WO2022178871A1 - 获取密钥的方法、装置及密钥管理系统 - Google Patents

获取密钥的方法、装置及密钥管理系统 Download PDF

Info

Publication number
WO2022178871A1
WO2022178871A1 PCT/CN2021/078283 CN2021078283W WO2022178871A1 WO 2022178871 A1 WO2022178871 A1 WO 2022178871A1 CN 2021078283 W CN2021078283 W CN 2021078283W WO 2022178871 A1 WO2022178871 A1 WO 2022178871A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
information
node
communication domain
obtaining
Prior art date
Application number
PCT/CN2021/078283
Other languages
English (en)
French (fr)
Inventor
盛德
耿峰
殷新星
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2021/078283 priority Critical patent/WO2022178871A1/zh
Priority to EP21927307.5A priority patent/EP4290790A4/en
Priority to CN202180000702.8A priority patent/CN113056898B/zh
Publication of WO2022178871A1 publication Critical patent/WO2022178871A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • the present application relates to the technical field of smart cars and connected cars, and in particular, to a method, device and key management system for obtaining keys.
  • the Internet of Vehicles is considered to be one of the fields with the most industrial potential and the clearest market demand in the Internet of Things system. It has the characteristics of wide application space, great industrial potential and strong social benefits. It is of great significance to promote the innovation and development of the automobile and information and communication industries, build new models and new formats of automobile and transportation services, promote the innovation and application of autonomous driving technology, and improve the level of traffic efficiency and safety. Therefore, the Internet of Vehicles has received more and more attention.
  • Information security In the Internet of Vehicles, information security has always been the focus of attention. Information security can be divided into in-vehicle information security and out-of-vehicle information security.
  • in-vehicle information security before the in-vehicle equipment leaves the factory, the key will be filled on the production line by means of key filling, and then assembled to the vehicle. Subsequently, the in-vehicle devices will communicate through the filled key to ensure the safety of in-vehicle information.
  • the above keys are managed by the car factory's key management system.
  • This application provides a method, device and key management system for obtaining keys, which can be deployed in smart cars, smart home scenarios or data centers, which can not only improve communication security, but also update keys at any time. Convenient.
  • an embodiment of the present application provides a method for obtaining a key, the method is applied to a key management system, the key management system includes a key server, and a first node communicatively connected to the key server, the first The node is a key client or a key agent, and the method includes: the key server obtains first key information, the first key information includes the first key material and the identifier of the first communication domain, and the first key material uses In generating the first key, the identifier of the first communication domain is used to indicate the first communication domain, the first key is applied to the first communication domain, and the first communication domain includes at least two nodes in the key management system, at least The two nodes include a first node; the key server sends the first key information to the first node.
  • the key server can configure a first key for each node in the first communication domain, and subsequently, the nodes in the first communication domain can communicate through the first key .
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the key server can update the key at any time, which is very convenient. In addition, the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased. The first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the communication domain can be divided based on different granularities, which improves the diversity and flexibility of dividing the communication domain.
  • communication domains based on different granularities can cover various scenarios of communication between nodes in the key management system, for example, communication scenarios between nodes with the same connection method, communication scenarios or communication information between nodes with the same function Communication scenarios between nodes of the same type, etc. Any one of the multiple scenarios may correspond to one or more keys, thereby improving communication security.
  • the method further includes: the key server generates a first verification code according to the first verification information, and the first verification information includes at least one of the following information: a first key, a first key material, a first key One piece of information, or the identification of the key server, the first information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the first random number; the key server sends the first node the first information and first verification code.
  • the key server can send the first information and the first verification code to the first node, so that the first node can verify the availability of the first key between the first node and the key server through the first verification code , in order to prevent the failure or error of the first key generation, resulting in failure of normal communication between the first node and the key server.
  • the method further includes: the key server receives second information and a second verification code from the first node, the second verification code is generated according to the second verification information, and the second verification information includes the following information At least one of: the first key, the first key material, the second information, the identification of the first node, or the first random number, the second information includes the identification of the first communication domain, and/or the first encryption The identification of the key; the key server verifies the second verification code.
  • the key server can verify the availability of the first key between the first node and the key server through the second verification code, so as to prevent the first key generation failure or error, resulting in the first node and the key server The key servers cannot communicate properly.
  • the method further includes: the key server establishes a first secure channel with the first node according to the first protocol, and the first secure channel is used to transmit information between the key server and the first node. Based on the above method, a first secure channel can be established between the key server and the first node, so as to improve the security of the communication between the key server and the first node.
  • the number of the first nodes is greater than 1, and the first security channel includes a point-to-point security channel between a key server and each first node; or, the first security channel includes a key server and each A point-to-multipoint secure channel of the first node; or, the first secure channel includes a point-to-point secure channel between a key server and a part of the first node, and a point-to-multipoint secure channel between the key server and another part of the first node safe channel.
  • the first secure channel may include various forms, which increases the diversity and flexibility of the communication between the first node and the key server.
  • the first protocol includes a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • the nodes in the key management system can support multiple protocols, which can improve the flexibility and diversity of communication between the nodes in the key management system.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client.
  • the second node is included in the first communication domain.
  • the key client communicatively connected to the key agent can also be included in the first communication domain, and the key server can also configure the first encryption key for the key client in the first communication domain through the key agent. key. Subsequently, the key client can communicate with the nodes in the first communication domain through the first key.
  • the method further includes: the key server receives first notification information from the first node, where the first notification information is used to notify the nodes in the first communication domain of the verification result.
  • the first node can notify the key server of the verification result of the nodes in the first communication domain, so that the key server can respond. For example, if the verification fails, the key server reconfigures the key for the node in the first communication domain. For another example, if the verification is successful, the key server may enable the first key.
  • the method further includes: the key server obtains first configuration information, where the first configuration information is used to indicate at least one of the following information: an identifier of a node in the key management system, an identifier of a node in the key management system How the node is connected, or information about other nodes that communicate with the node in the key management system.
  • the key server can acquire the first configuration information, so that the key server allocates the configuration information corresponding to the node to the node in the key management system, so that the node in the key management system can Information that determines the communication domain in which the node is located.
  • the method further includes: the key server sends second configuration information to the first node, where the second configuration information is used to indicate at least one of the following information: an identifier of the first node, an identifier of the first node Connection mode, or information about other nodes that communicate with the first node.
  • the key server can send the second configuration information to the first node, so that the first node can determine the information of the communication domain where the first node is located according to the second configuration information.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client
  • the second configuration information is also used to indicate the following: At least one of the information: the identifier of the second node, the connection mode of the second node, or information of other nodes that communicate with the second node.
  • the second configuration information may also include related configuration information of the second node, for example, the identifier of the second node, the connection mode of the second node, or the information of other nodes that communicate with the second node, so that the first node can
  • the related configuration information is allocated to the second node, so that the second node can determine the information of the communication domain where the second node is located according to the configuration information.
  • the method further includes: the key server determines the information of the communication domain where the key server is located according to the first configuration information, and the information of the communication domain where the key server is located is used to indicate at least one of the following information : The identifier of the communication domain where the key server is located, the communication mode of the nodes in the communication domain where the key server is located, the connection mode between the key server and the nodes other than the key server in the communication domain where the key server is located, the key Information about other nodes except the key server in the communication domain where the server is located, or the key information for constructing the key of the communication domain where the key server is located. Based on the above method, the key server can determine the relevant information of the communication domain where the key server is located according to the first configuration information, so as to subsequently configure the key for the communication domain where the key server is located.
  • the method further includes: the key server receives the first confirmation information from the key management tool; or the key server receives the first confirmation information from the first terminal; or the key server receives the first confirmation information from the first terminal.
  • the key server can be triggered to configure the key for the key agent or key client through various methods.
  • an embodiment of the present application provides a method for obtaining a key.
  • the method is applied to a key management system.
  • the key management system includes a key server, and a first node communicatively connected to the key server.
  • the first node Being a key client or key agent, the method includes: the first node receives information of a first key from a key server, the information of the first key includes the first key material and the identification of the first communication domain, The identifier of the first communication domain is used to indicate the first communication domain; the first node generates a first key according to the first key material, the first key is applied to the first communication domain, and the first communication domain includes the key management system.
  • the at least two nodes include the first node.
  • the first node can receive the information of the first key from the key server, generate the first key according to the first key material included in the information of the first key, and then follow , the first node can communicate with other nodes in the first communication domain through the first key.
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the key server can update the key at any time, which is very convenient.
  • the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the communication domain can be divided based on different granularities, which improves the diversity and flexibility of dividing the communication domain.
  • the communication domains divided based on different granularities can cover various scenarios of communication between nodes in the key management system, and any of the various scenarios can correspond to one or more keys, thereby improving communication security.
  • the method further includes: the first node receives first information and a first verification code from the key server, the first verification code is generated according to the first verification information, and the first verification information includes the following information At least one of: the first key, the first key material, the first information, or the identification of the key server, the first information includes at least one of the following information: the identification of the first communication domain, the identification of the first key The identifier or the first random number; the first node verifies the first verification code.
  • the first node can use the first verification code to verify the availability of the first key between the first node and the key server, so as to prevent a failure or error in the generation of the first key, causing the first node to The key servers cannot communicate properly.
  • the method further includes: the first node generates a second verification code according to the second verification information, and the second verification information includes at least one of the following information: a first key, a first key material, a first key Second information, the identifier of the first node, or the first random number, the second information includes the identifier of the first communication domain, and/or the identifier of the first key; the first node sends the second information and the first key to the key server Two verification codes.
  • the first node can send the second information and the second verification code to the key server, so that the key server can verify the availability of the first key between the first node and the key server through the second verification code , in order to prevent the failure or error of the first key generation, resulting in failure of normal communication between the first node and the key server.
  • the method further includes: the first node establishes a first secure channel with the key server according to the first protocol, and the first secure channel is used to transmit information between the key server and the first node. Based on the above method, a first secure channel can be established between the key server and the first node, so as to improve the security of the communication between the key server and the first node.
  • the number of the first nodes is greater than 1, and the first security channel includes a point-to-point security channel between a key server and each first node; or, the first security channel includes a key server and each A point-to-multipoint secure channel of the first node; or, the first secure channel includes a point-to-point secure channel between a key server and a part of the first node, and a point-to-multipoint secure channel between the key server and another part of the first node safe channel.
  • the first secure channel may include various forms, which increases the diversity and flexibility of the communication between the first node and the key server.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client.
  • the second node is included in the first communication domain; the method further includes: the first node sending the first key material and the identifier of the first communication domain to the second node.
  • the key server may further configure the first key for the second node through the first node. Subsequently, the second node can also communicate with the nodes in the first communication domain through the first key.
  • the method further includes: the first node generates a third verification code according to third verification information, and the third verification information includes at least one of the following information: a first key, a first key material, a first key Three information, or the identification of the first node, the third information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the second random number; the first node sends the third information to the second node. information and a third verification code.
  • the first node can send the third information and the third verification code to the second node, so that the second node can verify the availability of the first key between the first node and the second node through the third verification code , in order to prevent the first key generation failure or error, resulting in failure of normal communication between the first node and the second node.
  • the method further includes: the first node receives fourth information and a fourth verification code from the second node, the fourth verification code is obtained according to the fourth verification information, and the fourth verification information includes the following information: At least one of: the first key, the first key material, the fourth information, the identification of the second node, or the second random number, the fourth information includes the identification of the first communication domain, and/or, the first key ; the first node verifies the fourth verification code.
  • the first node can use the fourth verification code to verify the availability of the first key between the first node and the second node, so as to prevent the first key generation failure or error, causing the first node and the second node to fail to generate the first key.
  • the two nodes cannot communicate normally.
  • the method further includes: the first node sends first notification information to the key server, where the first notification information is used to notify the nodes in the first communication domain of the verification result.
  • the first node can notify the key server of the verification result of the nodes in the first communication domain, so that the key server can respond. For example, if the verification fails, the key server reconfigures the key for the node in the first communication domain. For another example, if the verification is successful, the key server may enable the first key.
  • the method further includes: the first node establishes a second secure channel with the second node according to the first protocol, and the second secure channel is used to transmit information between the first node and the second node. Based on the above method, a second secure channel may be established between the first node and the second node, so as to improve the security of the communication between the first node and the second node.
  • the number of the second nodes is greater than 1, and the second security channel includes a point-to-point security channel between the first node and each second node; or, the second security channel includes the first node and each A point-to-multipoint secure channel of the second node; or, the second secure channel includes a point-to-point secure channel between the first node and a part of the second node, and a point-to-multipoint secure channel between the first node and another part of the second node safe channel.
  • the second secure channel may include various forms, which increases the diversity and flexibility of the communication between the first node and the second node.
  • the first protocol includes a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • the nodes in the key management system can support multiple protocols, which can improve the flexibility and diversity of communication between the nodes in the key management system.
  • the method further includes: the first node receives second configuration information from the key server, where the second configuration information is used to indicate at least one of the following information: an identifier of the first node, the first node connection mode, or information of other nodes that communicate with the first node.
  • the first node can receive the second configuration information from the key server, so that the first node can determine the information of the communication domain where the first node is located according to the second configuration information.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client
  • the second configuration information is also used to indicate the following: At least one of the information: the identifier of the second node, the connection mode of the second node, or the information of other nodes that communicate with the second node
  • the method further includes: the first node sends the third configuration information to the second node,
  • the third configuration information is used to indicate at least one of the following information: an identifier of the second node, a connection mode of the second node, or information of other nodes that communicate with the second node.
  • the first node can send the third configuration information to the second node, so that the second node can determine the information of the communication domain where the second node is located according to the third configuration information.
  • the method further includes: the first node determines information of the communication domain where the first node is located according to the second configuration information, and the information of the communication domain where the first node is located is used to indicate at least one of the following information: The identifier of the communication domain where the first node is located, the communication mode of the nodes in the communication domain where the first node is located, the connection mode between the first node and the nodes other than the first node in the communication domain where the first node is located, the first node Information of other nodes except the first node in the communication domain where the first node is located, or key information for constructing the key of the communication domain where the first node is located.
  • the first node can determine the relevant information of the communication domain where the first node is located according to the second configuration information, so that the key server subsequently configures the key for the communication domain where the first node is located.
  • an embodiment of the present application provides a method for obtaining a key, and the method is applied to a key management system, where the key management system includes a key server, a key agent communicatively connected to the key server, and a key agent connected to the key server.
  • a key client connected to a key agent communication, the method comprising: the key client receiving first key material from the key agent and an identification of the first communication domain, where the identification of the first communication domain is used to indicate the first communication domain
  • the key client generates a first key according to the first key material, the first key is applied to the first communication domain, the first communication domain includes at least two nodes in the key management system, and the at least two nodes include a key key client.
  • the key client can receive the information of the first key from the key agent, and generate the first key according to the first key material included in the information of the first key, Subsequently, the key client can communicate with other nodes in the first communication domain through the first key.
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the key server can update the key at any time, which is very convenient.
  • the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the communication domain can be divided based on different granularities, which improves the diversity and flexibility of dividing the communication domain.
  • the communication domains divided based on different granularities can cover various scenarios of communication between nodes in the key management system, and any of the various scenarios can correspond to one or more keys, thereby improving communication security.
  • the method further includes: the key client receives third information and a third verification code from the key agent, the third verification code is obtained according to the third verification information, and the third verification information includes the following information At least one of: the first key, the first key material, the third information, or the identification of the key agent, the third information includes at least one of the following information: the identification of the first communication domain, the identification of the first key ID or second random number; key client verifies the third verification code.
  • the key client can use the third verification code to verify the availability of the first key between the key client and the key agent, so as to prevent the first key generation failure or error, resulting in the key client Communication between the client and the key broker is not working.
  • the method further includes: the key client generates a fourth verification code according to fourth verification information, and the fourth verification information includes at least one of the following information: a first key, a first key material, The fourth information, the identification of the key client, or the second random number, the fourth information includes the identification of the first communication domain, and/or the identification of the first key; the key client sends the fourth information to the key agent and the fourth verification code.
  • the key client can send the fourth information and the fourth verification code to the key agent, so that the key agent can pass the fourth verification code to the availability of the first key between the key client and the key agent. Validation is performed to prevent the first key generation failure or error, resulting in normal communication between the key client and the key broker.
  • the method further includes: the key client establishes a second secure channel with the key proxy according to the first protocol, and the second secure channel is used to transmit information between the key client and the key proxy. Based on the above method, a second secure channel can be established between the key agent and the key client, so as to improve the security of the communication between the key agent and the key client.
  • the number of key clients is greater than 1; the second secure channel includes a point-to-point secure channel between the key agent and each key client; or, the second secure channel includes the key agent and each key client.
  • the second secure channel may include various forms, which increases the diversity and flexibility of the communication between the first node and the second node.
  • the first protocol includes a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • the nodes in the key management system can support multiple protocols, which can improve the flexibility and diversity of communication between the nodes in the key management system.
  • the method further includes: the key client receives third configuration information from the key agent, where the third configuration information is used to indicate at least one of the following information: an identifier of the key client, a key How the client is connected, or information about other nodes that communicate with the key client.
  • the key client can receive the third configuration information from the key agent, so that the key client can determine the information of the communication domain where the key client is located according to the third configuration information.
  • the method further includes: the key client determines the information of the communication domain where the key client is located according to the third configuration information, and the information of the communication domain where the key client is located is used to indicate at least one of the following information: One: the identification of the communication domain where the key client is located, the communication mode of the nodes in the communication domain where the key client is located, and the communication domain between the key client and the key client except the key client. The connection mode of the node, the information of other nodes except the key client in the communication domain where the key client is located, or the key information for constructing the key of the communication domain where the key client is located. Based on the above method, the key client can determine the relevant information of the communication domain where the key client is located according to the third configuration information, so that the key server subsequently configures the key for the communication domain where the key client is located.
  • an embodiment of the present application provides an apparatus for obtaining a key, which can implement the method in the first aspect or any possible implementation manner of the first aspect.
  • the apparatus comprises corresponding units or components for carrying out the above-described method.
  • the units included in the apparatus may be implemented by software and/or hardware.
  • the apparatus may be, for example, a key server, or a chip, a chip system, or a processor that can support the key server to implement the above method.
  • an embodiment of the present application provides an apparatus for obtaining a key, which can implement the method in the second aspect or any possible implementation manner of the second aspect.
  • the apparatus comprises corresponding units or components for carrying out the above-described method.
  • the units included in the apparatus may be implemented by software and/or hardware.
  • the apparatus may be the first node, or may be a chip, a chip system, or a processor that can support the first node to implement the above method.
  • an embodiment of the present application provides an apparatus for obtaining a key, which can implement the method in the third aspect or any possible implementation manner of the third aspect.
  • the apparatus comprises corresponding units or components for carrying out the above-described method.
  • the units included in the apparatus may be implemented by software and/or hardware.
  • the apparatus can be, for example, a key client, or a chip, a chip system, or a processor that can support the key client to implement the above method.
  • an embodiment of the present application provides an apparatus for obtaining a key, including: a processor, the processor is coupled to a memory, and the memory is used to store a program or an instruction, when the program or instruction is processed by the When the device is executed, the device is made to implement the method described in the first aspect or any possible implementation manner of the first aspect.
  • an embodiment of the present application provides an apparatus for obtaining a key, including: a processor, where the processor is coupled to a memory, and the memory is used to store a program or an instruction, and when the program or instruction is processed by the When the device is executed, the device is made to implement the method described in the second aspect or any possible implementation manner of the second aspect.
  • an embodiment of the present application provides an apparatus for obtaining a key, comprising: a processor, where the processor is coupled to a memory, and the memory is used to store a program or an instruction, and when the program or instruction is processed by the When the device is executed, the device is made to implement the method described in the third aspect or any possible implementation manner of the third aspect.
  • an embodiment of the present application provides a computer-readable medium on which a computer program or instruction is stored, and when the computer program or instruction is executed, enables a computer to execute the first aspect or any possibility of the first aspect. method described in the implementation of .
  • an embodiment of the present application provides a computer-readable medium on which a computer program or instruction is stored, and when the computer program or instruction is executed, causes a computer to execute the second aspect or any one of the second aspect. methods described in possible implementations.
  • embodiments of the present application provide a computer-readable medium on which a computer program or instruction is stored, and when the computer program or instruction is executed, causes a computer to execute the third aspect or any of the third aspects. methods described in possible implementations.
  • an embodiment of the present application provides a computer program product, which includes computer program code, and when the computer program code runs on a computer, the computer program code enables the computer to execute the first aspect or any of the possible first aspects. Implement the method described in the method.
  • an embodiment of the present application provides a computer program product, which includes computer program code, and when the computer program code is run on a computer, enables the computer to execute the second aspect or any of the possible possibilities of the second aspect. Implement the method described in the method.
  • an embodiment of the present application provides a computer program product, which includes computer program code, and when the computer program code runs on a computer, the computer program code enables the computer to execute the third aspect or any of the possible third aspects. Implement the method described in the method.
  • an embodiment of the present application provides a chip system, where the chip system includes at least one processor configured to support implementing the functions involved in the first aspect or any possible implementation manner of the first aspect, For example, data and/or information involved in the above-described methods are transceived or processed.
  • an embodiment of the present application provides a chip system, where the chip system includes at least one processor configured to support implementing the functions involved in the second aspect or any possible implementation manner of the second aspect, For example, data and/or information involved in the above-described methods are transceived or processed.
  • an embodiment of the present application provides a chip system, where the chip system includes at least one processor, configured to support implementing the functions involved in the third aspect or any possible implementation manner of the third aspect, For example, data and/or information involved in the above-described methods are transceived or processed.
  • the chip system further includes a memory for storing program instructions and data, and the memory is located in the processor or processes outside the device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • an embodiment of the present application provides a key management system.
  • the system includes the device described in the fourth aspect and/or the fifth aspect and/or the sixth aspect, or the system includes the seventh aspect and/or the eighth aspect and/or the ninth aspect.
  • device, or the system includes the computer-readable medium described in the tenth aspect and/or the eleventh aspect and/or the twelfth aspect, or the system includes the thirteenth aspect and/or the tenth aspect.
  • the computer program product according to the fourth aspect and/or the fifteenth aspect, or the system includes the chip system according to the sixteenth aspect and/or the seventeenth aspect and/or the eighteenth aspect.
  • any of the above-mentioned devices, chip systems, computer-readable media, computer program products or key management systems for obtaining keys are used to execute the corresponding methods provided above.
  • beneficial effects that can be achieved reference may be made to the beneficial effects in the corresponding method, which will not be repeated here.
  • FIG. 1A is a schematic diagram 1 of the architecture of a key management system provided by an embodiment of the present application.
  • FIG. 1B is a second schematic diagram of the architecture of a key management system provided by an embodiment of the present application.
  • FIG. 2A is a schematic diagram 1 of the architecture of a smart car according to an embodiment of the present application.
  • FIG. 2B is a second schematic diagram of the architecture of a smart car according to an embodiment of the present application.
  • 2C is a schematic diagram of the deployment of a key management system provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a hardware structure of an apparatus for obtaining a key provided by an embodiment of the present application
  • 4-12 are schematic flowcharts of a method for obtaining a key provided by an embodiment of the present application.
  • FIG. 13 is a schematic diagram of a message format of the first type of information and a message format of the second type of information provided by an embodiment of the present application;
  • TLV type, length, value
  • 15-16 are schematic structural diagrams of an apparatus for obtaining a key provided by an embodiment of the present application.
  • the key Before the in-vehicle equipment leaves the factory, the key will be filled on the production line by means of key filling, and then assembled to the vehicle. Subsequently, the in-vehicle devices will communicate through the filled key to ensure the safety of in-vehicle information.
  • the above keys are managed by the key management system of the car factory. If the key vault of the car factory is leaked, the in-vehicle security of all vehicles in the car factory will be greatly threatened.
  • the certificate Before the communication between the in-vehicle devices, the certificate needs to be authenticated, and the communication can only be done after the authentication is passed. For this method, at least one certificate needs to be deployed on the in-vehicle device, which increases the hardware and software costs of the in-vehicle device and the cost of the car factory's management certificate.
  • an embodiment of the present application provides a method for obtaining a key, which can be applied to a key management system.
  • the key server in the key management system can configure the first key for each node in the first communication domain, and subsequently, the nodes in the first communication domain can communicate through the first key.
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved, and the key management system of the car factory does not affect the security of other communication domains.
  • the need to manage the keys of each vehicle reduces the burden on the key management system of the depot.
  • the key server can update the key at any time, which is very convenient.
  • the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the method for obtaining a key provided by the embodiments of the present application can be used in various short-distance communication scenarios or communication scenarios between devices in a closed space, such as a smart car, a smart home, or a data center.
  • the method for obtaining a key provided by the embodiments of the present application may be applied to communication between different devices in a smart home or a data center.
  • the method for obtaining a key provided by the embodiment of the present application can also be applied to an intelligent cockpit of a vehicle, an intelligent cockpit of a train, or an intelligent cockpit of an airplane, and the like.
  • the following embodiments of the present application are described by taking a smart car as an example. For the introduction of other situations, reference may be made to the description of the smart car in the embodiments of the present application, and no further description will be given.
  • the base key may be a key (eg, a long-term key or a temporary key, etc.) that is relied upon in the process of identity authentication or key negotiation according to a security protocol. Understandably, the base key will not be lost after the device is powered off, nor will it expire after the session is disconnected.
  • a key eg, a long-term key or a temporary key, etc.
  • the temporary key may be a key temporarily derived or negotiated during the process of identity authentication or key negotiation according to the security protocol.
  • the temporary key is lost when the device is powered off, and expires when the session is disconnected.
  • Fixed keys are usually not updated. Taking a smart car as an example, the fixed key can be filled in the device in the smart car when the device in the smart car leaves the factory, or when the device in the smart car needs to be replaced, so that the devices in the smart car can use the same key.
  • a fixed key is used for communication to improve communication security.
  • the fixed key can also be used as the base key to derive other keys, for example, long-term keys. It should be understood that, in a specific application, the fixed key can also be updated if the fixed security storage allows it.
  • Long-term keys are usually updated periodically or irregularly to increase the security of the underlying key from which the long-term key is derived. Understandably, the long-term key can also be used as the base key to derive other keys.
  • the base key and the temporary key are divided according to the nature of the key.
  • the base key is not easily lost and can be used in one or more communications.
  • Temporary keys are easily lost and are usually derived for a single communication.
  • the fixed key and the long-term key are divided according to the timeliness of the key, and the use time of the fixed key is generally longer than the use time of the long-term key.
  • the non-volatile security zone storing long-term keys or temporary keys does not support the key update function, that is, if the information stored in the non-volatile security zone cannot be updated, the non-volatile security zone can be stored in the non-volatile security zone.
  • the basic key of long-term key or temporary key is stored in the volatile security area (the basic key may not be updated), and the long-term key or temporary key is encrypted and stored in the ordinary area outside the non-volatile security area. derived material. When the long-term key or the temporary key needs to be updated, the derived material can be updated, so as to realize the update of the long-term key or the temporary key.
  • the usage scope of the key can also be referred to as the protection scope of the key or the sharing scope of the key.
  • the key can be used in the depot, the whole vehicle or the communication domain.
  • the scope of use of the key includes a car factory, all smart cars belonging to the car factory can use the key.
  • the scope of use of the key includes the entire vehicle, the device in the entire vehicle can use the key.
  • the scope of use of the key includes the communication domain, all devices included in the communication domain can use the key.
  • the communication domain may include all or part of the devices in the smart car.
  • FIG. 1A is a key management system provided by an embodiment of the present application.
  • FIG. 1A is only a schematic diagram, and does not constitute a limitation on the key management system provided by the present application.
  • the key management system 10 includes a key server 101 , and a key client 102 - a key client 104 communicatively connected to the key server 101 .
  • the key server 101 may be used to configure keys for nodes in the key management system 10 , such as the key client 102 .
  • the key server 101 may also allocate configuration information related to the node to a node in the key management system 10, for example, the identifier of the node, the connection mode of the node, and the like.
  • the key clients in FIG. 1A such as key client 102-key client 104, can be used to generate keys for the communication domain where the key clients are located.
  • the key server 101 may be configured to obtain the first key information, and send the first key information to the first node in the first communication domain.
  • the first node may be key client 102 , key client 103 or key client 104 .
  • the first node may be configured to receive the first key information from the key server 101, and generate the first key according to the first key information. This process will be described in detail in the embodiments shown in FIGS. 4-6 below.
  • the key server 101 can configure keys for nodes in one or more communication domains in the key management system 10, so that the nodes in the same communication domain can use the keys configured by the key server 101 communication.
  • the key server 101 can update the key at any time, which is very convenient.
  • the storage space occupied by the first key is small, and the hardware and software costs of the nodes in the key management system 10 will not be increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the key management system 10 further includes a key management tool (not shown in FIG. 1A ).
  • the key management tool may be in communication with the key server 101 for triggering the key server 101 to configure keys for nodes in one or more communication domains in the key management system 10.
  • the key management system 10 shown in FIG. 1A is only used for example, and is not used to limit the technical solution of the present application. Those skilled in the art should understand that in the specific implementation process, the key management system 10 may also include other nodes, and the number of key servers or key clients may also be determined according to specific needs, which is not limited.
  • the key client can communicate directly with the key server.
  • the key client can also communicate with the key server through the key agent.
  • FIG. 1B another key management system provided by an embodiment of the present application is provided.
  • FIG. 1B is only a schematic diagram, and does not constitute a limitation on the key management system provided by the present application.
  • the key management system 11 includes a key server 111 , a key client 112 communicatively connected to the key server 111 , a key agent 113 - a key agent 114 , and a key communicatively connected to the key agent 113 Client 115 - Key Client 116 , and Key Client 117 in communication with Key Broker 114 .
  • the key server 111 may be used to configure keys for nodes in the key management system 11 , such as the key agent 113 , the key client 115 or the key client 112 .
  • the key server 111 may also allocate configuration information related to the node to the node in the key management system 11, for example, the identifier of the node, the connection mode of the node, and the like.
  • the key agent in FIG. 1A may be used to receive information sent by the key server.
  • the key agent in FIG. 1A can also be used to forward information sent by the key server to the key client.
  • the key agent in FIG. 1A can also be used to generate keys for the communication domain where the key agent is located.
  • the key clients in FIG. 1A eg, key client 102-key client 104, may be used to generate keys for the communication domain in which the key clients reside.
  • the key server 111 may be configured to obtain the first key information, and send the first key information to the first node in the first communication domain.
  • the first node may be a key client 112 , a key broker 113 or a key broker 114 .
  • the first node may be configured to receive the first key information from the key server 111, and generate the first key according to the first key information.
  • the first node may also be configured to send the first key information to the second node in the first communication domain.
  • the second node is a node communicatively connected to the first node.
  • the second node may be key client 115 or key client 116, and if the first node is key broker 114, then the second node may be key client 117.
  • the second node may be configured to receive first key information from the first node, and generate the first key according to the first key information. This process will be described in detail in the embodiments shown in FIGS. 7-11 below.
  • the key server 111 can configure keys for nodes in one or more communication domains in the key management system 11, so that the nodes in the same communication domain can communicate using the keys configured by the key server 111. .
  • the key server 111 can update the key at any time, which is very convenient.
  • the storage space occupied by the first key is small, and the hardware and software costs of the nodes in the key management system 11 will not be increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the key management system 11 further includes a key management tool (not shown in FIG. 1B ).
  • the key management tool may be communicatively connected to the key server 111 for triggering the key server 111 to configure keys for nodes in one or more communication domains in the key management system 11 .
  • the key management system 11 shown in FIG. 1B is only used for example, and is not used to limit the technical solution of the present application. Those skilled in the art should understand that in the specific implementation process, the key management system 11 may also include other nodes, and the number of key servers, key agents or key clients may also be determined according to specific needs, which is not limited .
  • FIG. 2A and FIG. 2B are the architecture of the smart car provided by the embodiment of the present application.
  • 2A and 2B are only schematic diagrams, and do not constitute a limitation on the architecture of the smart car provided by the present application.
  • the smart car 20 includes a telematics box (TBox) 201, a gateway 202 communicatively connected to the TBox 201, a body control module (BCM) 203 communicatively connected to the gateway 202, and an intelligent cockpit domain control system.
  • TBox telematics box
  • BCM body control module
  • MDC multi domain controller
  • VCU vehicle control unit
  • ECU electronic control unit
  • the TBox 201 and the gateway 202 can be connected through Ethernet.
  • Ethernet Between gateway 202 and BCM 203, CDC 204, MDC 205 and VCU 206, between BCM 203 and ECU 207-ECU 208, between CDC 204 and ECU 209-ECU 210, between MDC 205 and ECU 211, between VCU 206 and
  • the ECU 212 can communicate with each other through Ethernet, controller area network (CAN), CAN with flexible data-rate (CAN FD), local internet (local interconnect network, LIN), Media oriented system transport (MOST) or FlexRay connection.
  • CAN controller area network
  • CAN FD CAN with flexible data-rate
  • LIN local internet
  • MOST Media oriented system transport
  • gateway 202 and BCM 203 between BCM 203 and ECU 207-ECU 208 can be connected through CAN
  • between gateway 202 and CDC 204, between CDC 204 and ECU 209-ECU 210 can be connected through LIN.
  • the TBox 201 in FIG. 2A may have the ability to communicate with the external devices of the smart car 20 and the internal devices of the smart car 20 .
  • the gateway 202 is the core component of the smart car 20, and the gateway 202 can route network data such as CAN, LIN, MOST or FlexRay in different networks.
  • BCM 203 can be used to control hardware devices such as doors, windows, seats, and lights.
  • the CDC 204 may have functions related to human-machine interaction (HMI) and intelligent cockpit. The CDC 204 may also be capable of communicating with external devices of the smart car 20 as well as with internal devices of the smart car 20 .
  • MDC 205 can access signals from different sensors, analyze and process the signals, and issue control commands.
  • the VCU 206 may be used to coordinate and control the powertrain of the smart vehicle 20 .
  • the ECU in FIG. 2A can be a microcomputer controller of the smart car 20, and can have the ability to perform preset control functions.
  • the ECU 212 can be used to control the operation of the engine, and the ECU 211 can be used to protect the safety of the smart car.
  • the smart car 20 shown in FIG. 2A is only used for example, and is not used to limit the technical solution of the present application. Those skilled in the art should understand that in the specific implementation process, the smart car 20 may also include other nodes, and the number of TBox, gateway, BCM, CDC, MDC, VCU or ECU may also be determined according to specific needs, which is not limited .
  • the smart car 22 includes a CDC 221, a vehicle domain controller (Vehicle domain controller, VDC)/vehicle integrated/integration unit (VIU) 222 communicatively connected with the CDC 221, and a VDC/VIU 222 TBox 223 communicatively connected, VDC/VIU 224 and VDC/VIU 225, VDC/VIU 226 communicatively connected to VDC/VIU 224, ECU 229-ECU 230 communicatively connected to VDC/VIU 226, and VDC/VIU 225
  • the MDC 227 and the ECU 228 are communicatively connected.
  • the VDC/VIU 226 is also connected in communication with the VDC/VIU 225 and the MDC 227.
  • VDC/VIU can be understood as VDC or VIU.
  • the VDC in FIG. 2B can divide each device in the smart car 22 into multiple domains by function, and manage each domain.
  • Multiple VIUs in Figure 2B can form a ring network to achieve high bandwidth (specifically, high-definition cameras, or high-definition displays, etc.), low latency, and high-reliability processing capabilities.
  • the ring network can also simplify the vehicle network. Configure and improve upgrade and maintenance efficiency.
  • TBox, CDC, MDC and ECU in FIG. 2B reference may be made to the description of the TBox, CDC, MDC and ECU in FIG. 2A above, which will not be repeated here.
  • the smart car 22 shown in FIG. 2B is only used for example, and is not used to limit the technical solution of the present application. Those skilled in the art should understand that in the specific implementation process, the smart car 22 may also include other nodes, and the number of TBox, VDC/VIU, CDC, MDC or ECU may also be determined according to specific needs, which is not limited.
  • the key management system shown in FIG. 1A and FIG. 1B can be deployed in the smart car shown in FIG. 2A or FIG. 2B .
  • the key server in FIG. 1A or FIG. 1B can be deployed in the smart car 20 or the smart car 22 on a device with communication capability and sufficient storage resources, such as: TBox, gateway, BCM, CDC, MDC, VCU, VDC or on VIU.
  • the key client in FIG. 1A or FIG. 1B can be deployed on a TBox, gateway, BCM, CDC, MDC, VCU, VDC, VIU or ECU in the smart car 20 or the smart car 22 .
  • FIG. 1B can be deployed on a TBox, gateway, BCM, CDC, MDC, VCU, VDC or VIU in the smart car 20 or the smart car 22 .
  • the key management system in FIG. 1A or FIG. 1B further includes a key management tool
  • the key management tool can be deployed on TBox, gateway, BCM, CDC, MDC, VCU, VDC or VIU.
  • FIG. 2C is a schematic diagram of the deployment of the key management system.
  • key server is deployed on CDC 221
  • key agent is deployed on VDC/VIU 222, TBox 223, VDC/VIU 224, VDC/VIU 225, VDC/VIU 226, and MDC 227, ECU 228-ECU
  • the key client is deployed on the 230.
  • the device is the execution body of the method for obtaining a key provided by the embodiment of the present application.
  • the key server is deployed on the CDC
  • the key agent is deployed on the MDC
  • the key client is deployed on the ECU
  • the execution subjects of the method for obtaining a key provided by the embodiment of the present application are the CDC, the MDC, and the ECU, respectively.
  • each node in FIG. 1A and FIG. 1B in the embodiment of the present application may be a functional module in one device.
  • the functional module can be an element in a hardware device, for example, a communication chip or a communication component in an in-vehicle device, or a software functional module running on hardware, or a platform (for example, a cloud platform). ) on the virtualized function instantiated.
  • FIG. 3 is a schematic diagram of a hardware structure of an apparatus for obtaining a key that is applicable to an embodiment of the present application.
  • the apparatus 30 for obtaining a key includes at least one processor 301 and at least one communication interface 304, and is used to implement the method provided by the embodiment of the present application.
  • the apparatus 30 for obtaining a key may further include a communication line 302 and a memory 303 .
  • the processor 301 can be a general-purpose central processing unit (central processing unit, CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more processors for controlling the execution of the programs of the present application. integrated circuit.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • Communication line 302 may include a path, such as a bus, to transfer information between the components described above.
  • the communication interface 304 can be any device such as a transceiver, such as an Ethernet interface, a radio access network (RAN) interface, a wireless local area network (WLAN) interface, a transceiver, a pin , bus, or transceiver circuit, etc.
  • RAN radio access network
  • WLAN wireless local area network
  • Memory 303 may be read-only memory (ROM) or other types of static storage devices that can store static information and instructions, random access memory (RAM) or other types of information and instructions It can also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, CD-ROM storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or capable of carrying or storing desired program code in the form of instructions or data structures and capable of being executed by a computer Access any other medium without limitation.
  • the memory may exist independently and be coupled to the processor 301 through the communication line 302 .
  • the memory 303 may also be integrated with the processor 301 .
  • the memory provided by the embodiments of the present application may generally be non-volatile.
  • the memory 303 is used for storing computer-executed instructions involved in executing the solutions provided by the embodiments of the present application, and the execution is controlled by the processor 301 .
  • the processor 301 is configured to execute the computer-executed instructions stored in the memory 303, so as to implement the method provided by the embodiments of the present application.
