting a security system in the vehicle networking platform, and accumulates experience for establishing a vehicle networking security authentication standard system. The method is characterized in that the certificate use flow is customized according to the communication requirement of the Internet of vehicles, safety protection is completed through SSL and signature verification technology, the cracking difficulty is improved through the technology of carrying out block signature on data and forming a signature block chain, data tampering is prevented, a safety subsystem is improved, the method is used for different Internet of vehicles platforms such as a vehicle factory and a government department, the system and application safety requirements of the Internet of vehicles platforms are provided, and the method becomes the standard specification of risk assessment and safety detection of the Internet of vehicles platforms gradually. Meanwhile, a data security standard database forms a plurality of data security systems such as data uploading, remote upgrading, data storage and use of the vehicle networking platform, data tamper prevention and the like from the vehicle-mounted terminal to the vehicle networking platform.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. All or part of the steps of the method of the above embodiments may be implemented by hardware that is configured to be instructed to perform the relevant steps by a program, which may be stored in a computer-readable storage medium, and which, when executed, includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. The storage medium may be a read-only memory, a magnetic or optical disk, or the like.
While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (6)
1. A communication safety Internet of vehicles system is characterized by comprising a vehicle-mounted terminal, an Internet of vehicles platform and an application mounting end, wherein the Internet of vehicles platform comprises a safety system, a safety subsystem and a data safety standard database, and the vehicle-mounted terminal is connected with the Internet of vehicles platform through a communication link;
the vehicle-mounted terminal comprises TBOX equipment and a security gateway, wherein the TBOX equipment is used for realizing functions of vehicle data acquisition, 5G network transmission and vehicle positioning, and the security gateway is connected with the TBOX equipment and is used for realizing functions of identity authentication and data encryption;
the security system comprises a car networking security certificate management system, a data encryption system and a security situation perception system, wherein the car networking security certificate management system deploys four different security domains, namely a CA core area, an external service area, a security management area and an internet access area, according to different security levels;
the safety subsystem comprises an identity authentication module, a data encryption and decryption module, a data signature module, a risk evaluation module and a safety detection module, and the application mounting end is connected with the safety system through the safety subsystem;
the data safety standard database is used for storing uploading data, remote upgrading data, vehicle networking platform operation data and safety system operation data of the vehicle-mounted terminal to the vehicle networking platform;
the digital certificate generated by starting the vehicle-mounted terminal is input into the safety system through a communication link with a vehicle networking platform, and is used for the vehicle networking communication data safety monitoring work of the vehicle-mounted terminal, namely a vehicle networking communication data encryption and authentication system of the fast moving vehicle is constructed; and
the application mounting end is connected with the safety system through the safety subsystem and is used for setting standard specifications of risk evaluation and safety detection of the Internet of vehicles communication data in the Internet of vehicles platform, namely the application mounting end is perfected to become the standard specifications of the risk evaluation and safety detection of the Internet of vehicles platform;
the Internet of vehicles security certificate management system comprises a certificate generation module, a certificate burning module and a certificate updating module;
the certificate generation module is used for generating certificates at the cloud end of the Internet of vehicles and at the two sides of the vehicle-mounted terminal, wherein the certificates at the vehicle-mounted terminal are generated and encrypted in batches, specifically, the certificates are encrypted by digital envelopes to generate symmetric keys, and the symmetric keys are used for encrypting the digital certificates;
the certificate burning module is used for decrypting the digital certificate on a special key burning terminal device and burning the decrypted digital certificate to a vehicle-mounted device end;
the certificate updating module is used for checking the validity period of the digital certificate by an SDK (software development kit) in a terminal when the digital certificate of the vehicle-mounted equipment terminal is ignited each time, wherein the digital certificate enters a preset grace period time before an expiration time, and the certificate updating module automatically updates the certificate;
