WO2021109967A1 - 初始配置方法及终端设备 - Google Patents
初始配置方法及终端设备 Download PDFInfo
- Publication number
- WO2021109967A1 WO2021109967A1 PCT/CN2020/132712 CN2020132712W WO2021109967A1 WO 2021109967 A1 WO2021109967 A1 WO 2021109967A1 CN 2020132712 W CN2020132712 W CN 2020132712W WO 2021109967 A1 WO2021109967 A1 WO 2021109967A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- server
- certificate
- digital certificate
- security module
- security
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 113
- 238000004891 communication Methods 0.000 claims description 64
- 238000003860 storage Methods 0.000 claims description 31
- 238000004590 computer program Methods 0.000 claims description 11
- 230000008569 process Effects 0.000 description 41
- 238000004519 manufacturing process Methods 0.000 description 33
- 230000006870 function Effects 0.000 description 22
- 238000005516 engineering process Methods 0.000 description 18
- 230000005540 biological transmission Effects 0.000 description 16
- 238000010586 diagram Methods 0.000 description 16
- 238000012545 processing Methods 0.000 description 15
- 230000003993 interaction Effects 0.000 description 9
- 238000012795 verification Methods 0.000 description 8
- 238000004364 calculation method Methods 0.000 description 5
- 230000001413 cellular effect Effects 0.000 description 4
- 238000009826 distribution Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000011160 research Methods 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 230000009466 transformation Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 241000497429 Obus Species 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000002407 reforming Methods 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/35—Protecting application or service provisioning, e.g. securing SIM application provisioning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/30—Services specially adapted for particular environments, situations or purposes
- H04W4/40—Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/84—Vehicles
Definitions
- the present disclosure relates to the technical field of the field of Internet of Vehicles, and in particular to an initial configuration method and terminal equipment.
- V2X Vehicle-to-Everything
- the online initial security configuration scheme proposed by 5GAA based on the Generic Bootstrapping Architecture avoids the production method of offline filling on the production line and the pre-configuration of X.509 digital certificates, which can save the cost of the security transformation of the production environment of the enterprise.
- the proposed scheme has the problem that the shared session key (Ks_NAF) is exposed outside the secure environment, and faces security risks such as physical attacks.
- the embodiments of the present disclosure provide an initial configuration method and terminal equipment to solve that the session key in the related technology needs to be transmitted between the USIM and HSM of the terminal equipment, so that the session key is transmitted outside the secure environment, and it is easy to be physically transmitted. Security risks such as attacks cannot guarantee the security of the initial configuration.
- an initial configuration method applied to a terminal device including:
- the security module establishes a secure channel with the certificate authority CA server;
- the security module is used to realize the function of the global user identification module USIM.
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the obtaining the digital certificate from the CA server includes:
- the security module generates a cryptographic public-private key pair for EC application
- the EC is obtained from the ECA server.
- the CA server is a registered certificate authority ECA server
- the digital certificate is a registered certificate EC
- the method further includes:
- the CA server is an anonymous certificate authority PCA server
- the digital certificate is an anonymous certificate PC
- the obtaining the digital certificate from the CA server includes:
- the security module uses the private key corresponding to the registration certificate EC to sign the PC application message;
- the PC is obtained from the PCA server.
- the obtaining the PC from the PCA server includes:
- the method further includes:
- the security module uses the private key corresponding to the PC to sign the direct communication service message of the PC5 interface;
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the method further includes:
- HSM performs EC storage.
- the obtaining the digital certificate from the CA server further includes:
- HSM generates a cryptographic public-private key pair for EC application
- HSM sends the cryptographic public key for EC application to the security module
- the security module uses the cryptographic public key to obtain the EC from the ECA server.
- the CA server is an anonymous certificate authority PCA server
- the digital certificate is an anonymous certificate PC
- the obtaining the digital certificate from the CA server includes:
- HSM performs PC storage.
- the obtaining the digital certificate from the CA server includes:
- HSM generates a password public and private key pair for PC application
- HSM sends the password public key for PC application to the security module
- the security module uses the cryptographic public key to obtain the PC from the PCA server.
- the method further includes:
- the security module uses the private key corresponding to the PC to sign the direct communication service message of the PC5 interface;
- the GBA security channel is established between the security module and the CA server by using the universal guidance architecture GBA based on the universal integrated circuit card UICC.
- the embodiment of the present disclosure also provides a terminal device, including:
- the security module is used to establish a secure channel with the certificate authority CA server;
- the security module is used to realize the function of the global user identification module USIM.
- the embodiment of the present disclosure also provides a terminal device, including a transceiver and a processor;
- the processor is used for:
- the security module is used to realize the function of the global user identification module USIM.
- the embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps in the above-mentioned initial configuration method are realized.
- a secure channel is directly established between a security module capable of realizing the function of USIM and the CA server, and the session key and digital certificate are obtained from the CA server through the secure channel, so that the session key used for the digital certificate application is It will not be transmitted in an environment other than a secure channel, which reduces the probability of a physical attack on the session key, reduces security risks, and improves the security of the initial configuration.
- Figure 1 shows a schematic diagram of an autonomous way of offline filling on a production line
- Figure 2 shows a schematic diagram of the DCM agent method for offline filling of the production line
- Figure 3 shows a schematic diagram of GBA
- FIG. 4 shows the architecture diagram of TLS-based PC certificate application
- Figure 5 shows a schematic diagram of security risks in the implementation of GBA terminals in related technologies
- Figure 6 shows the security risk diagram of 5GAA's GBA-based configuration scheme when applied to PC certificate applications
- FIG. 7 shows a schematic flowchart of an initial configuration method of an embodiment of the present disclosure
- FIG. 8 shows a schematic diagram of a GBA security implementation architecture of an EC application according to an embodiment of the present disclosure
- FIG. 9 shows a schematic diagram of a GBA security implementation architecture of a PC application according to an embodiment of the present disclosure
- FIG. 10 shows a schematic diagram of the USIM architecture of an embodiment of the present disclosure
- FIG. 11 shows a schematic diagram of modules of a terminal device according to an embodiment of the present disclosure.