  • the computer-executed instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • the processor 301 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 3 .
  • the apparatus 30 for obtaining a key may include multiple processors, such as the processor 301 and the processor 307 in FIG. 3 .
  • Each of these processors can be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the apparatus 30 for obtaining a key may further include an output device 305 and/or an input device 306 .
  • Output device 305 is coupled to processor 301 and can display information in a variety of ways.
  • the output device 305 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector (projector) Wait.
  • Input device 306 is coupled to processor 301 and can receive user input in a variety of ways.
  • the input device 306 may be a touch screen device or a sensing device or the like.
  • the above-mentioned apparatus 30 for obtaining a key may be a general-purpose device or a special-purpose device.
  • the apparatus 30 for obtaining a key may be a wireless terminal device, an embedded device, or a device with a similar structure in FIG. 3 .
  • This embodiment of the present application does not limit the type of the apparatus 30 for obtaining the key.
  • the method, device, and key management system for obtaining a key provided by the embodiments of this application can be applied to multiple fields, such as: unmanned driving field, automatic driving field, assisted driving field, intelligent driving field, network connection Driving field, intelligent network driving field, car sharing field, etc.
  • A/B may indicate A or B
  • a and/or may be used to describe There are three kinds of relationships between related objects, for example, A and/or B, which can be expressed as: the existence of A alone, the existence of A and B at the same time, and the existence of B alone, where A and B can be singular or plural.
  • words such as “first” and “second” may be used to distinguish technical features with the same or similar functions.
  • the words “first”, “second” and the like do not limit the quantity and execution order, and the words “first”, “second” and the like do not limit the difference.
  • words such as “exemplary” or “for example” are used to represent examples, illustrations or illustrations, and any embodiment or design solution described as “exemplary” or “for example” should not be construed are preferred or advantageous over other embodiments or designs.
  • the use of words such as “exemplary” or “such as” is intended to present the relevant concepts in a specific manner to facilitate understanding.
  • the key server, and/or the key agent, and/or the key client may perform some or all of the steps in the embodiments of the present application. These steps are only examples. The application embodiments may also perform other steps or variations of various steps. In addition, various steps may be performed in different orders presented in the embodiments of the present application, and it may not be necessary to perform all the steps in the embodiments of the present application.
  • the specific structure of the execution body of the method for obtaining a key is not particularly limited in the embodiments of the present application, as long as the methods provided by the embodiments of the present application can be implemented.
  • the execution body of the method for obtaining a key provided by this embodiment of the present application may be a key server, or a component applied in the key server, such as a chip, which is not limited in this application.
  • the execution subject of the method for obtaining a key provided by the embodiment of the present application may be a key agent, or a component applied to the key agent, such as a chip, which is not limited in this application.
  • the execution body of the method for obtaining a key provided by this embodiment of the present application may be a key client, or a component applied to the key client, such as a chip, which is not limited in this application.
  • the following embodiments are described by taking an example that the execution bodies of the method for obtaining a key are a key server, a key agent, and a key client, respectively.
  • an embodiment of the present application provides a method for obtaining a key, and the method for obtaining a key can be applied to a key management system.
  • the key management system includes a key server, and a first node in communication with the key server.
  • the first node is the key client.
  • the key management system may be the key management system 10 shown in FIG. 1A , in this case, the key server may be the key server 101 in FIG. 1A , and the first node may be the key server 101 in FIG. 1A Key Client 102, Key Client 103 or Key Client 104.
  • the key management system can be deployed on the smart car 20 of FIG. 2A or the smart car 22 of FIG. 2B , in this case, the key server can be deployed in the smart car 20 or the smart car 22 On devices with communication capabilities and sufficient storage resources, such as: TBox, gateway, BCM, CDC, MDC, VCU, VDC or VIU.
  • the first node can be deployed on the TBox, gateway, BCM, CDC, MDC, VCU, VDC, VIU or ECU of the smart car 20 or the smart car 22 .
  • a node in the key management system may be configured with one or more fixed keys.
  • the fixed key may also be called an initial key, and the scope of use of the fixed key is the key management system.
  • the fixed key Before the key is obtained according to the method for obtaining a key provided in this embodiment of the present application, the fixed key can be used for communication between nodes in the key management system to improve the information security of the key management system. It can also be used as the base key to derive the key for the communication domain in the key management system.
  • the nodes in the key management system may also not configure a fixed key, and directly obtain keys of multiple communication domains according to the method for obtaining keys provided in the embodiments of the present application.
  • the specific process of configuring one or more fixed keys for nodes in the key management system will be described below. For details, please refer to the following S1-S2.
  • S1 The key management tool sends the first request information to the third node.
  • the key management tool may or may not be included in the key management system. If the key management tool is included in the key management system, the key management tool may be the key management tool described above in FIG. 1A . If the key management tool is not included in the key management system, the key management tool may be a key management tool set by the car factory.
  • the third node may be any node in the key management system. Taking the key management system 10 shown in FIG. 1A as an example, the third node may be a key server 101 , a key client 102 , a key client 103 or a key client 104 .
  • the first request information may be used to request to configure one or more fixed keys for the third node.
  • the first request information may include the identification of the smart vehicle on which the key management system is deployed and the second key material.
  • the identifier of the smart car on which the key management system is deployed may be the serial number of the smart car.
  • the identification of the smart car deploying the key management system can be read locally by the key management tool or manually input.
  • the identifier of the smart car on which the key management system is deployed may also be obtained by the key management tool from a cloud key management center or a key server. For example, the key management tool sends request information for obtaining relevant information of the smart car to the key server or the cloud key management center.
  • the key server or the cloud key management center After receiving the request information, the key server or the cloud key management center sends the response information for obtaining the relevant information of the smart car to the key management tool.
  • the response information includes relevant information of the smart car on which the key management system is deployed, such as the identification and architecture of the smart car on which the key management system is deployed.
  • the second key material may be used to generate the second key.
  • the second key material includes one or more random numbers that can be used to generate the second key; alternatively, the second key material includes the second key.
  • the first request information further includes type information of the second key.
  • the type information of the second key may be used to indicate the type of the second key.
  • the information of the type of the second key may include an identification of the type of the second key.
  • the type of the second key may include a fixed key.
  • the key management tool when the device deploying the third node leaves the factory, or when the second key needs to be updated, the key management tool sends the first request information to the third node.
  • a first communication channel may also be established between the key management tool and the third node.
  • a first communication channel is established between the key management tool and the third node through an asymmetric algorithm.
  • the asymmetric algorithm may include an elliptic curve Diffie-Hellman (elliptic curve Diffie-Hellman, ECDH) algorithm or a Diffie-Hellman algorithm, and the like.
  • the first communication channel may be used to transmit information between the key management tool and the third node, for example, the above-mentioned first request information, the response information of the following first request information, the following fifth verification code, and the like.
  • the key management tool obtains the second key material from the cloud key management center.
  • the key management tool sends the second request information to the cloud key management center.
  • the second request information is used to request the second key material.
  • the second request information may include an identification of the smart car on which the key management system is deployed.
  • the cloud key management center may be set by the car factory to manage the keys used by the smart cars managed by the car factory, for example, a fixed key used by each smart car managed by the car factory.
  • the fixed key used by each smart car managed by the depot can be the same or different.
  • the response information of the second request information includes the identification of the smart car on which the key management system is deployed and the second key material.
  • the key management tool can include the identification of the smart car on which the key management system is deployed and the second key material in the first request message and send it to the third node.
  • the second request information and the response information of the second request information may further include type information of the second key.
  • a third secure channel can be established between the key management tool and the cloud key management center.
  • a third secure channel may be established between the key management tool and the cloud key management center according to the first protocol.
  • the first protocol may be a transport layer security (TLS) protocol, a hypertext transfer protocol secure (HTTPs), a datagram transport layer security (DTLS) protocol, Custom agreement, or other agreement.
  • the third secure channel may be used to transmit information between the key management tool and the cloud key management center, for example, the above-mentioned second request information, the response information of the above-mentioned second request information, and the like.
  • the key management tool may send the first request information to multiple third nodes at a time, or may send the first request information to one third node at a time, which is not limited.
  • the third node receives the first request information from the key management tool.
  • S2 The third node generates the second key according to the first request information.
  • the third node generates the second key according to the second key material. If the second key material includes one or more random numbers, the third node calculates the one or more random numbers through one or more algorithms to obtain a second key, and stores the second key. If the second key material includes the second key, the third node stores the second key.
  • the type of the second key is the type indicated in the type information of the second key. It can be understood that, before the third node stores the second key, the storage area for storing the key in the third node may be cleared to zero.
  • the third node sends the response information of the first request information to the key management tool.
  • the response information of the first request information is used to indicate whether the third node succeeds in generating the second key.
  • the third node sends the fifth verification code to the key management tool.
  • the fifth verification code is obtained by calculating the fifth verification information according to one or more algorithms.
  • the fifth verification information includes at least one item of the following information: the second key, the identification of the smart car in which the key management system is deployed, or the type information of the second key.
  • the fifth verification code may be used to verify whether the fifth verification information has been modified.
  • the fifth verification code may be a message authentication code (message authentication code, MAC).
  • the third node may or may not use the second key in the process of calculating the fifth verification code. If the fifth verification information does not include the second key, the third node uses the second key in the process of calculating the fifth verification code.
  • the key management tool verifies the fifth verification code.
  • the key management tool generates a fifth verification code according to the fifth verification information. If the fifth verification code generated by the key management tool is the same as the received fifth verification code, the verification is successful, that is, the second key is generated. Correct; if the fifth verification code generated by the key management tool is different from the received fifth verification code, the verification fails, that is, the second key generation error or failure. It can be understood that the key management tool uses the same algorithm as when the third node generates the fifth verification code to calculate the fifth verification information to obtain the fifth verification code.
  • the third node can also directly obtain the second key material from the cloud key management center.
  • the cloud key management center sends the third request information to the third node.
  • the third request information may include the identification of the smart car on which the key management system is deployed and the second key material.
  • the third request information may further include type information of the second key.
  • the third node may generate the second key according to the third request information.
  • the third node may also send third notification information to the cloud key management center.
  • the third notification information is used to indicate whether the third node succeeds in generating the second key.
  • the third node can also verify with the cloud key management center whether the second key is correctly generated through MAC.
  • the second key can be used for communication to improve key management. Information security of the system.
  • the nodes in the key management system that need to be configured with the second key may include all or part of the nodes in the key management system.
  • the second key is the basic key for deriving the key of the communication domain in the key management system. If an attacker can easily configure the second key for the key management system through the cloud key management center or key management tool. keys, the keys managed by the key management system will no longer be secure.
  • dedicated software can be used to execute the above S1-S2 , after the execution is complete, uninstall or erase the special software.
  • the dedicated software is different from the software that executes the method for obtaining a key provided by the embodiment of the present application.
  • a software in a compatibility mode can be used, and the software in the compatibility mode can not only execute the above S1-S2, but also The method provided by the embodiment of the present application is executed, but the above S1-S2 and the method for obtaining a key provided by the embodiment of the present application correspond to different modes of the compatible mode software.
  • the software in the compatibility mode is switched to the mode corresponding to the above S1-S2, and when the key in the communication domain needs to be obtained, the software in the compatibility mode is Switch to the mode corresponding to the method for obtaining a key provided by the embodiment of the present application.
  • the authority of the above-mentioned dedicated software and the authority to switch the software mode belong to the car factory, so that an attacker can be prevented from easily configuring a second key for the key management system.
  • a node in the key management system may be configured with relevant configuration information, and the node in the subsequent key management system may be configured according to the relevant configuration.
  • the information executes the method to get the key. It should be understood that if the relevant configuration information is not changed after the nodes in the key management system are configured, then each time the method for obtaining a key provided by the embodiment of the present application is executed, it is not necessary to re-configure the key again.
  • the configuration information related to the node configuration in the management system if the related configuration information changes, the updated related configuration information can be configured for the nodes in the key management system, and the updated configuration information can be configured for the nodes in the key management system.
  • the process of the related configuration information is similar to the process of configuring the related configuration information for the nodes in the key management system.
  • S3-S4 For the specific process of configuring the relevant configuration information for the nodes in the key management system, reference may be made to the following S3-S4.
  • the first configuration information may be used to indicate the relevant configuration of the node in the key management system, for example, the first configuration information indicates at least one of the following information: the identifier of the node in the key management system, the How the node is connected, or information about other nodes that communicate with the node in the key management system.
  • the identifier of the node in the key management system is used to identify the device deploying the node in the key management system.
  • the identifier of the key server may be the identifier of the CDC; if the key client is deployed on the ECU, the identifier of the key client may be the identifier of the ECU.
  • the identity of the node in the key management system can be configured by the car factory.
  • the identifier of the node in the key management system may be a serial number, or may be the name of the device that deploys the node in the key management system. If the identifier of the node in the key management system is a number, the number may also be allocated by the key server after the smart car is assembled.
  • connection mode of a node in the key management system can be used to indicate the connection mode of each port of the node.
  • Connections of nodes in a key management system include Ethernet, CAN, CAN FD, LIN, MOST or FlexRay connections.
  • the connection mode of a node in the key management system can also be used to indicate the address of each port of the node, for example, an Internet Protocol (Internet Protocol, IP) address and/or a media access control (media access control, MAC) address.
  • IP address Internet Protocol
  • media access control media access control
  • the IP address may be a transmission control protocol (transmission control protocol, TCP) and a port number of 50001.
  • connection mode between any two nodes or the connection mode of any node includes Ethernet, CAN, CAN FD, LIN, MOST or FlexRay connection, a unified description is made here, and will not be repeated later.
  • the information of the other node in communication with the node in the key management system can be used to indicate the identity of the other node and the connection mode of the other node with the node in the key management system.
  • the identity of the other node is used to identify the device on which the other node is deployed.
  • the information of other nodes in communication with the node in the key management system can also be used to indicate the address of the port through which the other node is connected to the node in the key management system, such as an IP address and/or a MAC address.
  • the first configuration information may include the information of the key server 101, the information of the key client 102, the information of the key client 103 and the key client. terminal 104 information.
  • the information of the key server 101 can be as shown in Table 1.
  • the information of the key server 101 includes the identification of the key server 101, the information of the connection mode of each port of the key server 101, and the information of other nodes communicating with the key server 101.
  • the information of the connection mode of each port of the key server 101 includes the identification of each port of the key server 101 (port 1, port 2 and port 3), the identification of the connection mode of each port of the key server 101 (Eth , CAN and CAN), and the address of each port of the key server 101 (IP 1, CAN ID 1 and CAN ID 2).
  • the information of other nodes communicating with the key server 101 includes the identities of the other nodes communicating with the key server 101 (the identity of the key client 102, the identity of the key client 103 and the identity of the key client 104) and other Information about the connection method between the node and the key server 101 .
  • the information on the connection method between other nodes and the key server 101 includes the information on the connection method between the key client 102 and the key server 101 , the information on the connection method between the key client 103 and the key server 101 , and the key client 104 Information on the connection method with the key server 101 .
  • the information of the connection mode between the key client 102 and the key server 101 includes the identification (Eth) of the connection mode between the key client 102 and the key server 101, and the port of the connection between the key client 102 and the key server 101. IP address (IP 4).
  • the information of the connection mode of the key client 103 and the key server 101 includes the identification (CAN) of the connection mode of the key client 103 and the key server 101, and the port of the connection between the key client 103 and the key server 101. address (CAN ID3).
  • the information of the connection mode of the key client 104 and the key server 101 includes the identification (CAN) of the connection mode of the key client 104 and the key server 101, and the port of the connection between the key client 104 and the key server 101. address (CAN ID 4).
  • the information of the key client 102 may be as shown in Table 2.
  • the information of the key client 102 includes the identification of the key client 102, the information of the connection mode of each port of the key client 102, and the information of other nodes communicating with the key client 102.
  • the information of the connection mode of each port of the key client 102 includes the identification (Eth) of the connection mode of each port of the key client 102, and the IP address (IP 4) of each port of the key client 102 .
  • the information of other nodes communicating with the key client 102 includes the identity of the other nodes communicating with the key client 102 (identity of the key server 101 ) and the information of the connection mode of the other nodes and the key client 102 .
  • the information on the connection mode between other nodes and the key client 102 includes the identification of the port (port 1) where the key server 101 and the key client 102 are connected, and the identification of the connection mode between the key server 101 and the key client 102 ( Eth), and the IP address (IP 1) of the port where the key server 101 is connected to the key client 102.
  • the information of the key client 103 can be as shown in Table 3.
  • the information of the key client 103 includes the identification of the key client 103, the information of the connection mode of each port of the key client 103, and the information of other nodes that communicate with the key client 103.
  • the information of the connection mode of each port of the key client 103 includes the identification (CAN) of the connection mode of each port of the key client 103, and the address of each port of the key client 103 (CAN ID 3) .
  • the information of other nodes communicating with the key client 103 includes the identity of the other nodes communicating with the key client 103 (identity of the key server 101 ) and the information of the connection mode of the other nodes and the key client 103 .
  • the information of the connection mode of other nodes and the key client 103 includes the identification of the port (port 2) where the key server 101 is connected to the key client 103, the identification of the connection mode of the key server 101 and the key client 103 ( CAN), and the address (CAN ID 1) of the port where the key server 101 is connected to the key client 103.
  • the information of the key client 104 may be as shown in Table 4.
  • the information of the key client 104 includes the identification of the key client 104, the information of the connection mode of each port of the key client 104, and the information of other nodes that communicate with the key client 104.
  • the information of the connection mode of each port of the key client 104 includes the identification (CAN) of the connection mode of each port of the key client 104, and the address of each port of the key client 104 (CAN ID 4) .
  • the information of other nodes in communication with the key client 104 includes the identification of the other nodes in communication with the key client 104 (identity of the key server 101 ) and information on the connection mode of the other nodes with the key client 104 .
  • the above Tables 1 to 4 are only examples of the first configuration information.
  • the first configuration information may include less or more information than Table 1-Table 4, which is not limited.
  • the key server receives the first configuration information from the key management tool or the cloud key management center. That is, the key server can obtain the first configuration information from the key management tool or the cloud key management center.
  • the key server may send fourth request information to the key management tool.
  • the fourth request information may be used to request the first configuration information.
  • the fourth request information includes the model of the smart car on which the key management system is deployed. Further, the fourth request information may further include the version number of the key management system.
  • the key management tool can send the fifth request information to the cloud key management center.
  • the fifth request information may be used to request the first configuration information.
  • the fifth request information includes the model of the smart car on which the key management system is deployed. Further, the fifth request information may further include the version number of the key management system.
  • the cloud key management center may send the response information of the fifth request information to the key management tool.
  • the response information of the fifth request information may include the first configuration information.
  • the key management tool may send the response information of the fourth request information to the key server.
  • the response information of the fourth request information may include the first configuration information.
  • the employees of the car factory can configure the relevant information of the smart car on which the key management system is deployed (for example, the smart car's model or architecture information), or, after the key management tool reads the relevant information of the smart car on which the key management system is deployed, the key management tool sends fourth notification information to the key server.
  • the fourth notification information is used to notify the key server to start the process of acquiring the first configuration information. Subsequently, the key server sends fourth request information to the key management center.
  • a fourth secure channel can be established between the key management tool and the key server.
  • a fourth secure channel may be established between the key management tool and the key server according to the first protocol.
  • the fourth secure channel may be used to transmit information between the key management tool and the key server, for example, the above-mentioned fourth request information, the response information of the above-mentioned fourth request information, and the like.
  • a fifth secure channel may be established between the key management tool and the cloud key management center according to the first protocol.
  • the fifth secure channel may be used to transmit information between the key management tool and the cloud key management center, for example, the fifth request information, the response information of the fifth request information, and the like.
  • the key server may send sixth request information to the cloud key management center.
  • the sixth request information may be used to request the first configuration information.
  • the sixth request information includes the model of the smart car on which the key management system is deployed. Further, the sixth request information may further include the version number of the key management system.
  • the cloud key management center may send the response information of the sixth request information to the key server.
  • the response information of the sixth request information may include the first configuration information.
  • the first configuration information may also be included in the first request information or the third request information and sent to the key server.
  • S4 The key server sends the second configuration information to the first node.
  • the second configuration information may be used to indicate at least one of the following information: an identifier of the first node, a connection mode of the first node, or information of other nodes that communicate with the first node.
  • the identifier of the first node is used to identify the device on which the first node is deployed.
  • the identifier of the first node may be the identifier of the ECU.
  • the connection mode of the first node may be used to indicate the connection mode of each port of the first node.
  • the connection manner of the first node may also be used to indicate the address of each port of the first node, such as an IP address and/or a MAC address.
  • the information of the other node in communication with the first node may be used to indicate the identity of the other node and the connection manner of the other node and the first node.
  • the identity of the other node is used to identify the device on which the other node is deployed.
  • the information of the other node in communication with the first node may also be used to indicate the address of the port through which the other node is connected to the first node, such as an IP address and/or a MAC address.
  • the second configuration information may be as shown in Table 2. If the first node is the key client 103, the second configuration information may be as shown in Table 3. If the first node is the key client 104, the second configuration information may be as shown in Table 4.
  • the key server may also send a first distribution progress notification to the key management tool or the cloud key management center.
  • the first distribution progress notification may be used to indicate the progress of the key server distributing the second configuration information to each node.
  • the key server may also send a distribution completion notification to the key management tool or the cloud key management center, which is used to indicate that the key server has completed sending the second configuration information.
  • the node in the key management system may determine the information of the communication domain where the node is located according to the configuration information received by the node.
  • the communication domain may be divided according to different granularities. Communication domains based on different granularities can cover various scenarios of communication between nodes in the key management system, for example, communication scenarios between nodes with the same connection method, communication scenarios between nodes with the same function, or types of communication information Communication scenarios between the same nodes, etc. Any one of the multiple scenarios can correspond to one or more keys, thereby improving communication security.
  • the intersection between communication domains can be understood as one communication domain and another communication domain including common nodes.
  • the lack of intersection between communication domains can be understood as the fact that the nodes included in one communication domain are completely different from the nodes included in another communication domain.
  • the following three methods are used as examples to introduce the method of dividing the communication domain.
  • Mode 1 The communication domain can be determined according to the connection mode of the nodes in the key management system
  • different communication domains can be divided for nodes connected in different connection modes.
  • nodes connected by Ethernet may be included in a communication domain; alternatively, nodes connected by CAN may be included in a communication domain; alternatively, nodes connected by LIN may be included in a communication domain; or, nodes connected by MOST may be included in a communication domain
  • Connected nodes may be included in one communication domain; alternatively, nodes connected through FlexRay may be included in one communication domain.
  • the key server 101 and the key client 102 may be included in one communication domain. At least two nodes of the key server 101, the key client 103 and the key client 104 may be included in one communication domain.
  • the communication domain can be determined according to the function of the device deploying the node in the key management system
  • different communication domains can be divided for devices with different functions.
  • key server 101 is deployed on gateway 202
  • key client 102 is deployed on BCM 203
  • key client 103 is deployed on CDC 204
  • key client 104 is deployed on MDC 205, BCM 203, CDC 204 and If the functions of the MDC 205 are different, the key server 101 and the key client 102 may be included in one communication domain, the key server 101 and the key client 103 may be included in one communication domain, and the key server 101 and the key client 103 may be included in one communication domain.
  • Clients 104 may be included in a communication domain.
  • Mode 3 The communication domain can be determined according to the type of communication information between nodes in the key management system
  • the type of communication information between nodes in the key management system includes information that involves privacy or information that does not involve privacy.
  • the information sent by the MDC 205 may involve privacy, and the information sent by the BCM 203 and the VCU 206 does not involve privacy, so the key server 101 and the key client 104 can be included in a communication In the domain, at least two nodes of the key server 101, the key client 102 and the key client 103 may be included in one communication domain.
  • the information related to privacy can be divided according to different users or accounts, so different communication domains can also be divided for different users or accounts.
  • both the communication domain 1 and the communication domain 2 include the key server 101 and the key client 102, but the users corresponding to the communication domain 1 and the communication domain 2 are different.
  • the communication domain may also be determined according to the level of privacy information. That is, different communication domains can be divided for nodes transmitting different levels of privacy information.
  • the level of the privacy information transmitted by the key server 101 and the key client 102 is 1, and the level of the privacy information transmitted by the key server 101, the key client 103 and the key client 104 is 2, the key The server 101 and the key client 102 may be included in one communication domain, and at least two nodes of the key server 101 , the key client 103 and the key client 104 may be included in one communication domain.
  • the division is performed according to communication needs, that is, the nodes that need to communicate are divided into a communication domain, and the division can also be made according to applications, logical ports, or the purpose of the information that needs to be communicated.
  • the following describes a specific process for a node in the key management system to determine the information of the communication domain where the node is located according to the configuration information received by the node. For details, refer to the following S5-S6.
  • the key server determines the information of the communication domain where the key server is located according to the first configuration information.
  • the key server determines the communication domain where the key server is located by using any one of the above manners 1 to 3, and determines the information of each communication domain according to the first configuration information.
  • the information of the communication domain where the key server is located in S5 may be used to indicate at least one of the following information: the application scope of the communication domain where the key server is located, the identifier of the communication domain where the key server is located, the communication domain where the key server is located.
  • the application scope of the communication domain where the key server is located includes the whole vehicle, within the functional domain, between cross-functional domains and the main device.
  • the functional domain can be understood to be divided according to the functions of the devices in the smart car, for example, the power domain, the power domain, or the entertainment domain.
  • the nodes included in the communication domain where the key server is located are deployed in a functional domain, for example, deployed in the power domain.
  • Cross-functional domains can be understood as nodes in the communication domain where the key server is located, including nodes deployed in different functional domains, for example, deployed in the power domain and the power domain.
  • the master device can be CDC, BCM, MDC, VCU, VDC, VIU, TBox, or gateway, etc.
  • the communication mode of the nodes in the communication domain where the key server is located includes point-to-point communication or point-to-multipoint communication.
  • Point-to-point communication can be understood as the number of senders and receivers of information is 1.
  • Point-to-multipoint communication can be understood as the number of information senders is 1, and the number of information receivers is greater than 1.
  • the sender of the information or the receiver of the information may be any node in the communication domain.
  • the information of other nodes other than the key server in the communication domain where the key server is located can be used to indicate at least one of the following information: the identifier of the other node, the port through which the other node and the key server are connected, the other The node name of the node, or the protocols or algorithms that this other node supports.
  • the node name of the other node includes key server, key agent or key client.
  • the protocol or algorithm supported by the other node includes at least one of the following: the protocol of the message supported by the other node (for example, user data protocol (user data protocol, UDP) or TCP, etc.), multiple algorithms supported by the other node (for example, an integrity algorithm, an encryption algorithm, an authentication algorithm, or a derivation algorithm for a temporary key, etc.) or information about the base key used to derive the key of the communication domain where the key server is located (for example, the storage of the base key) location information, type information of the base key, etc.).
  • the protocol of the message supported by the other node for example, user data protocol (user data protocol, UDP) or TCP, etc.
  • multiple algorithms supported by the other node for example, an integrity algorithm, an encryption algorithm, an authentication algorithm, or a derivation algorithm for a temporary key, etc.
  • information about the base key used to derive the key of the communication domain where the key server is located for example, the storage of the base key
  • type information of the base key etc.
  • the key information for constructing the key of the communication domain where the key server is located may be used to indicate the storage location of the key of the communication domain where the key server is located. Further, the key information for constructing the key of the communication domain where the key server is located can also be used to indicate the type of the key of the communication domain where the key server is located.
  • the type of key can include fixed key or long-term key.
  • the information of the communication domain where the key server 101 is located may include the information of the communication domain 1 and the information of the communication domain 2.
  • the information of the communication domain 1 can be shown in Table 5.
  • the information of the communication domain 1 includes the application scope of the communication domain 1 (between master devices), the identification of the communication domain 1, the communication mode of the nodes in the communication domain 1 ( point-to-point), information on the connection method between the key server 101 and the key client 102, information on the key client 102, and key information for constructing the key of the communication domain 1.
  • the information of the connection method between the key server 101 and the key client 102 includes the identification of the port (port 1 of the key server 101) where the key server 101 and the key client 102 are connected, and the key server 101 and the key client 102 connection method (Eth) and the IP address (IP 1) of the port where the key server 101 and the key client 102 are connected.
  • the information of the key client 102 includes the identification of the key client 102, the identification of the port where the key client 102 and the key server 101 are connected (port 2 of the key client 102), the name of the key client 102 ( key client), and the protocols or algorithms supported by key client 102 (AES_CMAC_128 and AES_CBC_128).
  • the key information for constructing the key of the secret communication domain 1 includes the storage location of the key of the communication domain 1 (storage location 1) and the type of the key of the communication domain 1 (long-term key). Among them, AES_CMAC_128 is the integrity/message check code algorithm, and AES_CBC_128 is the encryption algorithm.
  • the information of the communication domain 2 can be shown in Table 6.
  • the information of the communication domain 2 includes the application scope (cross-functional domain) of the communication domain 2, the identification of the communication domain 2, the communication mode of the nodes in the communication domain 2 (point to multipoint), the information of the connection method between the key server 101 and the key client 103, the information of the connection method between the key server 101 and the key client 104, the information of the key client 103, the information of the key client 104 information and the key information for constructing the key of communication domain 2.
  • the information on the connection method between the key server 101 and the key client 103 includes the identification of the port (port 1 of the key server 101) where the key server 101 and the key client 103 are connected, and the key server 101 and the key client 103 connection mode (CAN) and the address (CAN ID 1) of the port where the key server 101 is connected to the key client 103.
  • the information of the connection mode between the key server 101 and the key client 104 includes the identification of the port (port 3 of the key server 101) where the key server 101 and the key client 104 are connected, and the key server 101 and the key client 104 connection mode (CAN) and the address (CAN ID 2) of the port where the key server 101 is connected to the key client 104.
  • the information of the key client 103 includes the identification of the key client 103, the identification of the port where the key client 103 and the key server 101 are connected (port 1 of the key client 103), the name of the key client 103 ( key client), and the protocols or algorithms (AES_CMAC_128 and AES_CBC_128) supported by the key client 103.
  • the information of the key client 104 includes the identification of the key client 104, the identification of the port where the key client 104 and the key server 101 are connected (port 3 of the key client 104), the name of the key client 104 ( key client), and the protocols or algorithms supported by key client 104 (AES_CMAC_128 and AES_CBC_128).
  • the key information for constructing the key of the secret communication domain 2 includes the storage location of the key of the communication domain 2 (storage location 2) and the type of the key of the communication domain 2 (long-term key).
  • Tables 5 and 6 are only examples of the information of the communication domain where the key server is located.
  • the information of the communication domain where the key server is located may also include more or more information than Tables 5 and 6. Less information, no restrictions.
  • the first node determines the information of the communication domain where the first node is located according to the second configuration information.
  • the first node determines the communication domain where the first node is located by using any of the foregoing manners 1 to 3, and determines information of each communication domain according to the second configuration information.
  • the information of the communication domain where the first node is located in S6 may be used to indicate at least one of the following information: the application scope of the communication domain where the first node is located, the identifier of the communication domain where the first node is located, the communication domain where the first node is located.
  • the application scope of the communication domain where the first node is located includes the entire vehicle, within a functional domain, across functional domains and between master devices and the like.
  • the communication mode of the nodes in the communication domain where the first node is located includes point-to-point communication or point-to-multipoint communication.
  • the interaction mode of the first node in the communication domain where the first node is located includes directly communicating with the key server or communicating with the key server through a key agent.
  • the protocol or algorithm supported by the first node includes at least one of the following: a protocol of the packet supported by the first node (for example, UDP or TCP, etc.), multiple algorithms supported by the first node (for example, an integrity algorithm, an encryption algorithm, identity authentication algorithm or the derivation algorithm of the temporary key, etc.) or the information of the base key used to derive the key of the communication domain where the first node is located (for example, the storage location information of the base key, the type information of the base key, etc. ).
  • a protocol of the packet supported by the first node for example, UDP or TCP, etc.
  • multiple algorithms supported by the first node for example, an integrity algorithm, an encryption algorithm, identity authentication algorithm or the derivation algorithm of the temporary key, etc.
  • the information of the base key used to derive the key of the communication domain where the first node is located for example, the storage location information of the base key, the type information of the base key, etc.
  • the information of other nodes other than the first node in the communication domain where the first node is located may be used to indicate at least one of the following information: the identifier of the other node, the port connecting the other node and the first node, or the Protocols or algorithms supported by other nodes.
  • the key information for constructing the key of the communication domain where the first node is located may be used to indicate the storage location of the key of the communication domain where the first node is located. Further, the key information for constructing the key of the communication domain where the first node is located may also be used to indicate the type of the key of the communication domain where the first node is located.
  • the information of the communication domain 1 determined by the key client 102 can be as shown in Table 7
  • the information of the communication domain 1 includes the application range of the communication domain 1 (between master devices), the identification of the communication domain 1, the communication mode of the nodes in the communication domain 1 (point-to-point), the key client 102
  • the information of the connection method between the key client 102 and the key server 101 includes the identification of the port where the key client 102 is connected to the key server 101 (port 2 of the key client 102) and the connection between the key client 102 and the key server 101.
  • the connection method (Eth) of the server 101 includes the identification of the key server 101, and the identification of the port (port 1 of the key server 101) to which the key server 101 and the key client 102 are connected.
  • the key information for constructing the key of the secret communication domain 1 includes the storage location of the key of the communication domain 1 (storage location 1) and the type of the key of the communication domain 1 (long-term key).
  • the information of the communication domain 2 determined by the key client 103 can be as shown in Table 8.
  • the communication domain The information of 2 includes the application scope of the communication domain 2 (cross-functional domain), the identification of the communication domain 2, the communication mode of the nodes in the communication domain 2 (point-to-multipoint), the connection mode of the key client 103 and the key server 101 information, the interaction mode of the key client 103 in the communication domain 1 (communication directly with the key server), the protocols or algorithms supported by the key client 103 (AES_CMAC_128 and AES_CBC_128), the information of the key server 101 and the construction of communication The key information of the key of domain 2.
  • the information of the connection method between the key client 103 and the key server 101 includes the identification of the port where the key client 103 is connected to the key server 101 (port 1 of the key client 103) and the key client 103 and the key The connection method (CAN) of the server 101 .
  • the information of the key server 101 includes the identification of the key server 101 and the identification of the port (port 2 of the key server 101 ) to which the key server 101 and the key client 103 are connected.
  • the key information for constructing the key of the secret communication domain 2 includes the storage location of the key of the communication domain 2 (storage location 2) and the type of the key of the communication domain 2 (long-term key).
  • the information of the communication domain 2 determined by the key client 104 may be as shown in Table 9.
  • the communication domain The information of 2 includes the application scope of communication domain 2 (cross-functional domain), the identification of communication domain 2, the communication mode of nodes in communication domain 2 (point-to-multipoint), the connection mode of key client 104 and key server 101 information, how the key client 104 interacts in the communication domain 1 (communicating directly with the key server), the protocols or algorithms supported by the key client 104 (AES_CMAC_128 and AES_CBC_128), the information of the key server 101 and constructing the communication The key information of the key of domain 2.
  • the information of the connection method between the key client 104 and the key server 101 includes the identification of the port where the key client 104 is connected to the key server 101 (port 3 of the key client 104) and the key client 104 and the key The connection method (CAN) of the server 101 .
  • the information of the key server 101 includes the identification of the key server 101, and the identification of the port (port 3 of the key server 101) to which the key server 101 and the key client 104 are connected.
  • the key information for constructing the key of the secret communication domain 2 includes the storage location of the key of the communication domain 2 (storage location 2) and the type of the key of the communication domain 2 (long-term key).
  • Tables 7 to 9 are only examples of the information of the communication domain where the first node is located.
  • the information of the communication domain where the first node is located may also include more information than Table 7, Table 8 or Table 9. More or less information without limitation.
  • the nodes in the key management system can obtain the key of each communication domain.
  • the method for obtaining a key provided by the embodiment of the present application is specifically described below, and the method for obtaining a key includes S401-S403.
  • S401 The key server obtains first key information.
  • the first key information may be used to configure a key for a node in the first communication domain.
  • the first key information may include first key material.
  • the first key information may further include an identifier of the first communication domain and/or type information of the first key.
  • the first key material can be used to generate the first key.
  • the first key material includes one or more random numbers that can be used to generate the first key; alternatively, the first key material includes the first key.
  • the first key may have at least one of the following functions: used to encrypt communication information between nodes in the first communication domain, used to verify the integrity of communication information between nodes in the first communication domain, or used as a basis for The key derives other keys.
  • Other keys may include temporary keys or other long-term keys for inter-node communication in the first communication domain, or the like.
  • the first key material is obtained according to the second key.
  • the identification of the first communication domain may be used to indicate the first communication domain.
  • the first key may be applied to the first communication domain, or in other words, the scope of use of the first key is the first communication domain. That is, the first key can be applied to the communication domain indicated by the identification of the first communication domain.
  • the first communication domain is any communication domain in the key management system, for example, the communication domain indicated in the information of the communication domain where the first node is located, or the communication domain indicated in the information of the communication domain where the key server is located.
  • the first communication domain includes at least two nodes in the key management system, the at least two nodes including the first node, the key client. For the division method of the first communication domain, reference may be made to the corresponding descriptions in the foregoing manners 1 to 3.
  • the first communication domain includes at least two key clients among the key client 102 and the key client 104; or, the first communication domain includes a key server 101 , and at least one of the key clients 102 - the key clients 104 .
  • the first key can also be applied to the entire vehicle, or in other words, the scope of use of the first key is the entire vehicle.
  • the type information of the first key may be used to indicate the type of the first key.
  • the information of the type of the first key may include an identification of the type of the first key.
  • the type of the first key may include a fixed key, a long-term key or an ephemeral key.
  • the first key and/or the second key are key sensitive information in the device, which needs to be stored securely and non-volatilely, and cannot be updated or deleted at will, or even need to be prohibited from being read.
  • Hardware mechanisms that can provide secure non-volatile storage include: hardware security module (HSM), secure hardware extension (SHE), and persistence in trusted execution environment (TEE). secure storage, etc.
  • the key server receives the first confirmation information from the key management tool; or, the key server receives the first confirmation information from the first terminal; or, the key server receives the first confirmation information from the key management tool.
  • the key server obtains the first key information; or, the key server receives the first confirmation information from the cloud key management center.
  • the first confirmation information may be used to trigger the key server to acquire the first key information. That is, the key server can be triggered to configure keys for the nodes in the first communication domain through the key management tool, the first terminal, the second terminal or the cloud key management center.
  • the key server detects that the key of the first communication domain has expired or is about to expire, and sends the first request trigger information to the key management tool, the first terminal, the second terminal or the cloud key management center, which is used to indicate the first The key for the communication domain has expired or is about to expire.
  • the key management tool or the cloud key management center can notify the administrator, so that the administrator can confirm whether to trigger the key server to configure the key for the node in the first communication domain.
  • the first terminal or the second terminal may notify the user, so that the user can confirm whether to trigger the key server to configure the key for the node in the first communication domain.
  • the key management tool, the first terminal, the second terminal or the cloud key management center may also send response information for the first request trigger information to the key server.
  • the response information of the first request trigger information may be used to indicate that the first request trigger information is received.
  • the key server can send the response information of the first confirmation information to the key management tool, the first terminal, the second terminal or the cloud key management center, which is used to indicate that it has received the first confirmation information.