the data encryption system is used for realizing identity identification of each entity, data channel encryption and data tamper-proof protection measures by means of certificates and related security technologies in the data communication process of the vehicle-mounted terminal;
the safety situation awareness system is used for specialized safety situation awareness operation of the Internet of vehicles application;
the data encryption system comprises an SSL server certificate and a signature verification tag, particularly, safety protection is completed through SSL and signature verification tag technologies, and a signature block chain is formed by carrying out block signature on communication link data of the vehicle-mounted terminal;
the security situation awareness system comprises a full-flow analysis module, a threat information module, a UEBA user entity behavior analysis module, a machine learning module and a big data association analysis module, is used for risk assessment work of the vehicle networking platform of the application mounting end, specifically screens threat information in corresponding flow channels after data flow analysis, feeds the threat information back to a security subsystem for security detection and risk assessment after UEBA user entity behavior analysis, artificial intelligent machine learning and big data association are carried out, and further senses the risk level corresponding to the threat information according to the security situation, and the vehicle networking platform automatically updates vehicle networking communication data encryption and authentication operations of the vehicle terminal through the security system according to the corresponding risk level;
the security detection module is used for receiving threat information data analyzed, processed and associated by the security situation awareness system, performing abnormal feature detection on the threat information data, performing network attack judgment, processing a network attack event of the vehicle-mounted terminal, specifically acquiring the threat information data, performing abnormal feature detection by comparing a preset data threshold value, acquiring an abnormal feature item, marking an item where the abnormal feature item is positioned, performing feature matching calculation on the abnormal feature item and an attack feature library downloaded from a big data association analysis module in the security situation awareness system, and performing risk assessment on the network attack event of the vehicle-mounted terminal after the judgment of the network attack event is met;
the risk evaluation module is used for receiving the network attack event information of the vehicle-mounted terminal, extracting risk characteristic keywords in the network attack event information of the vehicle-mounted terminal, inputting the risk characteristic keywords into the big data association analysis module in the security situation awareness system, performing hierarchical association to risk levels corresponding to the risk characteristic keywords, determining corresponding risk levels according to a preset threshold calibration table, and then performing corresponding risk level processing.
2. The communication safety car networking system of claim 1, wherein the communication link is based on a 5G network trusted authentication technology and a 5G + V2X network safety situation awareness technology, a special data safety transmission channel is provided for a 5G + V2X intelligent internet application, and connection between a safety gateway in the car terminal and the car networking platform based on the 5G network is established.
3. The system of claim 1, wherein a security gateway of the system comprises an application layer, a core application layer, a CAN layer, and a hardware architecture layer;
the application layer comprises power management, diagnosis management, storage management, CAN communication management, wireless communication management, remote control management and value-added service management;
the core application layer is used for providing bottom layer encapsulation and support for the core function of the vehicle-mounted gateway, and comprises a GPS core application for realizing real-time positioning and online navigation of the gateway, a 4G/5G core application for receiving or preparing to send signals through a 4G/5G network for encapsulation and realizing remote communication, and a storage module core application for storing valuable data information generated in the working process.
4. The communication security car networking system of claim 1, wherein the TBOX device comprises a 5G module, an encryption chip, a car MCU chip, and a PHY port physical layer, wherein the PHY port physical layer is connected to the 5G module with an SIM card to implement data frame transmission and is externally connected to a 100M/1000M network port, and the encryption chip is connected to the 5G module and the car MCU chip.
5. The communication security car networking system of claim 4, wherein the 5G module is an SRM815 model, and the encryption chip is provided for a CIU98 model.