- V2X terminal equipment including OBU, Road Side Unit (RSU), etc.
- RSU Road Side Unit
- V2X terminal equipment including OBU, Road Side Unit (RSU), etc.
- the initial configuration process of the OBU equipment before the production of a car with V2X function is taken as an example is introduced.
- Other types of V2X terminals also have a similar process.
- the production line worker triggers the HSM security module of the OBU device to generate a cryptographic public-private key pair through an external device, or the external cryptographic device generates a cryptographic public-private key pair and injects it into the HSM.
- the production line also injects the address information and digital certificate of the Enrollment Certificate Authority (ECA) server.
- ECA Enrollment Certificate Authority
- the production line workers trigger the OBU device to access the ECA server.
- the OBU device uses the digital certificate of the ECA server to prove the legitimacy of its identity and establish a secure communication channel between the two.
- the OBU device uploads the password public key to the ECA server, applies for and downloads the Enrollment Certificate (EC) digital certificate, and stores it securely in the HSM.
- ECA Enrollment Certificate Authority
- the working principle of the DCM agent method is basically the same as that of the autonomous method, but the implementation process is different.
- the production line needs to deploy DCM agent nodes, and perform mutual authentication with the ECA server in advance, establish a secure communication channel, and provide unified services for all vehicles that are about to go offline.
- DCM generates a password public and private key pair for the OBU device and replaces the OBU terminal device to interact with the ECA server to apply for and download the EC digital certificate.
- DCM injects the generated password public and private key pair, the obtained EC digital certificate, the certificate of the ECA server, and the address information of the ECA server into the HSM of the OBU in a secure manner, thereby completing the initial security configuration of the OBU device.
- 5GAA proposed a method for initial security configuration of V2X terminal equipment based on GBA technology.
- the solution uses USIM and its code number (e.g., International Mobile Subscriber Identification Number (IMSI), Mobile Station International Subscriber Directory Number, MSISDN), and Integrated Circuit Card Identification Number (Integrate Circuit). card identity, ICCID), etc.) are used as the identifier of the V2X terminal device at the initial moment to characterize the device identity.
- IMSI International Mobile Subscriber Identification Number
- MSISDN Mobile Station International Subscriber Directory Number
- ICCID Integrated Circuit Card Identification Number
- FIG. 3 shows the GBA general boot architecture, which consists of the following parts:
- A11 The software that provides GBA capability support on V2X terminal equipment-GAA Server (GAA Server);
- V2X client software on the V2X terminal, which interfaces with the GAA Server software;
- A14 Network Application Function (NAF) software in the ECA server;
- A15 Bootstrapping Server Function (BSF) core network element.
- BSF Bootstrapping Server Function
- the V2X terminal device can use the root key in the USIM card to perform two-way identity authentication with the mobile cellular network through the AKA mechanism, and negotiate with the BSF to generate the shared session key Ks_NAF. Subsequently, upon receiving the certificate application request of the V2X terminal device, the ECA server may interact with the BSF to obtain the session key Ks_NAF, and verify the identity of the V2X terminal device based on the Ks_NAF. After the identity authentication is passed, ECA accepts the EC certificate application request of the V2X terminal device, and issues an EC digital certificate for the V2X terminal device after the review is passed. In the above process, the application layer information interaction between the ECA server and the V2X terminal device is performed in a secure channel established based on the shared session key Ks_NAF, so the security of message transmission can also be guaranteed.
- the above GBA-based solution uses USIM as the initial identity of the V2X terminal device, without pre-configured any security credentials (such as X.509 digital certificate), and can establish a secure channel from the V2X terminal device to the ECA server through the mobile cellular network. , Complete the initial configuration of the device online.
- the initial safety configuration related operations and interactions are completed by the V2X terminal equipment itself, and there is no need to rely on the safety environment of the production line to ensure the safety of configuration operations like offline filling methods, thus greatly reducing the cost of upgrading the production line of the enterprise.
- this method can be applied to scenarios where the car production place and the car sales place are not in the same area.
- the network side configuration it allows the on-board OBU terminal to connect with the ECA at the place where the car is sold and used, and solves the problem of pre-configuring the X.509 digital certificate of the ECA server for the on-board OBU terminal during the car production process.
- the code number in the USIM can be used as the unique identifier of the V2X device, which prevents the V2X terminal device from indicating that it is not authenticated in the initial state, and the V2X terminal cannot be authenticated based on the X.509 digital certificate of the ECA server.
- the condition of the equipment is not authenticated in the initial state, and the V2X terminal cannot be authenticated based on the X.509 digital certificate of the ECA server.
- the applicable scenario of this specification is that the on-board unit (OBU) or roadside unit (RSU), when holding a valid registration certificate issued by ECA, uses it to apply for a communication (anonymous) certificate to the ACA in order to exchange information with the RSU or OBU , So as to obtain relevant information services and have the ability to perform signature verification on the obtained information.
- OBU on-board unit
- RSU roadside unit
- this specification is also applicable to scenarios where OBU applies to ACA for communication (anonymous) certificates and communicates with other OBUs.
- the program programming interface (API) in this specification adopts the Hypertext Transfer Security Protocol (HTTPS). It is recommended to use the Transport Layer Security Protocol (TLS) version 1.2 or more, and it is recommended to use the Transport Layer Security Protocol (TLS) version 1.3, which supports the standard HTTPS. Transmission control protocol (TCP) port 443, and use X.509 certificates for identity authentication between components.
- HTTPS Hypertext Transfer Security Protocol
- TLS Transport Layer Security Protocol
- TLS Transport Layer Security Protocol
- TCP Transmission control protocol
- X.509 certificates for identity authentication between components.
- an Authorization Certificate Authority refers to an organization that manages communication (anonymous) certificates, that is, the PCA referred to in this article.
- the TLS solution can be implemented on the V2X terminal using the solution shown in Figure 4.
- Pre-set X.509 device certificates for V2X terminal devices in HSM and establish a TLS secure channel between HSM and PCA server to ensure communication security.
- the PC certificate related password public and private key pair is generated inside the HSM security environment, and the public key and device information are reported through the TLS secure channel, and the PC digital certificate is applied for, downloaded, and stored safely.
- the entire program is carried out in a safe environment, which can ensure the safety of the entire process.
- 5GAA proposed a V2X terminal device initial security configuration method based on Generic Bootstrapping Architecture (GBA) technology. If this solution is used for PC certificate application, it can avoid pre-configuration of X.509 certificate and reduce the cost of enterprise production line transformation.
- GBA Generic Bootstrapping Architecture
- V2X terminal equipment Since the security initialization process of V2X terminal equipment involves the initial configuration of sensitive parameters and information such as keys and digital certificates, this process has very strict requirements for security. Therefore, it is necessary to ensure the security of production environment, terminal equipment, message interaction and other links. .
- the initial security configuration method for offline filling of the production line requires the generation of a password public-private key pair outside the V2X terminal device, and even the agent application for an EC digital certificate. This is for the production of the car manufacturer or the V2X terminal supplier (depending on who completes the initial security configuration work)
- the environment brings high safety requirements. Companies have to invest a lot of time and cost in upgrading and reforming production lines, and training production line workers to meet safety production requirements in compliance, auditing, management and control.
- 5GAA's current implementation method on the V2X terminal device side has security vulnerabilities, and there is a security risk of physical attacks on the shared session key Ks_NAF. The specific reasons are as follows:
- the sensitive security parameters and information involved in the process (such as password public and private key pairs, shared keys, various intermediate keys, etc.) be in the local security environment of the device Deal with it and cannot leave the local security environment of the terminal during its life cycle.
- the local security environment of the terminal is usually provided by hardware modules that have been evaluated and reach a certain security level, such as USIM, hardware security module (Hardware Security Module, HSM), etc.
- USIM hardware security module
- HSM hardware security module
- the security of message transmission needs to be ensured.
- the V2X terminal device Corresponding to the initial security configuration process of the V2X terminal device, it is required to communicate between the V2X terminal device and the ECA server through a secure communication channel, and the terminal side security channel should be terminated in the local security module of the device to ensure all information The interaction is in a safe environment.
- HSM is the object of the initial security configuration of V2X terminal equipment.
- the cryptographic public-private key pair used to apply for the EC certificate is generated by the HSM, and the shared session key Ks_NAF generated by the USIM based on GBA technology is used between the HSM and the ECA server to establish a TLS secure channel.
- the USIM is an independent security entity outside of the HSM. Therefore, the USIM needs to pass the shared session key Ks_NAF generated by the GBA mechanism to the HSM through a transmission channel outside the security environment.
- the GBA initial security configuration solution can only be used when the risk is controllable, which greatly limits the scope of application of the solution.
- the HSM is responsible for the generation of cryptographic public and private key pairs, the establishment of TLS secure channels, the application, download and storage of EC certificates, and the USIM is responsible for the relevant session keys based on GBA technology. generate.
- the terminal implementation cost is relatively high. This requires that the terminal must support both the USIM and HSM security modules at the same time.
- the HSM security hardware is expensive and the terminal implementation cost is high.
- the GBA-based initial configuration method proposed by 5GAA in the "Efficient Provisioning System Simplifications" research report is mainly used for the initial configuration of EC certificates.
- This method is mainly used to complete the initial configuration of the EC certificate, and is not designed for the initial application of the PC certificate. If it is used for PC certificate application, there will be potential security risks such as physical attacks on the terminal. Similar to the problem shown in Figure 5, this will expose the shared session key Ks_NAF to the secure environment during the transfer process, and there is a security risk of Ks_NAF being tampered with and leaked, as shown in Figure 6.
- This disclosure provides an initial configuration for the session key in the related technology that needs to be transmitted between the USIM and HSM of the terminal device, so that the transmission of the session key outside the secure environment is exposed, and there are security risks such as being vulnerable to physical attacks, and provides an initial configuration Method and terminal equipment.
- the initial configuration method of the embodiment of the present disclosure, applied to a terminal device includes:
- the security module establishes a secure channel with the certificate authority CA server;
- the session key is obtained through the secure channel, and the digital certificate is obtained from the CA server.
- the security module in the embodiment of the present disclosure is used to implement the function of the global user identification module (USIM), that is, when the security module only implements the function of the USIM, the security module is the USIM.
- USIM global user identification module
- HSM hardware security module
- this method is to directly establish a secure channel between the security module that can realize the functions of the USIM and the CA server.
- the session key is used to directly encrypt and encrypt the application message in the USIM. Protection does not require the USIM to send the session key to the HSM, so that the session key does not need to be exposed to the secure environment, reducing the probability of physical attacks on the session key.
- the terminal device mentioned in the embodiment of the present disclosure is a V2X terminal device based on GBA technology, which can be other types of V2X terminal devices such as OBU, RSU, pedestrian wearable devices, Internet of Things terminal devices, etc.; it can solve GBA
- GBA shared session key
- this embodiment can be used for both registration certificate (EC) application and anonymous certificate (PC) application.
- the CA server is the registration certificate authority (ECA) server ;
- the CA server is an anonymous certificate authority (PCA) server.
- the V2X terminal equipment includes: an application processor, an LTE-V2X communication module connected to the application processor, and an LTE-Uu communication module connected to the application processor Group
- the LTE-Uu communication module includes: Modem and USIM.
- a secure channel is established between the USIM and the ECA server, and the USIM obtains EC from the ECA server through the secure channel.
- the HSM may or may not exist.
- HSM can be omitted.
- the USIM before obtaining the EC from the ECA server, the USIM also needs to generate a cryptographic public-private key pair for EC application, so as to use the cryptographic public-private key pair to obtain the EC from the ECA server; after obtaining the EC, the USIM is also used to The EC is stored.
- the GBA secure channel is established between the USIM and the ECA server by using the universal boot architecture GBA (GBA_U) based on the universal integrated circuit card UICC; it should be noted that the GBA_U scheme can share the session key Ks_NAF or derive it
- GBA_U scheme can share the session key Ks_NAF or derive it
- the next level key is completely generated, stored, and used by the USIM to ensure that the secure channel between the V2X terminal device and the ECA server is terminated inside the USIM on the terminal side, which eliminates the need to share the session key Ks_NAF or
- the derived next-level key is transmitted to the HSM through an insecure environment and brings security risks such as physical attacks.
- the terminal device can also realize the transmission of direct communication services.
- the USIM uses the private key corresponding to the EC to sign the PC5 interface direct communication service message; the signed PC5 interface direct communication service message is sent To external equipment.
- the USIM is used as a local security module to realize the initial security configuration of the V2X terminal device, the generation, storage, and use of the session key and password public and private keys, and the application, storage and use of the EC are all secured by USIM Module to deal with.
- USIM is a multifunctional security entity with a security level of EAL4+. It has functions such as random number generation, cryptographic algorithm calculation, and secure storage. Therefore, it has the ability to safely implement the initial security configuration of V2X terminal equipment.
- the V2X terminal device triggers the USIM to generate a cryptographic public-private key pair for EC application.
- the V2X terminal device invokes the supported GBA security authentication capability, accesses the ECA server through the mobile cellular network and negotiates to generate the shared session key Ks_NAF, and establishes an initial security trust relationship between the V2X terminal device and the ECA server.
- the ECA server verifies whether the identity of the V2X terminal device is legal and valid according to the shared session key Ks_NAF. After the verification is passed, the ECA server and the V2X terminal device establish a secure transmission channel to ensure the security of data interaction between the two.
- the secure channel can be established using the session key Ks_NAF, or it can be established using the next-level session key derived from the Ks_NAF.
- the calculation of the derived key is performed in the USIM security environment.
- the main responsibilities of the USIM of the terminal equipment include:
- the V2X terminal equipment includes: an application processor, an LTE-V2X communication module connected to the application processor, and an LTE-Uu communication module connected to the application processor.
- the LTE-Uu The communication module includes: Modem and USIM. Specifically, a secure channel is established between the USIM and the PCA server, and the USIM obtains the PC from the PCA server through the secure channel.
- the HSM may or may not exist. Generally, in order to reduce the cost of generating terminal equipment, HSM can be omitted.
- the USIM before obtaining the PC from the PCA server, the USIM also needs to generate a cryptographic public-private key pair for PC application, so as to use the cryptographic public-private key pair to obtain the PC from the PCA server; after obtaining the PC, the USIM is also used to Said PC for storage.
- the role of EC is to prove the legitimacy of the identity of the V2X terminal device, it signs and protects the PC application message to apply for a PC certificate.
- the USIM uses the private key corresponding to the EC to sign the PC application message, and then The USIM obtains the PC from the PCA server according to the PC application message. That is to say, the application for the PC needs to be based on the EC, that is to say, the terminal device has already applied for the EC before the PC application. That is, after securely obtaining the EC, the V2X terminal device interacts with the PCA server to further apply for a PC digital certificate.
- the V2X terminal device should sign the sent PC application request message, and verify the received PC certificate application response message to ensure the authenticity and integrity of the message.
- the PC certificate request message should be signed with the private key corresponding to the EC certificate.
- the embodiment of the present disclosure proposes that the USIM completes the signature protection of the PC certificate application request message to eliminate the physical attack caused by the transmission of the EC certificate private key between the USIM and the HSM And other potential security risks.
- the verification of the PC certificate application response message can also be implemented by the USIM.
- USIM has the ability to perform dozens to hundreds of signature/verification processing per second, while the processing of PC digital certificate application messages does not have strong real-time requirements. Therefore, the above processing using USIM can fully meet the performance requirements of PC certificate applications. Claim.
- the V2X terminal device After the V2X terminal device completes the initial security configuration and obtains the EC digital certificate, it needs to use the EC digital certificate to further apply for the PC digital certificate to securely protect the communication service messages directly connected to the PC5 interface.
- the public key of the PCA server needs to be used to verify the received feedback message to obtain the PC.
- the embodiments of the present disclosure propose that the USIM is used as a local security module to be responsible for the initial security configuration of V2X terminal devices, the generation, storage, and use of session keys and passwords, public and private keys, and the application, storage, and use of PCs are all handled by the USIM security module.
- USIM is a multifunctional security entity with a security level of EAL4+. It has functions such as random number generation, cryptographic algorithm calculation, and secure storage. Therefore, it has the ability to safely implement the initial security configuration of V2X terminal equipment.
- the V2X terminal device triggers the USIM to generate a cryptographic public-private key pair used by the application PC.
- the V2X terminal device invokes the supported GBA security authentication capability, accesses the PCA server through the mobile cellular network and negotiates to generate the shared session key Ks_NAF, and establishes an initial security trust relationship between the V2X terminal device and the PCA server.
- the PCA server verifies whether the identity of the V2X terminal device is legal and valid according to the shared session key Ks_NAF. After the verification is passed, the PCA server and the V2X terminal device establish a secure transmission channel to ensure the security of data interaction between the two.
- the secure channel can be established using the session key Ks_NAF, or it can be established using the next-level session key derived from the Ks_NAF.
- the calculation of the derived key is performed in the USIM security environment.
- the USIM is used to generate the password public-private key pair required to apply for the PC digital certificate
- the GBA_U method is preferably used to establish a secure communication channel from the USIM to the PCA server. Through the GBA secure channel, the USIM interacts with the PCA, applies for a PC digital certificate, downloads the certificate of the PCA server, and stores the downloaded digital certificate and the password public and private key pair in the USIM locally.
- the PC certificate application message between the V2X terminal device and the PCA server should be digitally signed using the private key corresponding to the EC certificate stored in the USIM.
- the embodiment of the present disclosure proposes to use the USIM to sign and protect the PC5 direct communication service message, that is, when the PC5 service message is sent, the terminal AP (application processor) first sends the PC5 service message to the USIM, which uses the PC certificate to correspond After signing the message with the private key of, the service message is sent through the LTE-V2X communication group.