  • the first confirmation information can also be used to instruct to start the construction process of the key of the first communication domain, that is, start to execute S401.
  • the key management tool is a key management tool set by the car factory
  • the key management tool can be connected to the smart car through the diagnostic port of the smart car to trigger the key server to configure the encryption key for the node in the first communication domain.
  • a sixth secure channel may also be established between the key management tool and the key server according to the first protocol. The sixth secure channel is used to transmit information between the key server and the key management tool, for example, the first confirmation information.
  • the above-mentioned first terminal may be a user equipment (user equipment, UE), where the UE includes a handheld device, a wearable device or a computing device with a wireless communication function.
  • the UE may be a mobile phone, a tablet computer, or a computer with a wireless transceiver function.
  • the above-mentioned second terminal may be a vehicle-mounted device, and may also be referred to as a device in a smart car, such as a TBox, a gateway, a BCM, a CDC, an MDC, a VCU, a VDC, or a VIU.
  • Software that can communicate with the key server is installed on the first terminal or the second terminal.
  • the first confirmation information may be triggered and sent by an in-vehicle infotainment (IVI) system deployed on the device in the smart car.
  • IVI system may be a system with one or more of the following functions: navigation, playing music, playing video, voice recognition, making calls, information interaction, and the like.
  • a possible implementation is that when the smart car is used for the first time, or it is determined that the key of the first communication domain needs to be updated, or the device in the smart car is replaced, the key management tool, the first terminal , the second terminal or the cloud key management center to trigger the key server to configure keys for the nodes in the first communication domain.
  • the first communication domain may be instructed through the key management tool, the first terminal, the second terminal or the cloud key management center, for example, the first communication domain
  • the confirmation information may indicate the first communication domain. After the key server receives the first confirmation information, it can determine the type information of the first key and generate the first key material.
  • the node in the first communication domain may delete the key before the update.
  • the first key information may also include the key before the update.
  • the ID of the key Alternatively, after the key of the first communication domain is updated, for example, after S403, the key server triggers the node in the first communication domain to delete the key before the update.
  • the key server sends first request deletion information to the key client.
  • the first deletion request information is used to request deletion of the key before updating.
  • the first request to delete information may include the identification of the key before updating.
  • the first deletion request information may further include the identification of the first communication domain and/or the type of the key before updating.
  • the key client After receiving the first deletion request information from the key server, the key client sends response information of the first deletion request information to the key server, which is used to indicate that the first deletion request information is received. Subsequently, after the key client deletes the pre-update key, the key client may send first completion information to the key server to indicate that the pre-update key has been deleted.
  • the first completion information may include an identifier of the key before updating and indication information that the key before updating has been deleted.
  • the first completion information may also include the identification of the first communication domain and/or the type of the key before updating.
  • the key server After receiving the first completion information, the key server may send response information of the first completion information to the key client to indicate receipt of the first completion information.
  • the key server may instruct to stop deleting the pre-update key.
  • the key server sends the first stop deletion information to the key client.
  • the first stop deletion information is used to instruct to stop deleting the key before updating.
  • the first stop deletion information may include the identification of the key before updating.
  • the first stop deletion information may further include the identification of the first communication domain and/or the type of the key before updating.
  • the key client stops deleting the key before updating, and sends response information of the first stop deleting information to the key server to indicate that the deletion of the key before updating has been stopped.
  • the above method of triggering the key server to configure the key for the node in the first communication domain is only exemplary, and in specific applications, there may be other methods, for example, the cloud server of the car factory triggers the key server to be the first one.
  • the cloud server of the car factory triggers the key server to be the first one.
  • a node in a communication domain configures a key, etc., which are not specifically limited in this embodiment of the present application.
  • the key server After the key server obtains the first key information, the key server generates the first key according to the first key material.
  • the type of the first key is the type indicated in the type information of the first key, and the communication domain in which the first key acts is the first communication domain.
  • the key server sends the information of the first key to the key client.
  • the number of key clients is greater than or equal to 1.
  • the key server 101 sends the first key to the key client 102. information; if the first communication domain includes the key client 102 and the key client 103 , the key server 101 sends the information of the first key to the key client 102 and the key client 103 .
  • the key server establishes a first secure channel with the key client according to the first protocol.
  • the key client establishes the first secure channel with the key server according to the first protocol.
  • the first secure channel is used to transmit information between the key server and the key client.
  • the key used by the key server and the key client in the process of establishing the first secure channel is the second key.
  • the first secure channel includes a point-to-point secure channel between the key server and the key client. If the number of key clients is greater than 1, the first secure channel includes a point-to-point secure channel between the key server and each key client; or, the first secure channel includes a point-to-point secure channel between the key server and each key client A multipoint secure channel; or, the first secure channel includes a point-to-point secure channel between a key server and a part of key clients, and a point-to-multipoint secure channel between the key server and another part of key clients.
  • the point-to-point security channel can be understood as the security channel can be used for communication between two nodes.
  • the point-to-multipoint security channel can be understood as the security channel can be used for communication between any two or more nodes in the point and multipoint.
  • the first secure channel includes the secure channel between the key server 101 and the key client 102, and the key A secure channel between server 101 and key client 103, and a secure channel between key server 101 and key client 104.
  • the secure channel between the key server 101 and the key client 102 is used for the communication between the key server 101 and the key client 102
  • the secure channel between the key server 101 and the key client 103 is used for the communication between the key server 101 and the key client 102.
  • the secure channel between the key server 101 and the key client 104 is used for the communication between the key server 101 and the key client 104 .
  • the first secure channel includes a point-to-multipoint secure channel between the key server 101 and the key client 102-key client 104.
  • the point-to-multipoint secure channel between the key server 101 and the key client 102-key client 104 is used for any two of the key server 101 and the key client 102-key client 104 or Communication between multiple nodes.
  • the first secure channel includes a secure channel between the key server 101 and the key client 102, and a point-to-multipoint secure channel between the key server and the key client 103-key client 104.
  • the secure channel between the key server 101 and the key client 102 is used for the communication between the key server 101 and the key client 102, and the key server 101 and the key client 103-key client 104
  • the point-to-multipoint secure channel is used for communication between any two or more nodes in the key server 101 and the key client 103-key client 104.
  • the key server sends the information of the first key to the key client through the first secure channel.
  • the key client receives the first key information from the key server. Further, the key client receives the first key information from the key server through the first secure channel.
  • the key client may send response information of the first key information to the key server.
  • the response information of the first key information may be used to indicate that the key client receives the first key information.
  • the key client generates a first key according to the first key information.
  • the key client generates the first key according to the first key material.
  • the type of the first key is the type indicated in the type information of the first key, and the communication domain in which the first key acts is the first communication domain.
  • the key client sends fifth notification information to the key server.
  • the fifth notification information is used to indicate whether the key client succeeds in generating the first key.
  • the key server may also periodically feedback the progress of obtaining the key to the key management tool, the first terminal, the second terminal or the cloud key management center.
  • the key server sends the first progress notification information to the key management tool, the first terminal, the second terminal or the cloud key management center.
  • the first progress notification information may be used to indicate the progress of acquiring the key.
  • the first progress notification information may include an identifier of the smart car, an identifier of the first communication domain, and progress information. Progress information is used to indicate the progress of obtaining the key.
  • the nodes in the key management system can execute the above S401-S403 multiple times, so that the key server can configure keys corresponding to the communication domains for multiple communication domains.
  • the key server may configure a first key for each node in the first communication domain, and subsequently, the nodes in the first communication domain may communicate through the first key.
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the key server can update the key at any time, which is very convenient. In addition, the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased. The first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the actions of the key server or the key client in the above S401-S403 may be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG. 3 calling the application code stored in the memory 303. There are no restrictions on this.
  • the key client may verify the availability of the first key between the key client and the key server, so as to prevent the first key.
  • the method shown in FIG. 4 further includes S501-S503.
  • S501 The key server generates a first verification code according to the first verification information.
  • the first verification information may include at least one of the following information: a first key, first key material, first information, or an identifier of a key server.
  • the first information includes at least one of the following information: the identifier of the first communication domain, the identifier of the first key and the first random number.
  • the first verification code may be used to verify whether the first verification information has been modified.
  • the first verification code may be a MAC.
  • the key server may use one or more algorithms to calculate the first verification information to obtain the first verification code.
  • the first random number is any random number generated by the key server.
  • the key server may or may not use the first key in the process of calculating the first verification code. If the first verification information does not include the first key, the key server uses the first key in the process of calculating the first verification code.
  • the key server sends the first information and the first verification code to the key client.
  • the key server sends the first information and the first verification code to the key client through the first secure channel.
  • the key client receives the first information and the first verification code from the key server. Further, the key client receives the first information and the first verification code from the key server through the first secure channel.
  • the key client verifies the first verification code, including: the key client generates the first verification code according to the first verification information, if the first verification code generated by the key client is the same as the received first verification code. If the verification codes are the same, the verification is successful; if the first verification code generated by the key client is different from the received first verification code, the verification fails.
  • the key client uses the same algorithm as when the key server generates the first verification code to calculate the first verification information to obtain the first verification code.
  • the key client sends the second completion information to the key server.
  • the second completion information is used to indicate whether the key client succeeds in verifying the first verification code.
  • the second completion information may include an identifier of the first key and indication information of whether the verification is successful.
  • the second completion information may also include the identification of the first communication domain and/or the type of the first key.
  • the key server may send response information of the second completion information to the key client to indicate receipt of the second completion information. If the second completion information indicates that the key client successfully verifies the first verification code, the response information of the second completion information may also indicate that the key verification ends. It is understandable that if the key client fails to verify, or the key server does not receive the second completion information within the first preset time period, the key server may re-send the information for configuring the key to the key client.
  • the key client can send the second completion information to the key server through the first secure channel. If the first secure channel is a point-to-multipoint secure channel, other key clients in the first communication domain can also receive the second completion information. Other key clients may determine whether the key client succeeds in verifying the first verification code according to the second completion information, or may ignore the second completion information.
  • the key client can use the first verification code to verify the availability of the first key between the key client and the key server, so as to prevent the first key generation failure or error, resulting in There is no proper communication between the key client and the key server.
  • the actions of the key server or the key client in the above S501-S503 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the key server may verify the availability of the first key between the key client and the key server, so as to prevent the first key.
  • a build failure or error prevents proper communication between the key client and key server.
  • the method shown in FIG. 5 further includes S601-S603.
  • S601 The key client generates a second verification code according to the second verification information.
  • the second verification information may include at least one of the following information: a first key, a first key material, second information, an identifier of a key client, or a first random number.
  • the second information includes the identification of the first communication domain, and/or the identification of the first key.
  • the second verification code may be used to verify whether the second verification information has been modified.
  • the second verification code may be a MAC.
  • the key client can use one or more algorithms to calculate the first verification information to obtain the first verification code.
  • the key client may use the first key or not use the first key in the process of calculating the second verification code. If the second verification information does not include the first key, the key client uses the first key in the process of calculating the second verification code.
  • the random number included in the second verification information may also be a random number generated by the key client.
  • the second verification information includes at least one of the following: a first key, a first key material, a second information, or an identification of the key client.
  • the second information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the third random number.
  • the third random number is any random number generated by the key client. The third random number is the same as or different from the first random number.
  • S602 The key client sends the second information and the second verification code to the key server.
  • the key client sends the second information and the second verification code to the key server through the first secure channel.
  • the key server receives the second information and the second verification code from the key client. Further, the key server receives the second information and the second verification code from the key client through the first secure channel.
  • the key server verifying the second verification code includes: the key server generates the second verification code according to the second verification information, if the second verification code generated by the key server and the received second verification code If they are the same, the verification is successful; if the second verification code generated by the key server is different from the received second verification code, the verification fails.
  • the key server sends seventh notification information to the key client.
  • the seventh notification information is used to instruct the key server whether the verification of the second verification code is successful. It is understandable that if the key server verification fails, the key server may re-send the information for configuring the key to the key client.
  • S501-S503 may be executed first, and then S601-S603 may be executed, or S601-S603 may be executed first, and then S501-S503 may be executed.
  • one of the key server and the key client only needs to verify the feasibility of the first key. That is, the embodiment of the present application may not include S501-S503 or S601-S603.
  • the key server can use the second verification code to verify the availability of the first key between the key client and the key server, so as to prevent the first key generation failure or error, resulting in the encryption
  • the key client and key server cannot communicate properly.
  • the actions of the key server or key client in the above S601-S603 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the above-mentioned methods shown in FIG. 4 to FIG. 6 take the key management system 10 shown in FIG. 1A as an example to introduce the method for obtaining a key provided by the embodiment of the present application.
  • the key management system 11 shown in FIG. 1B is taken as an example below to introduce the method for obtaining a key provided by the embodiment of the present application.
  • the method for obtaining a key can be applied to a key management system.
  • the key management system includes a key server, and a first node in communication with the key server.
  • the first node is a key broker or key client. If the first node is a key agent, the key management system further includes a second node communicatively connected to the first node, and the second node is a key client.
  • the key management system may be the key management system 11 shown in FIG. 1B , in this case, the key server may be the key server 111 in FIG. 1B , and the first node may be the key server 111 in FIG. 1B Key Client 112, Key Broker 113 or Key Broker 114. If the first node is the key client 112 in FIG. 1B , for the specific process of another method for obtaining a key provided by this embodiment of the present application, reference may be made to the embodiments shown in FIG. 4 to FIG. 6 above. If the first node is key agent 113 in FIG. 1B , the second node may be key client 115 or key client 116 . If the first node is the key agent 114 in FIG. 1B , the second node may be the key client 117 .
  • the key management system can be deployed on the smart car 20 of FIG. 2A or the smart car 22 of FIG. 2B , in this case, the key server can be deployed in the smart car 20 or the smart car 22 On devices with communication capabilities and sufficient storage resources, such as: TBox, gateway, BCM, CDC, MDC, VCU, VDC or VIU.
  • the first node can be deployed on the TBox, gateway, BCM, CDC, MDC, VCU, VDC, VIU or ECU of the smart car 20 or the smart car 22 .
  • the second node may be deployed on a TBox, gateway, BCM, CDC, MDC, VCU, VDC, VIU or ECU in the smart car 20 or the smart car 22 .
  • a node in the key management system may be configured with one or more fixed keys.
  • key Fixed keys are used in key management systems.
  • the fixed key communication can be used between nodes in the key management system to improve the information security of the key management system.
  • the fixed key can also be used as the key for the communication domain in the base key derivation key management system.
  • the nodes in the key management system may also not configure a fixed key, and directly obtain keys of multiple communication domains according to the method for obtaining keys provided in the embodiments of the present application.
  • the third node in S1 is any node in the key management system. Taking the key management system 11 shown in FIG. 1B as an example, the third node may be a key server 111, a key client 112, a key agent 113, a key agent 114, a key client 115, and a key client 116 or key client 117.
  • the nodes in the key management system may be configured with relevant configuration information, and the nodes in the subsequent key management system may The relevant configuration information executes the method to obtain the key. It should be understood that if the relevant configuration information is not changed after the nodes in the key management system are configured, then each time the method for obtaining a key provided by the embodiment of the present application is executed, it is not necessary to re-configure the key again.
  • the nodes in the management system are configured with related configuration information. If the related configuration information is changed, the updated related configuration information can be configured for the nodes in the key management system.
  • S7-S9 For the specific process of configuring the relevant configuration information for the nodes in the key management system, reference may be made to the following S7-S9.
  • the first configuration information may include the information of the key server 111 , the information of the key client 112 , the information of the key agent 113 , and the information of the key agent 114 .
  • information, key client 115 information, key client 116 information, and key client 117 information can be as shown in Table 10.
  • the information of the key server 111 includes the identification of the key server 111, the information of the connection mode of each port of the key server 111, and the information of other nodes communicating with the key server 111.
  • the information of the connection mode of each port of the key server 111 includes the identification of each port of the key server 111 (port 1, port 2 and port 3), the identification of the connection mode of each port of the key server 111 (Eth , CAN and CAN), and the address of each port of the key server 111 (IP 1, CAN ID 1, and CAN ID 2).
  • the information of other nodes communicating with the key server 111 includes the identities of the other nodes communicating with the key server 111 (the identity of the key client 112, the identity of the key agent 113 and the identity of the key agent 114) and the identity of the other nodes with Information on the connection method of the key server 111 .
  • the information on the connection method between other nodes and the key server 111 includes the information on the connection method between the key client 112 and the key server 111, the information on the connection method between the key agent 113 and the key server 111, and the information on the connection method between the key agent 114 and the key server 111. information on the connection method of the key server 111.
  • the information of the connection method between the key client 112 and the key server 111 includes the identification (Eth) of the connection method between the key client 112 and the key server 111, and the port of the connection between the key client 112 and the key server 111. IP address (IP 4).
  • the information of the connection method between the key agent 113 and the key server 111 includes the identification (CAN) of the connection method between the key agent 113 and the key server 111, and the address (CAN) of the port through which the key agent 113 and the key server 111 are connected. ID 3).
  • the information of the connection method between the key agent 114 and the key server 111 includes the identification (CAN) of the connection method between the key agent 114 and the key server 111, and the address (CAN) of the port where the key agent 114 is connected to the key server 111. ID 4).
  • the information of the key client 112 can be as shown in Table 11.
  • the information of the key client 112 includes the identification of the key client 112, the information of the connection mode of each port of the key client 112, and the information of other nodes that communicate with the key client 112.
  • the information of the connection mode of each port of the key client 112 includes the identification (Eth) of the connection mode of each port of the key client 112, and the IP address (IP 4) of each port of the key client 112 .
  • the information of other nodes communicating with the key client 112 includes the identity of the other nodes communicating with the key client 112 (identity of the key server 111 ) and information of the connection mode of the other nodes and the key client 112 .
  • the information of the connection mode between other nodes and the key client 112 includes the identification of the port (port 1) where the key server 111 and the key client 112 are connected, and the identification of the connection mode between the key server 111 and the key client 112 ( Eth), and the IP address (IP 1) of the port where the key server 111 is connected to the key client 112.
  • the information of the key agent 113 can be as shown in Table 12.
  • the information of the key agent 113 includes the identification of the key agent 113, the information of the connection mode of each port of the key agent 113, and the information of other nodes that communicate with the key agent 113.
  • the information of the connection mode of each port of the key agent 113 includes the identification of each port of the key agent 113 (port 1, port 2 and port 3), the identification of the connection mode of each port of the key agent 113 (CAN , CAN, CAN), and the address of each port of the key agent 113 (CAN ID 3, CAN ID 5, and CAN ID 6).
  • the information of the other nodes in communication with the key agent 113 includes the identification of the other nodes in communication with the key agent 113 (the identification of the key server 111, the identification of the key client 115 and the identification of the key client 116) and the identification of the other nodes Information on how to connect with the key broker 113 .
  • the information on the connection method between other nodes and the key agent 113 includes the information on the connection method between the key server 111 and the key agent 113, the information on the connection method between the key client 115 and the key agent 113, and the connection method between the key client 116 and the key agent 113. Information on the connection method of the key agent 113.
  • the information of the connection mode between the key server 111 and the key agent 113 includes the identification of the port (port 2) where the key server 111 and the key agent 113 are connected, and the identification (CAN) of the connection mode between the key server 111 and the key agent 113 , and the address (CAN ID 1) of the port where the key server 111 is connected to the key agent 113.
  • the information of the connection mode of the key client 115 and the key agent 113 includes the identification (CAN) of the connection mode of the key client 115 and the key agent 113, the address of the port where the key client 115 and the key agent 113 are connected (CAN ID 7).
  • the information of the connection method between the key client 116 and the key agent 113 includes the identification (CAN) of the connection method between the key client 116 and the key agent 113, the address of the port where the key client 116 and the key agent 113 are connected (CAN ID 8).
  • the information of the key agent 114 may be as shown in Table 13.
  • the information of the key agent 114 includes the identification of the key agent 114, the information of the connection mode of each port of the key agent 114, and the information of other nodes that communicate with the key agent 114.
  • the information of the connection mode of each port of the key agent 114 includes the identification of each port of the key agent 114 (port 1 and port 2), the identification of the connection mode of each port of the key agent 114 (CAN and CAN) , and the address of each port of the key agent 114 (CAN ID 4 and CAN ID 9).
  • the information of other nodes that communicate with the key agent 114 includes the identification of the other nodes that communicate with the key agent 114 (identity of the key server 111), the information of the connection method between the key server 111 and the key agent 114, and the key client information on how the terminal 117 is connected to the key agent 114.
  • the information on the connection mode between the key server 111 and the key agent 114 includes the identification of the port (port 3) where the key server 111 is connected to the key agent 114, the identification of the connection mode between the key server 111 and the key agent 114 (CAN ), and the address (CAN ID 2) of the port where the key server 111 is connected to the key agent 114.
  • the information of the connection mode of the key client 117 and the key agent 114 includes the identification (CAN) of the connection mode of the key client 117 and the key agent 114, and the port of the key client 117 and the key agent 114. address (CAN ID 10).
  • the information of the key client 115 may be as shown in Table 14.
  • the information of the key client 115 includes the identification of the key client 115, the information of the connection mode of each port of the key client 115, and the information of other nodes that communicate with the key client 115.
  • the information of the connection mode of each port of the key client 115 includes the identification (CAN) of the connection mode of each port of the key client 115, and the address of each port of the key client 115 (CAN ID 7) .
  • the information of other nodes in communication with the key client 115 includes the identification of the other nodes in communication with the key client 115 (the identification of the key agent 113 ) and the information of the connection mode of the other nodes with the key client 115 .
  • the information of the connection mode between other nodes and the key client 115 includes the identification of the port (port 2) where the key agent 113 is connected to the key client 115, the identification of the connection mode between the key agent 113 and the key client 115 ( CAN), and the address (CAN ID 5) of the port where the key agent 113 is connected to the key client 115.
  • the information of the key client 116 may be as shown in Table 15.
  • the information of the key client 116 includes the identification of the key client 116, the information of the connection mode of each port of the key client 116, and the information of other nodes that communicate with the key client 116.
  • the information of the connection mode of each port of the key client 116 includes the identification (CAN) of the connection mode of each port of the key client 116, and the address of each port of the key client 116 (CAN ID 8) .
  • the information of other nodes in communication with the key client 116 includes the identification of the other nodes in communication with the key client 116 (the identification of the key agent 113) and the information of the connection mode of the other nodes with the key client 116.
  • the information of the connection mode between other nodes and the key client 116 includes the identification of the port (port 3) where the key agent 113 is connected to the key client 116, the identification of the connection mode between the key agent 113 and the key client 116 ( CAN), and the address (CAN ID 6) of the port where the key agent 113 is connected to the key client 116.
  • the information of the key client 117 can be as shown in Table 16.
  • the information of the key client 117 includes the identification of the key client 117, the information of the connection mode of each port of the key client 117, and the information of other nodes that communicate with the key client 117.
  • the information of the connection mode of each port of the key client 117 includes the identification (CAN) of the connection mode of each port of the key client 117, and the address of each port of the key client 117 (CAN ID 10) .
  • the information of other nodes in communication with the key client 117 includes the identification of the other nodes in communication with the key client 117 (the identification of the key agent 114 ) and the information of the connection mode of the other nodes with the key client 117 .
  • the information of the connection mode between other nodes and the key client 117 includes the identification of the port (port 2) where the key agent 114 is connected to the key client 117, the identification of the connection mode between the key agent 114 and the key client 117 ( CAN), and the address (CAN ID 9) of the port where the key agent 114 is connected to the key client 117.
  • the port 1 of the key server 111 is connected to the key client 112
  • the port 2 of the key server 111 is connected to the key agent 113
  • the port 3 of the key server 111 is connected to the key agent 114 connections.
  • Port 1 of the key agent 113 is connected to the key server 111
  • port 2 of the key agent 113 is connected to the key client 115
  • port 3 of the key agent 113 is connected to the key client 116 .
  • Port 1 of the key agent 114 is connected to the key server 111
  • port 2 of the key agent 114 is connected to the key client 117 .
  • the above-mentioned Tables 10-16 are only examples of the first configuration information.
  • the first configuration information may include less or more information than Table 10-Table 16, without limitation.
  • the key server receives the first configuration information from the key management tool or the cloud key management center. That is, the key server can obtain the first configuration information from the key management tool or the cloud key management center.
  • the key server can obtain the first configuration information from the key management tool or the cloud key management center.
  • the second configuration information may be used to indicate at least one of the following information: an identifier of the first node, a connection mode of the first node, or information of other nodes that communicate with the first node. Further, the second configuration information may also be used to indicate at least one of the following information: the identifier of the second node, the connection mode of the second node, or information of other nodes that communicate with the second node.
  • the identification of the second node is used to identify the device on which the second node is deployed. For example, if the second node is deployed on the ECU, the identifier of the second node may be the identifier of the ECU.
  • the connection mode of the second node may be used to indicate the connection mode of each port of the second node.
  • the connection manner of the second node may also be used to indicate the address of each port of the second node, such as an IP address and/or a MAC address.
  • the information of the other node in communication with the second node may be used to indicate the identity of the other node and the connection manner of the other node and the second node.
  • the identity of the other node is used to identify the device on which the other node is deployed.
  • the information of the other node in communication with the second node may also be used to indicate the address of the port through which the other node is connected to the second node, such as an IP address and/or a MAC address.
  • the second configuration information may be as shown in Table 11. If the first node is the key agent 113, the second configuration information may include the contents shown in Table 12, Table 14 and Table 15. If the first node is the key agent 114, the second configuration information may include the contents shown in Table 13 and Table 16.
  • the key server may also send a first distribution progress notification to the key management tool or the cloud key management center.
  • the first distribution progress notification may be used to indicate the progress of the key server distributing the second configuration information to each node.
  • S9 The first node sends the third configuration information to the second node.
  • the third configuration information may be used to indicate at least one of the following information: an identifier of the second node, a connection mode of the second node, or information of other nodes that communicate with the second node.
  • the third configuration information can be as shown in Table 14. Show. If the first node is the key agent 113 and the second node is the key client 116, the third configuration information may be as shown in Table 15. If the first node is the key agent 114 and the second node is the key client 117, the third configuration information may be as shown in Table 16.
  • the first node may also send a second distribution progress notification to the key management tool or the cloud key management center through the key server.
  • the second distribution progress notification may be used to indicate the progress of the distribution of the third configuration information by the first node to each node.
  • the key server may also send a distribution completion notification to the key management tool or the cloud key management center, which is used to indicate that the nodes in the key management system have all received their respective configuration information.
  • the node in the key management system can determine the information of the communication domain where the node is located according to the configuration information received by the node. Specifically, reference may be made to the following S10-S12.
  • the key server determines the information of the communication domain where the key server is located according to the first configuration information.
  • the first node determines the information of the communication domain where the first node is located according to the second configuration information.
  • the second node determines the information of the communication domain where the second node is located according to the third configuration information.
  • the second node determines the communication domain where the second node is located by using any of the foregoing manners 1 to 3, and determines information of each communication domain according to the third configuration information. Specifically, reference may be made to the corresponding description in the information for determining the communication domain in S5 or S6.
  • the information of the communication domain where the second node is located in S12 may be used to indicate at least one of the following information: the application scope of the communication domain where the second node is located, the identifier of the communication domain where the second node is located, the communication domain where the second node is located. The communication mode of the nodes in the domain, the connection mode between the second node and the nodes other than the second node in the communication domain where the second node is located, the interaction mode of the second node in the communication domain where the second node is located, the second node and The address of the port to which nodes other than the second node are connected in the communication domain where the second node is located, the protocol or algorithm supported by the second node, and the information of other nodes except the second node in the communication domain where the second node is located , or construct the key information of the key of the communication domain where the second node is located.
  • the application scope of the communication domain where the second node is located includes the entire vehicle, within a functional domain, across functional domains and between master devices, and the like.
  • the communication mode of the nodes in the communication domain where the second node is located includes point-to-point communication or point-to-multipoint communication.
  • the interaction mode of the second node in the communication domain where the second node is located includes directly communicating with the key server or communicating with the key server through a key agent.
  • the protocol or algorithm supported by the second node includes at least one of the following: the protocol of the packet supported by the second node (for example, UDP or TCP, etc.), multiple algorithms supported by the second node (for example, an integrity algorithm, an encryption algorithm, identity authentication algorithm or the derivation algorithm of the temporary key, etc.) or the information of the base key used to derive the key of the communication domain where the second node is located (for example, the storage location information of the base key, the type information of the base key, etc. ).
  • the protocol of the packet supported by the second node for example, UDP or TCP, etc.
  • multiple algorithms supported by the second node for example, an integrity algorithm, an encryption algorithm, identity authentication algorithm or the derivation algorithm of the temporary key, etc.
  • the information of the base key used to derive the key of the communication domain where the second node is located for example, the storage location information of the base key, the type information of the base key, etc.
  • the information of other nodes other than the second node in the communication domain where the second node is located may be used to indicate at least one of the following information: the identifier of the other node, the port connecting the other node and the second node, or the Protocols or algorithms supported by other nodes.
  • the key information for constructing the key of the communication domain where the second node is located may be used to indicate the storage location of the key of the communication domain where the second node is located. Further, the key information for constructing the key of the communication domain where the second node is located may also be used to indicate the type of the key of the communication domain where the second node is located.
  • the node in the key management system can obtain the key of each communication domain.
  • the method for obtaining a key provided by the embodiment of the present application is specifically described below, and the method for obtaining a key includes S701-S705.
  • the key server obtains first key information.
  • the first key information in S701 also includes the information of the second node.
  • the information of the second node is used to indicate the second node, and the second node is a key client in the first communication domain that is communicatively connected to the key agent.
  • the first key information includes the information of the second node to indicate to the key agent which key clients need to send the first key material and the identifier of the first communication domain and other information.
  • the first key information may not include the information of the second node, and the key agent determines the second node by itself after receiving the first key information.
  • the nodes included in the first communication domain in S701 are different from those in the first communication domain in S401.
  • the first communication domain includes at least two nodes in the key management system, and the at least two nodes include the second node.
  • the at least two nodes may or may not include the first node.
  • the first communication domain includes at least two key clients; alternatively, the first communication domain includes at least one key client, at least one key agent, and a key server; alternatively, the first communication domain includes at least one key client and key server; alternatively, the first communication domain includes at least one key client and at least one key broker.
  • the first communication domain includes key client 115-key client 116; or, the first communication domain includes key server 111, key agent 114 and key client terminal 117; alternatively, the first communication domain includes key server 111 and key client 112; alternatively, the first communication domain includes key agent 114 and key client 117; alternatively, the first communication domain includes key server 111 and key client 115.
  • the key server sends the first deletion request message to the key agent.
  • the first deletion request information is used to request deletion of the key before updating.
  • the first request to delete information may include the identification of the key before the update.
  • the first request to delete information may further include the identification of the first communication domain and/or the type of the key before updating.
  • the key agent may send response information of the first deletion request information to the key server, which is used to indicate that the first deletion request information is received.
  • the key agent may also send the second deletion request information to the second node.
  • the second deletion request information is used to request the second node to delete the key before updating.
  • the second deletion request information may include the identification of the key before updating.
  • the second deletion request information may further include the identification of the first communication domain and/or the type of the key before updating.
  • the second node After receiving the second deletion request information from the key agent, the second node deletes the pre-update key, and sends response information of the second request deletion information to the key agent to indicate that the pre-update key has been deleted.
  • the key agent sends the first completion information to the key server for indicating The pre-update key has been deleted. If the key agent is not included in the first communication domain, after receiving the response information for the second request to delete the information, the key agent sends first completion information to the key server to indicate that the key before the update has been deleted.
  • the first completion information may include an identifier of the key before updating and indication information that the key before updating has been deleted.
  • the first completion information may also include the identification of the first communication domain and/or the type of the key before updating.
  • the key server may send response information of the first completion information to the key client to indicate receipt of the first completion information.
  • the key agent may also periodically or aperiodically feed back the deletion progress to the key server.
  • the key agent sends the second progress notification information to the key server.
  • the second progress notification information may be used to indicate the progress of deleting the key before updating.
  • the second progress notification information may include the identification of the key before the update and progress information.
  • Progress information is used to indicate the progress of deleting the pre-update key.
  • the key server sends the information of the first key to the key agent.
  • the key agent is included in the first communication domain or not included in the first communication domain.
  • the number of key brokers is greater than or equal to 1. Exemplarily, taking the key management system shown in FIG. 1B as an example, if the first communication domain includes the key server 111 and the key agent 113, the key server 111 sends the information of the first key to the key agent 113; If the first communication domain includes the key agent 113 and the key agent 114 , the key server 111 sends the information of the first key to the key agent 113 and the key agent 114 .
  • the key server before S702, establishes a first secure channel with the key agent according to the first protocol.
  • the key agent establishes the first secure channel with the key server according to the first protocol.
  • the first secure channel in S702 is used to transmit information between the key server and the key agent.
  • the key server sends the information of the first key to the key agent through the first secure channel.
  • the key agent receives the first key information from the key server. Further, the key agent receives the first key information from the key server through the first secure channel.
  • the key agent may send response information of the first key information to the key server.
  • the response information of the first key information may be used to indicate that the key agent receives the first key information.
  • S703 The key agent generates a first key according to the first key information.
  • the key agent performs S703. If the key agent is not included in the first communication domain, the key agent may not perform S703. If the first key information includes the information of the second node, after receiving the first key information, the key agent sends the first key material and the identifier of the first communication domain to the second node according to the information of the second node. If the first key information does not include the information of the second node, after receiving the first key information and determining the second node, the key agent sends the first key information to the second node.
  • the key agent sends the first key material and the identifier of the first communication domain to the second node.
  • the key agent establishes a second secure channel with the second node according to the first protocol.
  • the second node establishes the second secure channel with the key agent according to the first protocol.
  • the second secure channel may be used to transmit information between the key agent and the second node.
  • the second secure channel includes a point-to-point secure channel between the key agent and the second node. If the number of second nodes is greater than 1, the second secure channel includes a point-to-point secure channel between the key agent and each second node; or, the second secure channel includes a point-to-point secure channel between the key agent and each second node A multipoint secure channel; alternatively, the second secure channel includes a point-to-point secure channel between the key agent and a portion of the second node, and a point-to-multipoint secure channel between the key agent and another portion of the second node.
  • the key agent sends the first key material and the identifier of the first communication domain to the second node through the second secure channel.
  • the key agent sends third completion information to the key server.
  • the third completion information may be used to instruct the key agent to complete the sending of the first key material and the identification of the first communication domain.
  • the key server may send response information of the third completion information to the key agent.
  • the response information of the third completion information is used to indicate that the key server receives the third completion information.
  • the key agent sends third progress notification information to the key server, and the third progress notification information can be used to instruct the key agent to send to the second node.
  • the third progress notification information may include the identification of the first communication domain and indication information of the progress of sending the first key material and the identification of the first communication domain.
  • the third progress notification information may also include the type of the first key.
  • the key agent sends the first key material, the identifier of the first communication domain and the type information of the first key to the second node.
  • the key key agent can also send the information of the second node to the second node, so that the second node can determine the nodes included in the first communication domain. .
  • S703 may be executed first and then S704 may be executed, or S704 may be executed first and then S703 may be executed, or S703 and S704 may be executed simultaneously.
  • the second node receives the first key material and the identification of the first communication domain from the key agent. Further, the second node receives the first key material and the identification of the first communication domain from the key agent through the second secure channel.
  • the second node may send the first response information to the key agent.
  • the first response information may be used to indicate that the second node has received the first key material and the identification of the first communication domain.
  • S705 The second node generates a first key according to the first key material.
  • the key server can configure a first key for each node in the first communication domain, and subsequently, the nodes in the first communication domain can communicate through the first key.
  • the first key is stored by a node in the first communication domain and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the key server can update the key at any time, which is very convenient. In addition, the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased. The first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the actions of the key server, key agent or key client in the above S701-S705 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG. 3 calling the application code stored in the memory 303,
  • This embodiment of the present application does not impose any limitation on this.
  • the key agent may exchange information between the key server and the key agent for the first key.
  • the availability is verified to prevent the failure or error of the first key generation, resulting in normal communication between the key server and the key agent.
  • the method shown in FIG. 7 further includes S801-S803.
  • the key server generates a first verification code according to the first verification information.
  • the key server sends the first information and the first verification code to the key agent.
  • S801-S803 can be executed first, then S704-S704 can be executed, or S704-S705 can be executed first, and then S801-S803 can be executed, and S801-S803 and S704-S705 can be executed simultaneously without limitation.
  • the key agent can verify the availability of the first key between the key server and the key agent through the first verification code, so as to prevent the first key generation failure or error, resulting in the key There is no proper communication between the server and the key broker.
  • the actions of the key server or key agent in the above S801-S803 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the key server may verify the availability of the first key between the key server and the key agent to prevent the first key from being generated. A failure or error that prevents proper communication between the key server and the key broker.
  • the method shown in FIG. 8 further includes S901-S903.
  • S901 The key agent generates a second verification code according to the second verification information.
  • S902 The key agent sends the second information and the second verification code to the key server.
  • S901-S903 can be executed first, then S801-S803 can be executed, or S801-S803 can be executed first, then S901-S903 can be executed, and S901-S903 and S801-S803 can be executed at the same time without limitation.
  • one of the key server and the key agent may also verify the feasibility of the first key. That is, the embodiment of the present application may not include S801-S803 or S901-S903.
  • the key server can verify the availability of the first key between the key server and the key agent through the second verification code, so as to prevent the first key generation failure or error, resulting in the key There is no proper communication between the server and the key broker.
  • the actions of the key server or key agent in the above S901-S903 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the second node may verify the availability of the first key between the key agent and the second node to prevent the first key from being generated. A failure or error that prevents proper communication between the key agent and the second node.
  • the method shown in FIG. 7 further includes S1001-S1003.
  • S1001 The key agent generates a third verification code according to the third verification information.
  • the third verification information may include at least one of the following information: the first key, the first key material, the third information, or the identification of the key agent.
  • the third information includes at least one of the following information: the identification of the first communication domain, the identification of the first key, and the second random number.
  • the third verification code can be used to verify whether the third verification information has been modified.
  • the third verification code may be a MAC.
  • the key agent can use one or more algorithms to calculate the third verification information to obtain the third verification code.
  • the second random number is any random number generated by the key agent, and the second random number is the same as or different from the first random number; or, the second random number is the first random number.
  • the key agent may or may not use the first key in the process of calculating the third verification code. If the third verification information does not include the first key, the key agent uses the first key in the process of calculating the first verification code.
  • S1002 The key agent sends third information and a third verification code to the second node.
  • the key agent sends the third information and the third verification code to the second node through the second secure channel.
  • the key agent periodically or aperiodically feeds back the key verification progress to the key server.
  • the key agent sends fourth progress notification information to the key server, and the fourth progress notification information may be used to indicate the progress of the key verification between the second node and the key agent.
  • the fourth progress notification information may include an identification of the first communication domain and indication information of the progress of verifying the first key.
  • the fourth progress notification information may further include the type of the first key.
  • the second node receives the third information and the third verification code from the key agent. Further, the second node receives the third information and the third verification code from the key agent through the second secure channel.
  • the second node verifies the third verification code, including: the second node generates the third verification code according to the third verification information, if the third verification code generated by the second node and the received third verification code If they are the same, the verification is successful; if the third verification code generated by the second node is different from the received third verification code, the verification fails.
  • the second node uses the same algorithm as when the key agent generates the third verification code to calculate the third verification information to obtain the third verification code.