6. The system of claim 5, wherein the TBOX device further comprises a sensor, a memory, a buzzer, an RS485 converter, a high side drive, a circuit switch and a CAN transceiver connected to the MCU chip, and a vehicle power management circuit for supplying power.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210938513.1A CN115664691B (en) | 2022-08-05 | 2022-08-05 | Communication security car networking system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210938513.1A CN115664691B (en) | 2022-08-05 | 2022-08-05 | Communication security car networking system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115664691A CN115664691A (en) | 2023-01-31 |
| CN115664691B true CN115664691B (en) | 2023-04-11 |
Family
ID=85024338
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210938513.1A Active CN115664691B (en) | 2022-08-05 | 2022-08-05 | Communication security car networking system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115664691B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116436632B (en) * | 2023-02-08 | 2023-10-10 | 中电车联信安科技有限公司 | Network safety identification system based on hardware components of Internet of vehicles |
| CN116827544B (en) * | 2023-08-31 | 2023-11-07 | 北京云驰未来科技有限公司 | Method and system for replacing on-board OBU trust root |
| CN118410586A (en) * | 2024-07-03 | 2024-07-30 | 厦门金龙联合汽车工业有限公司 | New generation V2X vehicle-mounted terminal design method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105704245A (en) * | 2016-04-12 | 2016-06-22 | 成都景博信息技术有限公司 | IOV (Internet of Vehicles) based mass data processing method |
| CN109714344A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on " end-pipe-cloud " joins automobile information security platform |
| CN109714421A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on bus or train route collaboration joins automobilism system |
| CN111131231A (en) * | 2019-12-23 | 2020-05-08 | 北京蜂云科创信息技术有限公司 | Method and equipment for accessing data of vehicle-mounted terminal into Internet of vehicles monitoring platform |
| CN111917685A (en) * | 2019-05-07 | 2020-11-10 | 华为技术有限公司 | Method for applying for digital certificate |
| CN113242251A (en) * | 2021-05-20 | 2021-08-10 | 北京九州云驰科技有限公司 | Vehicle-mounted network safety protection system and application method thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11445362B2 (en) * | 2019-03-01 | 2022-09-13 | Intel Corporation | Security certificate management and misbehavior vehicle reporting in vehicle-to-everything (V2X) communication |
-
2022
- 2022-08-05 CN CN202210938513.1A patent/CN115664691B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105704245A (en) * | 2016-04-12 | 2016-06-22 | 成都景博信息技术有限公司 | IOV (Internet of Vehicles) based mass data processing method |
| CN109714344A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on " end-pipe-cloud " joins automobile information security platform |
| CN109714421A (en) * | 2018-12-28 | 2019-05-03 | 国汽(北京)智能网联汽车研究院有限公司 | Intelligent network based on bus or train route collaboration joins automobilism system |
| CN111917685A (en) * | 2019-05-07 | 2020-11-10 | 华为技术有限公司 | Method for applying for digital certificate |
| CN111131231A (en) * | 2019-12-23 | 2020-05-08 | 北京蜂云科创信息技术有限公司 | Method and equipment for accessing data of vehicle-mounted terminal into Internet of vehicles monitoring platform |
| CN113242251A (en) * | 2021-05-20 | 2021-08-10 | 北京九州云驰科技有限公司 | Vehicle-mounted network safety protection system and application method thereof |
Non-Patent Citations (1)
| Title |
|---|
| 胡文 ; 姜立标 ; .智能网联汽车的多级安全防护方案设计和分析.网络安全技术与应用.2017,(02),全文. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115664691A (en) | 2023-01-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115664691B (en) | Communication security car networking system | |
| US8004404B2 (en) | Information storage device, information storage program, verification device and information storage method | |
| CN113254947B (en) | Vehicle data protection method, system, equipment and storage medium | |
| EP3848794A1 (en) | Secure deployment of software on industrial control systems | |
| CN110381075B (en) | Block chain-based equipment identity authentication method and device | |
| AU2020104272A4 (en) | Blockchain-based industrial internet data security monitoring method and system | |
| CN112270005B (en) | Data transmission method and system | |
| CN111711627B (en) | Industrial Internet data security monitoring method and system based on block chain | |
| CN104464114A (en) | System and method for managing and monitoring safety of application of financial terminals | |
| CN113452526B (en) | Electronic file certification method, verification method and corresponding devices | |
| CN115147956A (en) | Data processing method and device, electronic equipment and storage medium | |
| CN114189359B (en) | Internet of things equipment capable of avoiding data tampering, data safety transmission method and system | |
| CN111654375A (en) | Block chain-based edge calculation security encryption method, device and system | |
| US20070266250A1 (en) | Mobile Data Transmission Method and System | |
| US20210216060A1 (en) | Management of a reliable industrial control system via dedicated cellular network | |
| US20140245017A1 (en) | Digital Tachograph | |
| CN111654591B (en) | Picture tamper-proof method, computer device and storage medium | |
| Feng et al. | Autonomous vehicles' forensics in smart cities | |
| US20030079141A1 (en) | Method for securing the authenticity of hardware and software in a networked system | |
| WO2022106885A1 (en) | Industrial control system | |
| CA3103971A1 (en) | Secure deployment of software on industrial control systems | |
| CN112883425A (en) | Data processing method based on block chain and block chain link point | |
| CN113518071A (en) | Robot sensor information security enhancing device and method | |
| CN117557173A (en) | Order processing method and system based on take-out dispatch | |
| CN117149521A (en) | Network-connected automobile data backup method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |