CN118337371A - Method and system for authenticating and grading encryption and decryption of lightweight node in vehicle interior network - Google Patents


Info

Publication number
CN118337371A
Authority
CN
China
Prior art keywords
message
bus
target
nodes
node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410243540.6A
Other languages
Chinese (zh)
Inventor
曹进
李泽健
李晖
尚超
郭振洋
马如慧
尤伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Abstract

The invention discloses a lightweight node identity authentication and hierarchical encryption and decryption method and system for an in-vehicle network. In the method, at least two nodes perform identity authentication and key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type, and a preset key corresponding to the message of the target type, and obtain a session key for the message of the target type. The transmitting node among the at least two nodes generates a bus message frame and sends it to the bus, based on at least some of six items of data: the data to be transmitted, the ID of the message of the target type, the session key, the target security level, the current value of a counter for the message of the target type, and the current load rate of the bus. The receiving node among the at least two nodes parses the received bus message frame according to at least some of three items of data: the ID of the message of the target type, the session key, and the current value of the counter for the message of the target type, thereby realizing secure communication.

Description

Method and system for authenticating and grading encryption and decryption of lightweight node in vehicle interior network
Technical Field
The invention belongs to the technical field of in-vehicle networks, and particularly relates to an in-vehicle network lightweight node identity authentication and hierarchical encryption and decryption method and system.
Background
In recent years, in-vehicle network technology has developed rapidly and continues to evolve. As the automobile industry transitions toward intelligence and electrification, in-vehicle network technology is continuously updated and upgraded.
The automotive industry introduced the ECU in 1970 to collect information from sensors and control machine components. One ECU may request sensor information from another ECU to make a related decision. The ECUs form an in-vehicle network to communicate with each other. For in-vehicle network communications, the most widely used network is CAN. Two of the most important objectives of CAN development were to reduce wiring complexity and cost. Early on, the security of communications between vehicle components was not considered important, because the vehicle was a closed system and was unable to communicate with other devices or vehicles. Automobile engineers therefore designed CAN around broadcast-based serial communication, in which any ECU connected to the CAN bus can read or send messages. However, as the number of in-vehicle devices increases, the functions of the in-vehicle network become richer, the exchange of CAN bus data between vehicles becomes more convenient, and security on the CAN bus becomes more important. For example, attacks may be initiated on the in-vehicle network via an On-Board Diagnostics (OBD) interface connection or a wireless connection. In addition, an internal attacker can interfere with the CAN protocol by disrupting communication, injecting spurious frames or replaying original frames. In January 2022, a 19-year-old in Germany took control of more than 25 Tesla cars in 13 countries and remotely performed operations such as unlocking doors, opening windows, starting keyless driving, adjusting the air-conditioning mode and temperature, and controlling the horn and lights.
In-vehicle network technology is now widely used in many brands of automobiles. It enables automobiles to perform many new functions such as remote diagnostics, in-vehicle navigation, in-vehicle entertainment and in-vehicle safety monitoring. For example, a Tesla car may be put into a maintenance mode that allows a maintenance technician to remotely access the in-vehicle network to complete an over-the-air upgrade and remote diagnostics of the vehicle sensors. As another example, the Xpeng P5 smart car is equipped with a lidar, and intelligent driving assistance is realized by linking the in-vehicle network with the power and steering systems.
As described above, with the development of the Internet of Things, more and more ECU devices are added to the in-vehicle network to realize various new functions, which also brings new challenges to in-vehicle network technology. As the functions of in-vehicle ECU nodes become richer and the number of ECU nodes grows, the exposure also increases. In-vehicle networks are now more vulnerable than ever to attacks such as exploitation of firmware vulnerabilities or intrusion through external interfaces. These attacks compromise the privacy and security of vehicle data. Data security is therefore an important aspect that the development of in-vehicle network technology must take into account. At present, the problems of the in-vehicle CAN bus are as follows:
(1) No confidentiality: the data on the CAN bus is always transmitted in plain text.
(2) No authentication: the CAN protocol does not authenticate the data and entities thereon.
(3) Weak access control: any entity on the CAN bus can communicate at will and access data on other ECUs.
Therefore, in an in-vehicle network scenario, to avoid the damage and tampering of ECU data, a security mechanism needs to be established to protect the messages on the CAN bus. Current research on the safety mechanism of the in-vehicle network mainly starts from the following three aspects: firstly, a security authentication scheme for the CAN is designed by using cryptographic primitives, and authentication of entities on the CAN bus is realized by optimizing the performance of the security authentication scheme on the CAN bus. However, deploying identity authentication schemes in practice is challenging due to the low throughput and message length limitations of the CAN protocol. Secondly, according to the characteristics of the CAN bus, special encryption or verification schemes are designed by utilizing relevant physical characteristics, such as means of ID confusion, channel hiding, task rearrangement and the like, and little or no additional communication overhead is introduced in the schemes. Thirdly, an anomaly-based intrusion detection system (Intrusion Detection System, IDS) is deployed, and anomaly information on the CAN bus is actively analyzed to discover an attack behavior, so that a specific defense means is implemented.
However, the related art has the following problems:
(1) The existing CAN communication protocol was designed without security measures; it lacks protection for the confidentiality, integrity and non-repudiation of messages and is easily attacked by malicious nodes.
(2) ECU nodes have limited computing resources, and the CAN bus is constrained in bandwidth, communication mode and message length, so security mechanisms designed for other network systems are difficult to apply directly to an in-vehicle network.
(3) Most current security schemes designed for the CAN bus are disruptive and incompatible with the standard CAN bus; introducing them requires substantial modification of the software and hardware of the in-vehicle network, so the cost of adoption is high.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an in-vehicle network lightweight node identity authentication and hierarchical encryption and decryption method and system.
The technical problems to be solved by the invention are realized by the following technical scheme:
The invention provides an in-vehicle network lightweight node identity authentication and hierarchical encryption and decryption method, which comprises the following steps:
When a message of a target type needs to be transmitted between at least two nodes, the at least two nodes perform identity authentication and key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type, and a preset key corresponding to the message of the target type, so as to obtain a session key for the message of the target type; each node stores preset keys corresponding to a plurality of preset types of messages; each node has a counter for each preset type of message;
A transmitting node of the at least two nodes generates a bus message frame and transmits it to the bus, based on at least some of the following six items of data: the data to be transmitted, the ID of the message of the target type, the session key, a target security level selected from a plurality of different security levels, the current value of the transmitting node's counter for the message of the target type, and the current load rate of the bus; the bus message frame contains type information; the type information characterizes the security level of the data to be transmitted or the role of the data carried in the bus message frame;
A receiving node of the at least two nodes parses the received bus message frame, so as to realize secure communication, according to at least some of the following three items of data: the ID of the message of the target type, the session key, and the current value of the receiving node's counter for the message of the target type.
The invention also provides an in-vehicle network system, which comprises:
A plurality of ECUs and a gateway ECU, where each ECU serves as a node of the system and different nodes communicate through buses; each node stores preset keys corresponding to a plurality of preset types of messages; each node has a counter for each preset type of message;
When a message of a target type needs to be transmitted between at least two nodes, the at least two nodes carry out key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type, and a preset key corresponding to the message of the target type, to obtain a session key for the message of the target type;
A transmitting node of the at least two nodes generates a bus message frame and transmits it to the bus, based on at least some of the following six items of data: the data to be transmitted, the ID of the message of the target type, the session key, a target security level selected from a plurality of different security levels, the current value of the transmitting node's counter for the message of the target type, and the current load rate of the bus; the bus message frame contains type information; the type information characterizes the level type of the target security level or the role of the data carried in the bus message frame;
A receiving node of the at least two nodes parses the received bus message frame, so as to realize secure communication, according to at least some of the following three items of data: the ID of the message of the target type, the session key, and the current value of the receiving node's counter for the message of the target type.
Compared with the prior art, the invention has the beneficial effects that:
According to the invention, the preset key configured in the node is used for node identity authentication and key negotiation according to the subscribed message ID, and only the corresponding encryption and decryption operations are needed, so the computation and storage costs of the node are reduced and the efficiency of in-vehicle network node identity authentication is improved. The invention defines messages of multiple different security levels and flexibly selects among them according to the computing power of the node, the bus load and the security requirements of the message; this protects the confidentiality, integrity and non-repudiation of the message and makes it difficult for malicious nodes to attack, so that different security requirements are met while computation and communication overhead are taken into account, and the efficiency of message transmission after security measures are introduced is improved. While introducing security measures, the invention complies with the standard bus protocol and is compatible with the standard bus.
The present invention will be described in further detail with reference to the accompanying drawings.
Drawings
Fig. 1 is a schematic flow chart of an in-vehicle network lightweight node identity authentication and hierarchical encryption and decryption method provided by an embodiment of the invention;
FIG. 2 is an exemplary schematic diagram of an in-vehicle network provided by an embodiment of the present invention;
FIG. 3 is a flow chart of key agreement between two nodes provided by an embodiment of the present invention;
FIG. 4 is a flow chart of key agreement among three or more nodes provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of an exemplary bus message frame provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of an exemplary first bus message frame generated when the target security level is an encryption-less level, provided by an embodiment of the present invention;
FIG. 7 is a schematic diagram of an exemplary first bus message frame generated when a target security level is an authentication level, provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of an exemplary first bus message frame generated when the target security level is an encryption level, provided by an embodiment of the present invention;
FIG. 9 is a schematic diagram of an exemplary first bus message frame generated when the target security level is an encryption authentication level, provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of an exemplary generated second bus message frame provided by an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
Fig. 1 is a schematic flow chart of an in-vehicle network lightweight node identity authentication and hierarchical encryption and decryption method provided by an embodiment of the present invention. The method is applied to an in-vehicle network system. As an example, as shown in fig. 2, the in-vehicle network system includes a vehicle gateway (gateway ECU) and a plurality of ECUs; each ECU serves as a node of the system, and different nodes communicate through buses. Each node stores preset keys corresponding to a plurality of preset types of messages. Each node has a counter for each preset type of message, and when a node negotiates a session key for a certain preset type, the value of the counter for that preset type is initialized for subsequent counting. The preset key can be configured when the automobile leaves the factory, or updated and replaced later through a firmware upgrade. As shown in fig. 1, the method includes:
S101, when a message of a target type needs to be transmitted between at least two nodes, the at least two nodes perform identity authentication and key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type and a preset key corresponding to the message of the target type, and obtain a session key for the message of the target type.
Here, the target category may be any one of the plurality of preset categories described above.
Here, ID means identifier; each node and each type of message has a unique ID.
Here, the bus may be a CAN bus, or may be a "LIN bus", "MOST fiber", or "FlexRay bus".
S102, a sending node of the at least two nodes generates a bus message frame and sends it to the bus, based on at least some of the following six items of data: the data to be sent, the ID of the message of the target type, the session key, a target security level selected from a plurality of different security levels, the current value of the sending node's counter for the message of the target type, and the current load rate of the bus; the bus message frame contains type information; the type information characterizes the security level of the data to be sent or the role of the data carried in the bus message frame.
S103, the receiving node of the at least two nodes parses the received bus message frame accordingly, so as to realize secure communication, according to at least some of the following three items of data: the ID of the message of the target type, the session key, and the current value of the receiving node's counter for the message of the target type.
In some embodiments, the above S101 includes the following two cases:
S1011, when the message of the target type needs to be transmitted between two nodes, the two nodes perform identity authentication and key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type and a preset key corresponding to the message of the target type, so as to obtain a session key for the message of the target type.
S1012, when the message of the target type needs to be transmitted among n nodes, the n nodes and the gateway node perform identity authentication and key negotiation over the bus using symmetric encryption and decryption, based on their own IDs, the ID of the message of the target type and a preset key corresponding to the message of the target type, so as to obtain a session key for the message of the target type; n is an integer greater than or equal to 3.
Specifically, the two nodes may be the node $ECU_1$ and the node $ECU_2$; on this basis, as shown in fig. 3, the above S1011 may be implemented by S201 to S205:
S201, the node $ECU_1$ generates a ciphertext $C_1$ from the random number $R_1$, the preset key $K_{pre,l}$ corresponding to the message of the target type, and the ID of the node $ECU_1$, and sends the ciphertext $C_1$ to the bus, where $C_1 = F_{enc}(K_{pre,l}, R_1 \| EID_1)$, $EID_1$ is the ID of the node $ECU_1$, "$\|$" denotes concatenation, $F_{enc}()$ denotes the function that performs the encryption operation, $R_1$ is a random number generated by the node $ECU_1$, and the subscript $l$ in $K_{pre,l}$ indicates that the target type is the $l$-th of the plurality of preset types.
For example, the Ascon algorithm can be used for encryption; an encryption algorithm such as DES, IDEA or Blowfish can also be used.
S202, the node $ECU_2$ generates a ciphertext $C_2$ from the random number $R_2$, the preset key $K_{pre,l}$ corresponding to the message of the target type, and the ID of the node $ECU_2$, and sends the ciphertext $C_2$ to the bus, where $C_2 = F_{enc}(K_{pre,l}, R_2 \| EID_2)$, $EID_2$ is the ID of the node $ECU_2$, and $R_2$ is a random number generated by the node $ECU_2$.
S203, the node $ECU_1$ decrypts the received ciphertext $C_2$ with the preset key $K_{pre,l}$ corresponding to the message of the target type to obtain the random number $R_2$, calculates a session key from the random numbers $R_1$ and $R_2$, uses the session key to calculate a verification code of the random number $R_1$, and sends the verification code to the bus, where the session key is $K_{sess,l} = F_{kdf}(R_1 \| R_2)$, $F_{kdf}()$ denotes a one-way function for key derivation, the verification code of the random number $R_1$ is $AUTH_1 = F_{mac}(K_{sess,l}, R_1)$, and $F_{mac}()$ denotes a message authentication function for generating a message verification code.
For example, the Ascon-MAC algorithm may be used for message authentication; message authentication algorithms such as CMAC or Poly1305 may also be used.
S204, the node $ECU_2$ decrypts the received ciphertext $C_1$ with the preset key $K_{pre,l}$ corresponding to the message of the target type to obtain the random number $R_1$, calculates the session key $K_{sess,l}$ from the random numbers $R_1$ and $R_2$, and verifies the received verification code of the random number $R_1$ with the session key $K_{sess,l}$; when verification passes, session negotiation is successful, and the node $ECU_2$ calculates the verification code of the random number $R_2$ and sends it to the bus, where the verification code of the random number $R_2$ is $AUTH_2 = F_{mac}(K_{sess,l}, R_2)$.
Here, when verifying the received verification code of the random number $R_1$, $ECU_2$ regenerates the verification code of $R_1$ from the session key $K_{sess,l}$, $R_1$ and $F_{mac}()$; verification passes when the regenerated verification code of $R_1$ is identical to the received one.
S205, the node $ECU_1$ verifies the received verification code of the random number $R_2$ with the session key $K_{sess,l}$; when verification passes, session negotiation is successful.
Here, S205 is the same as the verification principle in S204 described above, and will not be described here.
Specifically, the gateway node is $ECU_m$; as shown in fig. 4, S1012 may be implemented by S301 to S305:
S301, the gateway node $ECU_m$ generates a ciphertext $C_m$ from the random number $R_m$, the preset key $K_{pre,l}$ corresponding to the message of the target type, and the ID of the gateway node $ECU_m$, and sends the ciphertext $C_m$ to the bus, where $C_m = F_{enc}(K_{pre,l}, R_m \| EID_m)$ and $EID_m$ is the ID of the gateway node $ECU_m$.
S302, each node $ECU_i$ of the n nodes decrypts the received $C_m$ to obtain the random number $R_m$, generates a ciphertext $C_i$ from the random number $R_i$, the preset key $K_{pre,l}$ corresponding to the message of the target type, and its own ID, and sends the ciphertext $C_i$ to the bus, where $C_i = F_{enc}(K_{pre,l}, R_i \| EID_i)$, $EID_i$ is the ID of the node $ECU_i$, and $i = 1, 2, \ldots, n$.
S303, the gateway node $ECU_m$ decrypts the received ciphertexts $C_i$ of the n nodes, calculates the session key $K_{sess,l}$ from the decryption results, encrypts the session key with the preset key $K_{pre,l}$ corresponding to the message of the target type to generate a key ciphertext $C_k$, uses the session key to compute the verification code $AUTH_m$ of the random number $R_m$, and sends the key ciphertext $C_k$ and the verification code of the random number $R_m$ to the bus. Decrypting the n received ciphertexts $C_i$ yields n random numbers in one-to-one correspondence with the n nodes, namely $R_1$ to $R_n$; the session key is $K_{sess,l} = F_{kdf}(R_m \| R_1 \| R_2 \| \ldots \| R_n)$, the key ciphertext is $C_k = F_{enc}(K_{pre,l}, K_{sess,l})$, and the verification code of the random number $R_m$ is $AUTH_m = F_{mac}(K_{sess,l}, R_m)$.
S304, each node $ECU_i$ decrypts the received key ciphertext $C_k$ to obtain the session key $K_{sess,l}$, and verifies the received verification code $AUTH_m$ of the random number $R_m$ using the session key $K_{sess,l}$ and the random number $R_m$; when verification passes, session negotiation is successful, and the node uses the session key to calculate the verification code of the random number $R_i$ and sends it to the bus, where the verification code of the random number $R_i$ is $AUTH_i = F_{mac}(K_{sess,l}, R_i)$.
Here, S304 follows the same verification principle as S204 described above, which is not repeated here.
S305, the gateway node $ECU_m$ verifies the verification code of the random number $R_i$ with the session key $K_{sess,l}$; when verification passes, session negotiation is successful.
Here, S305 is the same as the verification principle in S204 described above, and will not be described here.
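The two negotiations described in S201 to S205 and S301 to S305, as an added Python example that is not code from the patent. $F_{enc}$, $F_{kdf}$ and $F_{mac}$ are replaced by standard-library stand-ins (a SHAKE-128 keystream, SHA-256 and truncated HMAC-SHA256) rather than Ascon; the 8-byte random numbers, 1-byte node IDs, the gateway ID 0xFF and the names `Node`, `two_node_handshake` and `group_handshake` are assumptions.

```python
import hashlib
import hmac
import os

R_LEN = 8  # assumed length of each random number R_i in bytes


def f_kdf(material: bytes) -> bytes:
    # Stand-in for F_kdf: SHA-256 truncated to a 128-bit session key.
    return hashlib.sha256(b"kdf|" + material).digest()[:16]


def f_mac(key: bytes, msg: bytes) -> bytes:
    # Stand-in for F_mac: HMAC-SHA256 truncated to 64 bits.
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_128(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def f_enc(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for F_enc: demonstration stream cipher only, not for production.
    nonce = os.urandom(8)
    return nonce + _xor_stream(key, nonce, plaintext)


def f_dec(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_stream(key, ciphertext[:8], ciphertext[8:])


class Node:
    def __init__(self, eid: int, k_pre: bytes):
        self.eid = bytes([eid])       # EID_i
        self.k_pre = k_pre            # K_pre,l
        self.r = os.urandom(R_LEN)    # R_i
        self.k_sess = b""             # K_sess,l once negotiated

    def hello(self) -> bytes:
        # C_i = F_enc(K_pre,l, R_i || EID_i)
        return f_enc(self.k_pre, self.r + self.eid)

    def open_hello(self, c: bytes) -> bytes:
        # Recover the peer's random number from its ciphertext.
        return f_dec(self.k_pre, c)[:R_LEN]

    def auth(self) -> bytes:
        # AUTH_i = F_mac(K_sess,l, R_i)
        return f_mac(self.k_sess, self.r)

    def check(self, tag: bytes, peer_r: bytes) -> bool:
        # Regenerate the peer's verification code and compare in constant time.
        return hmac.compare_digest(tag, f_mac(self.k_sess, peer_r))


def two_node_handshake(k_pre_1: bytes, k_pre_2: bytes) -> bool:
    ecu1, ecu2 = Node(1, k_pre_1), Node(2, k_pre_2)
    c1, c2 = ecu1.hello(), ecu2.hello()              # S201, S202
    r2_seen = ecu1.open_hello(c2)                    # S203
    ecu1.k_sess = f_kdf(ecu1.r + r2_seen)
    auth1 = ecu1.auth()
    r1_seen = ecu2.open_hello(c1)                    # S204
    ecu2.k_sess = f_kdf(r1_seen + ecu2.r)
    if not ecu2.check(auth1, r1_seen):
        return False                                 # negotiation stops here
    auth2 = ecu2.auth()
    return ecu1.check(auth2, r2_seen)                # S205


def group_handshake(k_pre: bytes, n: int, rogue_key: bytes = None) -> list:
    gw = Node(0xFF, k_pre)
    nodes = [Node(i, k_pre) for i in range(1, n + 1)]
    if rogue_key is not None:
        nodes[-1].k_pre = rogue_key   # constructed case: last node lacks K_pre,l
    c_m = gw.hello()                                  # S301
    c_list = [nd.hello() for nd in nodes]             # S302
    r_seen = [gw.open_hello(c) for c in c_list]       # S303
    gw.k_sess = f_kdf(gw.r + b"".join(r_seen))
    c_k, auth_m = f_enc(k_pre, gw.k_sess), gw.auth()
    results = []
    for nd, r_i in zip(nodes, r_seen):
        r_m = nd.open_hello(c_m)
        nd.k_sess = f_dec(nd.k_pre, c_k)              # S304
        ok = nd.check(auth_m, r_m)
        results.append(ok and gw.check(nd.auth(), r_i))  # S305
    return results


if __name__ == "__main__":
    key = bytes(range(16))  # constructed preset key
    print(two_node_handshake(key, key), group_handshake(key, 3))
```

A node holding a different preset key recovers a different random number and session key, so its verification code check fails and negotiation stops at S204 or S304.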
In some embodiments, the bus message frame includes a first bus message frame and a second bus message frame; on this basis, the above S102 is implemented by S1021 to S1025:
S1021, a transmitting node of the at least two nodes generates a first bus message frame carrying the data to be transmitted and type information characterizing the security level of the data to be transmitted, based on the data to be transmitted, the ID of the message of the target type, the session key and a target security level selected from a plurality of different security levels.
Specifically, the plurality of different security levels include: no encryption level, verification level, encryption level, and encryption verification level. For example, when the bus is a CAN bus, as shown in fig. 5, each bus message frame includes an 11-bit ID field and a 64-bit data field, where the first 8 bits of the ID field store the ID of the message of the target type, that is, $MID_l$, and the 9th to 11th bits of the ID field store the type information MTYPE and STYPE. For example, when MTYPE has a value of 0 and STYPE has a value of 0, the no encryption level is indicated; when MTYPE has a value of 0 and STYPE has a value of 1, the verification level is indicated; when MTYPE has a value of 0 and STYPE has a value of 2, the encryption level is indicated; when MTYPE has a value of 0 and STYPE has a value of 3, the encryption verification level is indicated; when MTYPE has a value of 1 and STYPE has a value of 3, the data field of the bus message frame carrying these values is the verification code of the data field of the preceding bus message frame, and is used to perform message authentication on that preceding bus message frame.
Specifically, S1021 is implemented by any one of the following four ways:
1) When the target security level is the no encryption level, the sending node puts the plaintext PM of the data to be sent into the data field of the message frame, and puts the ID of the message of the target type and the type information characterizing the no encryption level into the ID field of the message frame, to obtain the first bus message frame. For example, when the target security level is the no encryption level and the bus is a CAN bus, a schematic diagram of the generated first bus message frame is shown in fig. 6: the first 8 bits of the ID field store the ID of the message of the target type, that is, $MID_l$, the 9th bit stores the type information MTYPE, and the 10th to 11th bits store the type information STYPE, where STYPE has a value of 0 and MTYPE has a value of 0 to indicate that no operation is performed on the plaintext PM, and the 64 bits of the data field are the plaintext PM of the data to be transmitted.
2) When the target security level is the verification level, the sending node generates the verification code $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ of the data to be sent from the current value $CTR_l$ of its counter for the message of the target type, the session key $K_{sess,l}$ and the plaintext PM of the data to be sent, places the verification code $AUTH_{PM}$ and the plaintext PM of the data to be sent in the data field of the message frame, and places the ID of the message of the target type and the type information characterizing the verification level in the ID field of the message frame, to obtain the first bus message frame. For example, when the target security level is the verification level and the bus is a CAN bus, a schematic diagram of the generated first bus message frame is shown in fig. 7: the first 8 bits of the ID field store the ID of the message of the target type, that is, $MID_l$, the 9th bit stores the type information MTYPE, and the 10th to 11th bits store the type information STYPE, where STYPE has a value of 1 and MTYPE has a value of 0 to indicate that only message authentication is performed on the plaintext PM; the first 8 bits of the data field are $AUTH_{PM}$, and the remaining bits of the data field are the plaintext PM of the data to be transmitted.
3) When the target security level is the encryption level, the sending node encrypts the plaintext PM of the data to be sent with the session key $K_{sess,l}$ to generate the ciphertext $CM' = F_{enc}(K_{sess,l}, PM)$, places the ciphertext $CM'$ in the data field of the message frame, and places the ID of the message of the target type and the type information characterizing the encryption level in the ID field of the message frame, to obtain the first bus message frame. For example, when the target security level is the encryption level and the bus is a CAN bus, a schematic diagram of the generated first bus message frame is shown in fig. 8: the first 8 bits of the ID field store the ID of the message of the target type, that is, $MID_l$, the 9th bit stores the type information MTYPE, and the 10th to 11th bits store the type information STYPE, where STYPE has a value of 2 and MTYPE has a value of 0 to indicate that the plaintext PM is only encrypted; the data field is the ciphertext $CM'$.
4) When the target security level is the encryption verification level, the transmitting node generates the verification code $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ of the data to be transmitted from the current value $CTR_l$ of its counter for the message of the target type, the session key $K_{sess,l}$ and the plaintext PM of the data to be transmitted, encrypts the verification code $AUTH_{PM}$ together with the plaintext PM using the session key $K_{sess,l}$ to generate the ciphertext $CM'' = F_{enc}(K_{sess,l}, AUTH_{PM} \| PM)$, places the ciphertext $CM''$ in the data field of the message frame, and places the ID of the message of the target type and the type information characterizing the encryption verification level in the ID field of the message frame, to obtain the first bus message frame. For example, when the target security level is the encryption verification level and the bus is a CAN bus, a schematic diagram of the generated first bus message frame is shown in fig. 9: the first 8 bits of the ID field store the ID of the message of the target type, that is, $MID_l$, the 9th bit stores the type information MTYPE, and the 10th to 11th bits store the type information STYPE, where STYPE has a value of 3 and MTYPE has a value of 0 to indicate that the plaintext PM is both encrypted and authenticated, with the verification code of the plaintext PM encrypted together with the plaintext PM; the data field is the ciphertext $CM''$.
S1022, after sending the first bus message frame to the bus, the sending node adds one to the current value of its counter for the message of the target type, obtaining the updated current value of the counter for the message of the target type.
S1023, the sending node determines whether the current load rate of the bus is smaller than a preset threshold and, if so, calculates a verification code of the data field of the first bus message frame based on the session key $K_{sess,l}$ and the updated current value $CTR_l$ of the counter for the message of the target type; the load rate characterizes how busy the bus is.
Specifically, the case of calculating the verification code of the data field of the first bus message frame also includes four cases:
1) When the data field of the first bus message frame is the plaintext PM of the data to be transmitted, the verification code of the data field of the first bus message frame is auth=f mac(Ksess,l||CTRl, PM).
2) When the data field of the first bus message frame is the AUTH code AUTH PM=Fmac(Ksess,l||CTRl, PM) of the plaintext PM of the data to be transmitted and the plaintext PM of the data to be transmitted, the AUTH code of the data field of the first bus message frame is auth=f mac(Ksess,l||CTRl,AUTHPM ||pm.
3) When the data field of the first bus message frame is ciphertext CM '=f enc(Ksess,l, PM), the authentication code of the data field of the first bus message frame is auth=f mac(Ksess,l||CTRl, CM').
4) When the data field of the first bus message frame is CM "=f enc(Ksess,l,AUTHPM ||pm), the authentication code of the data field of the first bus message frame is auth=f mac(Ksess,l||CTRl, CM").
S1024, the sending node generates a second bus message frame according to the verification code of the data field of the first bus message frame, the ID of the target type message and the type information used for representing the effect of the verification code of the data field of the first bus message frame, and sends the second bus message frame to the bus.
Specifically, the transmitting node puts the verification code AUTH of the data field of the first bus message frame into the data field of the message frame, and puts the ID of the target type message, the type information MTYPE used for representing the role of the verification code AUTH of the data field of the first bus message frame, and the type information STYPE into the ID field of the message frame, so as to obtain the second bus message frame. For example, when the bus is a CAN bus, the generated second bus message frame is shown schematically in Fig. 10: the first 8 bits of the ID field store the ID of the target type message, that is, $MID_l$, the 9th bit stores the type information MTYPE, and the 10th to 11th bits store the type information STYPE. Here STYPE is 3 and MTYPE is 1, indicating that the data stored in the data field of this message frame is the verification code of the data field of the first bus message frame and is used to perform message authentication on the first bus message frame.
S1025, after the sending node sends the second bus message frame to the bus, the updated current value of the counter of the message of the target type is increased by one, and the second updated current value of the counter of the message of the target type is obtained.
In some embodiments, S103 is implemented by:
S1031, when the receiving node receives the first bus message frame, processing the first bus message frame according to the security level of the data to be sent, the session key, and the current value of the counter of the receiving node for the target type message, which are represented by the type information in the first bus message frame, and at least part of the four data, so as to obtain the plaintext data sent by the sending node.
Here, whether the bus message frame is the first bus message frame or the second bus message frame may be identified according to the type information carried in the bus message frame.
Specifically, the case where the receiving node processes the first bus message frame includes the following four cases:
1) When the security level of the data to be transmitted, as characterized by the type information in the first bus message frame, is the encryption-free level, the data in the data field of the first bus message frame is taken out directly as the plaintext data transmitted by the transmitting node.
2) When the security level of the data to be transmitted, as characterized by the type information in the first bus message frame, is the verification level, the verification code $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ of the data to be transmitted and the plaintext PM of the data to be transmitted are taken out of the first bus message frame, and the verification code of PM is recalculated from the session key $K_{sess,l}$, the current value $CTR_l$ of the receiving node's counter for the message of the target type, and PM. When the recalculated verification code is consistent with the verification code taken out of the first bus message frame, the obtained plaintext PM of the data to be transmitted is taken as the plaintext data transmitted by the transmitting node.
3) When the security level of the data to be transmitted, as characterized by the type information in the first bus message frame, is the encryption level, the ciphertext $CM' = F_{enc}(K_{sess,l}, PM)$ is taken out of the first bus message frame and decrypted with the session key $K_{sess,l}$ to obtain the plaintext $PM = F_{dec}(K_{sess,l}, CM')$, which is taken as the plaintext data transmitted by the transmitting node.
4) When the security level of the data to be transmitted, as characterized by the type information in the first bus message frame, is the encryption verification level, the ciphertext $CM'' = F_{enc}(K_{sess,l}, AUTH_{PM} \| PM)$ is taken out of the first bus message frame and decrypted with the session key $K_{sess,l}$ to obtain $AUTH_{PM} \| PM = F_{dec}(K_{sess,l}, CM'')$, and PM is obtained from the decrypted $AUTH_{PM} \| PM$. Then $XAUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ is recalculated from the current value $CTR_l$ of the receiving node's counter for the message of the target type, PM, and the session key $K_{sess,l}$. When $XAUTH_{PM}$ is the same as $AUTH_{PM}$, the verification $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ passes, and the obtained plaintext PM is taken as the plaintext data transmitted by the transmitting node; otherwise, the verification fails and the process ends.
S1032, after obtaining the plaintext data sent by the sending node, the receiving node adds one to the current value of the counter of the message aiming at the target type, and obtains the updated current value of the counter of the message aiming at the target type.
S1033, when the receiving node receives the second bus message frame, it performs message authentication on the first bus message frame that immediately preceded the second bus message frame, according to the data in the data field of the second bus message frame; when the authentication passes, it adds one to the updated current value of its counter for the message of the target type to obtain the current value of the counter for the message of the target type after the second update.
Specifically, the receiving node checks the values of STYPE and MTYPE in the ID field of the second bus message frame, and if MTYPE has a value of 1 and STYPE has a value of 3, extracts AUTH from the data field of the second bus message frame and, according to the above-mentioned method obtained in S1031, the current value $CTR_l$ of the receiving node's own counter for the message of the target class, and the session key $K_{sess,l}$, recalculates $XAUTH = F_{mac}(K_{sess,l} \| CTR_l, T)$. When XAUTH is the same as the AUTH acquired from the data field of the second bus message frame, the message authentication of the first bus message frame before the second bus message frame has passed; otherwise, the authentication has not passed, a warning message is sent out, and the flow ends.
In some embodiments, the in-vehicle network system further includes a dedicated node, and step S103 may be performed by the dedicated node: the bus message frames transmitted between any pair of sending and receiving nodes are also delivered to the dedicated node, and when the dedicated node receives the second bus message frame, it performs message authentication on the first bus message frame preceding the received second bus message frame by performing step S103, and raises an alarm when the authentication fails.
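The sender steps S1022 to S1025 and the receiver steps S1031 to S1033 can be traced in the following added example, which is not code from the patent and covers only the encryption level (STYPE 2) and the encryption verification level (STYPE 3). Assumptions of the example: truncated HMAC-SHA256 stands in for $F_{mac}$, an HMAC-derived keystream using $CTR_l$ as nonce stands in for $F_{enc}$/$F_{dec}$ (the text names Ascon), the tag lengths are 4 and 8 bytes, the ID field is packed most significant bit first, and the message ID 0x2A and the key are constructed sample values.

```python
import hashlib
import hmac

# Values given in the text: STYPE 2 = encryption level, STYPE 3 = encryption
# verification level; MTYPE 0 = first (data) frame, MTYPE 1 = second frame.
STYPE_ENC, STYPE_ENC_VERIFY = 2, 3
MTYPE_DATA, MTYPE_AUTH = 0, 1
# Assumptions of this example: tag lengths, 4-byte counter, MSB-first ID packing.
AUTH_PM_LEN, AUTH_LEN, CAN_DATA_MAX = 4, 8, 8


def pack_id(mid, mtype, stype):
    """11-bit ID field: MID_l (8 bits) | MTYPE (1 bit) | STYPE (2 bits)."""
    return ((mid & 0xFF) << 3) | ((mtype & 1) << 2) | (stype & 3)


def unpack_id(can_id):
    return (can_id >> 3) & 0xFF, (can_id >> 2) & 1, can_id & 3


def f_mac(k_sess, ctr, data, length):
    """Stand-in for F_mac(K_sess,l || CTR_l, data): truncated HMAC-SHA256."""
    key = k_sess + ctr.to_bytes(4, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


def f_enc(k_sess, ctr, data):
    """Stand-in for F_enc and F_dec: XOR keystream with CTR_l as nonce (assumed)."""
    stream = hmac.new(k_sess, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    def __init__(self, mid, k_sess, load_threshold=0.5):
        self.mid, self.k, self.threshold, self.ctr = mid, k_sess, load_threshold, 0

    def send(self, pm, stype, bus_load):
        """Return the (can_id, data) frames put on the bus for plaintext PM."""
        if stype == STYPE_ENC_VERIFY:
            auth_pm = f_mac(self.k, self.ctr, pm, AUTH_PM_LEN)
            data = f_enc(self.k, self.ctr, auth_pm + pm)      # CM''
        elif stype == STYPE_ENC:
            data = f_enc(self.k, self.ctr, pm)                # CM'
        else:
            raise ValueError("security level not covered by this example")
        if len(data) > CAN_DATA_MAX:
            raise ValueError("payload does not fit one CAN data field")
        frames = [(pack_id(self.mid, MTYPE_DATA, stype), data)]
        self.ctr += 1                                         # S1022
        if bus_load < self.threshold:                         # S1023
            auth = f_mac(self.k, self.ctr, data, AUTH_LEN)
            second_id = pack_id(self.mid, MTYPE_AUTH, STYPE_ENC_VERIFY)
            frames.append((second_id, auth))                  # S1024
            self.ctr += 1                                     # S1025
        return frames


class Receiver:
    def __init__(self, mid, k_sess):
        self.mid, self.k, self.ctr, self.last_data = mid, k_sess, 0, None

    def receive(self, can_id, data):
        """Return PM for a first frame, None for a verified second frame."""
        mid, mtype, stype = unpack_id(can_id)
        if mid != self.mid:
            raise ValueError("message ID not subscribed")
        if mtype == MTYPE_AUTH:                               # S1033
            if stype != STYPE_ENC_VERIFY or self.last_data is None:
                raise ValueError("unexpected second frame")
            xauth = f_mac(self.k, self.ctr, self.last_data, AUTH_LEN)
            if not hmac.compare_digest(xauth, data):
                raise ValueError("second-frame authentication failed")
            self.last_data = None
            self.ctr += 1
            return None
        if stype == STYPE_ENC_VERIFY:                         # S1031, case 4
            plain = f_enc(self.k, self.ctr, data)
            auth_pm, pm = plain[:AUTH_PM_LEN], plain[AUTH_PM_LEN:]
            xauth_pm = f_mac(self.k, self.ctr, pm, AUTH_PM_LEN)
            if not hmac.compare_digest(xauth_pm, auth_pm):
                raise ValueError("AUTH_PM verification failed")
        elif stype == STYPE_ENC:                              # S1031, case 3
            pm = f_enc(self.k, self.ctr, data)
        else:
            raise ValueError("security level not covered by this example")
        self.last_data = data
        self.ctr += 1                                         # S1032
        return pm


if __name__ == "__main__":
    key = bytes(range(16))              # constructed sample session key
    tx, rx = Sender(0x2A, key), Receiver(0x2A, key)
    for can_id, data in tx.send(b"\x10\x27\x00\x01", STYPE_ENC_VERIFY, bus_load=0.2):
        print(hex(can_id), data.hex(), rx.receive(can_id, data))
```

When the bus load is at or above the threshold no second frame is sent, so both counters advance by one instead of two and stay aligned; a frame that fails verification leaves the receiver's counter unchanged.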
The beneficial effects of the invention are as follows:
(1) The invention provides a lightweight node identity authentication and hierarchical encryption and decryption scheme aiming at the characteristics of limited ECU node resources, short message length of a CAN bus network, lack of effective safety measures and the like in an in-vehicle network scene. After the automobile is started, the node identity authentication and key negotiation are carried out according to the subscribed message ID through the preset key configured in the ECU, and only the hash and symmetric encryption and decryption operations are needed, so that the calculation cost and the storage cost of the ECU node are reduced, and the efficiency of the node identity authentication in the automobile is improved.
(2) Aiming at the problem of CAN bus message transmission in the vehicle interior, the invention flexibly selects different security levels according to the calculation power of the ECU, the bus load condition and the requirements of the messages on security measures by setting a plurality of messages with different security levels in a hierarchical encryption sending stage and a receiving and decryption verification stage, meets different security requirements, simultaneously considers calculation and communication expenditure, and improves the efficiency of transmitting the messages after the security measures are introduced.
(3) Under the condition of limited resources, the invention can support confidentiality, integrity and non-repudiation protection of the information while considering efficiency, and balances security and efficiency.
(4) The invention has higher compatibility, and can be introduced into existing equipment because it observes the standard CAN bus protocol while introducing security measures. The existing CAN bus hardware equipment can be utilized, and the key negotiation and hierarchical encryption and decryption functions can be supported through minor changes (such as adding or updating part of the software and firmware). In this way, the vehicle manufacturer can introduce the scheme into existing vehicles more conveniently and improve communication security among the nodes in the vehicle, without large-scale hardware replacement and redesign. This reduces the cost of introducing the scheme and the influence of the transformation process on the production and operation of the vehicle, while maintaining the existing compatibility and stability.
(6) The invention is based on the CAN bus design but is not limited to the CAN bus network; it can be adapted to other in-vehicle networks such as LIN, MOST and FlexRay with only simple modification, and the scheme can be extended to support more and stronger security measures as hardware performance improves.
Security analysis of the present invention:
(1) Mutual authentication and key agreement: in the session key negotiation stage of the proposed scheme, mutual authentication and key negotiation between two nodes, or between a gateway node and other nodes, are realized through the preset key $K_{pre,l}$ shared between the ECU nodes subscribing to the message $MID_l$. Specifically, during a two-node key negotiation, $ECU_1$ encrypts the random number $R_1$ and $EID_1$ using the preset key $K_{pre,l}$ and sends the result to $ECU_2$; $ECU_2$ does the same. $ECU_1$ and $ECU_2$ then perform key derivation in the same manner, generating the same session key $K_{sess,l}$. $ECU_1$ uses the random number $R_1$ and the session key to calculate $AUTH_1$, and $ECU_2$ performs the same calculation to verify the identity of $ECU_1$. In turn, $ECU_1$ verifies the identity of $ECU_2$ in the same manner. Key negotiation among three or more nodes follows a similar idea, except that mutual authentication is performed between the gateway node $ECU_m$ and each remaining node $ECU_i$. Thus, mutual authentication and key agreement can be achieved between ECU nodes or between the gateway node and other nodes.
(2) Key confirmation: in the two-node session key negotiation phase, the nodes $ECU_1$ and $ECU_2$ subscribing to the message $MID_l$ perform key derivation through the same steps to generate the session key $K_{sess,l}$. $ECU_1$ calculates $AUTH_1$ using the random number $R_1$ and the session key, and $ECU_2$ performs the same calculation to verify the authentication message of $ECU_1$. In turn, $ECU_1$ verifies the authentication message $AUTH_2$ of $ECU_2$ in the same manner, confirming that the session keys calculated by both parties are identical. In key negotiations among three or more nodes, the key confirmation is similarly performed between the gateway node $ECU_m$ and each remaining node $ECU_i$. Thus, the proposed solution achieves key confirmation.
(3) Confidentiality: in the message sending and receiving stage of the scheme, when the encryption level or the encryption verification level is used, the Ascon algorithm is used to encrypt and decrypt the transmitted data, and confidentiality is ensured by the corresponding encryption and decryption algorithm.
(4) Integrity and non-repudiation: in the message transmitting and receiving stages of the present scheme, when the sender sends the plaintext PM, the verification code $AUTH_{PM}$ for the plaintext is generated at the same time and sent to the receiver together with it. The receiver uses the same key to verify that $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$, which ensures the integrity of the plaintext and the reliability of its source. For the ciphertext $CM'$ or $CM''$, the sender sends the verification code $AUTH_{CM}$ for the ciphertext to the receiver after sending $CM'$ or $CM''$. The receiver uses the same key to verify that $AUTH_{CM'} = F_{mac}(K_{sess,l} \| CTR_l, CM')$ or $AUTH_{CM''} = F_{mac}(K_{sess,l} \| CTR_l, CM'')$, which ensures the integrity of the ciphertext and the reliability of its source. After the verification succeeds, the sender cannot deny the fact that the message has been sent.
(5) Anti-replay attack: in the message sending and receiving phases of the present scheme, the sender maintains a counter $CTR_l$ when sending messages, which is used to calculate the verification code $AUTH_{PM}$ for plaintext and the verification code $AUTH_{CM'}$ or $AUTH_{CM''}$ for ciphertext. When a replay attack is encountered and $AUTH_{PM} = F_{mac}(K_{sess,l} \| CTR_l, PM)$ and $AUTH_{CM'}$ or $AUTH_{CM''}$ are verified, the value of the counter $CTR_l$ has already changed, so the calculated $AUTH_{PM}$ and $AUTH_{CM'}$ or $AUTH_{CM''}$ are inconsistent with the received ones, and the replay attack is therefore resisted.
It should be noted that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features. In the description of the present invention, "a plurality" means two or more, unless explicitly defined otherwise.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Further, one skilled in the art can join and combine the different embodiments or examples described in this specification.
In the description, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality. Some measures are described in mutually different embodiments, but this does not mean that these measures cannot be combined to produce a good effect.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (10)

1. An in-car network lightweight node identity authentication and hierarchical encryption and decryption method is characterized by comprising the following steps:
when a message of a target type needs to be transmitted between at least two nodes, the at least two nodes perform identity authentication and key negotiation through bus communication and a symmetric encryption and decryption mode based on the ID of the at least two nodes, the ID of the message of the target type and a preset key corresponding to the message of the target type, so as to obtain a session key aiming at the message of the target type; each node stores preset keys corresponding to a plurality of messages of preset types; each node has a counter for each preset type of message;
A transmitting node of the at least two nodes generates a bus message frame based on data to be transmitted, an ID of the message of the target class, the session key, a target security level selected from a plurality of different security levels, a current value of a counter of the transmitting node for the message of the target class, a current load factor of the bus, at least part of the six data, and transmits the bus message frame to the bus; the bus message frame contains type information; the type information characterizes the security level of the data to be sent or the effect of the data carried in the bus message frame;
And the receiving node in the at least two nodes analyzes the received bus message frame according to the ID of the message of the target type, the session key and the current value of the counter of the receiving node aiming at the message of the target type, and at least part of the three data so as to realize safe communication.
2. The method for authenticating and grading encryption and decryption of lightweight nodes in an in-vehicle network according to claim 1, wherein the at least two nodes are communicatively connected with a gateway node; when a message of a target type needs to be transmitted between the at least two nodes, the at least two nodes perform identity authentication and key negotiation through a bus communication and a symmetric encryption and decryption mode based on an ID of the at least two nodes, an ID of the message of the target type and a preset key corresponding to the message of the target type to obtain a session key aiming at the message of the target type, and the method comprises the following steps:
when a message of a target type needs to be transmitted between two nodes, the two nodes carry out identity authentication and key negotiation through a bus communication and a symmetric encryption and decryption mode based on the ID of the two nodes, the ID of the message of the target type and a preset key corresponding to the message of the target type, so as to obtain a session key aiming at the message of the target type;
When n nodes need to transmit a message of a target type, the n nodes and the gateway node perform identity authentication and key negotiation through bus communication and a symmetric encryption and decryption mode based on own ID, the ID of the message of the target type and a preset key corresponding to the message of the target type to obtain a session key aiming at the message of the target type; n is an integer greater than or equal to 3.
3. The method for authenticating and classifying and decrypting the identity of the lightweight node in the vehicle interior according to claim 2, wherein the two nodes comprise a node $ECU_1$ and a node $ECU_2$; the two nodes perform identity authentication and key negotiation in a bus communication and symmetric encryption and decryption mode based on the ID of the two nodes, the ID of the message of the target type and a preset key corresponding to the message of the target type to obtain a session key aiming at the message of the target type, and the method comprises the following steps:
The node $ECU_1$ generates a ciphertext $C_1$ according to the random number $R_1$, a preset key corresponding to the target type message, and the ID of the node $ECU_1$, and sends the ciphertext $C_1$ to the bus;
the node $ECU_2$ generates a ciphertext $C_2$ according to the random number $R_2$, a preset key corresponding to the target type message, and the ID of the node $ECU_2$, and sends the ciphertext $C_2$ to the bus;
The node $ECU_1$ decrypts the received ciphertext $C_2$ by using a preset key corresponding to the target type of message to obtain the random number $R_2$, calculates a session key according to the random number $R_2$ and the random number $R_1$, calculates a verification code of the random number $R_1$ by using the session key, and sends the verification code to the bus;
The node $ECU_2$ adopts a preset key corresponding to the target type of message to decrypt the received ciphertext $C_1$ to obtain the random number $R_1$, calculates a session key according to the random number $R_1$ and the random number $R_2$, verifies the received verification code of the random number $R_1$ by adopting the session key, indicates successful session negotiation when verification passes, calculates a verification code of the random number $R_2$ and sends the verification code to the bus;
The node $ECU_1$ verifies the received verification code of the random number $R_2$ by using the session key, and indicates that session negotiation is successful when verification passes.
4. The method for authenticating and grading encryption/decryption of lightweight nodes in an in-vehicle network according to claim 2, wherein the n nodes and the gateway node perform authentication and key negotiation by bus communication and symmetric encryption/decryption based on their own ID, the ID of the message of the target class, and a preset key corresponding to the message of the target class, to obtain a session key for the message of the target class, including:
The gateway node $ECU_m$ generates a ciphertext $C_m$ according to the random number $R_m$, a preset key corresponding to the target type message, and the ID of the gateway node $ECU_m$, and sends the ciphertext $C_m$ to the bus;
Each node $ECU_i$ in the n nodes decrypts the received $C_m$ to obtain the random number $R_m$, generates a ciphertext $C_i$ according to the random number $R_i$, a preset key corresponding to the target type message, and the ID of the node $ECU_i$ itself, and sends the ciphertext $C_i$ to the bus;
The gateway node $ECU_m$ decrypts the ciphertext $C_i$ of the n nodes received, calculates a session key according to the decryption result, encrypts the session key according to a preset key corresponding to the target type of message, generates a key ciphertext $C_k$, encrypts the random number $R_m$ by using the session key to obtain a verification code of the random number $R_m$, and sends the key ciphertext $C_k$ and the verification code of the random number $R_m$ to the bus;
Each node $ECU_i$ decrypts the received key ciphertext $C_k$ to obtain the session key, verifies the received verification code of the random number $R_m$ according to the session key and the random number $R_m$, indicates that session negotiation is successful when verification is passed, calculates the verification code of the random number $R_i$ by using the session key, and sends the verification code to the bus;
The gateway node $ECU_m$ uses the session key to verify the verification code of the random number $R_i$, and indicates that session negotiation is successful when verification passes.
5. The method for authenticating and grading encryption/decryption of lightweight nodes in an in-vehicle network according to claim 1, wherein the bus message frame comprises: a first bus message frame and a second bus message frame; a transmitting node of the at least two nodes generates a bus message frame based on at least part of data among the six data to be transmitted, an ID of the message of the target class, the session key, a target security level selected from a plurality of different security levels, a current value of a counter of the transmitting node for the message of the target class, and a current load factor of the bus, and transmits the bus message frame to the bus, including:
A transmitting node in the at least two nodes generates the first bus message frame carrying the data to be transmitted and type information for representing the security level of the data to be transmitted based on the data to be transmitted, the ID of the message of the target type, the session key and a target security level selected from a plurality of different security levels; wherein each bus message frame includes an ID field and a data field;
after the sending node sends the first bus message frame to the bus, adding one to the current value of the counter of the message aiming at the target type, so as to obtain the updated current value of the counter of the message aiming at the target type;
The sending node determines whether the current load rate of the bus is smaller than a preset threshold value, if yes, based on the session key and the updated current value of a counter of the message aiming at the target type, calculating a verification code of a data field of the first bus message frame;
The sending node generates the second bus message frame according to the verification code of the data field of the first bus message frame, the ID of the target type message and the type information used for representing the effect of the verification code of the data field of the first bus message frame, and sends the second bus message frame to the bus; the load rate represents the busyness of the bus;
And after the sending node sends the second bus message frame to the bus, adding one to the updated current value of the counter of the message of the target type to obtain the current value of the counter of the message of the target type after the second updating.
6. The method for authenticating and classifying encryption and decryption of lightweight nodes in an in-vehicle network according to claim 5, wherein the plurality of different security levels comprises: no encryption level, authentication level, encryption authentication level; the target security level is the encryption-free level; a transmitting node of the at least two nodes generates the first bus message frame carrying the data to be transmitted and type information for characterizing a level type of the target security level based on the data to be transmitted, an ID of the message of the target type, the session key, the target security level selected from a plurality of different security levels, including:
the transmitting node of the at least two nodes puts the plaintext of the data to be transmitted into the data field of the message frame;
And placing the ID of the message of the target type and the type information for representing the encryption-free level into an ID field of the message frame to obtain the first bus message frame.
7. The method for authenticating and classifying encryption and decryption of lightweight nodes in an in-vehicle network according to claim 5, wherein the plurality of different security levels comprises: no encryption level, authentication level, encryption authentication level; the target security level is the verification level; a transmitting node of the at least two nodes generates the first bus message frame carrying the data to be transmitted and type information for characterizing a level type of the target security level based on the data to be transmitted, an ID of the message of the target type, the session key, the target security level selected from a plurality of different security levels, including:
The transmitting node in the at least two nodes generates a verification code of the data to be transmitted according to the current value of a counter of the message of the target type, the session key and the plaintext of the data to be transmitted, and both the verification code of the data to be transmitted and the plaintext of the data to be transmitted are put into a data field of a message frame;
And placing the ID of the message of the target type and the type information used for representing the verification level into an ID field of the message frame to obtain the first bus message frame.
8. The method for authenticating and classifying encryption and decryption of lightweight nodes in an in-vehicle network according to claim 5, wherein the plurality of different security levels comprises: no encryption level, authentication level, encryption authentication level; the target security level is the encryption level; a transmitting node of the at least two nodes generates the first bus message frame carrying the data to be transmitted and type information for characterizing a level type of the target security level based on the data to be transmitted, an ID of the message of the target type, the session key, the target security level selected from a plurality of different security levels, including:
the transmitting node in the at least two nodes encrypts plaintext of data to be transmitted by adopting the session key to generate ciphertext $CM'$, and the ciphertext $CM'$ is put into a data field of a message frame;
and placing the ID of the message of the target type and the type information for representing the encryption level into an ID field of the message frame to obtain the first bus message frame.
9. The method for authenticating and classifying encryption and decryption of lightweight nodes in an in-vehicle network according to claim 5, wherein the plurality of different security levels comprises: no encryption level, authentication level, encryption authentication level; the target security level is the encryption verification level; a transmitting node of the at least two nodes generates the first bus message frame carrying the data to be transmitted and type information for characterizing a level type of the target security level based on the data to be transmitted, an ID of the message of the target type, the session key, the target security level selected from a plurality of different security levels, including:
the transmitting node in the at least two nodes generates a verification code of the data to be transmitted according to the current value of a counter of the message of the target type, the session key and the plaintext of the data to be transmitted;
encrypting a plaintext of the data to be transmitted and a verification code of the data to be transmitted by adopting the session key to generate a ciphertext $CM'$ and putting the ciphertext $CM'$ into a data field of a message frame;
and placing the ID of the message of the target type and the type information for representing the encryption verification level into an ID field of the message frame to obtain the first bus message frame.
10. An in-vehicle networking system, the system comprising:
a plurality of ECUs and a gateway ECU, each ECU serving as a node of the system, with different nodes communicating over a bus; each node stores preset keys corresponding to a plurality of preset types of messages; each node has a counter for each preset type of message;
when a message of a target type needs to be transmitted between at least two nodes, the at least two nodes perform key negotiation through bus communication in a symmetric encryption and decryption mode, based on their own IDs, the ID of the message of the target type, and the preset key corresponding to the message of the target type, to obtain a session key for the message of the target type;
a transmitting node of the at least two nodes generates a bus message frame based on at least part of the following six items of data: the data to be transmitted, the ID of the message of the target type, the session key, a target security level selected from a plurality of different security levels, the current value of the transmitting node's counter for the message of the target type, and the current load factor of the bus; and transmits the bus message frame to the bus; the bus message frame contains type information; the type information characterizes the level type of the target security level or the role of the data carried in the bus message frame;
and the receiving node in the at least two nodes parses the received bus message frame according to at least part of the following three items of data: the ID of the message of the target type, the session key, and the current value of the receiving node's counter for the message of the target type, so as to achieve secure communication.
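The following sketch is an added example, not code from the patent: it walks through the encryption verification level of claim 9 on the sending side and the counter-based parsing of claim 10 on the receiving side. The claims do not name the MAC or cipher, so HMAC-SHA256 stands in for both; the 2-bit level code in the low bits of the ID field, the 4-byte verification code, and all function and class names are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed encodings, not taken from the patent: 2-bit level code in the low
# bits of the ID field, and a 4-byte truncated verification code.
LEVEL_ENC_AUTH = 0b11
TAG_LEN = 4

def prf(key, label, msg_id, counter, data=b""):
    """HMAC-SHA256 stand-in; the claims do not name the MAC or cipher."""
    header = label + struct.pack(">IQ", msg_id, counter)
    return hmac.new(key, header + data, hashlib.sha256).digest()

def xor_keystream(key, msg_id, counter, body):
    # Stand-in stream cipher: keystream bound to message ID and counter.
    stream = prf(key, b"enc", msg_id, counter)
    if len(body) > len(stream):
        raise ValueError("body longer than one keystream block")
    return bytes(a ^ b for a, b in zip(body, stream))

def build_frame(key, msg_id, counter, plaintext):
    """Sender: verification code, then encrypt plaintext || code into CM'."""
    code = prf(key, b"mac", msg_id, counter, plaintext)[:TAG_LEN]
    cm = xor_keystream(key, msg_id, counter, plaintext + code)
    return (msg_id << 2) | LEVEL_ENC_AUTH, cm   # (ID field, data field)

class Receiver:
    def __init__(self, key, msg_id):
        self.key, self.msg_id, self.counter = key, msg_id, 0

    def parse(self, id_field, data):
        """Return the plaintext, or None if the frame is rejected."""
        if id_field >> 2 != self.msg_id or id_field & 0b11 != LEVEL_ENC_AUTH:
            return None
        if not TAG_LEN < len(data) <= 32:
            return None
        body = xor_keystream(self.key, self.msg_id, self.counter, data)
        plaintext, code = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = prf(self.key, b"mac", self.msg_id, self.counter, plaintext)[:TAG_LEN]
        if not hmac.compare_digest(code, expected):
            return None            # forged, corrupted, or replayed frame
        self.counter += 1          # advance only on an accepted frame
        return plaintext

if __name__ == "__main__":
    key = bytes(range(16))                       # constructed session key
    rx = Receiver(key, 0x123)                    # constructed message ID
    frame = build_frame(key, 0x123, 0, b"\x01\x02\x03\x04")
    print(rx.parse(*frame), rx.parse(*frame))    # second call is a replay
```

Because the receiver checks the verification code under its own counter value, a captured frame stops verifying once that counter has advanced.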
CN202410243540.6A 2024-03-04 Method and system for authenticating and grading encryption and decryption of lightweight node in vehicle interior network Pending CN118337371A (en)

Publications (1)

Publication Number | Publication Date
CN118337371A (en) | 2024-07-12


Legal Events

Date Code Title Description
PB01 Publication