- USIM can send the obtained PC digital certificate to external modules or chips (such as AP, HSM, LTE-V2X communication modules), so that they can send PC5 services
- external modules or chips such as AP, HSM, LTE-V2X communication modules
- the PC certificate is sent along the road during the message to realize the point-to-point digital certificate distribution between the vehicle-vehicle and the vehicle-roadside facilities.
- the embodiments of the present disclosure can ensure all the keys related to the PC application (such as the private key corresponding to the EC certificate, the public and private key of the PC certificate, the shared session key Ks_NAF generated by GBA negotiation or the next level key derived from it) and passwords
- the calculations are all processed in the USIM security environment, and the GBA security channel is terminated inside the USIM security environment. Therefore, the process of application, transmission, processing, and storage of the PC certificate is safe, avoiding the potential physical attacks and other security risks of the 5GAA scheme. Since the PC digital certificate is allowed to be disclosed, sending the PC certificate to an external module or chip for processing will not affect the security of the solution.
- the main responsibilities of the USIM of the terminal equipment include:
- the embodiments of the present disclosure also provide a method of securely applying for a certificate based on GBA technology in the case of HSM generation, storage, and use of keys, so as to extend
- the security module also only implements the function of the USIM, that is, the security module is the USIM.
- the HSM After the USIM obtains the digital certificate from the CA server, it sends the digital certificate to the HSM; and the HSM stores the digital certificate. It should also be noted that before applying for a digital certificate, the HSM needs to generate a pair of public and private keys for the digital certificate application, and store the pair of passwords; then the HSM sends the public key for the digital certificate application to the USIM , USIM uses the public key of the password to apply for a digital certificate, and obtains the digital certificate from the CA server. In this case, the HSM realizes the sending of the direct communication service message, specifically: HSM first uses the private key corresponding to the digital certificate to sign the PC5 interface direct communication service message; then directly connects the signed PC5 interface The communication service message is sent to the external device.
- the HSM is used to generate the password public-private key pair required for the PC application, and the GBA_U method is preferred to establish a secure communication channel from the USIM to the PCA server.
- the HSM transmits the public key of the generated PC digital certificate to the USIM, and then the USIM interacts with the PCA to apply for the PC digital certificate and download the certificate of the PCA server. After that, the USIM sends the downloaded PC and PCA server certificate to the HSM for safe storage.
- the USIM uses the stored private key corresponding to the EC certificate to digitally sign the PC certificate application message.
- USIM/HSM can also send the obtained PC to other external modules or chips (such as AP, LTE-V2X communication module) so that they can send PC5 business messages.
- a V2X terminal device When a V2X terminal device sends a PC5 interface direct connection communication service message, the message is sent to the HSM, signed with the private key corresponding to the PC digital certificate, and then sent through the LTE-V2X communication group.
- the public key of the PC is transferred from the HSM to the USIM. Since the public key is allowed to be disclosed, there is no security risk of public key leakage, which improves security.
- the main responsibilities of the USIM of the terminal equipment include:
- the main responsibilities of the HSM of the terminal equipment include:
- the HSM is used to generate the cryptographic public-private key pair required to apply for the EC
- the GBA_U method is preferred to establish a secure communication channel from the USIM to the ECA server.
- the HSM sends the public key of the generated EC digital certificate to the USIM, and then the USIM interacts with the ECA to apply for the EC digital certificate and download the certificate of the ECA server. After that, the USIM sends the downloaded EC and ECA server certificates to the HSM for safe storage.
- USIM/HSM can also send the obtained EC to other external modules or chips (such as AP, LTE-V2X communication module), so that they can send PC5 business messages. Send the EC along the road to realize the point-to-point digital certificate distribution between vehicle-vehicle and vehicle-roadside facilities.
- other external modules or chips such as AP, LTE-V2X communication module
- the V2X terminal device sends a PC5 interface direct connection communication service message
- the message is sent to the HSM, signed with the private key corresponding to the EC digital certificate, and then sent through the LTE-V2X communication group.
- the public key of the EC is transmitted from the HSM to the USIM. Since the public key is allowed to be disclosed, there is no security risk of public key leakage, which improves security.
- the main responsibilities of the USIM of the terminal equipment include:
- the main responsibilities of the HSM of the terminal equipment include:
- the interface IF1 and USIM application functions are used to implement the GBA process
- Interface IF2 IF3 and certificate application functions are used to complete EC/PC certificate application and PC5 message signature processing.
- the certificate application module generates a public and private key pair, constructs a certificate request message, and requests the USIM application module through IF3 to use the Ks_NAF generated by GBA or the next level key derived to encrypt the certificate request;
- the certificate application module sends the protected certificate request to the ECA/PCA server through the AP through IF2, and applies for the EC/PC digital certificate;
- the digital certificate issued by the ECA/PCA server and the certificate of the ECA/PCA server are sent to the certificate application module through IF2, and the certificate application module calls the IF3 interface to request the USIM application module to use Ks_NAF or the next-level key derived to decrypt the message And verification;
- the certificate application module will securely store the decrypted EC/PC certificate and the certificate of the ECA/PCA server, and feed back the processing result.
- the certificate application module receives the PC certificate password public key generated by the external HSM through IF2;
- the certificate application module constructs a certificate request message, and requests the USIM application module through IF3 to use the Ks_NAF generated by GBA or the next level key derived to encrypt the certificate request;
- the certificate application module sends the protected certificate request to the PCA server through the AP through IF2, and applies for the PC digital certificate;
- the digital certificate issued by the PCA server and the certificate of the PCA server are sent to the certificate application module through IF2, and the certificate application module calls the IF3 interface to request the USIM application module to use Ks_NAF or the derived next-level key to decrypt and verify the message;
- the certificate application module sends the decrypted PC certificate and the certificate of the PCA server to the HSM for safe storage.
- the present disclosure eliminates security risks such as physical attacks in the initial security configuration process of GBA-based V2X terminal equipment, and ensures the security of the entire initial security configuration process;
- the present disclosure maximizes the capabilities of the USIM security module on the V2X terminal device, so that the terminal does not need to use the HSM hardware module, which improves the security of the entire system while reducing the cost of terminal implementation;
- the present disclosure is compatible with related technical solutions that generally use HSM to generate and manage keys in the automobile industry, and has good compatibility;
- the present disclosure lays a foundation for ensuring the security of the direct connection communication of the V2X terminal PC5 interface.