  • the second node sends eighth notification information to the key agent.
  • the eighth notification information is used to instruct the second node to verify whether the third verification code is successful.
  • the second node may send the eighth notification information to the key agent through the second secure channel. If the second secure channel is a point-to-multipoint secure channel, other second nodes in the second communication domain may also receive the eighth notification information. Other second nodes may determine whether the second node succeeds in verifying the third verification code according to the eighth notification information, or may ignore the eighth notification information.
  • the key agent after receiving the eighth notification information from one or more second nodes, the key agent sends the first notification information to the key server.
  • the first notification information may be used to notify the verification results of the nodes within the first communication domain, eg, the verification results of the one or more second nodes. If the node verification of one or more second nodes fails, or the key server does not receive the first notification information within the second preset time period, the key server may re-send the information for configuring the key to the key agent .
  • the key server after receiving the first notification information, the key server sends response information to the key agent.
  • the response information is used to indicate that the first notification information is received. If the response information is not received within the third preset time period, the key agent may resend the response information.
  • the first preset duration, the second preset duration and the third preset duration may be the same or different.
  • S1001-S1003 may also be executed before S801, after S803, before S901, or after S903, which is not limited in this embodiment of the present application.
  • S1001-S1003 are executed before S901, or executed after S903, S1001 and S901 may be combined. That is, the key agent can generate a verification code that can be used both to verify the availability of the first key between the second node and the key agent, and to verify that the first key is available between the key server and the key agent. Availability between key brokers.
  • the second node can use the third verification code to verify the availability of the first key between the second node and the key agent, so as to prevent the failure or error of the first key generation, resulting in the second There is no proper communication between the node and the key broker.
  • the actions of the key agent or the key client in the above S1001-S1003 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the key agent may communicate the first key between the second node and the key agent.
  • the availability is verified to prevent the failure or error of the first key generation, resulting in normal communication between the second node and the key agent.
  • the method shown in FIG. 10 further includes S1101-S1103.
  • the second node generates a fourth verification code according to the fourth verification information.
  • the fourth verification information may include at least one of the following information: a first key, a first key material, fourth information, an identifier of the second node, or a second random number.
  • the fourth information includes the identification of the first communication domain, and/or the identification of the first key.
  • the fourth verification code can be used to verify whether the fourth verification information has been modified.
  • the fourth verification code may be a MAC.
  • the second node may use one or more algorithms to calculate the fourth verification information to obtain the fourth verification code.
  • the second node may or may not use the first key in the process of calculating the fourth verification code. If the fourth verification information does not include the first key, the second node uses the first key in the process of calculating the fourth verification code.
  • the random number included in the fourth verification information may also be a random number generated by the second node.
  • the fourth verification information includes the first key, and/or, the first key material, and/or, the fourth information, and/or, the identification of the second node.
  • the fourth information includes at least one of the following information: an identification of the first communication domain, an identification of the first key, or a fourth random number.
  • the fourth random number is any random number generated by the second node.
  • the fourth random number is the same as or different from the second random number.
  • S1102 The second node sends the fourth information and the fourth verification code to the key agent.
  • the second node sends the fourth information and the fourth verification code to the key agent through the second secure channel.
  • the key agent receives the fourth information and the fourth verification code from the second node. Further, the key agent receives the fourth information and the fourth verification code from the second node through the second secure channel.
  • the key agent verifies the fourth verification code, including: the key agent generates the fourth verification code according to the fourth verification information, if the fourth verification code generated by the key agent and the received fourth verification code If they are the same, the verification is successful; if the fourth verification code generated by the key agent is different from the received fourth verification code, the verification fails.
  • the key agent sends the first notification information to the key server.
  • the first notification information may be used to notify the verification result of the node in the first communication domain, for example, the verification result of the key agent. It can be understood that if the verification of the nodes in the first communication domain fails, or the key server does not receive the first notification information within the second preset time period, the key server can re-send the information for configuring the key to the key agent. .
  • the key server after receiving the first notification information, the key server sends response information to the key agent.
  • the response information is used to indicate that the first notification information is received. If the response information is not received within the third preset time period, the key agent may resend the response information.
  • S1001-S1003 may be executed first, and then S1101-S1103 may be executed, or S1101-S1103 may be executed first, and then S1001-S1003 may be executed.
  • one of the key agent and the second node may also verify the feasibility of the first key. That is, the embodiment of the present application may not include S1001-S1003 or S1101-S1103.
  • S1101-S1103 may also be executed before S801, after S803, before S901, or after S903, which is not limited in this embodiment of the present application.
  • the key agent can verify the availability of the first key between the second node and the key agent through the fourth verification code, so as to prevent the failure or error of the first key generation, resulting in the second There is no proper communication between the node and the key broker.
  • the actions of the key agent or the key client in the above S1101-S1103 can be executed by the processor 301 in the apparatus 30 for obtaining keys shown in FIG.
  • the example does not impose any restrictions on this.
  • the center may send the first request stop information to the key server.
  • the first request to stop information may be used to request to stop configuring a key for a node in the first communication domain, and the first request to stop information may include an identification of the smart car and an identification of the first communication domain.
  • the first request stop information may also include the type of key to stop configuration.
  • the key server can send the response information of the first request to stop the information to the key management tool, the first terminal, the second terminal or the cloud key management center, and the response information of the first request to stop the information. Can be used to indicate that the key server receives the first request to stop information. Or, after receiving the first stop request information, the key server sends the second stop request information to each node in the first communication domain. The second request stop information is used to instruct to stop configuring keys for nodes in the first communication domain. After receiving the second stop request information, each node may send response information for the second stop request information to the key server. The response information of the second request to stop the information may be used to indicate that the configuration key has been stopped.
  • the key server After receiving the response information of the second request stop information from each node, the key server sends the response information of the first request stop information to the key management tool, the first terminal, the second terminal or the cloud key management center.
  • the response information of the first request to stop the information may be used to indicate that each node in the first communication domain has stopped configuring the key.
  • the response information for the first request for the stop information may include the identifier of the smart car and the identifier of the first communication domain. Further, the response information for the first request to stop the information may further include the type of the key to be stopped from being configured and/or the indication information that the configuration of the key has been stopped.
  • the key server may send a fourth completion message to the key management tool, the first terminal, the second terminal, or the cloud key management center.
  • the fourth completion information may be used to indicate that the node configuration key in the first communication domain is complete.
  • the fourth completion information may include the identification of the smart car and the identification of the first communication domain.
  • the fourth completion information may also include the type of the first key.
  • the key management tool, the first terminal, the second terminal or the cloud key management center may send response information of the fourth completion information to the key server.
  • the response information of the fourth completion information is used to indicate that the fourth completion information is received.
  • the response information of the fourth completion information may include the identification of the smart car and/or the indication information that the node configuration key in the first communication domain is completed.
  • the key server may send third request stop information to the first node.
  • the third request stop information may be used to request to stop the key verification, and the third request stop information may include the identification of the first communication domain and the identification of the key to be verified.
  • the third request stop information may also include the type of key for which verification is to be stopped.
  • the first node may send response information for the third stop request information to the key server, and the response information for the third stop request information may be used to indicate that the third stop request information is received.
  • the first node after receiving the third stop request information, the first node sends the fourth stop request information to the second node.
  • the fourth request stop information is used to instruct to stop key verification.
  • the second node may send response information of the fourth stop request information to the first node.
  • the response information of the fourth request to stop the information may be used to indicate that the verification key has been stopped.
  • the first node After receiving the response information of the fourth request to stop the information from the second node, the first node sends the third response information of the request to stop the information to the key server.
  • the response information of the third request to stop the information may be used to indicate that each node in the first communication domain has stopped verifying the key.
  • the response information of the third request to stop the information may include the identification of the first communication domain and the identification of the key to stop the verification. Further, the response information for the third request to stop the information may further include the type of the key to be stopped for verification and/or the indication information that the verification of the key has been stopped.
  • the first communication domain includes a key server, a key agent and a key client.
  • the key server is deployed on the gateway 202 in FIG. 2A
  • the key agent is deployed on the MDC 205 in FIG. 2A
  • the key client is deployed on Taking the ECU 211 of FIG. 2A as an example, the method for obtaining a key provided by the embodiment of the present application will be described in detail.
  • FIG. 12 another method for obtaining a key provided by an embodiment of the present application can be applied to the smart car 20 in FIG. 2A .
  • the method for obtaining the key includes S1201-S1217.
  • the gateway 202 obtains first key information.
  • the gateway 202 sends the information of the first key to the MDC 205.
  • the MDC 205 generates a first key according to the first key information.
  • the MDC 205 sends the first key material and the identifier of the first communication domain to the ECU 211.
  • S1205 The ECU 211 generates a first key according to the first key material.
  • S1206 The gateway 202 generates a first verification code according to the first verification information.
  • the gateway 202 sends the first information and the first verification code to the MDC 205.
  • S1209 The MDC 205 generates a second verification code according to the second verification information.
  • the MDC 205 sends the second information and the second verification code to the gateway 202.
  • S1212 The MDC 205 generates a third verification code according to the third verification information.
  • the MDC 205 sends the third information and the third verification code to the ECU 211.
  • S1215 The ECU 211 generates a fourth verification code according to the fourth verification information.
  • S1216 The ECU 211 sends the fourth information and the fourth verification code to the MDC 205.
  • the gateway 202 can configure a first key for the gateway 202, the MDC 205 and the ECU 211 in the first communication domain, and subsequently, the gateway 202, the MDC 205 and the ECU 211 can use the first key to communication.
  • the first key is stored by the gateway 202, the MDC 205 and the ECU 211, and is not easily leaked. Even if it is leaked, it will not affect the security of other communication domains, so communication security can be improved.
  • the gateway 202 can update the keys of each device at any time, which is very convenient. In addition, the storage space occupied by the first key is small, and the hardware and software costs of nodes in the key management system are not increased.
  • the first key also does not need to be managed by the car factory, and will not increase the management cost of the car factory.
  • the gateway 202, the MDC 205 and the ECU 211 can mutually verify the availability of the first key, so as to prevent the failure or error in the generation of the first key, resulting in failure of normal communication between the gateway 202, the MDC 205 and the ECU 211.
  • the key server may also mark the current state of the key management system, so that the user can know the current state of the key management system.
  • the state information can be stored in the non-volatile storage area of the key server.
  • the status information may include build status information, build type (build type) information and build stage (build stage) information.
  • Build status information can be used to indicate an unbuild status, a build status, or a build completed status.
  • the build type information can be used to indicate the initial build of the key management system, the key update phase in the communication domain, or the device replacement phase in the smart car.
  • the construction phase information may be used to indicate a fixed key filling phase, a long-term key construction phase for the communication domain, or a temporary key construction phase for the communication domain.
  • the build status information when the smart car is used for the first time and is ready to execute S1, the build status information may indicate an unbuilt state, the build type information may indicate the initial build of the key management system, and the build stage information may indicate a fixed key filling stage.
  • the construction status information may indicate the construction status
  • the construction type information may indicate the key update stage of the communication domain
  • the construction stage information may indicate the long-term encryption of the communication domain.
  • the build status information can indicate the build completion status
  • the build type information can indicate the device replacement in the smart car stage
  • the construction stage information may indicate a long-term key construction stage of the communication domain or a temporary key construction stage of the communication domain.
  • the information for example, the first request information, the first key information etc.
  • the information can be divided into request information, response information and notification information according to different functions.
  • the request information can be used to obtain some information.
  • a response message may correspond to a request message, and is used to return the requested message.
  • the notification information can be used to notify the current status, the processing result of a certain operation, or the progress of a certain operation.
  • the message types involved in the embodiments of the present application, the value (value) of each message type, and the meaning of each message type may be as shown in Table 17.
  • the categories of information include the first type of information and the second type of information.
  • the first type of information is the information communicated between the internal node of the key management system and the external node of the key management system, which can be represented by 1.
  • the second type of information is the information communicated between the internal nodes of the key management system, which can be represented by 2.
  • the internal nodes of the key management system may include key servers, key agents or key clients.
  • the external nodes of the key management system may include a key management tool, a cloud key management center, or a first terminal, and the like.
  • the first type of information may include a plurality of fields, for example, a message ID (message ID) field, a message length (length) field, a key management system version number (version) field, a message type field, a message flag (flags) ) field, next payload field, source APP type field, destination APP type field, and message content field.
  • the second type of information may include multiple fields, for example, a message identification field, a message length field, a key management system version number field, a message type field, a message flags field, a next payload field, Source device identification (source device ID) field, destination device identification (destination device ID) field and message content (message content) field.
  • the message format of the first type of information and the message format of the second type of information may be as shown in FIG. 13 . This embodiment of the present application does not limit the number of bits included in each of the foregoing fields.
  • the message identification field may indicate the message identification.
  • the message identifier can be the message sequence number of the service message of the key management system, which can assist in identifying the request information corresponding to a response information, and can also identify the request information and retransmit the request information after the request information times out.
  • the message length field may indicate the message length of the first type of information or the second type of information.
  • the version number field of the key management system may indicate the version number of the key management system.
  • the message type field may indicate the message type.
  • the message tag field can indicate the function of the information, for example, whether the information is request information or response information, and the message tag field can also indicate the operation type.
  • the first bit in the message flag field is used to indicate whether the information is request information or response information, and the other bits in the message flag field are used to indicate the type of operation.
  • the next payload field may also be referred to as the next TLV (type, length, value) type field, which may indicate the TLV type (TLV type) of the first payload in the message content field.
  • the source application type field may indicate the type of the source application.
  • the destination application type field may indicate the type of the destination application.
  • the type of the source application and the type of the destination application may include a cloud key management center (CloudKeyManagerCenter), a key management tool (KeyManagerTool), a first terminal (UserAppTool) or a node in the key management system (InCarKMS).
  • the message content field may indicate the content of the first type of information or the second type of information.
  • the source device identification field may indicate the identification of the source device.
  • the destination device identification field may indicate the identification of the destination device. It can be understood that the identification of the device in the smart car is unique in the smart car. In different smart cars, the identification of the same device may be the same or different. For example, the identification of the CDC in the smart car 1 and the identification of the CDC in the smart car 2 may be the same or different.
  • the destination device identification field may also indicate the communication mode of the second type of information.
  • the second type of information communication includes point-to-point communication or point-to-multipoint communication. Among them, point-to-point communication may also be called unicast communication, and point-to-multipoint communication may also be called broadcast communication. For example, if the destination device identification field is all 0 or all F, it indicates that the communication mode of the second type of information includes point-to-multipoint communication.
  • the receiver may send a response message to the sender in a point-to-multipoint manner after receiving the request message. After other receivers except the receiver receive the response information, the response information can be ignored.
  • the destination device identification field corresponding to the request information is all 0 or all F
  • the source device identification field corresponding to the request information is the identifier of the sender.
  • the destination device identifier field corresponding to the response information is the identifier of the sender
  • the source device identifier field corresponding to the response information is the identifier of the receiver.
  • the sender may re-send the request information to the receiver.
  • the sender can still send the request information to the receiver in a point-to-multipoint manner, and the sender can also send the request information to the receiver in a point-to-point manner.
  • the sender sends the request information to the receiver in a point-to-multipoint manner, for the receiver that has sent the response information, the receiver can ignore the request information, or send the response information to the sender again.
  • the sender can send the request information to the receiver again, or not to the receiver again.
  • Request information If the sender sends the request message to the receiving method again, after receiving the request message, the receiver can ignore the request message, or send the response message to the sender again. It is understandable that if the sender does not receive the response information from the receiver after sending the request information to the receiver for many times in a point-to-point manner, it can be confirmed that the receiver is in an abnormal state.
  • the node receiving the information can use the TLV type indicated by the next payload field. Parse the first payload in the message content field.
  • the format of the TLV may include a TLV header (TLV Header) and TLV data (TLV Data).
  • TLV Header may include a TLV type field, a reserved (reserved) field, and a TLV length field.
  • the TLV Type field may indicate the TLV type of the next TLV, and the node receiving the information may parse the next TLV according to the TLV type indicated by the TLV Type field. Reserved fields can be used for future extensions to this TLV format.
  • the TLV length field may indicate the TLV length, that is, the length of the TLV Header and TLV Data.
  • TLV types, the value of each TLV type, and the meaning of each TLV type can be as shown in Table 19. It can be understood that the TLV data corresponding to different TLV types are different.
  • the format of the TLV may be as shown in FIG. 14 .
  • the format of Vehicle No (VehicleNoPyld) includes TLV Header and Vehicle No fields.
  • the Vehicle No field is used to indicate the vehicle number.
  • the vehicle number can also be called the vehicle identification, the identification of the smart car, etc. Different car manufacturers may have different vehicle numbering rules, and the number of bits required for vehicle numbering may also be different. Therefore, the vehicle number defines a separate TLV, and the specific number is formulated by each car manufacturer.
  • the format of the Security Domain Info includes a TLV Header, a key type (key type) field, and a communication domain identifier (SecDomainID) field.
  • the key type field, the value of each key type, and the meaning of each key type may be as shown in Table 20.
  • the ID field of the communication domain is used to indicate the ID of the communication domain.
  • the definitions or values of the identifiers of the communication domains of different smart cars may be the same or different. Different communication domains in the same smart car have different identities. The way or value of the identification of the communication domain may be defined by the vehicle manufacturer.
  • the format of the Security Domain Info may also include a device ID (Device ID) field.
  • the device identification field is used to indicate the device identification. For the same device of different smart cars, the device identification may be the same or different. In the same smart car, the device IDs of different devices are different.
  • GlobalFixKey 1 Use a fixed key with the scope of the entire vehicle
  • GlobalLongTermKey 2 Use a long-term key that covers the entire vehicle SecDomainFixKey 3
  • the fixed key corresponding to the communication domain SecDomainLongTermKey 4 The long-term key corresponding to the communication domain
  • the format of the Key Security Domain includes a TLV Header, a key type field, a communication domain identification field, and a key identification (key ID) field. Further, the format of the Key Security Domain may also include a device identification field.
  • the format of Key Material includes TLV Header, key material type (key material type, KeyMat Type) field, KDF identification (KDF ID) field, key identification field, and random number or key ( Nonce_K or Key) field.
  • key material type key material type, KeyMat Type
  • KDF ID KDF identification
  • key identification field key identification field
  • random number or key Nonce_K or Key
  • the key material type, the value of each key material type, and the meaning of each key material type may be as shown in Table 21.
  • the random number or key field is used to indicate the random number (eg, the first key material or the second key material) or the key (eg, the first key or the second key) used to generate the key.
  • the format of the Key Material may also include the identification (Old Key ID) field of the key before the update.
  • the ID field of the key before updating is used to indicate the ID of the key before updating.
  • the KDF ID (KDF ID) field is used to indicate the KDF ID.
  • the KDF flag, the value of the KDF flag, and the meaning of the KDF flag can be as shown in Table 22.
  • the format of Key Confirmed includes TLV Header, key type field, key identification field and MAC field.
  • the MAC field is used to indicate the calculated MAC.
  • the format of Key Confirmed may also include the identification field of the key before updating.
  • the format of Key Validate includes TLV Header, key type field, identification field of communication domain, identification field of key, random number field and MAC field.
  • the random number field is used to indicate the random number (for example, the first random number or the second random number) used for key verification.
  • the MAC field is used to indicate the calculated MAC.
  • the calculation method of the MAC in the Key Validate format and the MAC calculation method in the Key Confirmed format can be the same or different.
  • the format of Key Validate may also include a device identification field.
  • the format of Key Remain Time includes TLV Header, key type field, key identifier, remaining timeout days (Remain Days) field and remaining timeout time (Remain time (s)) field.
  • the Remaining Timeout Days field is used to indicate the remaining days that the key is valid. For example, if the Remaining Timeout Days field indicates 30 days, it means that the key will expire after 30 days.
  • the Remaining Timeout field is used to indicate the remaining time that the key is valid when the key is valid for less than one day. For example, if the Remaining Timeout field indicates 5 hours and 30 minutes, it means that the key will expire after 5 hours and 30 minutes.
  • the format of Progress includes TLV Header, build type (build type) field, build stage (build stage) field, the identification (CurSecDomainID) field of the currently constructed communication domain, and the identification (CurDeviceID) field of the current device , the Finished Nums field and the Remain Nums field.
  • the construction type field is used to indicate the construction type, for example, the initial construction of the key management system, the key update phase of the communication domain, or the replacement phase of the device in the smart car.
  • the Build Phase field is used to indicate a build phase, for example, a fixed key filling phase, a long-term key build phase for the communication domain, or an ephemeral key build phase for the communication domain.
  • the ID field of the currently constructed communication domain is used to indicate the ID of the communication domain for which the key is being constructed.
  • the ID field of the current device is used to indicate the ID of the device that is building the key.
  • the Completion Quantity field is used to indicate the number of communication domains or devices that have completed key construction.
  • the Remaining Quantity field is used to indicate the number of communication domains or devices that have not completed key construction.
  • the format of Nonce includes a TLV Header and a random number field.
  • the random number field is used to indicate the random number. This random number can be used for key generation or key verification.
  • the format of Result includes TLV Header and result status (result status) fields.
  • the result status field is used to indicate the result of building the key, for example, the build succeeded or the build failed.
  • the format of Result may also include an error code (error code) field.
  • error code field can indicate the error code corresponding to the cause of the build failure in the case of failure to build the key.
  • the embodiments of the present application do not limit the number of fields included in the above-mentioned various TLV formats, nor limit the number of bits included in each field.
  • the format of the TLV may include more or fewer fields than any of the formats shown in FIG. 14 .
  • the number of bits in the same field included in the formats of different TLVs may be the same or different.
  • the number of bits included in the key type field in the format of Key Security Domain may be the same or different from the number of bits included in the key type field in the format of Key Remain Time.
  • Table 23 provides information, functions, message types, and types of information transmitted between a key server, a key client, a key management tool, and a cloud key management center provided by this embodiment of the application. Corresponding relationship between operation type, information category, information application scenario, and information TLV format. Wherein, NA in the operation type indicates that the information does not involve the operation type, or indicates that the information does not have a corresponding operation type. In this case, if the function of the message is response, the message can be identified as response message by the message tag field in the message. NULL means not to use the TLV format.
  • the above-mentioned key server, key agent or key client, etc. include corresponding hardware structures and/or software modules for executing each function.
  • the unit and algorithm operations of each example described in conjunction with the embodiments disclosed herein can be implemented in hardware or in the form of a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • the key server, the key agent, or the key client may be divided into functional modules according to the foregoing method examples.
  • each functional module may be divided into each function, or two or more functions may be divided into two or more functional modules.
  • integrated in a processing module can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
  • FIG. 15 shows a schematic structural diagram of an apparatus 150 for obtaining a key.
  • the apparatus 150 for obtaining a key includes a processing unit 1501 and a transceiving unit 1502 .
  • the apparatus 150 for obtaining a key is used to implement the function of a key server.
  • the apparatus 150 for obtaining a key is, for example, the key server described in the embodiment shown in FIG. 4 to the embodiment shown in FIG. 11 .
  • the apparatus 150 for obtaining a key may be a key server, or may be a chip applied in the key server or other combined devices or components having the above-mentioned key server function.
  • the processing unit 1501 may be a processor (or a processing circuit), such as a baseband processor.
  • the baseband processor may include one or more CPUs
  • the transceiver unit 1502 may be a transceiver unit 1502.
  • the transceiver may include an antenna and radio frequency circuits, etc.
  • the processing unit 1501 may be a processor (or a processing circuit), such as a baseband processor, and the transceiver unit 1502 may be a radio frequency unit.
  • the processing unit 1501 may be a processor (or a processing circuit) of the chip system, and may include one or more central processing units, and the transceiver unit 1502 may be a chip (eg, a baseband chip) input and output interface.
  • processing unit 1501 in this embodiment of the present application may be implemented by a processor or a processor-related circuit component (or referred to as a processing circuit), and the transceiver unit 1502 may be implemented by a transceiver or a transceiver-related circuit component.
  • the processing unit 1501 may be used to perform all operations performed by the key server in the embodiment shown in FIG. 4 except for the transceiving operations, such as S401 and/or other processes for supporting the techniques described herein.
  • the transceiving unit 1502 may be configured to perform all transceiving operations performed by the key server in the embodiment shown in FIG. 4, such as S402 and/or other processes for supporting the techniques described herein.
  • the processing unit 1501 is used to obtain first key information, the first key information includes first key material and an identifier of the first communication domain, the first key material is used to generate a first key, the first communication The identifier of the domain is used to indicate the first communication domain, the first key is applied to the first communication domain, the first communication domain includes at least two nodes in the key management system, and the at least two nodes include the first node.
  • the transceiver unit 1502 is configured to send the first key information to the first node.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the processing unit 1501 is further configured to generate a first verification code according to the first verification information, where the first verification information includes at least one of the following information: a first key, a first key material, a first key information, or the identification of the device 150 for obtaining the key, the first information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the first random number;
  • the first node sends the first information and the first verification code.
  • the transceiver unit 1502 is further configured to receive the second information and the second verification code from the first node, the second verification code is generated according to the second verification information, and the second verification information includes the following information: At least one of: the first key, the first key material, the second information, the identification of the first node, or the first random number, the second information includes the identification of the first communication domain, and/or, the first key
  • the processing unit 1501 is further configured to verify the second verification code.
  • the processing unit 1501 is further configured to establish a first secure channel with the first node according to the first protocol, and the first secure channel is used to transmit information between the apparatus 150 for obtaining the key and the first node.
  • the number of the first nodes is greater than 1, and the first security channel includes a point-to-point security channel between the device 150 for obtaining a key and each first node; or, the first security channel includes obtaining a key a point-to-multipoint secure channel between the device 150 and each first node; or, the first secure channel includes a point-to-point secure channel between the device 150 for obtaining the key and a part of the first nodes, and the device for obtaining the key 150 A point-to-multipoint secure channel with another part of the first node.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client.
  • the second node is included in the first communication domain.
  • the transceiver unit 1502 is further configured to receive first notification information from the first node, where the first notification information is used to notify the nodes in the first communication domain of the verification result.
  • the processing unit 1501 is further configured to acquire first configuration information, where the first configuration information is used to indicate at least one of the following information: an identifier of a node in the key management system, a node in the key management system the connection method, or information about other nodes that communicate with the node in the key management system.
  • the transceiver unit 1502 is further configured to send second configuration information to the first node, where the second configuration information is used to indicate at least one of the following information: the identifier of the first node, the connection of the first node mode, or information of other nodes that communicate with the first node.
  • the first node is a key agent
  • the key management system further includes a second node communicatively connected to the first node
  • the second node is a key client
  • the second configuration information is also used to indicate the following: At least one of the information: the identifier of the second node, the connection mode of the second node, or information of other nodes that communicate with the second node.
  • the processing unit 1501 is further configured to determine the information of the communication domain where the device 150 for obtaining the key is located according to the first configuration information, and the information of the communication domain where the device 150 for obtaining the key is located is used to indicate the following information At least one of: the communication mode of the node in the communication domain where the device 150 for obtaining the key is located, and the communication mode of the node in the communication domain where the device 150 for obtaining the key is located, the location where the device 150 for obtaining the key and the device 150 for obtaining the key are located.
  • connection mode of the nodes in the communication domain except the device 150 for obtaining the key the information of other nodes in the communication domain where the device 150 for obtaining the key is located except the device 150 for obtaining the key, or the construction of the device for obtaining the key.
  • the transceiver unit 1502 is further configured to receive the first confirmation information from the key management tool; or, the transceiver unit 1502 is further configured to receive the first confirmation information from the first terminal; or, the transceiver unit Step 1502 is further configured to receive first confirmation information from the second terminal, wherein the first confirmation information is used to trigger the key acquisition device 150 to acquire the first key information.
  • the first protocol includes a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • FIG. 16 shows a schematic structural diagram of an apparatus 160 for obtaining a key.
  • the apparatus 160 for obtaining a key includes a transceiving unit 1601 and a processing unit 1602 .
  • the apparatus 160 for obtaining the key is used to implement the function of the first node.
  • the apparatus 160 for obtaining a key is the key client described in the embodiment shown in FIG. 4 to the embodiment shown in FIG. 6 .
  • the apparatus 160 for obtaining a key is the key agent described in the embodiment shown in FIG. 7 to the embodiment shown in FIG. 11 .
  • the device 160 for obtaining a key may be a key client/key proxy, or a chip applied to the key client/key proxy, or another key client/key proxy having the above-mentioned key client/key proxy.
  • the transceiver unit 1601 may be a transceiver
  • the transceiver may include an antenna and a radio frequency circuit, etc.
  • the processing unit 1602 may be a processor (or a processing circuit),
  • a baseband processor may include one or more CPUs.
  • the transceiver unit 1601 may be a radio frequency unit, and the processing unit 1602 may be a processor (or a processing circuit), such as a baseband processor.
  • the transceiver unit 1601 may be an input/output interface of a chip (eg, a baseband chip), and the processing unit 1602 may be a processor (or a processing circuit) of the chip system, which may include one or more a central processing unit.
  • transceiver unit 1601 in this embodiment of the present application may be implemented by a transceiver or a transceiver-related circuit component
  • processing unit 1602 may be implemented by a processor or a processor-related circuit component (or referred to as a processing circuit).
  • the transceiving unit 1601 may be used to perform all transceiving operations performed by the key client in the embodiment shown in FIG. 4 , such as S402 and/or other processes for supporting the techniques described herein.
  • the processing unit 1602 may be configured to perform all operations performed by the key client in the embodiment shown in FIG. 4 except for the transceiving operations, such as S403 and/or other processes for supporting the techniques described herein.
  • the transceiving unit 1601 may be configured to perform all transceiving operations performed by the key agent in the embodiment shown in FIG. 7, such as S702 and S704, and/or other processes for supporting the techniques described herein.
  • the processing unit 1602 may be used to perform all operations performed by the key agent in the embodiment shown in FIG. 7 except for the transceiving operations, such as S703 and/or other processes for supporting the techniques described herein.
  • the transceiver unit 1601 is used to receive the information of the first key from the key server, the information of the first key includes the first key material and the identification of the first communication domain, and the identification of the first communication domain is used to indicate first communication domain.
  • the processing unit 1602 is configured to generate a first key according to the first key material, the first key is applied to the first communication domain, the first communication domain includes at least two nodes in the key management system, and the at least two nodes include Means 160 for obtaining keys.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the transceiver unit 1601 is further configured to receive the first information and the first verification code from the key server, the first verification code is generated according to the first verification information, and the first verification information includes the following information: At least one of: the first key, the first key material, the first information, or the identification of the key server, the first information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the first random number; the transceiver unit 1601 is also used to verify the first verification code.
  • the processing unit 1602 is further configured to generate a second verification code according to the second verification information, where the second verification information includes at least one of the following information: a first key, a first key material, a second key information, the identification of the device 160 for obtaining the key, or the first random number, the second information includes the identification of the first communication domain, and/or the identification of the first key; the transceiver unit 1601 is also used to send the key server Send the second information and the second verification code.
  • the processing unit 1602 is further configured to establish a first secure channel with the key server according to the first protocol, and the first secure channel is used to transmit the information between the key server and the device 160 for obtaining the key .
  • the number of apparatuses 160 for obtaining keys is greater than 1, and the first secure channel includes a point-to-point secure channel between the key server and each apparatus 160 for obtaining keys; or, the first secure channel includes A point-to-multipoint secure channel between the key server and each device 160 for obtaining keys; alternatively, the first secure channel includes a point-to-point secure channel between the key server and a portion of the devices 160 for obtaining keys, and the key A point-to-multipoint secure channel between the server and another part of the device 160 that obtains the key.
  • the apparatus 160 for obtaining a key is a key agent
  • the key management system further includes a second node that is communicatively connected to the apparatus 160 for obtaining a key, and the second node is a key client.
  • the second node is included in the first communication domain; the transceiver unit 1601 is further configured to send the first key material and the identifier of the first communication domain to the second node.
  • the processing unit 1602 is further configured to generate a third verification code according to third verification information, where the third verification information includes at least one of the following information: a first key, a first key material, a third information, or the identification of the device 160 for obtaining the key, the third information includes at least one of the following information: the identification of the first communication domain, the identification of the first key or the second random number;
  • the second node sends the third information and the third verification code.
  • the transceiver unit 1601 is further configured to receive the fourth information and the fourth verification code from the second node, the fourth verification code is obtained according to the fourth verification information, and the fourth verification information includes the following information: At least one of: first key, first key material, fourth information, identification of the second node, or second random number, the fourth information includes the identification of the first communication domain, and/or, the identification of the first key identification; the processing unit 1602 is further configured to verify the fourth verification code.
  • the transceiver unit 1601 is further configured to send first notification information to the key server, where the first notification information is used to notify the verification results of the nodes in the first communication domain.
  • the processing unit 1602 is further configured to establish a second secure channel with the second node according to the first protocol, and the second secure channel is used to transmit the information between the device 160 for obtaining the key and the second node .
  • the number of the second nodes is greater than 1, and the second security channel includes a point-to-point security channel between the device 160 for obtaining a key and each second node; or, the second security channel includes obtaining a key. a point-to-multipoint secure channel between the device 160 and each second node; or, the second secure channel includes a point-to-point secure channel between the device 160 for obtaining the key and a part of the second node, and the device for obtaining the key 160 point-to-multipoint secure channel with another part of the second node.
  • the transceiver unit 1601 is further configured to receive second configuration information from the key server, where the second configuration information is used to indicate at least one of the following information: the identification of the device 160 for obtaining the key, the obtaining The connection method of the device 160 for obtaining the key, or the information of other nodes that communicate with the device 160 for obtaining the key.
  • the device 160 for obtaining keys is a key agent
  • the key management system further includes a second node that is communicatively connected to the device 160 for obtaining keys, the second node is a key client, and the second configuration
  • the information is also used to indicate at least one of the following information: the identifier of the second node, the connection mode of the second node, or the information of other nodes that communicate with the second node; the transceiver unit 1601 is also used to send to the second node
  • the third configuration information where the third configuration information is used to indicate at least one of the following information: the identifier of the second node, the connection mode of the second node, or the information of other nodes that communicate with the second node.
  • the processing unit 1602 is further configured to determine the information of the communication domain where the device 160 for obtaining the key is located according to the second configuration information, and the information of the communication domain where the device 160 for obtaining the key is located is used to indicate the following information: At least one of: the identification of the communication domain where the device 160 for obtaining the key is located, the communication mode of the nodes in the communication domain where the device 160 for obtaining the key is located, the communication between the device 160 for obtaining the key and the device 160 for obtaining the key are located The connection mode of nodes in the domain other than the device 160 for obtaining the key, the information of other nodes in the communication domain where the device 160 for obtaining the key is located except the device for obtaining the key 160, or the construction of the device for obtaining the key. The key information of the key of the communication domain where 160 is located.
  • the first protocol includes a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • the apparatus 160 for obtaining the key is used to implement the function of the second node.
  • the apparatus 160 for obtaining a key is, for example, the second node described in the embodiment shown in FIG. 7 to the embodiment shown in FIG. 11 .
  • the apparatus 160 for obtaining the key may be the second node, or may be a chip applied in the second node or other combined device or component having the function of the second node described above.
  • the transceiver unit 1601 may be a transceiver
  • the transceiver may include an antenna and a radio frequency circuit, etc.
  • the processing unit 1602 may be a processor (or a processing circuit), such as a baseband processor, One or more CPUs may be included in the baseband processor.
  • the transceiver unit 1601 may be a radio frequency unit, and the processing unit 1602 may be a processor (or a processing circuit), such as a baseband processor.
  • the transceiver unit 1601 may be an input/output interface of a chip (eg, a baseband chip), and the processing unit 1602 may be a processor (or a processing circuit) of the chip system, which may include one or more a central processing unit.
  • transceiver unit 1601 in this embodiment of the present application may be implemented by a transceiver or a transceiver-related circuit component
  • processing unit 1602 may be implemented by a processor or a processor-related circuit component (or referred to as a processing circuit).
  • the transceiving unit 1601 may be configured to perform all transceiving operations performed by the second node in the embodiment shown in FIG. 7 , such as S704 and/or other processes for supporting the techniques described herein.
  • the processing unit 1602 may be configured to perform all operations performed by the second node in the embodiment shown in FIG. 7 except for the transceiving operations, such as S705 and/or other processes for supporting the techniques described herein.
  • the transceiver unit 1601 is configured to receive the first key material from the key agent and the identifier of the first communication domain, and the identifier of the first communication domain is used to indicate the first communication domain.
  • the processing unit 1602 is configured to generate a first key according to the first key material, the first key is applied to the first communication domain, the first communication domain includes at least two nodes in the key management system, and the at least two nodes include Means 160 for obtaining keys.
  • the first communication domain is determined according to at least one of the following information: the connection mode of the nodes in the key management system, the function of the nodes in the key management system, or the type of communication information in the key management system.
  • the transceiver unit 1601 is further configured to receive the third information and the third verification code from the key agent, the third verification code is obtained according to the third verification information, and the third verification information includes the following information: At least one of: first key, first key material, third information, or identification of the key agent, the third information including at least one of the following information: identification of the first communication domain, identification of the first key or The second random number; the processing unit 1602 is further configured to verify the third verification code.
  • the processing unit 1602 is further configured to generate a fourth verification code according to fourth verification information, where the fourth verification information includes at least one of the following information: a first key, a first key material, a fourth information, the identification of the device 160 for obtaining the key, or the second random number, the fourth information includes the identification of the first communication domain, and/or the identification of the first key; the transceiver unit 1601 is also used to send the key agent Send the fourth information and the fourth verification code.
  • the processing unit 1602 is further configured to establish a second secure channel with the key agent according to the first protocol, and the second secure channel is used to transmit information between the apparatus 160 for obtaining the key and the key agent.
  • the number of devices 160 for obtaining keys is greater than 1; the second secure channel includes a point-to-point secure channel between the key agent and each device 160 for obtaining keys; or, the second secure channel includes A point-to-multipoint secure channel between the key agent and each device 160 for obtaining keys; alternatively, the second secure channel includes a point-to-point secure channel between the key agent and a portion of the devices 160 for obtaining keys, and the key A point-to-multipoint secure channel between the agent and another part of the device 160 that obtains the key.
  • the transceiver unit 1601 is further configured to receive third configuration information from the key agent, where the third configuration information is used to indicate at least one of the following information: the identification of the device 160 for obtaining the key, the obtaining The connection method of the device 160 for obtaining the key, or the information of other nodes that communicate with the device 160 for obtaining the key.
  • the processing unit 1602 is further configured to determine the information of the communication domain where the device 160 for obtaining the key is located according to the third configuration information, and the information of the communication domain where the device 160 for obtaining the key is located is used to indicate the following information: At least one of: the identification of the communication domain where the device 160 for obtaining the key is located, the communication mode of the nodes in the communication domain where the device 160 for obtaining the key is located, the communication between the device 160 for obtaining the key and the device 160 for obtaining the key are located The connection mode of nodes in the domain other than the device 160 for obtaining the key, the information of other nodes in the communication domain where the device 160 for obtaining the key is located except the device for obtaining the key 160, or the construction of the device for obtaining the key. The key information of the key of the communication domain where 160 is located.
  • the first protocol is a transport layer security protocol, an internet key exchange protocol, a hypertext transport security protocol, a data packet transport layer security protocol or a custom protocol.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are only illustrative.
  • the division of the modules or units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be Incorporation may either be integrated into another device, or some features may be omitted, or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may be one physical unit or multiple physical units, that is, they may be located in one place, or may be distributed to multiple different places . Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium.
  • the technical solutions of the embodiments of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, which are stored in a storage medium , including several instructions to make a device (may be a single chip microcomputer, a chip, etc.) or a processor (processor) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk and other mediums that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请公开了获取密钥的方法、装置及密钥管理系统,涉及智能车技术领域,不仅可以提高通信安全,还可以随时更新密钥,十分便捷。该密钥管理系统包括密钥服务器,以及与密钥服务器通信连接的第一节点,其中,第一节点为密钥客户端或密钥代理。密钥服务器用于获取第一密钥信息,向第一节点发送第一密钥信息。第一节点用于接收来自密钥服务器的第一密钥信息,根据第一密钥信息生成第一密钥。其中,第一密钥信息包括第一密钥材料和第一通信域的标识。第一通信域的标识用于指示第一通信域,第一密钥应用于该第一通信域,第一通信域包括密钥管理系统中的至少两个节点,该至少两个节点包括第一节点。

Description

获取密钥的方法、装置及密钥管理系统 技术领域
本申请涉及智能车和网联车技术领域,尤其涉及获取密钥的方法、装置及密钥管理系统。
背景技术
目前,车联网被认为是物联网体系中最有产业潜力、市场需求最为明确的领域之一,具有应用空间广、产业潜力大、社会效益强的特点。对促进汽车和信息通信产业创新发展,构建汽车和交通服务新模式新业态,推动自动驾驶技术创新和应用,提高交通效率和安全水平具有重要意义。因此,车联网受到了越来越多的关注。
在车联网中,信息安全一直是被关注的重点。信息安全可以分为车内信息安全和车外信息安全。对于车内信息安全,车内设备出厂前,会在产线上通过密钥灌装的方式灌装密钥,再组装到车辆上。后续,车内设备会通过灌装的密钥进行通信,以保证车内信息安全。上述密钥是由车厂的密钥管理系统进行管理,一方面,若车厂的密钥库出现泄漏,那么车厂的所有车辆的车内安全都受到极大威胁;另一方面,为了提高车内安全,需要定期更新车内设备使用的密钥。但是,每次更新密钥时,都需要去车厂为车内设备更新密钥,十分不便。
发明内容
本申请提供获取密钥的方法、装置及密钥管理系统,可以在智能车内、智能家居场景中或数据中心上部署密钥管理系统,不仅可以提高通信安全,还可以随时更新密钥,十分便捷。
为达到上述目的,本申请的实施例采用如下技术方案:
第一方面,本申请实施例提供一种获取密钥的方法,该方法应用于密钥管理系统,该密钥管理系统包括密钥服务器,以及与密钥服务器通信连接的第一节点,第一节点为密钥客户端或密钥代理,该方法包括:密钥服务器获取第一密钥信息,第一密钥信息包括第一密钥材料和第一通信域的标识,第一密钥材料用于生成第一密钥,第一通信域的标识用于指示第一通信域,第一密钥应用于该第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括第一节点;密钥服务器向第一节点发送第一密钥信息。
上述第一方面提供的获取密钥的方法,密钥服务器可以为第一通信域中的每个节点配置第一密钥,后续,第一通信域中的节点可以通过该第一密钥进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统 中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。基于上述方法,可以基于不同的粒度划分通信域,提高了通信域划分的多样性和灵活性。另外,基于不同粒度划分的通信域可以覆盖密钥管理系统中节点之间通信的多种场景,例如,连接方式相同的节点之间的通信场景,功能相同的节点之间的通信场景或通信信息的类型相同的节点之间的通信场景等。该多种场景中的任一种场景都可以对应一个或多个密钥,进而提高通信安全。
一种可能的实现方式,该方法还包括:密钥服务器根据第一验证信息生成第一验证码,第一验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第一信息,或密钥服务器的标识,第一信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第一随机数;密钥服务器向第一节点发送第一信息和第一验证码。基于上述方法,密钥服务器可以向第一节点发送第一信息和第一验证码,以便第一节点通过第一验证码对第一密钥在第一节点和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和密钥服务器之间无法正常通信。
一种可能的实现方式,该方法还包括:密钥服务器接收来自第一节点的第二信息和第二验证码,第二验证码是根据第二验证信息生成的,第二验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第二信息,第一节点的标识,或第一随机数,第二信息包括第一通信域的标识,和/或,第一密钥的标识;密钥服务器验证第二验证码。基于上述方法,密钥服务器可以通过第二验证码对第一密钥在第一节点和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和密钥服务器之间无法正常通信。
一种可能的实现方式,该方法还包括:密钥服务器根据第一协议与第一节点建立第一安全通道,第一安全通道用于传输密钥服务器与第一节点之间的信息。基于的上述方法,密钥服务器和第一节点之间可以建立第一安全通道,以提高密钥服务器和第一节点通信的安全性。
一种可能的实现方式,第一节点的数量大于1,第一安全通道包括密钥服务器与每个第一节点的点到点的安全通道;或者,第一安全通道包括密钥服务器与每个第一节点的点到多点的安全通道;或者,第一安全通道包括密钥服务器与一部分第一节点的点到点的安全通道,以及密钥服务器与另一部分第一节点的点到多点的安全通道。基于上述方法,第一安全通道可以包括多种形式,增加了第一节点与密钥服务器通信的多样性和灵活性。
一种可能的实现方式,第一协议包括传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。基于上述方法,密钥管理系统中的节点可以支持多种协议,可以提高密钥管理系统中的节点之间通信的灵活性和多样性。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端。基于上述方法,密钥服务器除了与密钥客户端直接通信之外,可以通过密钥代理与密钥客户端通信。
一种可能的实现方式,第二节点包括在第一通信域中。基于上述方法,与密钥代理通信连接的密钥客户端也可以包括在第一通信域中,进而密钥服务器还可以通过密钥代理为 第一通信域中的密钥客户端配置第一密钥。后续,密钥客户端可以通过第一密钥与第一通信域中的节点通信。
一种可能的实现方式,该方法还包括:密钥服务器接收来自第一节点的第一通知信息,第一通知信息用于通知第一通信域内的节点的验证结果。基于上述方法,第一节点可以通知密钥服务器,第一通信域内的节点的验证结果,以便密钥服务器做出响应。例如,若验证失败,密钥服务器重新为第一通信域中的节点配置密钥。又例如,若验证成功,密钥服务器可以启用第一密钥。
一种可能的实现方式,该方法还包括:密钥服务器获取第一配置信息,第一配置信息用于指示以下信息中的至少一种:密钥管理系统中节点的标识,密钥管理系统中节点的连接方式,或与密钥管理系统中节点通信的其他节点的信息。基于上述方法,密钥服务器可以获取第一配置信息,以便密钥服务器为密钥管理系统中的节点分配该节点对应的配置信息,使得密钥管理系统中的节点可以根据该节点对应的配置信息确定该节点所在通信域的信息。
一种可能的实现方式,该方法还包括:密钥服务器向第一节点发送第二配置信息,第二配置信息用于指示以下信息中的至少一种:第一节点的标识,第一节点的连接方式,或与第一节点通信的其他节点的信息。基于上述方法,密钥服务器可以为第一节点发送第二配置信息,使得第一节点可以根据第二配置信息确定第一节点所在通信域的信息。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端,第二配置信息还用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。基于上述方法,第二配置信息还可以包括第二节点的相关配置信息,例如,第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息,以便第一节点将这些相关配置信息分配给第二节点,使得第二节点可以根据这些配置信息确定第二节点所在通信域的信息。
一种可能的实现方式,该方法还包括:密钥服务器根据第一配置信息确定密钥服务器所在的通信域的信息,密钥服务器所在的通信域的信息用于指示以下信息中的至少一项:密钥服务器所在的通信域的标识,密钥服务器所在的通信域中节点的通信方式,密钥服务器与密钥服务器所在的通信域中除密钥服务器之外的节点的连接方式,密钥服务器所在的通信域中除密钥服务器之外的其他节点的信息,或构建密钥服务器所在的通信域的密钥的密钥信息。基于上述方法,密钥服务器可以根据第一配置信息确定密钥服务器所在的通信域的相关信息,以便后续为密钥服务器所在的通信域配置密钥。
一种可能的实现方式,该方法还包括:密钥服务器接收来自密钥管理工具的第一确认信息;或者,密钥服务器接收来自第一终端的第一确认信息;或者,密钥服务器接收来第二终端的第一确认信息;其中,第一确认信息用于触发密钥服务器获取第一密钥信息。基于上述方法,可以通过多种方法触发密钥服务器为密钥代理或密钥客户端配置密钥。
第二方面,本申请实施例提供一种获取密钥的方法,该方法应用于密钥管理系统,密钥管理系统包括密钥服务器,以及与密钥服务器通信连接的第一节点,第一节点为密钥客户端或密钥代理,该方法包括:第一节点接收来自密钥服务器的第一密钥的信 息,第一密钥的信息包括第一密钥材料和第一通信域的标识,第一通信域的标识用于指示第一通信域;第一节点根据第一密钥材料生成第一密钥,第一密钥应用于第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括第一节点。
上述第二方面提供的获取密钥的方法,第一节点可以接收来自密钥服务器的第一密钥的信息,根据第一密钥的信息包括的第一密钥材料生成第一密钥,后续,第一节点可以通过第一密钥与第一通信域中的其他节点进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。基于上述方法,可以基于不同的粒度划分通信域,提高了通信域划分的多样性和灵活性。另外,基于不同粒度划分的通信域可以覆盖密钥管理系统中节点之间通信的多种场景,该多种场景中的任一种场景都可以对应一个或多个密钥,进而提高通信安全。
一种可能的实现方式,该方法还包括:第一节点接收来自密钥服务器的第一信息和第一验证码,第一验证码是根据第一验证信息生成的,第一验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第一信息,或密钥服务器的标识,第一信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第一随机数;第一节点验证第一验证码。基于上述方法,第一节点可以通过第一验证码对第一密钥在第一节点和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和密钥服务器之间无法正常通信。
一种可能的实现方式,该方法还包括:第一节点根据第二验证信息生成第二验证码,第二验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第二信息,第一节点的标识,或第一随机数,第二信息包括第一通信域的标识,和/或,第一密钥的标识;第一节点向密钥服务器发送第二信息和第二验证码。基于上述方法,第一节点可以向密钥服务器发送第二信息和第二验证码,以便密钥服务器通过第二验证码对第一密钥在第一节点和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和密钥服务器之间无法正常通信。
一种可能的实现方式,该方法还包括:第一节点根据第一协议与密钥服务器建立第一安全通道,第一安全通道用于传输密钥服务器与第一节点之间的信息。基于的上述方法,密钥服务器和第一节点之间可以建立第一安全通道,以提高密钥服务器和第一节点通信的安全性。
一种可能的实现方式,第一节点的数量大于1,第一安全通道包括密钥服务器与每个第一节点的点到点的安全通道;或者,第一安全通道包括密钥服务器与每个第一节点的点到多点的安全通道;或者,第一安全通道包括密钥服务器与一部分第一节点的点到点的安全通道,以及密钥服务器与另一部分第一节点的点到多点的安全通道。基于上述方法,第一安全通道可以包括多种形式,增加了第一节点与密钥服务器通信的多样性和灵活性。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端。基于上述方法,密钥服务器除了与密钥客户端直接通信之外,可以通过密钥代理与密钥客户端通信。
一种可能的实现方式,第二节点包括在第一通信域中;该方法还包括:第一节点向第二节点发送第一密钥材料和第一通信域的标识。基于上述方法,若第二节点包括在第一通信域中,密钥服务器还可以通过第一节点为第二节点配置第一密钥。后续,第二节点也可以通过第一密钥与第一通信域中的节点通信。
一种可能的实现方式,该方法还包括:第一节点根据第三验证信息生成第三验证码,第三验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第三信息,或第一节点的标识,第三信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第二随机数;第一节点向第二节点发送第三信息和第三验证码。基于上述方法,第一节点可以向第二节点发送第三信息和第三验证码,以便第二节点通过第三验证码对第一密钥在第一节点和第二节点之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和第二节点之间无法正常通信。
一种可能的实现方式,该方法还包括:第一节点接收来自第二节点的第四信息和第四验证码,第四验证码是根据第四验证信息得到,第四验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第四信息,第二节点的标识,或第二随机数,第四信息包括第一通信域的标识,和/或,第一密钥的标识;第一节点验证第四验证码。基于上述方法,第一节点可以通过第四验证码对第一密钥在第一节点和第二节点之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第一节点和第二节点之间无法正常通信。
一种可能的实现方式,该方法还包括:第一节点向密钥服务器发送第一通知信息,第一通知信息用于通知第一通信域内的节点的验证结果。基于上述方法,第一节点可以通知密钥服务器,第一通信域内的节点的验证结果,以便密钥服务器做出响应。例如,若验证失败,密钥服务器重新为第一通信域中的节点配置密钥。又例如,若验证成功,密钥服务器可以启用第一密钥。
一种可能的实现方式,该方法还包括:第一节点根据第一协议与第二节点建立第二安全通道,第二安全通道用于传输第一节点与第二节点之间的信息。基于的上述方法,第一节点和第二节点之间可以建立第二安全通道,以提高第一节点和第二节点通信的安全性。
一种可能的实现方式,第二节点的数量大于1,第二安全通道包括第一节点与每个第二节点的点到点的安全通道;或者,第二安全通道包括第一节点与每个第二节点的点到多点的安全通道;或者,第二安全通道包括第一节点与一部分第二节点的点到点的安全通道,以及第一节点与另一部分第二节点的点到多点的安全通道。基于上述方法,第二安全通道可以包括多种形式,增加了第一节点与第二节点通信的多样性和灵活性。
一种可能的实现方式,第一协议包括传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。基于上述方法,密钥管理系统中的节点可以支持多种协议,可以提高密钥管理系统中的节点之间通信的灵活性和多样性。
一种可能的实现方式,该方法还包括:第一节点接收来自密钥服务器的第二配置信息,第二配置信息用于指示以下信息中的至少一种:第一节点的标识,第一节点的连接方式,或与第一节点通信的其他节点的信息。基于上述方法,第一节点可以接收来自密钥服务器的第二配置信息,使得第一节点可以根据第二配置信息确定第一节点所在通信域的信息。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端,第二配置信息还用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息;该方法还包括:第一节点向第二节点发送第三配置信息,第三配置信息用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。基于上述方法,第一节点可以向第二节点发送第三配置信息,使得第二节点可以根据第三配置信息确定第二节点所在通信域的信息。
一种可能的实现方式,该方法还包括:第一节点根据第二配置信息确定第一节点所在通信域的信息,第一节点所在的通信域的信息用于指示以下信息中的至少一项:第一节点所在的通信域的标识,第一节点所在的通信域中节点的通信方式,第一节点与第一节点所在的通信域中除第一节点之外的节点的连接方式,第一节点所在的通信域中除第一节点之外的其他节点的信息,或构建第一节点所在的通信域的密钥的密钥信息。基于上述方法,第一节点可以根据第二配置信息确定第一节点所在的通信域的相关信息,以便密钥服务器后续为第一节点所在的通信域配置密钥。
第三方面,本申请实施例提供一种获取密钥的方法,该方法应用于密钥管理系统,该密钥管理系统包括密钥服务器,与密钥服务器通信连接的密钥代理,以及与密钥代理通信连接的密钥客户端,该方法包括:密钥客户端接收来自密钥代理的第一密钥材料和第一通信域的标识,第一通信域的标识用于指示第一通信域;密钥客户端根据第一密钥材料生成第一密钥,第一密钥应用于第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括密钥客户端。
上述第三方面提供的获取密钥的方法,密钥客户端可以接收来自密钥代理的第一密钥的信息,根据第一密钥的信息包括的第一密钥材料生成第一密钥,后续,密钥客户端可以通过第一密钥与第一通信域中的其他节点进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。基于上述方法,可以基于不同的粒度划分通信域,提高了通信域划分的多样性和灵活性。另外,基于不同粒度划分的通信域可以覆盖密钥管理系统中节点之间通信的多种场景,该多种场景中的任一种场景都可以对应一个或多个密钥,进而提高通信安全。
一种可能的实现方式,该方法还包括:密钥客户端接收来自密钥代理的第三信息和第三验证码,第三验证码是根据第三验证信息得到,第三验证信息包括以下信息中的 至少一个:第一密钥,第一密钥材料,第三信息,或密钥代理的标识,第三信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第二随机数;密钥客户端验证第三验证码。基于上述方法,密钥客户端可以通过第三验证码对第一密钥在密钥客户端和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥代理之间无法正常通信。
一种可能的实现方式,该方法还包括:密钥客户端根据第四验证信息生成第四验证码,第四验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第四信息,密钥客户端的标识,或第二随机数,第四信息包括第一通信域的标识,和/或,第一密钥的标识;密钥客户端向密钥代理发送第四信息和第四验证码。基于上述方法,密钥客户端可以向密钥代理发送第四信息和第四验证码,以便密钥代理通过第四验证码对第一密钥在密钥客户端和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥代理之间无法正常通信。
一种可能的实现方式,该方法还包括:密钥客户端根据第一协议与密钥代理建立第二安全通道,第二安全通道用于传输密钥客户端与密钥代理之间的信息。基于的上述方法,密钥代理和密钥客户端之间可以建立第二安全通道,以提高密钥代理和密钥客户端通信的安全性。
一种可能的实现方式,密钥客户端的数量大于1;第二安全通道包括密钥代理与每个密钥客户端的点到点的安全通道;或者,第二安全通道包括密钥代理与每个密钥客户端的点到多点的安全通道;或者,第二安全通道包括密钥代理与一部分密钥客户端的点到点的安全通道,以及密钥代理与另一部分密钥客户端的点到多点的安全通道。基于上述方法,第二安全通道可以包括多种形式,增加了第一节点与第二节点通信的多样性和灵活性。
一种可能的实现方式,第一协议包括传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。基于上述方法,密钥管理系统中的节点可以支持多种协议,可以提高密钥管理系统中的节点之间通信的灵活性和多样性。
一种可能的实现方式,该方法还包括:密钥客户端接收来自密钥代理的第三配置信息,第三配置信息用于指示以下信息中的至少一种:密钥客户端的标识,密钥客户端的连接方式,或与密钥客户端通信的其他节点的信息。基于上述方法,密钥客户端可以接收来自密钥代理的第三配置信息,以便密钥客户端根据第三配置信息确定密钥客户端所在通信域的信息。
一种可能的实现方式,该方法还包括:密钥客户端根据第三配置信息确定密钥客户端所在通信域的信息,密钥客户端所在的通信域的信息用于指示以下信息中的至少一项:密钥客户端所在的通信域的标识,密钥客户端所在的通信域中节点的通信方式,密钥客户端与密钥客户端所在的通信域中除密钥客户端之外的节点的连接方式,密钥客户端所在的通信域中除密钥客户端之外的其他节点的信息,或构建密钥客户端所在的通信域的密钥的密钥信息。基于上述方法,密钥客户端可以根据第三配置信息确定密钥客户端所在的通信域的相关信息,以便密钥服务器后续为密钥客户端所在的通信域配置密钥。
第四方面,本申请实施例提供一种获取密钥的装置,可以实现上述第一方面、或第一方面任一种可能的实现方式中的方法。该装置包括用于执行上述方法的相应的单元或部件。该装置包括的单元可以通过软件和/或硬件方式实现。该装置例如可以为密钥服务器、或者为可支持密钥服务器实现上述方法的芯片、芯片系统、或处理器等。
第五方面,本申请实施例提供一种获取密钥的装置,可以实现上述第二方面、或第二方面任一种可能的实现方式中的方法。该装置包括用于执行上述方法的相应的单元或部件。该装置包括的单元可以通过软件和/或硬件方式实现。该装置例如可以为第一节点、或者为可支持第一节点实现上述方法的芯片、芯片系统、或处理器等。
第六方面,本申请实施例提供一种获取密钥的装置,可以实现上述第三方面、或第三方面任一种可能的实现方式中的方法。该装置包括用于执行上述方法的相应的单元或部件。该装置包括的单元可以通过软件和/或硬件方式实现。该装置例如可以为密钥客户端、或者为可支持密钥客户端实现上述方法的芯片、芯片系统、或处理器等。
第七方面,本申请实施例提供一种获取密钥的装置,包括:处理器,所述处理器与存储器耦合,所述存储器用于存储程序或指令,当所述程序或指令被所述处理器执行时,使得该装置实现上述第一方面、或第一方面任一种可能的实现方式中所述的方法。
第八方面,本申请实施例提供一种获取密钥的装置,包括:处理器,所述处理器与存储器耦合,所述存储器用于存储程序或指令,当所述程序或指令被所述处理器执行时,使得该装置实现上述第二方面、或第二方面任一种可能的实现方式中所述的方法。
第九方面,本申请实施例提供一种获取密钥的装置,包括:处理器,所述处理器与存储器耦合,所述存储器用于存储程序或指令,当所述程序或指令被所述处理器执行时,使得该装置实现上述第三方面、或第三方面任一种可能的实现方式中所述的方法。
第十方面,本申请实施例提供一种计算机可读介质,其上存储有计算机程序或指令,所述计算机程序或指令被执行时使得计算机执行上述第一方面、或第一方面任一种可能的实现方式中所述的方法。
第十一方面,本申请实施例提供一种计算机可读介质,其上存储有计算机程序或指令,所述计算机程序或指令被执行时使得计算机执行上述第二方面、或第二方面任一种可能的实现方式中所述的方法。
第十二方面,本申请实施例提供一种计算机可读介质,其上存储有计算机程序或指令,所述计算机程序或指令被执行时使得计算机执行上述第三方面、或第三方面任一种可能的实现方式中所述的方法。
第十三方面,本申请实施例提供一种计算机程序产品,其包括计算机程序代码,所述计算机程序代码在计算机上运行时,使得计算机执行上述第一方面、或第一方面任一种可能的实现方式中所述的方法。
第十四方面,本申请实施例提供一种计算机程序产品,其包括计算机程序代码,所述计算机程序代码在计算机上运行时,使得计算机执行上述第二方面、或第二方面任一种可能的实现方式中所述的方法。
第十五方面,本申请实施例提供一种计算机程序产品,其包括计算机程序代码,所述计算机程序代码在计算机上运行时,使得计算机执行上述第三方面、或第三方面任一种可能的实现方式中所述的方法。
第十六方面,本申请实施例提供一种芯片系统,该芯片系统包括至少一个处理器,用于支持实现上述第一方面、或第一方面任一种可能的实现方式中所涉及的功能,例如,收发或处理上述方法中所涉及的数据和/或信息。
第十七方面,本申请实施例提供一种芯片系统,该芯片系统包括至少一个处理器,用于支持实现上述第二方面、或第二方面任一种可能的实现方式中所涉及的功能,例如,收发或处理上述方法中所涉及的数据和/或信息。
第十八方面,本申请实施例提供一种芯片系统,该芯片系统包括至少一个处理器,用于支持实现上述第三方面、或第三方面任一种可能的实现方式中所涉及的功能,例如,收发或处理上述方法中所涉及的数据和/或信息。
第十六方面、第十七方面或第十八方面的一种可能的实现方式,所述芯片系统还包括存储器,所述存储器,用于保存程序指令和数据,存储器位于处理器之内或处理器之外。该芯片系统,可以由芯片构成,也可以包含芯片和其他分立器件。
第十九方面,本申请实施例提供一种密钥管理系统。该系统包括上述第四方面和/或上述第五方面和/或上述第六方面所述的装置,或者该系统包括上述第七方面和/或上述第八方面和/或上述第九方面所述的装置,或者该系统包括上述第十方面和/或上述第十一方面和/或上述第十二方面所述的计算机可读介质,或者该系统包括上述第十三方面和/或上述第十四方面和/或上述第十五方面所述的计算机程序产品,或者该系统包括上述第十六方面和/或上述第十七方面和/或上述第十八方面所述的芯片系统。
可以理解的,上述提供的任一种获取密钥的装置、芯片系统、计算机可读介质、计算机程序产品或密钥管理系统等均用于执行上文所提供的对应的方法,因此,其所能达到的有益效果可参考对应的方法中的有益效果,此处不再赘述。
附图说明
图1A为本申请实施例提供的密钥管理系统的架构示意图一;
图1B为本申请实施例提供的密钥管理系统的架构示意图二;
图2A为本申请实施例提供的智能车的架构示意图一;
图2B为本申请实施例提供的智能车的架构示意图二;
图2C为本申请实施例提供的密钥管理系统的部署示意图;
图3为本申请实施例提供的获取密钥的装置的硬件结构示意图;
图4-图12为本申请实施例提供的获取密钥的方法的流程示意图;
图13为本申请实施例提供的第一类信息的消息格式和第二类信息的消息格式的示意图;
图14为本申请实施例提供的TLV(type,length,value)的格式的示意图;
图15-图16为本申请实施例提供的获取密钥的装置的结构示意图。
具体实施方式
可以理解的,为了提高车内信息安全,例如但不限于,可以采用以下两种方式进行车内设备间的通信:
1.车内设备出厂前,会在产线上通过密钥灌装的方式灌装密钥,再组装到车辆上。后续,车内设备会通过灌装的密钥进行通信,以保证车内信息安全。然而,上述密钥是由车厂的密钥管理系统进行管理,若车厂的密钥库出现泄漏,那么车厂的所有车辆的车内安全都受到极大威胁。另外,为了提高车内安全,需要定期更新车内设备使用的密钥。但是,每次更新密钥时,都需要去车厂为车内设备更新密钥,十分不便。
2.车内设备之间通信之前,需要通过证书进行认证,认证通过之后才能通信。对于这种方式,车内设备上需要部署至少一个证书,增加了车内设备的软硬件成本,以及车厂管理证书的成本。
为了解决上述问题,本申请实施例提供了获取密钥的方法,该方法可以应用于密钥管理系统。密钥管理系统中的密钥服务器可以为第一通信域中的每个节点配置第一密钥,后续,第一通信域中的节点可以通过该第一密钥进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全,而且车厂的密钥管理系统不需要管理每辆车的密钥,减轻了车厂的密钥管理系统的负担。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
可以理解的,本申请实施例提供的获取密钥的方法可用于各种短距离通信场景或者闭合空间中设备间的通信场景,例如智能车、智能家居或数据中心等。
示例性的,本申请实施例提供的获取密钥的方法可以应用于智能家居或数据中心中不同设备间的通信。本申请实施例提供的获取密钥的方法还可以应用于车辆的智能驾驶舱,火车的智能驾驶舱或飞机的智能驾驶舱等。本申请下述实施例是以智能车为例进行介绍,其他情况的介绍可以参考本申请实施例关于智能车的描述,不做赘述。
首先,为了方便理解本申请实施例的方案,给出相关概念的简要介绍如下:
1、基础密钥
基础密钥可以是根据安全协议进行身份认证或密钥协商的过程中所依赖的密钥(例如,长期密钥或临时密钥等)。可以理解的,基础密钥在设备掉电后不会丢失,在会话断开后也不会失效。
2、临时密钥
临时密钥可以是根据安全协议进行身份认证或密钥协商的过程中临时派生或协商的密钥。可选的,临时密钥在设备掉电后会丢失,在会话断开后会失效。
3、固定密钥
固定密钥通常不会更新。以智能车为例,固定密钥可以在智能车中的设备出厂时,或者,智能车中的设备需要更换时,灌装在智能车中的设备中,以便智能车中的设备之间采用该固定密钥进行通信,提高通信安全。固定密钥还可以作为基础密钥派生其他密钥,例如,长期密钥。应理解,在具体应用中,若固化安全存储允许,固定密钥也可以进行更新。
4、长期密钥
长期密钥通常会定期或不定期更新,以提高派生出该长期密钥的基础密钥的安全性。可以理解的,长期密钥也可以作为基础密钥派生其他密钥。
可以理解的,基础密钥和临时密钥是根据密钥的性质划分的。基础密钥不易丢失,能 够在一次或多次通信中使用。临时密钥容易丢失,通常是为了一次通信而派生的。固定密钥和长期密钥是根据密钥的时效性划分的,固定密钥的使用时间一般大于长期密钥的使用时间。
可以理解的,本申请实施例中,不同类型的密钥的存储要求不同。对于固定密钥,可以禁止更新,或通过专用工具才可重置、或更新。固定密钥可以存储在非易失性安全区中。对于长期密钥或临时密钥,可以支持更新,在配置或更新长期密钥的过程中不需要专用工具协助。长期密钥可以存储在非易失性安全区中。
若存储长期密钥或临时密钥的非易失性安全区不支持密钥更新功能,也就是说,存储在该非易失性安全区中的信息无法更新的情况下,可以在该非易失性安全区中存储长期密钥或临时密钥的基础密钥(该基础密钥可以不更新),在该非易失性安全区之外的普通区域加密存储长期密钥或临时密钥的派生材料。若要对长期密钥或临时密钥进行更新时,可以更新该派生材料,从而实现长期密钥或临时密钥的更新。
5、密钥的使用范围
密钥的使用范围也可以称为密钥的保护范围或密钥的共享范围。以智能车为例,密钥的使用范围包括车厂、整车或通信域。示例性的,密钥的使用范围包括车厂的情况下,属于车厂的智能车都可以使用该密钥。密钥的使用范围包括整车的情况下,该整车内的设备都可以使用该密钥。密钥的使用范围包括通信域的情况下,包括在该通信域中的设备都可以使用该密钥。其中,通信域可以包括智能车中的全部或部分设备。
下面结合附图对本申请实施例的实施方式进行详细描述。
请参考图1A,图1A为本申请实施例提供的一种密钥管理系统。图1A仅为示意图,并不构成对本申请提供的密钥管理系统的限定。
在图1A中,密钥管理系统10包括密钥服务器101,以及与密钥服务器101通信连接的密钥客户端102-密钥客户端104。可选的,密钥客户端102-密钥客户端104之间通信连接。其中,密钥服务器101可以用于为密钥管理系统10中的节点,例如密钥客户端102,配置密钥。可选的,密钥服务器101还可以为密钥管理系统10中的节点,分配与该节点相关的配置信息,例如,该节点的标识,该节点的连接方式等。图1A中的密钥客户端,例如密钥客户端102-密钥客户端104,可以用于生成密钥客户端所在通信域的密钥。
示例性的,密钥服务器101可以用于获取第一密钥信息,向第一通信域中的第一节点发送第一密钥信息。第一节点可以是密钥客户端102、密钥客户端103或密钥客户端104。第一节点可以用于接收来自密钥服务器101的第一密钥信息,根据第一密钥信息生成第一密钥。这一过程将在下述图4-图6所示的实施例中进行具体介绍。在上述过程中,密钥服务器101可以为密钥管理系统10中一个或多个通信域中的节点配置密钥,使得处于同一通信域的节点之间可以使用密钥服务器101配置的密钥进行通信。一方面,在配置密钥的过程中,不需要密钥管理系统10之外的设备参与,因此可以提高密钥管理系统10的信息安全,而且车厂的密钥管理系统不需要管理每辆车的密钥,减轻了车厂的密钥管理系统的负担。另一方面,密钥服务器101可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统10中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
可选的,密钥管理系统10还包括密钥管理工具(图1A中未示出)。密钥管理工具可 以与密钥服务器101通信连接,用于触发密钥服务器101为密钥管理系统10中的一个或多个通信域中的节点配置密钥。
图1A所示的密钥管理系统10仅用于举例,并非用于限制本申请的技术方案。本领域的技术人员应当明白,在具体实现过程中,密钥管理系统10还可以包括其他节点,同时也可根据具体需要来确定密钥服务器或密钥客户端的数量,不予限制。
上述图1A所示的密钥管理系统中,密钥客户端可以和密钥服务器直接通信。在具体应用中,密钥客户端还可以通过密钥代理与密钥服务器通信。如图1B所示,为本申请实施例提供的又一种密钥管理系统。图1B仅为示意图,并不构成对本申请提供的密钥管理系统的限定。
在图1B中,密钥管理系统11包括密钥服务器111,与密钥服务器111通信连接的密钥客户端112、密钥代理113-密钥代理114,与密钥代理113通信连接的密钥客户端115-密钥客户端116,以及与密钥代理114通信连接的密钥客户端117。可选的,密钥客户端115和密钥客户端116之间通信连接。其中,密钥服务器111可以用于为密钥管理系统11中的节点,例如密钥代理113,密钥客户端115或密钥客户端112,配置密钥。可选的,密钥服务器111还可以为密钥管理系统11中的节点,分配与该节点相关的配置信息,例如,该节点的标识,该节点的连接方式等。图1A中的密钥代理可以用于接收密钥服务器发送的信息。图1A中的密钥代理还可以用于将密钥服务器发送的信息转发给密钥客户端。图1A中的密钥代理还可以用于生成该密钥代理所在通信域的密钥。图1A中的密钥客户端,例如,密钥客户端102-密钥客户端104,可以用于生成密钥客户端所在通信域的密钥。
示例性的,密钥服务器111可以用于获取第一密钥信息,向第一通信域中的第一节点发送第一密钥信息。第一节点可以是密钥客户端112、密钥代理113或密钥代理114。第一节点可以用于接收来自密钥服务器111的第一密钥信息,根据第一密钥信息生成第一密钥。第一节点还可以用于向第一通信域中的第二节点发送第一密钥信息。第二节点为与第一节点通信连接的节点。例如,若第一节点为密钥代理113,则第二节点可以为密钥客户端115或密钥客户端116,若第一节点为密钥代理114,则第二节点可以为密钥客户端117。第二节点可以用于接收来自第一节点的第一密钥信息,根据该第一密钥信息生成第一密钥。这一过程将在下述图7-图11所示的实施例中进行具体介绍。上述过程中,密钥服务器111可以为密钥管理系统11中一个或多个通信域中的节点配置密钥,使得处于同一通信域的节点之间可以使用密钥服务器111配置的密钥进行通信。一方面,在配置密钥的过程中,不需要密钥管理系统11之外的设备参与,因此可以提高密钥管理系统11的信息安全,而且车厂的密钥管理系统不需要管理每辆车的密钥,减轻了车厂的密钥管理系统的负担。另一方面,密钥服务器111可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统11中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
可选的,密钥管理系统11还包括密钥管理工具(图1B中未示出)。密钥管理工具可以与密钥服务器111通信连接,用于触发密钥服务器111为密钥管理系统11中的一个或多个通信域中的节点配置密钥。
图1B所示的密钥管理系统11仅用于举例,并非用于限制本申请的技术方案。本领域的技术人员应当明白,在具体实现过程中,密钥管理系统11还可以包括其他节点,同时也 可根据具体需要来确定密钥服务器、密钥代理或密钥客户端的数量,不予限制。
请参考图2A和图2B,图2A和图2B为本申请实施例提供的智能车的架构。图2A和图2B仅为示意图,并不构成对本申请提供的智能车的架构的限定。
在图2A中,智能车20包括汽车盒子(telematics box,TBox)201,与TBox 201通信连接的网关202,与网关202通信连接的车身控制模块(body control module,BCM)203、智能座舱域控制器(cockpit domain controller,CDC)204、多域控制器(multi domain controller,MDC)205和整车控制单元(vehicle control unit,VCU)206,与BCM 203通信连接的电子控制单元(electronic control unit,ECU)207-ECU 208,与CDC 204通信连接的ECU 209-ECU 210,与MDC 205通信连接的ECU 211,以及与VCU 206通信连接的ECU 212。
其中,TBox 201和网关202之间可以通过以太网连接。网关202和BCM 203、CDC 204、MDC 205以及VCU 206之间,BCM 203和ECU 207-ECU 208之间,CDC 204和ECU 209-ECU 210之间,MDC 205与ECU 211之间,VCU 206与ECU 212之间可以通过以太网、控制器局域网络(controller area network,CAN)、具有灵活数据速率的CAN(CAN with flexible data-rate,CAN FD)、局域互联网(local interconnect network,LIN)、面向媒体的系统传输(media oriented system transport,MOST)或FlexRay连接。例如,网关202与BCM 203之间,BCM 203与ECU 207-ECU 208之间通过CAN连接,网关202与CDC 204之间,CDC 204与ECU 209-ECU 210之间可以通过LIN连接。
图2A中的TBox 201可以具备与智能车20的外部设备以及智能车20的内部设备通信的能力。网关202是智能车20的核心部件,网关202可以将CAN、LIN、MOST或FlexRay等网络数据在不同网络中进行路由。BCM 203可以用于控制车门、车窗、座椅、车灯等硬件设备。CDC 204可以具备人机交互(human-machine interaction,HMI)和智能座舱相关功能。CDC 204还可以具备与智能车20的外部设备以及智能车20的内部设备通信的能力。MDC 205可以接入不同传感器的信号,对该信号进行分析和处理,并发出控制命令。VCU 206可以用于协调和控制智能车20的动力系统。图2A中的ECU可以是智能车20的微机控制器,可以具备执行预设控制功能的能力,例如,ECU 212可以用于控制发动机运行,ECU 211可以用于保护智能车安全。
图2A所示的智能车20仅用于举例,并非用于限制本申请的技术方案。本领域的技术人员应当明白,在具体实现过程中,智能车20还可以包括其他节点,同时也可根据具体需要来确定TBox、网关、BCM、CDC、MDC、VCU或ECU的数量,不予限制。