- the terminal device of the embodiment of the present disclosure includes:
- the security module 111 is used to establish a secure channel with the certificate authority CA server;
- the security module is used to realize the function of the global user identification module USIM.
- the CA server is a registered certificate authority ECA server
- the digital certificate is a registered certificate EC
- the security module 111 obtains a digital certificate from the CA server to implement:
- the EC is obtained from the ECA server.
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the security module 111 obtains the digital certificate from the CA server, it is further used to implement:
- the CA server is an anonymous certificate authority PCA server
- the digital certificate is an anonymous certificate PC
- the security module 111 obtains a digital certificate from the CA server to achieve:
- the PC is obtained from the PCA server.
- the security module 111 obtains a PC from a PCA server, and is used to implement:
- the security module 111 obtains the PC from the PCA server, it is also used to implement:
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the security module 111 obtains the digital certificate from the CA server, it is further used to implement:
- HSM used for EC storage.
- HSM is also used to achieve:
- the security module 111 is also used to obtain the EC from the ECA server by using the cryptographic public key.
- the CA server is an anonymous certificate authority PCA server
- the digital certificate is an anonymous certificate PC
- the security module 111 obtains a digital certificate from the CA server to achieve:
- HSM used for PC storage.
- the HSM is also used to implement: generating a cryptographic public-private key pair for PC application;
- HSM sends the password public key for PC application to the security module
- the security module 111 is also used to obtain the PC from the PCA server by using the password public key.
- the security module 111 obtains the digital certificate from the CA server, it is also used to implement:
- the GBA security channel is established between the security module and the CA server by using the universal guidance architecture GBA based on the universal integrated circuit card UICC.
- the terminal device provided by the embodiment of the present disclosure is a terminal device capable of executing the above-mentioned initial configuration method, and all the implementation methods in the above-mentioned initial configuration method embodiment are applicable to the terminal device, and all can achieve the same or similar The beneficial effects.
- the embodiment of the present disclosure also provides a terminal device, including a transceiver and a processor;
- the processor is used for:
- the security module is used to realize the function of the global user identification module USIM.
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the processor executes the acquisition of the digital certificate from the CA server, it is used to implement:
- the EC is obtained from the ECA server.
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the processor executes the acquisition of the digital certificate from the CA server, it is further used to implement:
- the CA server is an anonymous certificate authority PCA server
- the digital certificate is an anonymous certificate PC
- the processor executes the acquisition of the digital certificate from the CA server, it is used to achieve:
- the control security module uses the private key corresponding to the registration certificate EC to sign the PC application message;
- the PC is obtained from the PCA server.
- the processor executes the acquisition of the PC from the PCA server to implement:
- the control security module uses the private key corresponding to the PC to sign the direct communication service message of the PC5 interface;
- the CA server is a registration certificate authority ECA server
- the digital certificate is a registration certificate EC
- the processor executes the acquisition of the digital certificate from the CA server, it is further used to implement:
- HSM performs EC storage.
- the processor executes the acquisition of the digital certificate from the CA server, which is also used to implement:
- HSM sends the cryptographic public key for EC application to the security module
- the security module uses the cryptographic public key to obtain the EC from the ECA server.
- the processor executes to obtain a digital certificate from the CA server to achieve:
- HSM performs PC storage.
- the processor executes the acquisition of the digital certificate from the CA server to achieve:
- HSM generates a password public and private key pair for PC application
- HSM sends the password public key for PC application to the security module
- the security module uses the cryptographic public key to obtain the PC from the PCA server.
- the processor executes the acquisition of the digital certificate from the CA server, it is further used to implement:
- the control security module uses the private key corresponding to the PC to sign the direct communication service message of the PC5 interface;
- the GBA security channel is established between the security module and the CA server by using the universal guidance architecture GBA based on the universal integrated circuit card UICC.
- the embodiments of the present disclosure also provide a terminal device, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor.
- the processor executes the program as described above.
- Each process in the embodiment of the initial configuration method can achieve the same technical effect. In order to avoid repetition, it will not be repeated here.
- the embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored.
- a computer program is stored.
- the program is executed by a processor, each process in the above-mentioned initial configuration method embodiment is realized, and the same technical effect can be achieved. To avoid repetition, I won’t repeat it here.
- the computer-readable storage medium such as read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk, or optical disk, etc.
- this application can be provided as methods, systems, or computer program products. Therefore, this application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-readable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program codes.
- These computer program instructions can also be stored in a computer-readable storage medium that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable storage medium produce paper products that include the instruction device,
- the instruction device realizes the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
- These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that the computer or other programmable equipment executes a series of operation steps to produce computer-implemented processing, thereby executing instructions on the computer or other scientific programming equipment Provides steps for realizing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
- Each module, unit, sub-unit or sub-module may be one or more integrated circuits configured to implement the above methods, for example: one or more application specific integrated circuits (ASIC), or, one or more Microprocessor (digital signal processor, DSP), or, one or more Field Programmable Gate Array (Field Programmable Gate Array, FPGA), etc.
- ASIC application specific integrated circuit
- DSP digital signal processor
- FPGA Field Programmable Gate Array
- the processing element may be a general-purpose processor, such as a central processing unit (CPU) or other processors that can call program codes.
- these modules can be integrated together and implemented in the form of a system-on-a-chip (SOC).
- SOC system-on-a-chip
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Circuits Of Receivers In General (AREA)
- Electrical Discharge Machining, Electrochemical Machining, And Combined Machining (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Use Of Switch Circuits For Exchanges And Methods Of Control Of Multiplex Exchanges (AREA)
- Electrotherapy Devices (AREA)
- Input Circuits Of Receivers And Coupling Of Receivers And Audio Equipment (AREA)
Abstract
Description
Claims (15)
- 一种初始配置方法,应用于终端设备,包括:安全模块建立与证书授权CA服务器之间建立的安全通道;通过所述安全通道获取会话密钥,并从CA服务器获取数字证书;其中,所述安全模块用于实现全球用户识别模块USIM的功能。
- 根据权利要求1所述的初始配置方法,其中,在所述CA服务器为注册证书权威机构ECA服务器时,所述数字证书为注册证书EC,所述从CA服务器获取数字证书,包括:安全模块生成进行EC申请的密码公私钥对;利用所述密码公私钥对,从ECA服务器获取EC。
- 根据权利要求1所述的初始配置方法,其中,在所述CA服务器为注册证书权威机构ECA服务器时,所述数字证书为注册证书EC,所述从CA服务器获取数字证书之后,还包括:存储EC。
- 根据权利要求1-3任一项所述的初始配置方法,其中,在所述CA服务器为匿名证书权威机构PCA服务器时,所述数字证书为匿名证书PC,所述从CA服务器获取数字证书,包括:安全模块使用注册证书EC对应的私钥对PC申请消息进行签名;根据PC申请消息,从PCA服务器获取PC。
- 根据权利要求4所述的初始配置方法,其中,所述从PCA服务器获取PC,包括:接收PCA服务器发送的反馈消息,并利用PCA服务器的公钥对接收的所述反馈消息进行验签,获取PC。
- 根据权利要求4所述的初始配置方法,其中,在所述从PCA服务器获取PC之后,还包括:安全模块使用PC对应的私钥对PC5接口直连通信业务消息进行签名;将签名后的PC5接口直连通信业务消息发送给外部设备。
- 根据权利要求1所述的初始配置方法,其中,在所述CA服务器为注 册证书权威机构ECA服务器时,所述数字证书为注册证书EC,在所述从CA服务器获取数字证书之后,还包括:发送EC给硬件安全模块HSM;HSM进行EC的存储。
- 根据权利要求7所述的初始配置方法,其中,所述从CA服务器获取数字证书,还包括:HSM生成进行EC申请的密码公私钥对;HSM将进行EC申请的密码公钥发送给安全模块;安全模块利用所述密码公钥,从ECA服务器获取EC。
- 根据权利要求1、7或8所述的初始配置方法,其中,在所述CA服务器为匿名证书权威机构PCA服务器时,所述数字证书为匿名证书PC,所述从CA服务器获取数字证书,包括:发送PC给硬件安全模块HSM;HSM进行PC的存储。
- 根据权利要求9所述的初始配置方法,其中,所述从CA服务器获取数字证书,包括:HSM生成进行PC申请的密码公私钥对;HSM将进行PC申请的密码公钥发送给安全模块;安全模块利用所述密码公钥,从PCA服务器获取PC。
- 根据权利要求9所述的初始配置方法,其中,所述从CA服务器获取数字证书之后,还包括:安全模块使用PC对应的私钥对PC5接口直连通信业务消息进行签名;将签名后的PC5接口直连通信业务消息发送给外部设备。
- 根据权利要求1所述的初始配置方法,其中,所述安全模块与CA服务器之间采用基于通用集成电路卡UICC的通用引导架构GBA的方式建立GBA安全通道。
- 一种终端设备,包括:安全模块,用于建立与证书授权CA服务器之间建立的安全通道;通过所述安全通道获取会话密钥,并从CA服务器获取数字证书;其中,所述安全模块用于实现全球用户识别模块USIM的功能。
- 一种终端设备,包括收发机和处理器;所述处理器,用于:控制安全模块建立与证书授权CA服务器之间建立的安全通道;通过所述安全通道获取会话密钥,并从CA服务器获取数字证书;其中,所述安全模块用于实现全球用户识别模块USIM的功能。
- 一种计算机可读存储介质,其上存储有计算机程序,其中,该程序被处理器执行时实现如权利要求1-12任一项所述的初始配置方法中的步骤。
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/781,840 US20230007480A1 (en) | 2019-12-03 | 2020-11-30 | Provisioning method and terminal device |
CA3160544A CA3160544A1 (en) | 2019-12-03 | 2020-11-30 | Provisioning method and terminal device |
EP20895692.0A EP4068716A4 (en) | 2019-12-03 | 2020-11-30 | INITIAL CONFIGURATION PROCEDURE AND TERMINAL DEVICE |
JP2022533202A JP2023505471A (ja) | 2019-12-03 | 2020-11-30 | プロビジョニング方法及び端末機器 |
AU2020396746A AU2020396746B2 (en) | 2019-12-03 | 2020-11-30 | Provisioning method and terminal device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911219000.X | 2019-12-03 | ||
CN201911219000.XA CN112910826B (zh) | 2019-12-03 | 2019-12-03 | 一种初始配置方法及终端设备 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021109967A1 true WO2021109967A1 (zh) | 2021-06-10 |
Family
ID=76103843
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/132712 WO2021109967A1 (zh) | 2019-12-03 | 2020-11-30 | 初始配置方法及终端设备 |
Country Status (7)
Country | Link |
---|---|
US (1) | US20230007480A1 (zh) |
EP (1) | EP4068716A4 (zh) |
JP (1) | JP2023505471A (zh) |
CN (1) | CN112910826B (zh) |
AU (1) | AU2020396746B2 (zh) |
CA (1) | CA3160544A1 (zh) |
WO (1) | WO2021109967A1 (zh) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115190450B (zh) * | 2022-06-28 | 2023-11-28 | 中汽数据(天津)有限公司 | 基于v2x证书建立tls通道的车联网通信方法和系统 |
CN115378745B (zh) * | 2022-10-26 | 2023-02-21 | 中国铁塔股份有限公司 | 通信认证方法、系统、装置、电子设备及存储介质 |
CN115633356B (zh) * | 2022-12-19 | 2023-03-10 | 中汽智联技术有限公司 | 基于x509数字证书申请v2x数字证书的方法和系统 |
CN117082520B (zh) * | 2023-10-13 | 2024-01-09 | 武汉信安珞珈科技有限公司 | 数字证书处理方法、装置、电子设备及存储介质 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102811224A (zh) * | 2012-08-02 | 2012-12-05 | 天津赢达信科技有限公司 | 一种ssl/tls连接的实现方法、装置及系统 |
WO2017192161A1 (en) * | 2016-05-06 | 2017-11-09 | Intel IP Corporation | Service authorization and credential provisioning for v2x communication |
CN107645471A (zh) * | 2016-07-20 | 2018-01-30 | 航天信息股份有限公司 | 一种用于移动终端用户身份认证的方法和系统 |