在图2B中,智能车22包括CDC 221,与CDC 221通信连接的车控域控制器(vehicle domain controller,VDC)/整车集成单元(vehicle integrated/integration unit,VIU)222,与VDC/VIU 222通信连接的TBox 223,VDC/VIU 224和VDC/VIU 225,与VDC/VIU 224通信连接的VDC/VIU 226,与VDC/VIU 226通信连接的ECU 229-ECU 230,以及与VDC/VIU 225通信连接的MDC 227和ECU 228。其中,VDC/VIU 226与VDC/VIU 225以及MDC 227也通信连接。VDC/VIU可以理解为VDC或VIU。
在图2B中,CDC与VDC/VIU之间,VDC/VIU与VDC/VIU之间,VDC/VIU与TBox之间,VDC/VIU与MDC之间以及VDC/VIU与ECU之间可以通过以太网、CAN、CAN FD、LIN、MOST或FlexRay连接。例如,VDC/VIU 226与ECU 229-ECU 230之间通过CAN连接。
图2B中的VDC可以将智能车22中各个设备按功能划分为多个域,并对每个域进行管理。图2B中的多个VIU可以组成一个环网,以实现高带宽(具体可以体现为高清摄像头、或高清显示等)、低时延、高可靠处理能力,另外,该环网还可以简化车载网络配置、提升升级维护效率。图2B中的TBox、CDC、MDC和ECU的功能可以参考上述图2A中对TBox、CDC、MDC和ECU的描述,此处不再赘述。
图2B所示的智能车22仅用于举例,并非用于限制本申请的技术方案。本领域的技术人员应当明白,在具体实现过程中,智能车22还可以包括其他节点,同时也可根据具体需要来确定TBox、VDC/VIU、CDC、MDC或ECU的数量,不予限制。
可以理解的,图1A和图1B所示的密钥管理系统可以部署到图2A或图2B所示的智能车中。例如,图1A或图1B中的密钥服务器可以部署到智能车20或智能车22中具备通信能力,并且存储资源充足的设备上,如:TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU上。图1A或图1B中的密钥客户端可以部署到智能车20或智能车22中的TBox、网关、BCM、CDC、MDC、VCU、VDC、VIU或ECU上。图1A或图1B中的密钥代理可以部署到智能车20或智能车22中的TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU上。可选的,若图1A或图1B中的密钥管理系统还包括密钥管理工具,该密钥管理工具可以部署到TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU上。
下面以将图1B所示的密钥管理系统11部署到图2B所示的智能车22中为例介绍密钥管理系统11的部署情况。请参考图2C,图2C为密钥管理系统的部署示意图。在图2C中,CDC 221上部署了密钥服务器,VDC/VIU 222、TBox 223、VDC/VIU 224、VDC/VIU 225、VDC/VIU 226以及MDC 227上部署了密钥代理,ECU 228-ECU 230上部署了密钥客户端。
可以理解的,在本申请实施例中,密钥服务器、密钥代理或密钥客户端部署在哪个设备上,该设备即为本申请实施例提供的获取密钥的方法的执行主体。例如,若密钥服务器部署在CDC上,密钥代理部署在MDC上,密钥客户端部署在ECU上,则本申请实施例提供的获取密钥的方法的执行主体分别为CDC、MDC和ECU。
可选的,本申请实施例图1A和图1B中的各节点,例如密钥服务器、密钥客户端或密钥代理,可以是一个装置内的一个功能模块。可以理解的是,该功能模块既可以是硬件设备中的元件,例如,车内设备中的通信芯片或通信部件,也可以是在硬件上运行的软件功能模块,或者是平台(例如,云平台)上实例化的虚拟化功能。
例如,图1A和图1B中的各节点均可以通过图3中的获取密钥的装置30来实现。图3所示为可适用于本申请实施例的获取密钥的装置的硬件结构示意图。该获取密钥的装置30包括至少一个处理器301和至少一个通信接口304,用于实现本申请实施例提供的方法。该获取密钥的装置30还可以包括通信线路302和存储器303。
处理器301可以是一个通用中央处理器(central processing unit,CPU),微处理器,特定应用集成电路(application-specific integrated circuit,ASIC),或一个或多个用于控制本申请方案程序执行的集成电路。
通信线路302可包括一通路,在上述组件之间传送信息,例如总线。
通信接口304,用于与其他设备或通信网络通信。通信接口304可以是任何收发器一类的装置,如可以是以太网接口、无线接入网(radio access network,RAN)接口、无线局 域网(wireless local area networks,WLAN)接口、收发器、管脚、总线、或收发电路等。
存储器303可以是只读存储器(read-only memory,ROM)或可存储静态信息和指令的其他类型的静态存储设备,随机存取存储器(random access memory,RAM)或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(electrically erasable programmable read-only memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器可以是独立存在,通过通信线路302与处理器301相耦合。存储器303也可以和处理器301集成在一起。本申请实施例提供的存储器通常可以具有非易失性。其中,存储器303用于存储执行本申请实施例提供的方案所涉及的计算机执行指令,并由处理器301来控制执行。处理器301用于执行存储器303中存储的计算机执行指令,从而实现本申请实施例提供的方法。
本申请实施例中的计算机执行指令也可以称之为应用程序代码,本申请实施例对此不作具体限定。
本申请实施例中的耦合是装置、单元或模块之间的间接耦合或通信连接,可以是电性,机械或其它的形式,用于装置、单元或模块之间的信息交互。
作为一种实施例,处理器301可以包括一个或多个CPU,例如图3中的CPU0和CPU1。
作为一种实施例,获取密钥的装置30可以包括多个处理器,例如图3中的处理器301和处理器307。这些处理器中的每一个可以是一个单核(single-CPU)处理器,也可以是一个多核(multi-CPU)处理器。这里的处理器可以指一个或多个设备、电路、和/或用于处理数据(例如计算机程序指令)的处理核。
作为一种实施例,获取密钥的装置30还可以包括输出设备305和/或输入设备306。输出设备305和处理器301耦合,可以以多种方式来显示信息。例如,输出设备305可以是液晶显示器(liquid crystal display,LCD),发光二级管(light emitting diode,LED)显示设备,阴极射线管(cathode ray tube,CRT)显示设备,或投影仪(projector)等。输入设备306和处理器301耦合,可以以多种方式接收用户的输入。例如,输入设备306可以是触摸屏设备或传感设备等。
上述的获取密钥的装置30可以是一个通用设备或者是一个专用设备。在具体实现中,获取密钥的装置30可以是无线终端设备、嵌入式设备或有图3中类似结构的设备。本申请实施例不限定获取密钥的装置30的类型。
下面结合图1A-图3对本申请实施例提供的获取密钥的方法进行具体阐述。
可以理解的,本申请实施例提供的获取密钥的方法、装置及密钥管理系统可以应用于多个领域,例如:无人驾驶领域、自动驾驶领域、辅助驾驶领域、智能驾驶领域、网联驾驶领域、智能网联驾驶领域、汽车共享领域等。
需要说明的是,本申请下述实施例中各个节点之间的消息名字或消息中各参数的名字等只是一个示例,具体实现中也可以是其他的名字,本申请实施例对此不作具体限定。
需要说明的是,在本申请实施例中,“/”可以表示前后关联的对象是一种“或”的关系,例如,A/B可以表示A或B;“和/或”可以用于描述关联对象存在三种关系,例如,A和/或 B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况,其中A,B可以是单数或者复数。
为了便于描述本申请实施例的技术方案,在本申请实施例中,可以采用“第一”、“第二”等字样对功能相同或相似的技术特征进行区分。该“第一”、“第二”等字样并不对数量和执行次序进行限定,并且“第一”、“第二”等字样也并不限定一定不同。在本申请实施例中,“示例性的”或者“例如”等词用于表示例子、例证或说明,被描述为“示例性的”或者“例如”的任何实施例或设计方案不应被解释为比其它实施例或设计方案更优选或更具优势。使用“示例性的”或者“例如”等词旨在以具体方式呈现相关概念,便于理解。
需要说明的是,在本申请实施例中,对于一种技术特征,通过“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”等区分该种技术特征中的技术特征,该“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”描述的技术特征间无先后顺序或者大小顺序。
可以理解的,本申请实施例中同一个步骤或者具有相同功能的步骤或者技术特征在不同实施例之间可以互相参考借鉴。
可以理解的,本申请实施例中,密钥服务器,和/或,密钥代理,和/或,密钥客户端可以执行本申请实施例中的部分或全部步骤,这些步骤仅是示例,本申请实施例还可以执行其它步骤或者各种步骤的变形。此外,各个步骤可以按照本申请实施例呈现的不同的顺序来执行,并且有可能并非要执行本申请实施例中的全部步骤。
在本申请实施例中,获取密钥的方法的执行主体的具体结构,本申请实施例并未特别限定,只要能够实现本申请实施例的提供的方法即可。例如,本申请实施例提供的获取密钥的方法的执行主体可以是密钥服务器,或者为应用于密钥服务器中的部件,例如,芯片,本申请对此不进行限定。或者,本申请实施例提供的获取密钥的方法的执行主体可以是密钥代理,或者为应用于密钥代理的部件,例如,芯片,本申请对此不进行限定。或者,本申请实施例提供的获取密钥的方法的执行主体可以是密钥客户端,或者为应用于密钥客户端的部件,例如,芯片,本申请对此不进行限定。下述实施例以获取密钥的方法的执行主体分别为密钥服务器、密钥代理、密钥客户端为例进行描述。
如图4所示,为本申请实施例提供的一种获取密钥的方法,该获取密钥的方法可以应用于密钥管理系统。该密钥管理系统包括密钥服务器,以及与密钥服务器通信连接的第一节点。第一节点为密钥客户端。进一步的,该密钥管理系统可以是图1A所示的密钥管理系统10,在这种情况下,密钥服务器可以是图1A中的密钥服务器101,第一节点可以是图1A中的密钥客户端102、密钥客户端103或密钥客户端104。
一种可能的实现方式,该密钥管理系统可以部署到图2A的智能车20或图2B的智能车22上,在这种情况下,密钥服务器可以部署到智能车20或智能车22中具备通信能力,并且存储资源充足的设备上,如:TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU上。第一节点可以部署到智能车20或智能车22的TBox、网关、BCM、CDC、MDC、VCU、VDC、VIU或ECU上。
可以理解的,在执行本申请实施例提供的获取密钥的方法之前,密钥管理系统中的节点可以被配置一个或多个固定密钥。该固定密钥也可以称为初始密钥,固定密钥的使用范围为密钥管理系统。在根据本申请实施例提供的获取密钥的方法获取到密钥之前,密钥管理系统中的节点之间可以采用该固定密钥通信,以提高密钥管理系统的信息安全,该固定 密钥还可以作为基础密钥派生密钥管理系统中通信域的密钥。应理解,密钥管理系统中的节点也可以不配置固定密钥,直接根据本申请实施例提供的获取密钥的方法获取多个通信域的密钥。下面对密钥管理系统中的节点被配置一个或多个固定密钥的具体过程进行阐述,具体可参考下述S1-S2。
S1:密钥管理工具向第三节点发送第一请求信息。
S1中,密钥管理工具可以包括在密钥管理系统中,也可以不包括在密钥管理系统中。若密钥管理工具包括在密钥管理系统中,该密钥管理工具可以为上述图1A中描述的密钥管理工具。若密钥管理工具不包括在密钥管理系统中,该密钥管理工具可以是车厂设置的密钥管理工具。
S1中,第三节点可以为密钥管理系统中的任一节点。以图1A所示的密钥管理系统10为例,第三节点可以为密钥服务器101、密钥客户端102、密钥客户端103或密钥客户端104。
S1中,第一请求信息可以用于请求为第三节点配置一个或多个固定密钥。第一请求信息可以包括部署密钥管理系统的智能车的标识和第二密钥材料。其中,部署密钥管理系统的智能车的标识可以是该智能车的序列号。部署密钥管理系统的智能车的标识可以是密钥管理工具在本地读取的,也可以是人工输入的。部署密钥管理系统的智能车的标识也可以是密钥管理工具从云端密钥管理中心或密钥服务器获取到的。例如,密钥管理工具向密钥服务器或云端密钥管理中心发送获取智能车的相关信息的请求信息。密钥服务器或云端密钥管理中心接收到该请求信息后,向密钥管理工具发送获取智能车的相关信息的响应信息。该响应信息包括部署密钥管理系统的智能车的相关信息,例如部署密钥管理系统的智能车的标识、架构等。
第二密钥材料可以用于生成第二密钥。例如,第二密钥材料包括一个或多个随机数,该一个或多个随机数可以用于生成第二密钥;或者,第二密钥材料包括第二密钥。进一步的,第一请求信息还包括第二密钥的类型信息。第二密钥的类型信息可以用于指示第二密钥的类型。例如,第二密钥的类型的信息可以包括第二密钥的类型的标识。第二密钥的类型可以包括固定密钥。
一种可能的实现方式,部署第三节点的设备出厂时,或者,需要更新第二密钥的情况下,密钥管理工具向第三节点发送第一请求信息。
一种可能的实现方式,S1之前,密钥管理工具和第三节点之间还可以建立第一通信通道。例如,密钥管理工具和第三节点之间通过非对称算法建立第一通信通道。非对称算法可以包括椭圆曲线Diffie-Hellman(elliptic curve Diffie-Hellman,ECDH)算法或Diffie-Hellman算法等。该第一通信通道可以用于传输密钥管理工具与第三节点之间的信息,例如,上述第一请求信息、下述第一请求信息的响应信息、下述第五验证码等。
一种可能的实现方式,S1之前,密钥管理工具从云端密钥管理中心获取第二密钥材料。例如,密钥管理工具向云端密钥管理中心发送第二请求信息。第二请求信息用于请求第二密钥材料。第二请求信息可以包括部署密钥管理系统的智能车的标识。云端密钥管理中心可以是车厂设置的,用于管理车厂所管理的智能车使用的密钥,例如,车厂所管理的每个智能车使用的固定密钥。车厂所管理的每个智能车使用的固定密钥可以相同也可以不同。云端密钥管理中心接收到第二请求信息后,向密钥管理工具发送第二请求信息的响应信息。 第二请求信息的响应信息包括部署密钥管理系统的智能车的标识和第二密钥材料。这样密钥管理工具可以将部署密钥管理系统的智能车的标识和第二密钥材料包括在第一请求信息中发送给第三节点。进一步的,第二请求信息和第二请求信息的响应信息还可以包括第二密钥的类型信息。
可以理解的,密钥管理工具和云端密钥管理中心之间可以建立第三安全通道。密钥管理工具和云端密钥管理中心之间可以根据第一协议建立第三安全通道。其中,第一协议可以是传输层安全(transport layer security,TLS)协议、超文本传输安全协议(hyper text transfer protocol secure,HTTPs)、数据包传输层安全性(datagram transport layer security,DTLS)协议、自定义协议、或其他协议。第三安全通道可以用于传输密钥管理工具与云端密钥管理中心之间的信息,例如,上述第二请求信息、上述第二请求信息的响应信息等。
可以理解的,密钥管理工具可以一次向多个第三节点发送第一请求信息,也可以一次向一个第三节点发送第一请求信息,不予限制。
对应的,第三节点接收来自密钥管理工具的第一请求信息。
S2:第三节点根据第一请求信息生成第二密钥。
一种可能的实现方式,第三节点根据第二密钥材料生成第二密钥。若第二密钥材料包括一个或多个随机数,第三节点通过一种或多种算法对该一个或多个随机数进行计算,得到第二密钥,并存储该第二密钥。若第二密钥材料包括第二密钥,则第三节点存储该第二密钥。该第二密钥的类型为第二密钥的类型信息中指示的类型。可以理解的,在第三节点存储第二密钥之前,可以将第三节点中用于存储密钥的存储区域清零。
一种可能的实现方式,S2之后,第三节点向密钥管理工具发送第一请求信息的响应信息。第一请求信息的响应信息用于指示第三节点生成第二密钥是否成功。
一种可能的实现方式,S2之后,第三节点向密钥管理工具发送第五验证码。其中,第五验证码是根据一种或多种算法对第五验证信息进行计算得到的。第五验证信息包括一下信息中的至少一项:第二密钥、部署密钥管理系统的智能车的标识或第二密钥的类型信息。第五验证码可以用于验证第五验证信息是否被修改。该第五验证码可以是消息认证码(message authentication code,MAC)。
进一步的,若第五验证信息包括第二密钥,第三节点在计算第五验证码的过程中可以使用第二密钥,也可以不使用第二密钥。若第五验证信息不包括第二密钥,第三节点在计算第五验证码的过程中使用第二密钥。
可以理解的,密钥管理工具接收到第五验证码后,验证第五验证码。示例性的,密钥管理工具根据第五验证信息生成第五验证码,若密钥管理工具生成的第五验证码与接收到的第五验证码相同,则验证成功,即第二密钥生成正确;若密钥管理工具生成的第五验证码与接收到的第五验证码不相同,则验证失败,即第二密钥生成错误或失败。可以理解的,密钥管理工具采用与第三节点生成第五验证码时相同的算法对第五验证信息进行计算,得到第五验证码。
可以理解的,除了上述S1-S2所示的方法之外,第三节点也可以直接从云端密钥管理中心获取第二密钥材料。例如,云端密钥管理中心向第三节点发送第三请求信息。第三请求信息可以包括部署密钥管理系统的智能车的标识和第二密钥材料。第三请求信息还可以包括第二密钥的类型信息。第三节点接收到第三请求信息后,可以根据第三请求信息生成 第二密钥。后续,第三节点还可以向云端密钥管理中心发送第三通知信息。第三通知信息用于指示第三节点生成第二密钥是否成功。第三节点还可以和云端密钥管理中心之间通过MAC验证第二密钥是否生成正确。
可以理解的,密钥管理系统中需要配置第二密钥的节点生成了第二密钥,并组装在了一辆智能车中后,即可采用该第二密钥通信,以提高密钥管理系统的信息安全。密钥管理系统中需要配置第二密钥的节点可以包括密钥管理系统中的全部节点或部分节点。
可以理解的,第二密钥为派生密钥管理系统中通信域的密钥的基础密钥,若攻击者可以轻易通过云端密钥管理中心或密钥管理工具为密钥管理系统配置该第二密钥,则密钥管理系统管理的密钥将不再安全。为了避免攻击者轻易为密钥管理系统配置第二密钥,在通过云端密钥管理中心或密钥管理工具为密钥管理系统配置该第二密钥时,可以采用专用软件执行上述S1-S2,执行完成后,卸载或擦除该专用软件。该专用软件与执行本申请实施例提供的获取密钥的方法的软件不同。或者,在通过云端密钥管理中心或密钥管理工具为密钥管理系统配置该第二密钥时,可以采用一个兼容模式的软件,该兼容模式的软件既可以执行上述S1-S2,又可以执行本申请实施例提供的方法,不过上述S1-S2,和本申请实施例提供的获取密钥的方法对应该兼容模式软件的不同模式。换句话说,在需要灌装固定密钥的情况下,将该兼容模式的软件切换到上述S1-S2对应的模式上,在需要获取通信域的密钥的情况下,将该兼容模式的软件切换到本申请实施例提供的获取密钥的方法对应的模式上。应理解,上述专用软件的权限,以及切换软件模式的权限属于车厂,如此可以避免攻击者轻易为密钥管理系统配置第二密钥。
一种可能的实现方式,为了执行本申请实施例提供的获取密钥的方法,可以为密钥管理系统中的节点配置相关的配置信息,后续密钥管理系统中的节点可以根据该相关的配置信息执行获取密钥的方法。应理解,若为密钥管理系统中的节点配置了相关的配置信息之后,该相关的配置信息没有改变,则每次执行本申请实施例提供的获取密钥的方法之前不需要再次为密钥管理系统中的节点配置相关的配置信息,若该相关的配置信息发生改变,可以为密钥管理系统中的节点配置更新后的相关的配置信息,为密钥管理系统中的节点配置更新后的相关的配置信息的过程,与为密钥管理系统中的节点配置相关的配置信息的过程类似。为密钥管理系统中的节点配置相关的配置信息的具体过程,可以参考下述S3-S4。
S3:密钥服务器获取第一配置信息。
S3中,第一配置信息可以用于指示密钥管理系统中节点的相关配置,例如,第一配置信息指示以下信息中的至少一种:密钥管理系统中节点的标识,密钥管理系统中节点的连接方式,或与密钥管理系统中节点通信的其他节点的信息。
其中,密钥管理系统中节点的标识用于标识部署该密钥管理系统中节点的设备。例如,若密钥服务器部署在CDC上,密钥服务器的标识可以为CDC的标识;若密钥客户端部署在ECU上,该密钥客户端的标识可以为ECU的标识。密钥管理系统中节点的标识可以是车厂配置的。进一步的,密钥管理系统中节点的标识可以是一个编号,也可以是部署该密钥管理系统中节点的设备的名称。若密钥管理系统中节点的标识是一个编号,该编号还可以是智能车组装好后密钥服务器分配的。
密钥管理系统中节点的连接方式可以用于指示该节点的每个端口的连接方式。密钥管理系统中节点的连接方式包括以太网、CAN、CAN FD、LIN、MOST或FlexRay连 接。密钥管理系统中节点的连接方式还可以用于指示该节点的每个端口的地址,例如,互联网协议(Internet Protocol,IP)地址和/或媒体访问控制(media access control,MAC)地址。进一步的,IP地址可以是传输控制协议(transmission control protocol,TCP)和端口号50001。需要说明的是,本申请实施例中,任一两个节点之间的连接方式或任一节点的连接方式(即任一节点的每个端口与其他节点的连接方式)包括以太网、CAN、CAN FD、LIN、MOST或FlexRay连接,在此做出统一说明,后面不再赘述。
与密钥管理系统中节点通信的其他节点的信息可以用于指示该其他节点的标识和该其他节点与密钥管理系统中节点的连接方式。其他节点的标识用于标识部署该其他节点的设备。与密钥管理系统中节点通信的其他节点的信息还可以用于指示该其他节点与该密钥管理系统中节点连接的端口的地址,例如IP地址和/或MAC地址。
示例性的,以图1A所示的密钥管理系统10为例,第一配置信息可以包括密钥服务器101的信息,密钥客户端102的信息,密钥客户端103的信息和密钥客户端104的信息。密钥服务器101的信息可以如表1所示。表1中,密钥服务器101的信息包括密钥服务器101的标识,密钥服务器101的每个端口的连接方式的信息和与密钥服务器101通信的其他节点的信息。密钥服务器101的每个端口的连接方式的信息包括密钥服务器101的每个端口的标识(端口1、端口2和端口3),密钥服务器101的每个端口的连接方式的标识(Eth、CAN和CAN),以及密钥服务器101的每个端口的地址(IP 1、CAN ID 1和CAN ID 2)。与密钥服务器101通信的其他节点的信息包括与密钥服务器101通信的其他节点的标识(密钥客户端102的标识,密钥客户端103的标识和密钥客户端104的标识)和其他节点与密钥服务器101的连接方式的信息。其他节点与密钥服务器101的连接方式的信息包括密钥客户端102与密钥服务器101的连接方式的信息,密钥客户端103与密钥服务器101的连接方式的信息和密钥客户端104与密钥服务器101的连接方式的信息。密钥客户端102与密钥服务器101的连接方式的信息包括密钥客户端102与密钥服务器101的连接方式的标识(Eth),以及密钥客户端102与密钥服务器101连接的端口的IP地址(IP 4)。密钥客户端103与密钥服务器101的连接方式的信息包括密钥客户端103与密钥服务器101的连接方式的标识(CAN),以及密钥客户端103与密钥服务器101连接的端口的地址(CAN ID3)。密钥客户端104与密钥服务器101的连接方式的信息包括密钥客户端104与密钥服务器101的连接方式的标识(CAN),以及密钥客户端104与密钥服务器101连接的端口的地址(CAN ID 4)。
表1
Figure PCTCN2021078283-appb-000001
Figure PCTCN2021078283-appb-000002
密钥客户端102的信息可以如表2所示。表2中,密钥客户端102的信息包括密钥客户端102的标识,密钥客户端102的每个端口的连接方式的信息和与密钥客户端102通信的其他节点的信息。密钥客户端102的每个端口的连接方式的信息包括密钥客户端102的每个端口的连接方式的标识(Eth),以及密钥客户端102的每个端口的IP地址(IP 4)。与密钥客户端102通信的其他节点的信息包括与密钥客户端102通信的其他节点的标识(密钥服务器101的标识)和其他节点与密钥客户端102的连接方式的信息。其他节点与密钥客户端102的连接方式的信息包括密钥服务器101与密钥客户端102连接的端口的标识(端口1),密钥服务器101与密钥客户端102的连接方式的标识(Eth),以及密钥服务器101与密钥客户端102连接的端口的IP地址(IP 1)。
表2
Figure PCTCN2021078283-appb-000003
密钥客户端103的信息可以如表3所示。表3中,密钥客户端103的信息包括密钥客户端103的标识,密钥客户端103的每个端口的连接方式的信息和与密钥客户端103通信的其他节点的信息。密钥客户端103的每个端口的连接方式的信息包括密钥客户端103的每个端口的连接方式的标识(CAN),以及密钥客户端103的每个端口的地址(CAN ID 3)。与密钥客户端103通信的其他节点的信息包括与密钥客户端103通信的其他节点的标识(密钥服务器101的标识)和其他节点与密钥客户端103的连接方式的信息。其他节点与密钥客户端103的连接方式的信息包括密钥服务器101与密钥客户端103连接的端口的标识(端口2),密钥服务器101与密钥客户端103的连接方式的标识(CAN),以及密钥服务器101与密钥客户端103连接的端口的地址(CAN ID 1)。
表3
Figure PCTCN2021078283-appb-000004
密钥客户端104的信息可以如表4所示。表4中,密钥客户端104的信息包括密 钥客户端104的标识,密钥客户端104的每个端口的连接方式的信息和与密钥客户端104通信的其他节点的信息。密钥客户端104的每个端口的连接方式的信息包括密钥客户端104的每个端口的连接方式的标识(CAN),以及密钥客户端104的每个端口的地址(CAN ID 4)。与密钥客户端104通信的其他节点的信息包括与密钥客户端104通信的其他节点的标识(密钥服务器101的标识)和其他节点与密钥客户端104的连接方式的信息。其他节点与密钥客户端104的连接方式的信息密钥服务器101与密钥客户端104连接的端口的标识(端口3),密钥服务器101与密钥客户端104的连接方式的标识(CAN),以及密钥服务器101与密钥客户端104连接的端口的地址(CAN ID 2)。
表4
Figure PCTCN2021078283-appb-000005
通过表1-表4可以看出,密钥服务器101的端口1与密钥客户端102连接,密钥服务器101的端口2与密钥客户端103连接,密钥服务器101的端口3与密钥客户端104连接。
上述表1-表4仅是第一配置信息的示例。第一配置信息可以包括比表1-表4更少或更多的信息,不予限制。
一种可能的实现方式,密钥服务器接收来自密钥管理工具或云端密钥管理中心的第一配置信息。也就是说,密钥服务器可以从密钥管理工具或云端密钥管理中心获取第一配置信息。
对于密钥服务器从密钥管理工具获取第一配置信息的情况,密钥服务器可以向密钥管理工具发送第四请求信息。第四请求信息可以用于请求第一配置信息。例如,第四请求信息包括部署密钥管理系统的智能车的型号。进一步的,第四请求信息还可以包括密钥管理系统的版本号。密钥管理工具接收到第四请求信息后可以向云端密钥管理中心发送第五请求信息。第五请求信息可以用于请求第一配置信息。例如,第五请求信息包括部署密钥管理系统的智能车的型号。进一步的,第五请求信息还可以包括密钥管理系统的版本号。云端密钥管理中心接收到第五请求信息后,可以向密钥管理工具发送第五请求信息的响应信息。第五请求信息的响应信息可以包括第一配置信息。密钥管理工具接收到第五请求信息的响应信息后,可以向密钥服务器发送第四请求信息的响应信息。第四请求信息的响应信息可以包括第一配置信息。
可以理解的,对于密钥服务器从密钥管理工具获取第一配置信息的情况,车厂的员工可以在密钥管理工具中配置部署密钥管理系统的智能车的相关信息(例如,该智能车的型号或架构信息)后,或者,密钥管理工具读取部署密钥管理系统的智能车的相关信息后,密钥管理工具向密钥服务器发送第四通知信息。第四通知信息用于通知 密钥服务器启动获取第一配置信息的流程。后续,密钥服务器向密钥管理中心发送第四请求信息。
可以理解的,密钥管理工具与密钥服务器之间可以建立第四安全通道。密钥管理工具和密钥服务器之间可以根据第一协议建立第四安全通道。第四安全通道可以用于传输密钥管理工具与密钥服务器之间的信息,例如,上述第四请求信息、上述第四请求信息的响应信息等。密钥管理工具和云端密钥管理中心之间可以根据第一协议建立第五安全通道。第五安全通道可以用于传输密钥管理工具与云端密钥管理中心之间的信息,例如,上述第五请求信息、上述第五请求信息的响应信息等。
密钥服务器从云端密钥管理中心获取第一配置信息的情况,密钥服务器可以向云端密钥管理中心发送第六请求信息。第六请求信息可以用于请求第一配置信息。例如,第六请求信息包括部署密钥管理系统的智能车的型号。进一步的,第六请求信息还可以包括密钥管理系统的版本号。云端密钥管理中心接收到第六请求信息后可以向密钥服务器发送第六请求信息的响应信息。第六请求信息的响应信息可以包括第一配置信息。
可以理解的,除了S3所示的方法之外,第一配置信息也可以包括在上述第一请求信息或第三请求信息中发送给密钥服务器。
S4:密钥服务器向第一节点发送第二配置信息。
S4中,第二配置信息可以用于指示以下信息中的至少一种:第一节点的标识,第一节点的连接方式,或与第一节点通信的其他节点的信息。
其中,第一节点的标识用于标识部署第一节点的设备。例如,若第一节点部署在ECU上,该第一节点的标识可以为ECU的标识。第一节点的连接方式可以用于指示该第一节点的每个端口的连接方式。第一节点的连接方式还可以用于指示第一节点的每个端口的地址,例如IP地址和/或MAC地址。与第一节点通信的其他节点的信息可以用于指示该其他节点的标识和该其他节点与第一节点的连接方式。其他节点的标识用于标识部署该其他节点的设备。与第一节点通信的其他节点的信息还可以用于指示该其他节点与第一节点连接的端口的地址,例如IP地址和/或MAC地址。
示例性的,以第一配置信息如表1-表4所示为例,若第一节点为密钥客户端102,则第二配置信息可以如表2所示。若第一节点为密钥客户端103,则第二配置信息可以如表3所示。若第一节点为密钥客户端104,则第二配置信息可以如表4所示。
一种可能的实现方式,密钥服务器在向第一节点发送第二配置信息的过程中,还可以向密钥管理工具或云端密钥管理中心发送第一分发进展通知。第一分发进展通知可以用于指示密钥服务器向每个节点分发第二配置信息的进度。S4之后,密钥服务器还可以向密钥管理工具或云端密钥管理中心发送分发完成通知,用于指示密钥服务器完成了第二配置信息的发送。
一种可能的实现方式,S4之后,密钥管理系统中的节点可以根据该节点接收到的配置信息确定该节点所在的通信域的信息。本申请实施例中,通信域可以按不同的粒度进行划分。基于不同粒度划分的通信域可以覆盖密钥管理系统中节点之间通信的多种场景,例如,连接方式相同的节点之间的通信场景,功能相同的节点之间的通信场景或通信信息的类型相同的节点之间的通信场景等。该多种场景中的任一种场景都可以 对应一个或多个密钥,进而提高通信安全。密钥管理系统中的通信域之间可以有交集,也可以没有交集。通信域之间有交集可以理解为一个通信域和另一个通信域包括有共同的节点。通信域之间没有交集可以理解为一个通信域包括的节点和另一个通信域包括的节点完全不相同。下面以下述三种方式为例,介绍划分通信域的方式。
方式1:通信域可以根据密钥管理系统中节点的连接方式确定
一种可能的实现方式,可以为不同连接方式连接的节点划分不同的通信域。例如,通过以太网连接的节点可以包括在一个通信域中;或者,通过CAN连接的节点可以包括在一个通信域中;或者,通过LIN连接的节点可以包括在一个通信域中;或者,通过MOST连接的节点可以包括在一个通信域中;或者,通过FlexRay连接的节点可以包括在一个通信域中。
示例性的,以第一配置信息如表1-表4所示为例,密钥服务器101和密钥客户端102可以包括在一个通信域中。密钥服务器101、密钥客户端103和密钥客户端104中的至少两个节点可以包括在一个通信域中。
方式2:通信域可以根据部署密钥管理系统中节点的设备的功能确定
一种可能的实现方式,可以为不同功能的设备划分不同的通信域。示例性的,以图1A所示的密钥管理系统10部署到图2A所示的智能车20为例。若密钥服务器101部署在网关202上,密钥客户端102部署在BCM 203上,密钥客户端103部署在CDC 204上,密钥客户端104部署在MDC 205上,BCM 203,CDC 204和MDC 205的功能不同,则密钥服务器101和密钥客户端102可以包括在一个通信域中,密钥服务器101和密钥客户端103可以包括在一个通信域中,密钥服务器101和密钥客户端104可以包括在一个通信域中。
方式3:通信域可以根据密钥管理系统中节点间的通信信息的类型确定
其中,密钥管理系统中节点间的通信信息的类型包括涉及隐私的信息或不涉及隐私的信息。示例性的,以图1A所示的密钥管理系统10部署到图2A所示的智能车20为例。若密钥服务器101部署在网关202上,密钥客户端102部署在BCM 203上,密钥客户端103部署在VCU 206上,密钥客户端104部署在MDC 205上,其中,MDC 205可以接入不同传感器的信号,例如摄像机的信号,因此MDC 205发送的信息有可能涉及隐私,BCM 203和VCU 206发送的信息不涉及隐私,则密钥服务器101和密钥客户端104可以包括在一个通信域中,密钥服务器101、密钥客户端102和密钥客户端103中的至少两个节点可以包括在一个通信域中。
进一步的,其中一种情况,涉及隐私的信息可以根据不同用户或账户进行划分,因此还可以为不同的用户或账户划分不同的通信域。例如,通信域1和通信域2都包括密钥服务器101和密钥客户端102,但是,通信域1和通信域2对应的用户不同。其中另一种情况,通信域还可以根据隐私信息的等级确定。也就是说,可以为传输不同等级的隐私信息的节点划分不同的通信域。例如,若密钥服务器101和密钥客户端102传输的隐私信息的等级为1,密钥服务器101、密钥客户端103和密钥客户端104传输的隐私信息的等级为2,则密钥服务器101和密钥客户端102可以包括在一个通信域中,密钥服务器101、密钥客户端103和密钥客户端104中的至少两个节点可以包括在一个通信域中。
应理解,上述三种方式仅是示例性的,在具体应用中还可以包括其他划分方式。例如, 根据通信需要进行划分,也就是说,将需要通信的节点划分为一个通信域,还可以根据应用、逻辑端口或需要通信的信息的用途等进行划分。
下面对密钥管理系统中的节点根据该节点接收到的配置信息确定该节点所在的通信域的信息的具体过程进行阐述,具体的,可以参考下述S5-S6。
S5:密钥服务器根据第一配置信息确定密钥服务器所在的通信域的信息。
一种可能的实现方式,密钥服务器采用上述方式1-方式3中的任一方式确定密钥服务器所在的通信域,根据第一配置信息确定每个通信域的信息。
S5中密钥服务器所在的通信域的信息可以用于指示以下信息中的至少一项:密钥服务器所在的通信域的应用范围,密钥服务器所在的通信域的标识,密钥服务器所在的通信域中节点的通信方式,密钥服务器与密钥服务器所在的通信域中除密钥服务器之外的节点的连接方式,密钥服务器与密钥服务器所在的通信域中除密钥服务器之外的节点连接的端口的地址,密钥服务器所在的通信域中除密钥服务器之外的其他节点的信息,或构建密钥服务器所在的通信域的密钥的密钥信息。
其中,密钥服务器所在的通信域的应用范围包括整车、功能域内、跨功能域和主设备之间等。功能域可以理解为根据智能车中设备的功能划分的,例如,电力域、动力域或娱乐域等。功能域内可以理解为密钥服务器所在的通信域包括的节点部署在一个功能域内,例如,部署在电力域内。跨功能域可以理解为密钥服务器所在的通信域包括的节点部署在不同的功能域,例如部署在电力域和动力域内。主设备可以是CDC、BCM、MDC、VCU、VDC、VIU、TBox、或网关等。
密钥服务器所在的通信域中节点的通信方式包括点到点通信或点到多点通信。点到点通信可以理解为信息的发送方和接收方的数量为1。点到多点通信可以理解为信息的发送方的数量为1,信息接收方的数量大于1。其中,信息的发送方或信息的接收方可以是通信域中的任一节点。
密钥服务器所在的通信域中除密钥服务器之外的其他节点的信息可以用于指示以下信息中的至少一项:该其他节点的标识,该其他节点和密钥服务器连接的端口,该其他节点的节点名称,或该其他节点支持的协议或算法。其中,该其他节点的节点名称包括密钥服务器、密钥代理或密钥客户端。该其他节点支持的协议或算法包括以下至少一项:该其他节点支持的报文的协议(例如,用户数据报协议(user data protocol,UDP)或TCP等),该其他节点支持的多种算法(例如,完整性算法,加密算法,身份认证算法或临时密钥的派生算法等)或用于派生密钥服务器所在的通信域的密钥的基础密钥的信息(例如,基础密钥的存储位置信息、基础密钥的类型信息等)。
构建密钥服务器所在的通信域的密钥的密钥信息可以用于指示密钥服务器所在的通信域的密钥的存储位置。进一步的,构建密钥服务器所在的通信域的密钥的密钥信息还可以用于指示密钥服务器所在的通信域的密钥的类型。该密钥的类型可以包括固定密钥或长期密钥。
示例性的,以图1A所示的密钥管理系统10为例,若密钥服务器101和密钥客户端102包括在通信域1中,密钥服务器101、密钥客户端103和密钥客户端104包括在通信域2中,则密钥服务器101所在的通信域的信息可以包括通信域1的信息和通信域2的信息。通信域1的信息可以如表5所示,表5中,通信域1的信息包括通信 域1的应用范围(主设备之间)、通信域1的标识,通信域1中节点的通信方式(点到点),密钥服务器101与密钥客户端102的连接方式的信息,密钥客户端102的信息和构建通信域1的密钥的密钥信息。密钥服务器101与密钥客户端102的连接方式的信息包括密钥服务器101与密钥客户端102连接的端口的标识(密钥服务器101的端口1),密钥服务器101与密钥客户端102的连接方式(Eth)和密钥服务器101与密钥客户端102连接的端口的IP地址(IP 1)。密钥客户端102的信息包括密钥客户端102的标识,密钥客户端102和密钥服务器101连接的端口的标识(密钥客户端102的端口2),密钥客户端102的名称(密钥客户端),和密钥客户端102支持的协议或算法(AES_CMAC_128和AES_CBC_128)。构建密通信域1的密钥的密钥信息包括通信域1的密钥的存储位置(存储位置1)和通信域1的密钥的类型(长期密钥)。其中,AES_CMAC_128为完整性/消息校验码算法,AES_CBC_128为加密算法。
表5
Figure PCTCN2021078283-appb-000006
通信域2的信息可以如表6所示,表6中,通信域2的信息包括通信域2的应用范围(跨功能域)、通信域2的标识,通信域2中节点的通信方式(点到多点),密钥服务器101与密钥客户端103的连接方式的信息,密钥服务器101与密钥客户端104的连接方式的信息,密钥客户端103的信息,密钥客户端104的信息和构建通信域2的密钥的密钥信息。密钥服务器101与密钥客户端103的连接方式的信息包括密钥服务器101与密钥客户端103连接的端口的标识(密钥服务器101的端口1),密钥服务器101与密钥客户端103的连接方式(CAN)和密钥服务器101与密钥客户端103连接的端口的地址(CAN ID 1)。密钥服务器101与密钥客户端104的连接方式的信息包括密钥服务器101与密钥客户端104连接的端口的标识(密钥服务器101的端口3),密钥服务器101与密钥客户端104的连接方式(CAN)和密钥服务器101与密钥客户端104连接的端口的地址(CAN ID 2)。密钥客户端103的信息包括密钥客户端103的标识,密钥客户端103和密钥服务器101连接的端口的标识(密钥客户端103的端口1),密钥客户端103的名称(密钥客户端),和密钥客户端103支持的协议或算法(AES_CMAC_128和AES_CBC_128)。密钥客户端104的信息包括密钥客户端 104的标识,密钥客户端104和密钥服务器101连接的端口的标识(密钥客户端104的端口3),密钥客户端104的名称(密钥客户端),和密钥客户端104支持的协议或算法(AES_CMAC_128和AES_CBC_128)。构建密通信域2的密钥的密钥信息包括通信域2的密钥的存储位置(存储位置2)和通信域2的密钥的类型(长期密钥)。