CN108282467A (zh) * | 2017-12-29 | 2018-07-13 | 北京握奇智能科技有限公司 | 数字证书的应用方法、系统 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2906096B1 (fr) * | 2006-09-19 | 2008-10-24 | Radiotelephone Sfr | Procede de securisation de sessions entre un terminal radio et un equipement dans un reseau |
KR101084938B1 (ko) * | 2007-10-05 | 2011-11-18 | 인터디지탈 테크날러지 코포레이션 | Uicc와 단말기간 보안 채널화를 위한 기술 |
US9112905B2 (en) * | 2010-10-22 | 2015-08-18 | Qualcomm Incorporated | Authentication of access terminal identities in roaming networks |
AU2014258980B2 (en) * | 2013-04-26 | 2016-02-04 | Visa International Service Association | Providing digital certificates |
CN106453196B (zh) * | 2015-08-04 | 2020-01-07 | 中国移动通信集团公司 | 一种针对可信执行环境的密钥写入装置、系统及方法 |
DE102017212994B3 (de) * | 2017-05-31 | 2018-11-29 | Apple Inc. | INSTALLATION UND TESTEN EINES ELEKTRONISCHEN TEILNEHMERIDENTITÄTSMODULS (eSIM) |
CN108809637B (zh) * | 2018-05-02 | 2020-11-03 | 西南交通大学 | 基于混合密码的lte-r车-地通信非接入层认证密钥协商方法 |
-
2019
- 2019-12-03 CN CN201911219000.XA patent/CN112910826B/zh active Active
-
2020
- 2020-11-30 CA CA3160544A patent/CA3160544A1/en active Pending
- 2020-11-30 EP EP20895692.0A patent/EP4068716A4/en active Pending
- 2020-11-30 WO PCT/CN2020/132712 patent/WO2021109967A1/zh unknown
- 2020-11-30 AU AU2020396746A patent/AU2020396746B2/en active Active
- 2020-11-30 JP JP2022533202A patent/JP2023505471A/ja active Pending
- 2020-11-30 US US17/781,840 patent/US20230007480A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102811224A (zh) * | 2012-08-02 | 2012-12-05 | 天津赢达信科技有限公司 | 一种ssl/tls连接的实现方法、装置及系统 |
WO2017192161A1 (en) * | 2016-05-06 | 2017-11-09 | Intel IP Corporation | Service authorization and credential provisioning for v2x communication |
CN107645471A (zh) * | 2016-07-20 | 2018-01-30 | 航天信息股份有限公司 | 一种用于移动终端用户身份认证的方法和系统 |
CN108282467A (zh) * | 2017-12-29 | 2018-07-13 | 北京握奇智能科技有限公司 | 数字证书的应用方法、系统 |
Non-Patent Citations (1)
Title |
---|
See also references of EP4068716A4 * |
Also Published As
Publication number | Publication date |
---|---|
AU2020396746A1 (en) | 2022-08-04 |
CA3160544A1 (en) | 2021-06-10 |
EP4068716A4 (en) | 2023-12-06 |
US20230007480A1 (en) | 2023-01-05 |
CN112910826A (zh) | 2021-06-04 |
CN112910826B (zh) | 2022-08-23 |
EP4068716A1 (en) | 2022-10-05 |
AU2020396746B2 (en) | 2023-06-22 |
JP2023505471A (ja) | 2023-02-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021109967A1 (zh) | 初始配置方法及终端设备 | |
CN110380852B (zh) | 双向认证方法及通信系统 | |
EP3723399A1 (en) | Identity verification method and apparatus | |
EP2255507B1 (en) | A system and method for securely issuing subscription credentials to communication devices | |
WO2021109963A1 (zh) | 初始安全配置方法、安全模块及终端 | |
US9385996B2 (en) | Method of operating a computing device, computing device and computer program | |
CN106788989B (zh) | 一种建立安全加密信道的方法及设备 | |
US10680835B2 (en) | Secure authentication of remote equipment | |
JP2008099267A (ja) | ネットワーク内で無線端末と設備との間のセッションを保護する方法 | |
WO2016106560A1 (zh) | 一种实现远程接入的方法、装置及系统 | |
CN112714053B (zh) | 通信连接方法及装置 | |
CN108809907B (zh) | 一种证书请求消息发送方法、接收方法和装置 | |
CN111131416A (zh) | 业务服务的提供方法和装置、存储介质、电子装置 | |
US20180069836A1 (en) | Tiered attestation for resource-limited devices | |
US20220311625A1 (en) | Certificate Application Method And Device | |
CN109583154A (zh) | 一种基于Web中间件访问智能密码钥匙的系统及方法 | |
WO2021082222A1 (zh) | 通信方法、存储方法、运算方法及装置 | |
CN108259176B (zh) | 基于手机卡的数字签名方法、系统以及终端 | |
CN114095919A (zh) | 一种基于车联网的证书授权处理方法及相关设备 | |
CN109361706A (zh) | 一种基于区块链的数据传输方法、装置及系统 | |
CN111901335B (zh) | 基于中台的区块链数据传输管理方法及系统 | |
CN113422753A (zh) | 数据处理方法、装置、电子设备及计算机存储介质 | |
WO2022199569A1 (zh) | 一种终端设备的配置方法、装置和通信设备 | |
WO2023240587A1 (zh) | 一种设备权限配置方法及装置、终端设备 | |
WO2024016124A1 (zh) | 一种设备配置方法及装置、通信设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20895692 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2022533202 Country of ref document: JP Kind code of ref document: A Ref document number: 3160544 Country of ref document: CA |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2020895692 Country of ref document: EP Effective date: 20220701 |
|
ENP | Entry into the national phase |
Ref document number: 2020396746 Country of ref document: AU Date of ref document: 20201130 Kind code of ref document: A |