表6
Figure PCTCN2021078283-appb-000007
应理解,上述表5和表6仅是密钥服务器所在的通信域的信息的示例,在具体应用中,密钥服务器所在的通信域的信息还可以包括比表5和表6更多或更少的信息,不予限制。
S6:第一节点根据第二配置信息确定第一节点所在的通信域的信息。
一种可能的实现方式,第一节点采用上述方式1-方式3中的任一方式确定第一节点所在的通信域,根据第二配置信息确定每个通信域的信息。
S6中第一节点所在的通信域的信息可以用于指示以下信息中的至少一项:第一节点所在的通信域的应用范围,第一节点所在的通信域的标识,第一节点所在的通信域中节点的通信方式,第一节点与第一节点所在的通信域中除第一节点之外的节点的连接方式,第一节点在第一节点所在通信域中的交互方式,第一节点与第一节点所在的通信域中除第一节点之外的节点连接的端口的地址,第一节点支持的协议或算法,第一节点所在的通信域中除第一节点之外的其他节点的信息,或构建第一节点所在的通信域的密钥的密钥信息。
其中,第一节点所在的通信域的应用范围包括整车、功能域内、跨功能域和主设备之间等。第一节点所在的通信域中节点的通信方式包括点到点通信或点到多点通信。 第一节点在第一节点所在通信域中的交互方式包括直接与密钥服务器通信或通过密钥代理与密钥服务器通信。第一节点支持的协议或算法包括以下至少一项:第一节点支持的报文的协议(例如,UDP或TCP等),第一节点支持的多种算法(例如,完整性算法,加密算法,身份认证算法或临时密钥的派生算法等)或用于派生第一节点所在的通信域的密钥的基础密钥的信息(例如,基础密钥的存储位置信息、基础密钥的类型信息等)。第一节点所在的通信域中除第一节点之外的其他节点的信息可以用于指示以下信息中的至少一项:该其他节点的标识,该其他节点和第一节点连接的端口,或该其他节点支持的协议或算法。构建第一节点所在的通信域的密钥的密钥信息可以用于指示第一节点所在的通信域的密钥的存储位置。进一步的,构建第一节点所在的通信域的密钥的密钥信息还可以用于指示第一节点所在的通信域的密钥的类型。
示例性的,以图1A所示的密钥管理系统10为例,若密钥服务器101和密钥客户端102包括在通信域1中,密钥服务器101、密钥客户端103和密钥客户端104包括在通信域2中,第一节点为密钥客户端102,则密钥客户端102确定的通信域1的信息(即密钥客户端102所在通信域的信息)可以如表7所示,表7中,通信域1的信息包括通信域1的应用范围(主设备之间)、通信域1的标识,通信域1中节点的通信方式(点到点),密钥客户端102与密钥服务器101的连接方式的信息,密钥客户端102在通信域1中的交互方式(直接与密钥服务器通信),密钥客户端102支持的协议或算法(AES_CMAC_128和AES_CBC_128),密钥服务器101的信息和构建通信域1的密钥的密钥信息。密钥客户端102与密钥服务器101的连接方式的信息包括密钥客户端102与密钥服务器101连接的端口的标识(密钥客户端102的端口2)和密钥客户端102与密钥服务器101的连接方式(Eth)。密钥服务器101的信息包括密钥服务器101的标识,和密钥服务器101和密钥客户端102连接的端口的标识(密钥服务器101的端口1)。构建密通信域1的密钥的密钥信息包括通信域1的密钥的存储位置(存储位置1)和通信域1的密钥的类型(长期密钥)。
表7
Figure PCTCN2021078283-appb-000008
Figure PCTCN2021078283-appb-000009
若第一节点为密钥客户端103,则密钥客户端103确定的通信域2的信息(即密钥客户端103所在通信域的信息)可以如表8所示,表8中,通信域2的信息包括通信域2的应用范围(跨功能域)、通信域2的标识,通信域2中节点的通信方式(点到多点),密钥客户端103与密钥服务器101的连接方式的信息,密钥客户端103在通信域1中的交互方式(直接与密钥服务器通信),密钥客户端103支持的协议或算法(AES_CMAC_128和AES_CBC_128),密钥服务器101的信息和构建通信域2的密钥的密钥信息。密钥客户端103与密钥服务器101的连接方式的信息包括密钥客户端103与密钥服务器101连接的端口的标识(密钥客户端103的端口1)和密钥客户端103与密钥服务器101的连接方式(CAN)。密钥服务器101的信息包括密钥服务器101的标识,和密钥服务器101和密钥客户端103连接的端口的标识(密钥服务器101的端口2)。构建密通信域2的密钥的密钥信息包括通信域2的密钥的存储位置(存储位置2)和通信域2的密钥的类型(长期密钥)。
表8
Figure PCTCN2021078283-appb-000010
若第一节点为密钥客户端104,则密钥客户端104确定的通信域2的信息(即密钥客户端104所在通信域的信息)可以如表9所示,表9中,通信域2的信息包括通信域2的应用范围(跨功能域)、通信域2的标识,通信域2中节点的通信方式(点到多点),密钥客户端104与密钥服务器101的连接方式的信息,密钥客户端104在通信域1中的交互方式(直接与密钥服务器通信),密钥客户端104支持的协议或算法(AES_CMAC_128和AES_CBC_128),密钥服务器101的信息和构建通信域2的密钥的密钥信息。密钥客户端104与密钥服务器101的连接方式的信息包括密钥客户端104与密钥服务器101连接的端口的标识(密钥客户端104的端口3)和密钥客户 端104与密钥服务器101的连接方式(CAN)。密钥服务器101的信息包括密钥服务器101的标识,和密钥服务器101和密钥客户端104连接的端口的标识(密钥服务器101的端口3)。构建密通信域2的密钥的密钥信息包括通信域2的密钥的存储位置(存储位置2)和通信域2的密钥的类型(长期密钥)。
表9
Figure PCTCN2021078283-appb-000011
应理解,上述表7-表9仅是第一节点所在的通信域的信息的示例,在具体应用中,第一节点所在的通信域的信息还可以包括比表7、表8或表9更多或更少的信息,不予限制。
可以理解的,S6之后,密钥管理系统中的节点即可获取每个通信域的密钥。下面对本申请实施例提供的获取密钥的方法进行具体阐述,该获取密钥的方法包括S401-S403。
S401:密钥服务器获取第一密钥信息。
其中,第一密钥信息可以用于为第一通信域中的节点配置密钥。例如,第一密钥信息可以包括第一密钥材料。进一步的,第一密钥信息还可以包括第一通信域的标识和/或第一密钥的类型信息。
其中,第一密钥材料可以用于生成第一密钥。例如,第一密钥材料包括一个或多个随机数,该一个或多个随机数可以用于生成第一密钥;或者,第一密钥材料包括第一密钥。第一密钥可以具备以下至少一种功能:用于加密第一通信域中的节点间的通信信息,用于验证第一通信域中的节点间的通信信息的完整性,或用于作为基础密钥派生其他密钥。其他密钥可以包括第一通信域中节点间通信的临时密钥或其他长期密钥等。可选的,第一密钥材料是根据第二密钥得到的。
第一通信域的标识可以用于指示第一通信域。第一密钥可以应用于第一通信域,或者说,第一密钥的使用范围为第一通信域。也就是说,第一密钥可以应用于第一通信域的标 识指示的通信域。第一通信域为密钥管理系统中的任一通信域,例如,第一节点所在的通信域的信息中指示的通信域、密钥服务器所在的通信域的信息中指示的通信域。第一通信域包括密钥管理系统中的至少两个节点,该至少两个节点包括第一节点,即密钥客户端。第一通信域的划分方法可以参考上述方式1-方式3中对应的描述。以图1A所示的密钥管理系统10为例,第一通信域包括密钥客户端102-密钥客户端104中的至少两个密钥客户端;或者,第一通信域包括密钥服务器101,和密钥客户端102-密钥客户端104中的至少一个密钥客户端。可以理解的,第一密钥也可以应用于整车,或者说,第一密钥的使用范围为整车。
第一密钥的类型信息可以用于指示第一密钥的类型。例如,第一密钥的类型的信息可以包括第一密钥的类型的标识。第一密钥的类型可以包括固定密钥、长期密钥或临时密钥。
可以理解的,本申请实施例中,第一密钥和/或第二密钥是设备内的关键敏感信息,需要进行安全非易失性存储,且不可以随便更新、删除,甚至需要禁止读取。能够提供安全非易失性存储的硬件机制有:硬件安全模块(hardware security module,HSM)、安全硬件扩展(secure hardware extension,SHE)、可信执行环境(trust execution environment,TEE)中的持久化安全存储区等。
一种可能的实现方式,S401之前,密钥服务器接收到来自密钥管理工具的第一确认信息;或者,密钥服务器接收到来自第一终端的第一确认信息;或者,密钥服务器接收来自第二终端的第一确认信息,密钥服务器获取第一密钥信息;或者,密钥服务器接收到来自云端密钥管理中心的第一确认信息。其中,第一确认信息可以用于触发密钥服务器获取第一密钥信息。也就是说,可以通过密钥管理工具、第一终端、第二终端或云端密钥管理中心来触发密钥服务器为第一通信域中的节点配置密钥。
例如,密钥服务器检测到第一通信域的密钥过期或即将过期,向密钥管理工具、第一终端、第二终端或云端密钥管理中心发送第一请求触发信息,用于指示第一通信域的密钥过期或即将过期。密钥管理工具或云端密钥管理中心接收到第一请求触发信息后可以通知管理员,以便管理员确认是否触发密钥服务器为第一通信域中的节点配置密钥。第一终端或第二终端接收到通知消息后可以通知用户,以便用户确认是否触发密钥服务器为第一通信域中的节点配置密钥。密钥管理工具、第一终端、第二终端或云端密钥管理中心接收到第一请求触发信息后,还可以向密钥服务器发送第一请求触发信息的响应信息。第一请求触发信息的响应信息可以用于指示接收到第一请求触发信息。
可以理解的,密钥服务器接收到第一确认信息后,可以向密钥管理工具、第一终端、第二终端或云端密钥管理中心发送第一确认信息的响应信息,用于指示接收到该第一确认信息,还可以用于指示启动第一通信域的密钥的构建流程,即开始执行S401。
其中,若该密钥管理工具为车厂设置的密钥管理工具,可以将该密钥管理工具通过智能车的诊断口与智能车连接,来触发密钥服务器为第一通信域中的节点配置密钥。密钥管理工具和密钥服务器之间还可以根据第一协议建立第六安全通道。第六安全通道用于传输密钥服务器与密钥管理工具之间的信息,例如,第一确认信息。
上述第一终端可以是用户设备(user equipment,UE),其中,UE包括具有无线通信功能的手持式设备、可穿戴设备或计算设备。示例性地,UE可以是手机(mobile phone)、平板电脑或带无线收发功能的电脑。上述第二终端可以是车载设备,也可以称 为智能车中的设备,例如TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU等。第一终端或第二终端上安装有可以与密钥服务器通信的软件。以第二终端为例,第一确认信息可以是智能车中的设备上部署的车载信息娱乐(in-vehicle infotainment,IVI)系统触发发送的。IVI系统可以为具备以下一种或多种功能的系统:导航、播放音乐、播放视频、语音识别、拨打电话、信息交互等。
一种可能的实现方式,在第一次使用智能车,或者确定需要更新第一通信域的密钥,或者智能车中的设备被更换后的情况下,可以通过密钥管理工具、第一终端、第二终端或云端密钥管理中心来触发密钥服务器为第一通信域中的节点配置密钥。在触发密钥服务器为第一通信域中的节点配置密钥的过程中,可以通过密钥管理工具、第一终端、第二终端或云端密钥管理中心指示第一通信域,例如,第一确认信息可以指示第一通信域。密钥服务器接收到第一确认信息后,可以确定第一密钥的类型信息并生成第一密钥材料。
进一步的,第一通信域的密钥被更新后,例如S403之后,第一通信域中的节点可以将更新前的密钥删除,在这种情况下,第一密钥信息还可以包括更新前的密钥的标识。或者,第一通信域的密钥被更新后,例如S403之后,密钥服务器触发第一通信域中的节点删除更新前的密钥。示例性的,密钥服务器向密钥客户端发送第一请求删除信息。第一请求删除信息用于请求删除更新前的密钥。第一请求删除信息可以包括更新前的密钥的标识。第一请求删除信息还可以包括第一通信域的标识和/或更新前的密钥的类型。密钥客户端接收到密钥服务器的第一请求删除信息后,向密钥服务器发送第一请求删除信息的响应信息,用于指示接收到第一请求删除信息。后续,密钥客户端删除更新前的密钥后,可以向密钥服务器发送第一完成信息,用于指示已删除更新前的密钥。第一完成信息可以包括更新前的密钥的标识和已删除更新前的密钥的指示信息。第一完成信息还可以包括第一通信域的标识和/或更新前的密钥的类型。密钥服务器接收到第一完成信息后,可以向密钥客户端发送第一完成信息的响应信息,用于指示接收到第一完成信息。
进一步的,第一通信域中的节点在删除更新前的密钥的过程中,密钥服务器可以指示停止删除更新前的密钥。示例性的,密钥服务器向密钥客户端发送第一停止删除信息。第一停止删除信息用于指示停止删除更新前的密钥。第一停止删除信息可以包括更新前的密钥的标识。第一停止删除信息还可以包括第一通信域的标识和/或更新前的密钥的类型。密钥客户端接收到第一停止删除信息后,停止删除更新前的密钥,并向密钥服务器发送第一停止删除信息的响应信息,用于指示已停止删除更新前的密钥。
可以理解的,上述触发密钥服务器为第一通信域中的节点配置密钥的方式仅是示例性的,在具体应用中,还可以有其他方式,例如车厂的云端服务器触发密钥服务器为第一通信域中的节点配置密钥,等等,本申请实施例不做具体限定。
一种可能的实现方式,密钥服务器获取第一密钥信息之后,密钥服务器根据第一密钥材料生成第一密钥。该第一密钥的类型为第一密钥的类型信息中指示的类型,该第一密钥作用的通信域为第一通信域。
S402:密钥服务器向密钥客户端发送第一密钥的信息。
其中,密钥客户端的数量大于或等于1。示例性的,图1A所示的密钥管理系统为例,若第一通信域包括密钥服务器101和密钥客户端102,则密钥服务器101向密钥客户端102发送第一密钥的信息;若第一通信域包括密钥客户端102和密钥客户端103,则密钥服务 器101向密钥客户端102和密钥客户端103发送第一密钥的信息。
一种可能的实现方式,S402之前,密钥服务器根据第一协议与密钥客户端建立第一安全通道。对应的,密钥客户端根据第一协议与密钥服务器建立该第一安全通道。第一安全通道用于传输密钥服务器与密钥客户端之间的信息。进一步的,密钥服务器和密钥客户端在建立第一安全通道的过程中使用的密钥为第二密钥。
可以理解的,若密钥客户端的数量等于1,第一安全通道包括密钥服务器与该密钥客户端的点到点的安全通道。若密钥客户端的数量大于1,第一安全通道包括密钥服务器与每个密钥客户端的点到点的安全通道;或者,第一安全通道包括密钥服务器与每个密钥客户端的点到多点的安全通道;或者,第一安全通道包括密钥服务器与一部分密钥客户端的点到点的安全通道,以及密钥服务器与另一部分密钥客户端的点到多点的安全通道。其中,点到点的安全通道可以理解为该安全通道可以用于两个节点之间的通信。点到多点的安全通道可以理解为该安全通道可以用于该点和多点中,任意两个或多个节点之间的通信。
例如,若密钥客户端包括密钥客户端102、密钥客户端103和密钥客户端104,则第一安全通道包括密钥服务器101与密钥客户端102之间的安全通道,密钥服务器101与密钥客户端103之间的安全通道,以及密钥服务器101与密钥客户端104之间的安全通道。其中,密钥服务器101与密钥客户端102之间的安全通道用于密钥服务器101与密钥客户端102之间的通信,密钥服务器101与密钥客户端103之间的安全通道用于密钥服务器101与密钥客户端103之间的通信,密钥服务器101与密钥客户端104之间的安全通道用于密钥服务器101与密钥客户端104之间的通信。或者,第一安全通道包括密钥服务器101与密钥客户端102-密钥客户端104的点到多点的安全通道。其中,密钥服务器101与密钥客户端102-密钥客户端104的点到多点的安全通道用于密钥服务器101、和密钥客户端102-密钥客户端104中任意两个或多个节点之间的通信。或者,第一安全通道包括密钥服务器101与密钥客户端102之间的安全通道,以及密钥服务器与密钥客户端103-密钥客户端104的点到多点的安全通道。其中,密钥服务器101与密钥客户端102之间的安全通道用于密钥服务器101与密钥客户端102之间的通信,密钥服务器101与密钥客户端103-密钥客户端104的点到多点的安全通道用于密钥服务器101、和密钥客户端103-密钥客户端104中任意两个或多个节点之间的通信。
一种可能的实现方式,密钥服务器通过第一安全通道向密钥客户端发送第一密钥的信息。
对应的,密钥客户端接收来自密钥服务器的第一密钥信息。进一步的,密钥客户端通过第一安全通道接收来自密钥服务器的第一密钥信息。
可选的,密钥客户端接收到来自密钥服务器的第一密钥信息后,可以向密钥服务器发送第一密钥信息的响应信息。第一密钥信息的响应信息可以用于指示密钥客户端接收到第一密钥信息。
S403:密钥客户端根据第一密钥信息生成第一密钥。
一种可能的实现方式,密钥客户端根据第一密钥材料生成第一密钥。该第一密钥的类型为第一密钥的类型信息中指示的类型,该第一密钥作用的通信域为第一通信域。
一种可能的实现方式,S403之后,密钥客户端向密钥服务器发送第五通知信息。第五通知信息用于指示密钥客户端生成第一密钥是否成功。
可以理解的,在执行S401-S403的过程中,密钥服务器还可以周期性的向密钥管理工具,第一终端、第二终端或云端密钥管理中心反馈获取密钥的进度。例如,密钥服务器向密钥管理工具,第一终端、第二终端或云端密钥管理中心发送第一进度通知信息。该第一进度通知信息可以用于指示获取密钥的进度。该第一进度通知信息可以包括智能车的标识,第一通信域的标识和进度信息。进度信息用于指示获取密钥的进度。
可以理解的,密钥管理系统中的节点可以多次执行上述S401-S403,使得密钥服务器可以为多个通信域配置该通信域对应的密钥。
基于图4所示的方法,密钥服务器可以为第一通信域中的每个节点配置第一密钥,后续,第一通信域中的节点可以通过该第一密钥进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
其中,上述S401-S403中密钥服务器或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图4所示方法的一种可能的实现方式中,密钥客户端可以对第一密钥在密钥客户端和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥服务器之间无法正常通信。具体的,如图5所示,图4所示的方法还包括S501-S503。
S501:密钥服务器根据第一验证信息生成第一验证码。
其中,第一验证信息可以包括以下信息中的至少一个:第一密钥,第一密钥材料,第一信息,或密钥服务器的标识。第一信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识互第一随机数。第一验证码可以用于验证第一验证信息是否被修改。该第一验证码可以是MAC。密钥服务器可以采用一种或多种算法对第一验证信息进行计算,得到第一验证码。第一随机数为密钥服务器生成的任一随机数。
进一步的,若第一验证信息包括第一密钥,密钥服务器在计算第一验证码的过程中可以使用第一密钥,也可以不使用第一密钥。若第一验证信息不包括第一密钥,密钥服务器在计算第一验证码的过程中使用第一密钥。
S502:密钥服务器向密钥客户端发送第一信息和第一验证码。
一种可能的实现方式,密钥服务器通过第一安全通道向密钥客户端发送第一信息和第一验证码。
对应的,密钥客户端接收来自密钥服务器的第一信息和第一验证码。进一步的,密钥客户端通过第一安全通道接收来自密钥服务器的第一信息和第一验证码。
S503:密钥客户端验证第一验证码。
一种可能的实现方式,密钥客户端验证第一验证码,包括:密钥客户端根据第一验证信息生成第一验证码,若密钥客户端生成的第一验证码与接收到的第一验证码相同,则验证成功;若密钥客户端生成的第一验证码与接收到的第一验证码不相同,则验证失败。
可以理解的,密钥客户端采用与密钥服务器生成第一验证码时相同的算法对第一验证 信息进行计算,得到第一验证码。
一种可能的实现方式,S503之后,密钥客户端向密钥服务器发送第二完成信息。第二完成信息用于指示密钥客户端验证第一验证码是否成功。第二完成信息可以包括第一密钥的标识和是否验证成功的指示信息。第二完成信息还可以包括第一通信域的标识和/或第一密钥的类型。密钥服务器接收到第二完成信息后,可以向密钥客户端发送第二完成信息的响应信息,用于指示接收到该第二完成信息。若第二完成信息指示密钥客户端验证第一验证码成功,第二完成信息的响应信息还可以指示密钥验证结束。可以理解的,若密钥客户端验证失败,或在第一预设时长内密钥服务器未接收到第二完成信息,密钥服务器可以重新向密钥客户端发送用于配置密钥的信息。
可以理解的,密钥客户端可以通过第一安全通道向密钥服务器发送第二完成信息。若该第一安全通道为点到多点的安全通道,则第一通信域中的其他密钥客户端也可以接收到该第二完成信息。其他密钥客户端可以根据该第二完成信息确定该密钥客户端验证第一验证码是否成功,也可以忽略该第二完成信息。
基于图5所示方法,密钥客户端可以通过第一验证码对第一密钥在密钥客户端和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥服务器之间无法正常通信。
其中,上述S501-S503中的密钥服务器或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图5所示方法的一种可能的实现方式中,密钥服务器可以对第一密钥在密钥客户端和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥服务器之间无法正常通信。具体的,如图6所示,图5所示的方法还包括S601-S603。
S601:密钥客户端根据第二验证信息生成第二验证码。
其中,第二验证信息可以包括以下信息中的至少一个:第一密钥,第一密钥材料,第二信息,密钥客户端的标识,或第一随机数。第二信息包括第一通信域的标识,和/或,第一密钥的标识。第二验证码可以用于验证第二验证信息是否被修改。该第二验证码可以是MAC。密钥客户端可以采用一种或多种算法对第一验证信息进行计算,得到第一验证码。
进一步的,若第二验证信息包括第一密钥,密钥客户端在计算第二验证码的过程中可以使用第一密钥,也可以不使用第一密钥。若第二验证信息不包括第一密钥,密钥客户端在计算第二验证码的过程中使用第一密钥。
可以理解的,第二验证信息包括的随机数还可以是密钥客户端生成的随机数。在这种情况下,第二验证信息包括以下信息中的至少一项:第一密钥,第一密钥材料,第二信息,或密钥客户端的标识。第二信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第三随机数。第三随机数为密钥客户端生成的任一随机数。第三随机数与第一随机数相同或不同。
S602:密钥客户端向密钥服务器发送第二信息和第二验证码。
一种可能的实现方式,密钥客户端通过第一安全通道向密钥服务器发送第二信息和第二验证码。
对应的,密钥服务器接收来自密钥客户端的第二信息和第二验证码。进一步的,密钥服务器通过第一安全通道接收来自密钥客户端的第二信息和第二验证码。
S603:密钥服务器验证第二验证码。
一种可能的实现方式,密钥服务器验证第二验证码,包括:密钥服务器根据第二验证信息生成第二验证码,若密钥服务器生成的第二验证码与接收到的第二验证码相同,则验证成功;若密钥服务器生成的第二验证码与接收到的第二验证码不相同,则验证失败。
一种可能的实现方式,S603之后,密钥服务器向密钥客户端发送第七通知信息。第七通知信息用于指示密钥服务器验证第二验证码是否成功。可以理解的,若密钥服务器验证失败,密钥服务器可以重新向密钥客户端发送用于配置密钥的信息。
可以理解的,本申请实施例不限制S501-S503,以及S601-S603的执行顺序。例如,可以先执行S501-S503,再执行S601-S603,也可以先执行S601-S603,再执行S501-S503。
可以理解的,在本申请实施例中,密钥服务器和密钥客户端中有一方对第一密钥的可行性进行验证即可。也就是说,本申请实施例可以不包括S501-S503或者S601-S603。
基于图6所示方法,密钥服务器可以通过第二验证码对第一密钥在密钥客户端和密钥服务器之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥客户端和密钥服务器之间无法正常通信。
其中,上述S601-S603中的密钥服务器或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
上述图4-图6所示的方法是以图1A所示的密钥管理系统10为例介绍本申请实施例提供的获取密钥的方法的。下面以图1B所示的密钥管理系统11为例介绍本申请实施例提供的获取密钥的方法。
如图7所示,为本申请实施例提供的又一种获取密钥的方法。该获取密钥的方法可以应用于密钥管理系统。该密钥管理系统包括密钥服务器,与密钥服务器通信连接的第一节点。第一节点为密钥代理或密钥客户端。若第一节点为密钥代理,该密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端。
进一步的,该密钥管理系统可以是图1B所示的密钥管理系统11,在这种情况下,密钥服务器可以是图1B中的密钥服务器111,第一节点可以是图1B中的密钥客户端112、密钥代理113或密钥代理114。若第一节点是图1B中的密钥客户端112,本申请实施例提供的又一种获取密钥的方法的具体过程可以参考上述图4-图6所示的实施例中所述。若第一节点是图1B中的密钥代理113,则第二节点可以是密钥客户端115或密钥客户端116。若第一节点是图1B中的密钥代理114,则第二节点可以是密钥客户端117。
一种可能的实现方式,该密钥管理系统可以部署到图2A的智能车20或图2B的智能车22上,在这种情况下,密钥服务器可以部署到智能车20或智能车22中具备通信能力,并且存储资源充足的设备上,如:TBox、网关、BCM、CDC、MDC、VCU、VDC或VIU上。第一节点可以部署到智能车20或智能车22的TBox、网关、BCM、CDC、MDC、VCU、VDC、VIU或ECU上。第二节点可以部署到智能车20或智能车22中的TBox、网关、BCM、CDC、MDC、VCU、VDC、VIU或ECU上。
可以理解的,与图4-图6所示的实施例类似,在执行本申请实施例提供的又一种获取 密钥的方法之前,密钥管理系统中的节点可以被配置一个或多个固定密钥。固定密钥的使用范围为密钥管理系统。在根据本申请实施例提供的又一种获取密钥的方法获取到密钥之前,密钥管理系统中的节点之间可以采用该固定密钥通信,以提高密钥管理系统的信息安全,该固定密钥还可以作为基础密钥派生密钥管理系统中通信域的密钥。应理解,密钥管理系统中的节点也可以不配置固定密钥,直接根据本申请实施例提供的获取密钥的方法获取多个通信域的密钥。密钥管理系统中的节点被配置一个或多个固定密钥的具体过程可以参考上述S1-S2中所述。应理解,S1中的第三节点为密钥管理系统中的任一节点。以图1B所示的密钥管理系统11为例,第三节点可以为密钥服务器111、密钥客户端112、密钥代理113、密钥代理114、密钥客户端115、密钥客户端116或密钥客户端117。
一种可能的实现方式,为了执行本申请实施例提供的又一种获取密钥的方法,可以为密钥管理系统中的节点配置相关的配置信息,后续密钥管理系统中的节点可以根据该相关的配置信息执行获取密钥的方法。应理解,若为密钥管理系统中的节点配置了相关的配置信息之后,该相关的配置信息没有改变,则每次执行本申请实施例提供的获取密钥的方法之前不需要再次为密钥管理系统中的节点配置相关的配置信息,若该相关的配置信息发生改变,可以为密钥管理系统中的节点配置更新后的相关的配置信息。为密钥管理系统中的节点配置相关的配置信息的具体过程,可以参考下述S7-S9。
S7:密钥服务器获取第一配置信息。
其中,第一配置信息的介绍可参考上述S3中所述。
示例性的,以图1B所示的密钥管理系统11为例,第一配置信息可以包括密钥服务器111的信息,密钥客户端112的信息,密钥代理113的信息,密钥代理114的信息,密钥客户端115的信息、密钥客户端116的信息和密钥客户端117的信息。密钥服务器111的信息可以如表10所示。表10中,密钥服务器111的信息包括密钥服务器111的标识,密钥服务器111的每个端口的连接方式的信息和与密钥服务器111通信的其他节点的信息。密钥服务器111的每个端口的连接方式的信息包括密钥服务器111的每个端口的标识(端口1、端口2和端口3),密钥服务器111的每个端口的连接方式的标识(Eth、CAN和CAN),以及密钥服务器111的每个端口的地址(IP 1、CAN ID 1和CAN ID 2)。与密钥服务器111通信的其他节点的信息包括与密钥服务器111通信的其他节点的标识(密钥客户端112的标识,密钥代理113的标识和密钥代理114的标识)和其他节点与密钥服务器111的连接方式的信息。其他节点与密钥服务器111的连接方式的信息包括密钥客户端112与密钥服务器111的连接方式的信息,密钥代理113与密钥服务器111的连接方式的信息和密钥代理114与密钥服务器111的连接方式的信息。密钥客户端112与密钥服务器111的连接方式的信息包括密钥客户端112与密钥服务器111的连接方式的标识(Eth),以及密钥客户端112与密钥服务器111连接的端口的IP地址(IP 4)。密钥代理113与密钥服务器111的连接方式的信息包括密钥代理113与密钥服务器111的连接方式的标识(CAN),以及密钥代理113与密钥服务器111连接的端口的地址(CAN ID 3)。密钥代理114与密钥服务器111的连接方式的信息包括密钥代理114与密钥服务器111的连接方式的标识(CAN),以及密钥代理114与密钥服务器111连接的端口的地址(CAN ID 4)。
表10
Figure PCTCN2021078283-appb-000012
密钥客户端112的信息可以如表11所示。表11中,密钥客户端112的信息包括密钥客户端112的标识,密钥客户端112的每个端口的连接方式的信息和与密钥客户端112通信的其他节点的信息。密钥客户端112的每个端口的连接方式的信息包括密钥客户端112的每个端口的连接方式的标识(Eth),以及密钥客户端112的每个端口的IP地址(IP 4)。与密钥客户端112通信的其他节点的信息包括与密钥客户端112通信的其他节点的标识(密钥服务器111的标识)和其他节点与密钥客户端112的连接方式的信息。其他节点与密钥客户端112的连接方式的信息包括密钥服务器111与密钥客户端112连接的端口的标识(端口1),密钥服务器111与密钥客户端112的连接方式的标识(Eth),以及密钥服务器111与密钥客户端112连接的端口的IP地址(IP 1)。
表11
Figure PCTCN2021078283-appb-000013
密钥代理113的信息可以如表12所示。表12中,密钥代理113的信息包括密钥代理113的标识,密钥代理113的每个端口的连接方式的信息和与密钥代理113通信的其他节点的信息。密钥代理113的每个端口的连接方式的信息包括密钥代理113的每个端口的标识(端口1,端口2和端口3),密钥代理113的每个端口的连接方式的标识(CAN,CAN,CAN),以及密钥代理113的每个端口的地址(CAN ID 3,CAN ID 5和CAN ID 6)。与密钥代理113通信的其他节点的信息包括与密钥代理113通信的其他节点的标识(密钥服务器111的标识,密钥客户端115的标识和密钥客户端116的标识)和其他节点与密钥代理113的连接方式的信息。其他节点与密钥代理113的连接方式的信息包括密钥服务器111与密钥代理113连接方式的信息,密钥客户端115与密钥代理113的连接方式的信息和密钥客户端116与密钥代理113的连接方式的信 息。密钥服务器111与密钥代理113连接方式的信息包括密钥服务器111与密钥代理113连接的端口的标识(端口2),密钥服务器111与密钥代理113的连接方式的标识(CAN),以及密钥服务器111与密钥代理113连接的端口的地址(CAN ID 1)。密钥客户端115与密钥代理113的连接方式的信息包括密钥客户端115与密钥代理113的连接方式的标识(CAN),密钥客户端115与密钥代理113连接的端口的地址(CAN ID 7)。密钥客户端116与密钥代理113的连接方式的信息包括密钥客户端116与密钥代理113的连接方式的标识(CAN),密钥客户端116与密钥代理113连接的端口的地址(CAN ID 8)。
表12
Figure PCTCN2021078283-appb-000014
密钥代理114的信息可以如表13所示。表13中,密钥代理114的信息包括密钥代理114的标识,密钥代理114的每个端口的连接方式的信息和与密钥代理114通信的其他节点的信息。密钥代理114的每个端口的连接方式的信息包括密钥代理114的每个端口的标识(端口1和端口2),密钥代理114的每个端口的连接方式的标识(CAN和CAN),以及密钥代理114的每个端口的地址(CAN ID 4和CAN ID 9)。与密钥代理114通信的其他节点的信息包括与密钥代理114通信的其他节点的标识(密钥服务器111的标识),密钥服务器111与密钥代理114的连接方式的信息和密钥客户端117与密钥代理114的连接方式的信息。密钥服务器111与密钥代理114的连接方式的信息包括密钥服务器111与密钥代理114连接的端口的标识(端口3),密钥服务器111与密钥代理114的连接方式的标识(CAN),以及密钥服务器111与密钥代理114连接的端口的地址(CAN ID 2)。密钥客户端117与密钥代理114的连接方式的 信息包括密钥客户端117与密钥代理114的连接方式的标识(CAN),以及密钥客户端117与密钥代理114连接的端口的地址(CAN ID 10)。
表13
Figure PCTCN2021078283-appb-000015
密钥客户端115的信息可以如表14所示。表14中,密钥客户端115的信息包括密钥客户端115的标识,密钥客户端115的每个端口的连接方式的信息和与密钥客户端115通信的其他节点的信息。密钥客户端115的每个端口的连接方式的信息包括密钥客户端115的每个端口的连接方式的标识(CAN),以及密钥客户端115的每个端口的地址(CAN ID 7)。与密钥客户端115通信的其他节点的信息包括与密钥客户端115通信的其他节点的标识(密钥代理113的标识)和其他节点与密钥客户端115的连接方式的信息。其他节点与密钥客户端115的连接方式的信息包括密钥代理113与密钥客户端115连接的端口的标识(端口2),密钥代理113与密钥客户端115的连接方式的标识(CAN),以及密钥代理113与密钥客户端115连接的端口的地址(CAN ID 5)。
表14
Figure PCTCN2021078283-appb-000016
密钥客户端116的信息可以如表15所示。表15中,密钥客户端116的信息包括密钥客户端116的标识,密钥客户端116的每个端口的连接方式的信息和与密钥客户端116通信的其他节点的信息。密钥客户端116的每个端口的连接方式的信息包括密钥客户端116的每个端口的连接方式的标识(CAN),以及密钥客户端116的每个端口的地址(CAN ID 8)。与密钥客户端116通信的其他节点的信息包括与密钥客户端 116通信的其他节点的标识(密钥代理113的标识)和其他节点与密钥客户端116的连接方式的信息。其他节点与密钥客户端116的连接方式的信息包括密钥代理113与密钥客户端116连接的端口的标识(端口3),密钥代理113与密钥客户端116的连接方式的标识(CAN),以及密钥代理113与密钥客户端116连接的端口的地址(CAN ID 6)。
表15
Figure PCTCN2021078283-appb-000017
密钥客户端117的信息可以如表16所示。表16中,密钥客户端117的信息包括密钥客户端117的标识,密钥客户端117的每个端口的连接方式的信息和与密钥客户端117通信的其他节点的信息。密钥客户端117的每个端口的连接方式的信息包括密钥客户端117的每个端口的连接方式的标识(CAN),以及密钥客户端117的每个端口的地址(CAN ID 10)。与密钥客户端117通信的其他节点的信息包括与密钥客户端117通信的其他节点的标识(密钥代理114的标识)和其他节点与密钥客户端117的连接方式的信息。其他节点与密钥客户端117的连接方式的信息包括密钥代理114与密钥客户端117连接的端口的标识(端口2),密钥代理114与密钥客户端117的连接方式的标识(CAN),以及密钥代理114与密钥客户端117连接的端口的地址(CAN ID 9)。
表16
Figure PCTCN2021078283-appb-000018
通过表10-表16可以看出,密钥服务器111的端口1与密钥客户端112连接,密钥服务器111的端口2与密钥代理113连接,密钥服务器111的端口3与密钥代理114连接。密钥代理113的端口1与密钥服务器111连接,密钥代理113的端口2与密钥客户端115连接,密钥代理113的端口3与密钥客户端116连接。密钥代理114的端口1与密钥服务器111连接,密钥代理114的端口2与密钥客户端117连接。
上述表10-表16仅是第一配置信息的示例。第一配置信息可以包括比表10-表16更少或更多的信息,不予限制。
一种可能的实现方式,密钥服务器接收来自密钥管理工具或云端密钥管理中心的 第一配置信息。也就是说,密钥服务器可以从密钥管理工具或云端密钥管理中心获取第一配置信息。密钥服务器从密钥管理工具或云端密钥管理中心获取第一配置信息的具体过程可以参考上述S3中所述,在此不做赘述。
S8:密钥服务器向第一节点发送第二配置信息。
S8中,第二配置信息可以用于指示以下信息中的至少一种:第一节点的标识,第一节点的连接方式,或与第一节点通信的其他节点的信息。进一步的,第二配置信息还可以用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。
其中,第一节点的标识,第一节点的连接方式,与第一节点通信的其他节点的信息的介绍可以参考上述S4中所述。
第二节点的标识用于标识部署第二节点的设备。例如,若第二节点部署在ECU上,该第二节点的标识可以为ECU的标识。第二节点的连接方式可以用于指示该第二节点的每个端口的连接方式。第二节点的连接方式还可以用于指示第二节点的每个端口的地址,例如IP地址和/或MAC地址。与第二节点通信的其他节点的信息可以用于指示该其他节点的标识和该其他节点与第二节点的连接方式。其他节点的标识用于标识部署该其他节点的设备。与第二节点通信的其他节点的信息还可以用于指示该其他节点与第二节点连接的端口的地址,例如IP地址和/或MAC地址。
示例性的,以第一配置信息如表10-表16所示为例,若第一节点为密钥客户端112,则第二配置信息可以如表11所示。若第一节点为密钥代理113,则第二配置信息可以包括表12、表14和表15所示的内容。若第一节点为密钥代理114,则第二配置信息可以包括表13和表16所示的内容。
一种可能的实现方式,密钥服务器在向第一节点发送第二配置信息的过程中,还可以向密钥管理工具或云端密钥管理中心发送第一分发进展通知。第一分发进展通知可以用于指示密钥服务器向每个节点分发第二配置信息的进度。
S9:第一节点向第二节点发送第三配置信息。
其中,第三配置信息可以用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。
示例性的,以第二配置信息如表10-表16所示为例,若第一节点为密钥代理113,第二节点为密钥客户端115,则第三配置信息可以如表14所示。若第一节点为密钥代理113,第二节点为密钥客户端116,则第三配置信息可以如表15所示。若第一节点为密钥代理114,第二节点为密钥客户端117,则第三配置信息可以如表16所示。
一种可能的实现方式,第一节点在向第二节点发送第三配置信息的过程中,还可以通过密钥服务器向密钥管理工具或云端密钥管理中心发送第二分发进展通知。第二分发进展通知可以用于指示第一节点向每个节点分发第三配置信息的进度。S9之后,密钥服务器还可以向密钥管理工具或云端密钥管理中心发送分发完成通知,用于指示密钥管理系统中的节点都接收到了各自的配置信息。
一种可能的实现方式,S9之后,密钥管理系统中的节点可以根据该节点接收到的配置信息确定该节点所在的通信域的信息。具体的,可以参考下述S10-S12。
S10:密钥服务器根据第一配置信息确定密钥服务器所在的通信域的信息。
S11:第一节点根据第二配置信息确定第一节点所在的通信域的信息。
S10-S11的具体过程可以参考上述S5-S6中对应的描述。
S12:第二节点根据第三配置信息确定第二节点所在通信域的信息。
一种可能的实现方式,第二节点采用上述方式1-方式3中的任一方式确定第二节点所在的通信域,根据第三配置信息确定每个通信域的信息。具体的,可以参考S5或S6中确定通信域的信息中对应的描述。
S12中第二节点所在的通信域的信息可以用于指示以下信息中的至少一项:第二节点所在的通信域的应用范围,第二节点所在的通信域的标识,第二节点所在的通信域中节点的通信方式,第二节点与第二节点所在的通信域中除第二节点之外的节点的连接方式,第二节点在第二节点所在通信域中的交互方式,第二节点与第二节点所在的通信域中除第二节点之外的节点连接的端口的地址,第二节点支持的协议或算法,第二节点所在的通信域中除第二节点之外的其他节点的信息,或构建第二节点所在的通信域的密钥的密钥信息。
其中,第二节点所在的通信域的应用范围包括整车、功能域内、跨功能域和主设备之间等。第二节点所在的通信域中节点的通信方式包括点到点通信或点到多点通信。第二节点在第二节点所在通信域中的交互方式包括直接与密钥服务器通信或通过密钥代理与密钥服务器通信。第二节点支持的协议或算法包括以下至少一项:第二节点支持的报文的协议(例如,UDP或TCP等),第二节点支持的多种算法(例如,完整性算法,加密算法,身份认证算法或临时密钥的派生算法等)或用于派生第二节点所在的通信域的密钥的基础密钥的信息(例如,基础密钥的存储位置信息、基础密钥的类型信息等)。第二节点所在的通信域中除第二节点之外的其他节点的信息可以用于指示以下信息中的至少一项:该其他节点的标识,该其他节点和第二节点连接的端口,或该其他节点支持的协议或算法。构建第二节点所在的通信域的密钥的密钥信息可以用于指示第二节点所在的通信域的密钥的存储位置。进一步的,构建第二节点所在的通信域的密钥的密钥信息还可以用于指示第二节点所在的通信域的密钥的类型。
可以理解的,S12之后,密钥管理系统中的节点即可获取每个通信域的密钥。下面对本申请实施例提供的获取密钥的方法进行具体阐述,该获取密钥的方法包括S701-S705。
S701:密钥服务器获取第一密钥信息。
S701的具体过程可以参考上述S401中对应的描述,不同的是以下三点:
(1)S701中的第一密钥信息还包括第二节点的信息。该第二节点的信息用于指示第二节点,第二节点为第一通信域中、与密钥代理通信连接的密钥客户端。可以理解的,第一密钥信息包括第二节点的信息是为了向密钥代理指示需要向哪些密钥客户端发送第一密钥材料和第一通信域的标识等信息。在具体应用中,第一密钥信息也可以不包括第二节点的信息,密钥代理接收到第一密钥信息后,自己确定第二节点。
(2)S701中的第一通信域包括的节点与S401中的第一通信域不同。在S701中,第一通信域包括密钥管理系统中的至少两个节点,该至少两个节点包括第二节点。该至少两个节点可以包括第一节点也可以不包括第一节点。例如,第一通信域包括至少两个密钥客户端;或者,第一通信域包括至少一个密钥客户端,至少一个密钥代理和密钥服务器;或者,第一通信域包括至少一个密钥客户端和密钥服务器;或者,第一通信域包括至少一个 密钥客户端和至少一个密钥代理。以图1B所示的密钥管理系统为例,第一通信域包括密钥客户端115-密钥客户端116;或者,第一通信域包括密钥服务器111、密钥代理114和密钥客户端117;或者,第一通信域包括密钥服务器111和密钥客户端112;或者,第一通信域包括密钥代理114和密钥客户端117;或者,第一通信域包括密钥服务器111和密钥客户端115。
(3)第一通信域的密钥被更新后,密钥服务器触发第一通信域中的节点删除更新前的密钥的流程不同。
示例性的,第一通信域的密钥被更新后,例如,S705之后,密钥服务器向密钥代理发送第一请求删除信息。第一请求删除信息用于请求删除更新前的密钥。第一请求删除信息可以包括更新前的密钥的标识。第一请求删除信息还可以包括第一通信域的标识和/或更新前的密钥的类型。密钥代理接收到密钥服务器的第一请求删除信息后,可以向密钥服务器发送第一请求删除信息的响应信息,用于指示接收到第一请求删除信息。密钥代理接收到密钥服务器的第一请求删除信息后,还可以向第二节点发送第二请求删除信息。第二请求删除信息用于请求第二节点删除更新前的密钥。第二请求删除信息可以包括更新前的密钥的标识。第二请求删除信息还可以包括第一通信域的标识和/或更新前的密钥的类型。第二节点接收到密钥代理的第二请求删除信息后,删除该更新前的密钥,并向密钥代理发送第二请求删除信息的响应信息,用于指示已删除更新前的密钥。
后续,若密钥代理包括在第一通信域中,密钥代理接收到第二请求删除信息的响应信息并删除了更新前的密钥后,向密钥服务器发送第一完成信息,用于指示已删除更新前的密钥。若密钥代理不包括在第一通信域中,密钥代理接收到第二请求删除信息的响应信息后,向密钥服务器发送第一完成信息,用于指示已删除更新前的密钥。第一完成信息可以包括更新前的密钥的标识和已删除更新前的密钥的指示信息。第一完成信息还可以包括第一通信域的标识和/或更新前的密钥的类型。密钥服务器接收到第一完成信息后,可以向密钥客户端发送第一完成信息的响应信息,用于指示接收到第一完成信息。
进一步的,在删除更新前的密钥的过程中,密钥代理还可以周期性或非周期性地向密钥服务器反馈删除的进度。例如,密钥代理向密钥服务器发送第二进度通知信息。该第二进度通知信息可以用于指示删除更新前的密钥的进度。该第二进度通知信息可以包括更新前的密钥的标识和进度信息。进度信息用于指示删除更新前的密钥的进度。
S702:密钥服务器向密钥代理发送第一密钥的信息。
一种可能的实现方式,密钥代理包括在第一通信域中或不包括在第一通信域中。密钥代理的数量大于或等于1。示例性的,图1B所示的密钥管理系统为例,若第一通信域包括密钥服务器111和密钥代理113,则密钥服务器111向密钥代理113发送第一密钥的信息;若第一通信域包括密钥代理113和密钥代理114,则密钥服务器111向密钥代理113和密钥代理114发送第一密钥的信息。
一种可能的实现方式,S702之前,密钥服务器根据第一协议与密钥代理建立第一安全通道。对应的,密钥代理根据第一协议与密钥服务器建立该第一安全通道。第一协议和第一安全通道的介绍可以参考S402中对应的描述,不同的是,S702中的第一安全通道用于传输密钥服务器与密钥代理之间的信息。
一种可能的实现方式,密钥服务器通过第一安全通道向密钥代理发送第一密钥的信息。
对应的,密钥代理接收来自密钥服务器的第一密钥信息。进一步的,密钥代理通过第一安全通道接收来自密钥服务器的第一密钥信息。
可选的,密钥代理接收到来自密钥服务器的第一密钥信息后,可以向密钥服务器发送第一密钥信息的响应信息。第一密钥信息的响应信息可以用于指示密钥代理接收到第一密钥信息。
S703:密钥代理根据第一密钥信息生成第一密钥。
S703的具体过程可以参考S403中密钥客户端根据第一密钥信息生成第一密钥的对应描述,此处不再赘述。
可以理解的,若密钥代理包括在第一通信域中,密钥代理执行S703。若密钥代理未包括在第一通信域中,密钥代理可以不执行S703。若第一密钥信息包括第二节点的信息,密钥代理接收到第一密钥信息后,根据第二节点的信息向第二节点发送第一密钥材料和第一通信域的标识。若第一密钥信息不包括第二节点的信息,密钥代理接收到第一密钥信息并确定第二节点后,向第二节点发送第一密钥信息。
S704:密钥代理向第二节点发送第一密钥材料和第一通信域的标识。
一种可能的实现方式,S704之前,密钥代理根据第一协议与第二节点建立第二安全通道。对应的,第二节点根据第一协议与密钥代理建立该第二安全通道。第二安全通道可以用于传输密钥代理与第二节点之间的信息。
可以理解的,若第二节点的数量等于1,第二安全通道包括密钥代理与该第二节点的点到点的安全通道。若第二节点的数量大于1,第二安全通道包括密钥代理与每个第二节点的点到点的安全通道;或者,第二安全通道包括密钥代理与每个第二节点的点到多点的安全通道;或者,第二安全通道包括密钥代理与一部分第二节点的点到点的安全通道,以及密钥代理与另一部分第二节点的点到多点的安全通道。
一种可能的实现方式,密钥代理通过第二安全通道向第二节点发送第一密钥材料和第一通信域的标识。
一种可能的实现方式,S704之后,密钥代理向密钥服务器发送第三完成信息。第三完成信息可以用于指示密钥代理完成第一密钥材料和第一通信域的标识的发送。密钥服务器接收到第三完成信息后,可以向密钥代理发送第三完成信息的响应信息。第三完成信息的响应信息用于指示密钥服务器接收到该第三完成信息。
一种可能的实现方式,若第二节点的数量大于1,S704之后,密钥代理向密钥服务器发送第三进度通知信息,第三进度通知信息可以用于指示密钥代理向第二节点发送第一密钥材料和第一通信域的标识的进展。第三进度通知信息可以包括第一通信域的标识和发送第一密钥材料和第一通信域的标识的进展的指示信息。第三进度通知信息还可以包括第一密钥的类型。
可以理解的,若第一密钥的信息包括第一密钥的类型信息,则密钥代理向第二节点发送第一密钥材料、第一通信域的标识和第一密钥的类型信息。
可以理解的,除了第一密钥材料和第一通信域的标识之外,密钥密钥代理还可以向第二节点发送第二节点的信息,以便第二节点确定第一通信域包括的节点。
可以理解的,本申请实施例不限制S703和S704的执行顺序。例如,可以先执行S703再执行S704,也可以先执行S704再执行S703,还可以同时执行S703和S704。
对应的,第二节点接收来自密钥代理的第一密钥材料和第一通信域的标识。进一步的,第二节点通过第二安全通道接收来自密钥代理的第一密钥材料和第一通信域的标识。
可选的,第二节点接收到来自密钥代理的第一密钥材料和第一通信域的标识后,可以向密钥代理发送第一响应信息。第一响应信息可以用于指示第二节点接收到第一密钥材料和第一通信域的标识。
S705:第二节点根据第一密钥材料生成第一密钥。
S705的具体过程可以参考S403中密钥客户端根据第一密钥信息生成第一密钥的对应描述,此处不再赘述。
基于图7所示的方法,密钥服务器可以为第一通信域中的每个节点配置第一密钥,后续,第一通信域中的节点可以通过该第一密钥进行通信。一方面,该第一密钥是由第一通信域中的节点保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,密钥服务器可以随时更新密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。
其中,上述S701-S705中密钥服务器、密钥代理或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图7所示方法的一种可能的实现方式中,若密钥代理包括在第一通信域中,密钥代理可以对第一密钥在密钥服务器和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥服务器和密钥代理之间无法正常通信。具体的,如图8所示,图7所示的方法还包括S801-S803。
S801:密钥服务器根据第一验证信息生成第一验证码。
S802:密钥服务器向密钥代理发送第一信息和第一验证码。
S803:密钥代理验证第一验证码。
S801-S803的具体过程可以参考上述S501-S503中对应的描述,此处不再赘述。
可以理解的,本申请实施例不限制S801-S803以及S704-S705的执行顺序。例如,可以先执行S801-S803,再执行S704-S704,也可以先执行S704-S705,再执行S801-S803,还可以同时执行S801-S803和S704-S705,不予限制。
基于图5所示方法,密钥代理可以通过第一验证码对第一密钥在密钥服务器和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥服务器和密钥代理之间无法正常通信。
其中,上述S801-S803中的密钥服务器或密钥代理的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图8所示方法的一种可能的实现方式中,密钥服务器可以对第一密钥在密钥服务器和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥服务器和密钥代理之间无法正常通信。具体的,如图9所示,图8所示的方法还包括S901-S903。
S901:密钥代理根据第二验证信息生成第二验证码。
S902:密钥代理向密钥服务器发送第二信息和第二验证码。
S903:密钥服务器验证第二验证码。
S901-S903的具体过程可以参考上述S601-S603中对应的描述,此处不再赘述。
可以理解的,本申请实施例不限制S901-S903以及S801-S803的执行顺序。例如,可以先执行S901-S903,再执行S801-S803,也可以先执行S801-S803,再执行S901-S903,还可以同时执行S901-S903和S801-S803,不予限制。
可以理解的,在本申请实施例中,也可以密钥服务器和密钥代理中有一方对第一密钥的可行性进行验证即可。也就是说,本申请实施例可以不包括S801-S803或者S901-S903。
基于图9所示方法,密钥服务器可以通过第二验证码对第一密钥在密钥服务器和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥服务器和密钥代理之间无法正常通信。
其中,上述S901-S903中的密钥服务器或密钥代理的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图7所示方法的一种可能的实现方式中,第二节点可以对第一密钥在密钥代理和第二节点之间的可用性进行验证,以防止第一密钥生成失败或错误,导致密钥代理和第二节点之间无法正常通信。具体的,如图10所示,图7所示的方法还包括S1001-S1003。
S1001:密钥代理根据第三验证信息生成第三验证码。
其中,第三验证信息可以包括以下信息中的至少一个:第一密钥,第一密钥材料,第三信息,或密钥代理的标识。第三信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识和第二随机数。第三验证码可以用于验证第三验证信息是否被修改。该第三验证码可以是MAC。密钥代理可以采用一种或多种算法对第三验证信息进行计算,得到第三验证码。第二随机数为密钥代理生成的任一随机数,第二随机数与第一随机数相同或不同;或者,第二随机数即为第一随机数。
进一步的,若第三验证信息包括第一密钥,密钥代理在计算第三验证码的过程中可以使用第一密钥,也可以不使用第一密钥。若第三验证信息不包括第一密钥,密钥代理在计算第一验证码的过程中使用第一密钥。
S1002:密钥代理向第二节点发送第三信息和第三验证码。
一种可能的实现方式,密钥代理通过第二安全通道向第二节点发送第三信息和第三验证码。
一种可能的实现方式,S1002之后,密钥代理周期性或非周期性向密钥服务器反馈密钥验证进度。例如,密钥代理向密钥服务器发送第四进度通知信息,第四进度通知信息可以用于指示第二节点和密钥代理之间进行密钥验证的进度。第四进度通知信息可以包括第一通信域的标识和验证第一密钥的进度的指示信息。第四进度通知信息还可以包括第一密钥的类型。
对应的,第二节点接收来自密钥代理的第三信息和第三验证码。进一步的,第二节点通过第二安全通道接收来自密钥代理的第三信息和第三验证码。
S1003:第二节点验证第三验证码。
一种可能的实现方式,第二节点验证第三验证码,包括:第二节点根据第三验证信息 生成第三验证码,若第二节点生成的第三验证码与接收到的第三验证码相同,则验证成功;若第二节点生成的第三验证码与接收到的第三验证码不相同,则验证失败。
可以理解的,第二节点采用与密钥代理生成第三验证码时相同的算法对第三验证信息进行计算,得到第三验证码。
一种可能的实现方式,S1003之后,第二节点向密钥代理发送第八通知信息。第八通知信息用于指示第二节点验证第三验证码是否成功。
可以理解的,第二节点可以通过第二安全通道向密钥代理发送第八通知信息。若该第二安全通道为点到多点的安全通道,则第二通信域中的其他第二节点也可以接收到该第八通知信息。其他第二节点可以根据该第八通知信息确定该第二节点验证第三验证码是否成功,也可以忽略该第八通知信息。
一种可能的实现方式,密钥代理接收到来自一个或多个第二节点的第八通知信息后,向密钥服务器发送第一通知信息。第一通知信息可以用于通知第一通信域内的节点的验证结果,例如,该一个或多个第二节点的验证结果。若一个或多个第二节点中的节点验证失败,或在第二预设时长内密钥服务器未接收到第一通知信息,密钥服务器可以重新向密钥代理发送用于配置密钥的信息。
一种可能的实现方式,密钥服务器接收到第一通知信息后,向密钥代理发送响应信息。该响应信息用于指示接收到第一通知信息。若在第三预设时长内未收到该响应信息,密钥代理可以重新发送该响应信息。第一预设时长、第二预设时长和第三预设时长可以相同或不同。
可以理解的,上述S1001-S1003也可以在S801之前执行,S803之后执行,S901之前执行,或S903之后执行,本申请实施例对此不做任何限制。
进一步的,若S1001-S1003在S901之前执行,或S903之后执行,S1001和S901可以合并。也就是说,密钥代理可以生成一次验证码,该验证码既可以用于验证第一密钥在第二节点和密钥代理之间的可用性,又可以验证第一密钥在密钥服务器和密钥代理之间的可用性。
基于图10所示方法,第二节点可以通过第三验证码对第一密钥在第二节点和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第二节点和密钥代理之间无法正常通信。
其中,上述S1001-S1003中的密钥代理或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
可选的,在图10所示方法的一种可能的实现方式中,若密钥代理包括在第一通信域中,密钥代理可以对第一密钥在第二节点和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第二节点和密钥代理之间无法正常通信。具体的,如图11所示,图10所示的方法还包括S1101-S1103。
S1101:第二节点根据第四验证信息生成第四验证码。
其中,第四验证信息可以包括以下信息中的至少一个:第一密钥,第一密钥材料,第四信息,第二节点的标识,或第二随机数。第四信息包括第一通信域的标识,和/或,第一密钥的标识。第四验证码可以用于验证第四验证信息是否被修改。该第四验证码可以是 MAC。第二节点可以采用一种或多种算法对第四验证信息进行计算,得到第四验证码。
进一步的,若第四验证信息包括第一密钥,第二节点在计算第四验证码的过程中可以使用第一密钥,也可以不使用第一密钥。若第四验证信息不包括第一密钥,第二节点在计算第四验证码的过程中使用第一密钥。
可以理解的,第四验证信息包括的随机数还可以是第二节点生成的随机数。在这种情况下,第四验证信息包括第一密钥,和/或,第一密钥材料,和/或,第四信息,和/或,第二节点的标识。第四信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第四随机数。第四随机数为第二节点生成的任一随机数。第四随机数与第二随机数相同或不同。
S1102:第二节点向密钥代理发送第四信息和第四验证码。
一种可能的实现方式,第二节点通过第二安全通道向密钥代理发送第四信息和第四验证码。
对应的,密钥代理接收来自第二节点的第四信息和第四验证码。进一步的,密钥代理通过第二安全通道接收来自第二节点的第四信息和第四验证码。
S1103:密钥代理验证第四验证码。
一种可能的实现方式,密钥代理验证第四验证码,包括:密钥代理根据第四验证信息生成第四验证码,若密钥代理生成的第四验证码与接收到的第四验证码相同,则验证成功;若密钥代理生成的第四验证码与接收到的第四验证码不相同,则验证失败。
一种可能的实现方式,S1103之后,密钥代理向密钥服务器发送第一通知信息。第一通知信息可以用于通知第一通信域内的节点的验证结果,例如,该密钥代理的验证结果。可以理解的,若第一通信域内的节点验证失败,或在第二预设时长内密钥服务器未接收到第一通知信息,密钥服务器可以重新向密钥代理发送用于配置密钥的信息。
一种可能的实现方式,密钥服务器接收到第一通知信息后,向密钥代理发送响应信息。该响应信息用于指示接收到第一通知信息。若在第三预设时长内未收到该响应信息,密钥代理可以重新发送该响应信息。
可以理解的,本申请实施例不限制S1001-S1003,以及S1101-S1103的执行顺序。例如,可以先执行S1001-S1003,再执行S1101-S1103,也可以先执行S1101-S1103,再执行S1001-S1003。
可以理解的,在本申请实施例中,也可以密钥代理和第二节点中有一方对第一密钥的可行性进行验证即可。也就是说,本申请实施例可以不包括S1001-S1003或者S1101-S1103。
可以理解的,上述S1101-S1103也可以在S801之前执行,S803之后执行,S901之前执行,或S903之后执行,本申请实施例对此不做任何限制。
基于图11所示方法,密钥代理可以通过第四验证码对第一密钥在第二节点和密钥代理之间的可用性进行验证,以防止第一密钥生成失败或错误,导致第二节点和密钥代理之间无法正常通信。
其中,上述S1101-S1103中的密钥代理或密钥客户端的动作可以由图3所示的获取密钥的装置30中的处理器301调用存储器303中存储的应用程序代码来执行,本申请实施例对此不做任何限制。
一种可能的实现方式,在执行本申请实施例提供的获取密钥的方法的过程中,例如, S402,S403或S704之后,密钥管理工具、第一终端、第二终端或云端密钥管理中心可以向密钥服务器发送第一请求停止信息。第一请求停止信息可以用于请求停止为第一通信域中的节点配置密钥,第一请求停止信息可以包括智能车的标识和第一通信域的标识。第一请求停止信息还可以包括要停止配置的密钥的类型。密钥服务器接收到第一请求停止信息后,可以向密钥管理工具、第一终端、第二终端或云端密钥管理中心发送第一请求停止信息的响应信息,第一请求停止信息的响应信息可以用于指示密钥服务器接收到第一请求停止信息。或者,密钥服务器接收到第一请求停止信息后,向第一通信域中的各个节点发第二请求停止信息。第二请求停止信息用于指示停止为第一通信域中的节点配置密钥。各个节点接收到第二请求停止信息后,可以向密钥服务器发送第二请求停止信息的响应信息。第二请求停止信息的响应信息可以用于指示已停止配置密钥。密钥服务器接收到各个节点的第二请求停止信息的响应信息后,向密钥管理工具、第一终端、第二终端或云端密钥管理中心发送第一请求停止信息的响应信息。第一请求停止信息的响应信息可以用于指示第一通信域中的各个节点已停止配置密钥。第一请求停止信息的响应信息可以包括智能车的标识,第一通信域的标识。进一步的,第一请求停止信息的响应信息还可以包括要停止配置的密钥的类型和/或已停止配置密钥的指示信息。
一种可能的实现方式,在执行完成本申请实施例提供的获取密钥的方法后,密钥服务器可以向密钥管理工具、第一终端、第二终端或云端密钥管理中心发送第四完成信息。第四完成信息可以用于指示第一通信域中的节点配置密钥完成。第四完成信息可以包括智能车的标识和第一通信域的标识。第四完成信息还可以包括第一密钥的类型。密钥管理工具、第一终端、第二终端或云端密钥管理中心接收到第四完成信息后,可以向密钥服务器发送第四完成信息的响应信息。第四完成信息的响应信息用于指示接收到该第四完成信息。第四完成信息的响应信息可以包括智能车的标识和/或第一通信域中的节点配置密钥完成的指示信息。
一种可能的实现方式,密钥服务器和第一节点在进行密钥验证的过程中,例如,S502,S602,S803,或S901之后,密钥服务器可以向第一节点发送第三请求停止信息。第三请求停止信息可以用于请求停止密钥验证,第三请求停止信息可以包括第一通信域的标识和要停止验证的密钥的标识。第三请求停止信息还可以包括要停止验证的密钥的类型。第一节点接收到第三请求停止信息后,可以向密钥服务器发送第三请求停止信息的响应信息,第三请求停止信息的响应信息可以用于指示接收到第三请求停止信息。或者,第一节点接收到第三请求停止信息后,向第二节点发第四请求停止信息。第四请求停止信息用于指示停止密钥验证。第二节点接收到第四请求停止信息后,可以向第一节点发送第四请求停止信息的响应信息。第四请求停止信息的响应信息可以用于指示已停止验证密钥。第一节点接收到第二节点的第四请求停止信息的响应信息后,向密钥服务器发送第三请求停止信息的响应信息。第三请求停止信息的响应信息可以用于指示第一通信域中的各个节点已停止验证密钥。第三请求停止信息的响应信息可以包括第一通信域的标识和要停止验证的密钥的标识。进一步的,第三请求停止信息的响应信息还可以包括要停止验证的密钥的类型和/或已停止验证密钥的指示信息。
下面以第一通信域包括密钥服务器、密钥代理和密钥客户端,密钥服务器部署在图2A的网关202上,密钥代理部署在图2A的MDC 205上,密钥客户端部署在图2A的ECU  211上为例,对本申请实施例提供的获取密钥的方法进行具体阐述。
如图12所示,为本申请实施例提供的又一种获取密钥的方法,该方法可以应用于图2A中的智能车20。该获取密钥的方法包括S1201-S1217。
S1201:网关202获取第一密钥信息。
S1202:网关202向MDC 205发送第一密钥的信息。
S1203:MDC 205根据第一密钥信息生成第一密钥。
S1204:MDC 205向ECU 211发送第一密钥材料和第一通信域的标识。
S1205:ECU 211根据第一密钥材料生成第一密钥。
上述S1201-S1205的具体过程可以参考上述S701-S705中对应的描述,在此不做赘述。
S1206:网关202根据第一验证信息生成第一验证码。
S1207:网关202向MDC 205发送第一信息和第一验证码。
S1208:MDC 205验证第一验证码。
上述S1206-S1208的具体过程可以参考上述S801-S803中对应的描述,此处不再赘述。
S1209:MDC 205根据第二验证信息生成第二验证码。
S1210:MDC 205向网关202发送第二信息和第二验证码。
S1211:网关202验证第二验证码。
上述S1209-S1211的具体过程可以参考上述S901-S903中对应的描述,此处不再赘述。
S1212:MDC 205根据第三验证信息生成第三验证码。
S1213:MDC 205向ECU 211发送第三信息和第三验证码。
S1214:ECU 211验证第三验证码。
上述S1212-S1214的具体过程可以参考上述S1001-S1003中对应的描述,此处不再赘述。
S1215:ECU 211根据第四验证信息生成第四验证码。
S1216:ECU 211向MDC 205发送第四信息和第四验证码。
S1217:MDC 205验证第四验证码。
上述S1215-S1217的具体过程可以参考上述S1101-S1103中对应的描述,此处不再赘述。
基于图12所示的方法,网关202可以为第一通信域中的网关202,MDC 205和ECU 211配置第一密钥,后续,网关202,MDC 205和ECU 211可以通过该第一密钥进行通信。一方面,该第一密钥是由网关202,MDC 205和ECU 211保存,不易泄漏,即便泄漏了,也不会影响其他通信域的安全,因此可以提高通信安全。另一方面,网关202可以随时更新各设备的密钥,十分便捷。另外,第一密钥占用的存储空间较小,不会增加密钥管理系统中节点的软硬件成本。第一密钥也不需要车厂进行管理,不会增加车厂的管理成本。而且网关202,MDC 205和ECU 211可以相互验证第一密钥的可用性,以防止第一密钥生成失败或错误,导致网关202,MDC 205和ECU 211之间无法正常通信。
一种可能的实现方式,本申请实施例中,密钥服务器还可以对密钥管理系统当前所处的状态进行标记,使得用户了解密钥管理系统当前所处的状态。为了避免各种异常,例如智能车掉电重启,导致标记的状态信息丢失,可以将该状态信息存储在密钥服务器的非易失性存储区。进一步的,该状态信息可以包括构建状态信息,构建类型(build type)信息 和构建阶段(build stage)信息。构建状态信息可以用于指示未构建状态、正在构建状态或构建完成状态。构建类型信息可以用于指示密钥管理系统初次构建,通信域的密钥更新阶段或智能车中设备更换阶段。构建阶段信息可以用于指示固定密钥灌装阶段、通信域的长期密钥构建阶段或通信域的临时密钥构建阶段。
示例性的,在初次使用智能车,准备执行S1的情况下,构建状态信息可以指示未构建状态,构建类型信息可以指示密钥管理系统初次构建,构建阶段信息可以指示固定密钥灌装阶段。在更新第一通信域的密钥,执行S402或S703的情况下,构建状态信息可以指示正在构建状态,构建类型信息可以指示通信域的密钥更新阶段,构建阶段信息可以指示通信域的长期密钥构建阶段或通信域的临时密钥构建阶段。在智能车中设备更换的过程中,所有需要配置密钥的通信域中的设备都执行完S603或S1103的情况下,构建状态信息可以指示构建完成状态,构建类型信息可以指示智能车中设备更换阶段,构建阶段信息可以指示通信域的长期密钥构建阶段或通信域的临时密钥构建阶段。
可以理解的,在正在构建状态下,还可以附加一些状态信息,例如,当前构建的是哪个通信域,或当前构建的是哪个通信域的哪个节点等。
上述图4-图11所示的实施例中,密钥服务器、密钥客户端、密钥管理工具和云端密钥管理中心之间传输的信息(例如,第一请求信息,第一密钥信息等)的功能、消息类型(message type)、操作类型(operation type)、类别不同。其中,信息按照不同的功能可以分为请求信息、响应信息和通知信息。其中,请求信息可以用于获取某些信息。一个响应信息可以与一个请求信息对应,用于返回请求的信息。通知信息可以用于通知当前状态、对某一操作的处理结果或某一操作的进展等。本申请实施例涉及的消息类型,每个消息类型的值(value),以及每个消息类型的含义可以如表17所示。
表17
Figure PCTCN2021078283-appb-000019
Figure PCTCN2021078283-appb-000020
本申请实施例涉及的操作类型,每个操作类型的值,以及每个操作类型的含义可以如表18所示。
表18
Figure PCTCN2021078283-appb-000021
Figure PCTCN2021078283-appb-000022
本申请实施例中,信息的类别包括第一类信息和第二类信息。第一类信息为密钥管理系统的内部节点与密钥管理系统的外部节点之间通信的信息,可以用于1表示。第二类信息为密钥管理系统的内部节点之间通信的信息,可以用2表示。其中,密钥管理系统的内部节点可以包括密钥服务器、密钥代理或密钥客户端。密钥管理系统的外部节点可以包括密钥管理工具、云端密钥管理中心或第一终端等。
进一步的,第一类信息可以包括多个字段,例如,消息标识(message ID)字段、消息长度(length)字段、密钥管理系统的版本号(version)字段、消息类型字段、消息标记(flags)字段、下一个有效载荷(next payload)字段、源应用类型(source APP type)字段、目的应用类型(destination APP type)字段和消息内容(message content)字段。第二类信息可以包括多个字段,例如,消息标识字段、消息长度字段、密钥管理系统的版本号字段、消息类型字段、消息标记(flags)字段、下一个有效载荷(next payload)字段、源设备标识(source device ID)字段、目的设备标识(destination device ID)字段和消息内容(message content)字段。示例性的,第一类信息的消息格式和第二类信息的消息格式可以如图13所示。本申请实施例不限制上述每个字段包括的比特数。
其中,消息标识字段可以指示消息标识。消息标识可以是密钥管理系统的业务消息的消息序列号,可以协助识别一个响应信息对应的请求信息,还可以在请求信息超时后,识别该请求信息并重传该请求信息。消息长度字段可以指示第一类信息或第二类信息的消息长度。密钥管理系统的版本号字段可以指示密钥管理系统的版本号。消息类型字段可以指示消息类型。消息标记字段可以指示该信息的功能,例如指示该信息是请求信息还是响应信息,消息标记字段还可以指示操作类型。例如,消息标记字段中的第一个比特用于指示该信息是请求信息还是响应信息,消息标记字段中的其他比特用于指示操作类型。下一个有效载荷字段也可以称为下一个TLV(type,length,value)类型字段,可以指示消息内容字段中第一个payload的TLV类型(TLV type)。源应用类型字段可以指示源应用的类型。目的应用类型字段可以指示目的应用的类型。源应用的类型和目的应用的类型可以包括云端密钥管理中心(CloudKeyManagerCenter),密钥管理工具(KeyManagerTool),第一终端(UserAppTool)或密钥管理系统中的节点(InCarKMS)。消息内容字段可以指示第一 类信息或第二类信息的内容。源设备标识字段可以指示源设备的标识。目的设备标识字段可以指示目的设备的标识。可以理解的,智能车中设备的标识在智能车中是唯一的。不同智能车中,相同设备的标识可以相同也可以不同。例如,CDC在智能车1中的标识和CDC在智能车2中的标识可以相同也可以不同。
进一步的,目的设备标识字段还可以指示第二类信息的通信方式。第二类信息的通信方式包括点到点通信或点到多点通信。其中,点到点通信还可以称为单播通信,点到多点通信还可以称为广播通信。例如,若目的设备标识字段全为0或全为F,则表示第二类信息的通信方式包括点到多点通信。
进一步的,若发送方通过点到多点的方式向接收方发送一个请求信息,接收方接收到该请求信息后,可以通过点到多点的方式向发送方发送一个响应信息。除了该接收方之外的其他接收方接收到该响应信息后,可以忽略该响应信息。在上述过程中,该请求信息对应的目的设备标识字段全为0或全为F,该请求信息对应的源设备标识字段为发送方的标识。该响应信息对应的目的设备标识字段为发送方的标识,该响应信息对应的源设备标识字段为接收方的标识。进一步的,若发送方在第四预设时长内未接收到响应信息,则发送方可以重新向接收方发送该请求信息。此时,发送方仍可以通过点到多点的方式向接收方发送请求信息,发送方也可以通过点到点的方式向接收方发送请求信息。在发送方通过点到多点的方式向接收方发送请求信息的情况下,对于已经发送了响应信息的接收方,该接收方可以忽略该请求信息,也可以再次向发送方发送响应信息。在发送方通过点到点的方式向接收方发送请求信息的情况下,对于已经发送了响应信息的接收方,发送方可以向该接收方再次发送请求信息,也可以不向该接收方再次发送请求信息。若发送方向该接收方法再次发送请求信息,该接收方接收到该请求信息后,可以忽略该请求信息,也可以再次向发送方发送响应信息。可以理解的,若发送方通过点到点的方式多次向接收方发送请求信息后,都没有接收到接收方的响应信息,可以确认该接收方处于异常状态。
可以理解的,TLV类型不同,TLV的格式也不同,因此下一个有效载荷字段指示了消息内容字段中第一个payload的TLV类型后,接收信息的节点可以根据下一个有效载荷字段指示的TLV类型解析消息内容字段中第一个payload。
其中,TLV的格式可以包括TLV头(TLV Header)和TLV数据(TLV Data)。TLV的格式可以可以称为TLV的payload。TLV Header可以包括TLV类型字段、保留(reserved)字段和TLV长度字段。TLV类型字段可以指示下一个TLV的TLV类型,接收信息的节点可以根据TLV类型字段指示的TLV类型解析下一个TLV。保留字段可以用于以后对该TLV格式的扩展。TLV长度字段可以指示TLV长度,即TLV Header和TLV Data的长度。TLV类型,每个TLV类型的值,以及每个TLV类型的含义可以如表19所示。可以理解的,不同TLV类型对应的TLV数据不同。
表19
Figure PCTCN2021078283-appb-000023
Figure PCTCN2021078283-appb-000024
示例性的,TLV的格式可以如图14所示。图14中,Vehicle No的格式(VehicleNoPyld)包括TLV Header和Vehicle No字段。Vehicle No字段用于指示车辆编号。车辆编号也可以称为车辆标识,智能车的标识等。不同的车厂,车辆编号规则可能不一样,车辆编号所需的比特数也可能不一样。因此车辆编号定义了单独的TLV,具体编号由各车厂制定。
图14中,Security Domain Info的格式(SecDomainPyld)包括TLV Header,密钥类型(key type)字段,和通信域的标识(SecDomainID)字段。其中,密钥类型字段、每个密钥类型的值以及每个密钥类型的含义可以如表20所示。通信域的标识字段用于指示通信域的标识。不同智能车的通信域的标识的定义方式或值可以相同、也可以不同。同一个智能车内的不同通信域的标识不同。通信域的标识的定义方式或值可以由车厂定义。进一步的,Security Domain Info的格式还可以包括设备标识(Device ID)字段。设备标识字段用于指示设备标识。对于不同智能车的相同设备,设备标识可以相同,也可以不同。同一智能车内,不同设备的设备标识不同。
表20
密钥类型 密钥类型的值 密钥类型的含义
Reserved 0 预留,同时表示该信息不需要密钥类型。
GlobalFixKey 1 使用范围为整车的固定密钥
GlobalLongTermKey 2 使用范围为整车的长期密钥
SecDomainFixKey 3 通信域对应的固定密钥
SecDomainLongTermKey 4 通信域对应的长期密钥
图14中,Key Security Domain的格式(KeySecDomPyld)包括TLV Header,密钥类型字段,通信域标识字段和密钥的标识(key ID)字段。进一步的,Key Security Domain的格式还可以包括设备标识字段。
图14中,Key Material的格式(KeyMatPyld)包括TLV Header,密钥材料类型(key material type,KeyMat Type)字段,KDF标识(KDF ID)字段,密钥的标识字段,和随机数或密钥(Nonce_K or Key)字段。其中,密钥材料类型,每个密钥材料类型的值以及每个密钥材料类型的含义可以如表21所示。随机数或密钥字段用于指示用于生成密钥的随机数(例如,第一密钥材料或第二密钥材料)或密钥(例如,第一密钥或第二密钥)。进 一步的,Key Material的格式还可以包括更新前的密钥的标识(Old Key ID)字段。更新前的密钥的标识字段用于指示更新前的密钥的标识。
表21
Figure PCTCN2021078283-appb-000025
图14中,KDF标识(KDF ID)字段用于指示KDF标识。KDF标识,KDF标识的值以及KDF标识的含义可以如表22所示。
表22
Figure PCTCN2021078283-appb-000026
图14中,Key Confirmed的格式(KeyConPyld)包括TLV Header,密钥类型字段,密钥的标识字段和MAC字段。其中,MAC字段用于指示计算得到的MAC。进一步的,Key Confirmed的格式还可以包括更新前的密钥的标识字段。
图14中,Key Validate的格式(KeyValidPyld)包括TLV Header,密钥类型字段,通信域的标识字段,密钥的标识字段,随机数字段和MAC字段。其中,随机数字段用于指 示用于密钥验证的随机数(例如,第一随机数或第二随机数)。MAC字段用于指示计算得到的MAC。Key Validate的格式中的MAC的计算方法与Key Confirmed的格式中的MAC的计算方法可以相同也可以不同。进一步的,Key Validate的格式还可以包括设备标识字段。
图14中,Key Remain Time的格式(KeyRemTmPyld)包括TLV Header,密钥类型字段,密钥的标识,剩余超时天数(Remain Days)字段和剩余超时时间(Remain time(s))字段。剩余超时天数字段用于指示密钥有效的剩余天数,例如,若剩余超时天数字段指示30天,则表示密钥将在30天后失效。剩余超时时间字段用于指示密钥有效天数不足一天的情况下,密钥有效的剩余时长,例如,若剩余超时时间字段指示5小时30分,则表示密钥将在5小时30分后失效。
图14中,Progress的格式(ProgPyld)包括TLV Header,构建类型(build type)字段,构建阶段(build stage)字段,当前构建的通信域的标识(CurSecDomainID)字段,当前设备的标识(CurDeviceID)字段,完成数量(Finished Nums)字段和剩余数量(Remain Nums)字段。其中,构建类型字段用于指示构建类型,例如,密钥管理系统初次构建,通信域的密钥更新阶段或智能车中设备更换阶段。构建阶段字段用于指示构建阶段,例如,固定密钥灌装阶段、通信域的长期密钥构建阶段或通信域的临时密钥构建阶段。当前构建的通信域的标识字段用于指示正在构建密钥的通信域的标识。当前设备的标识字段用于指示正在构建密钥的设备的标识。完成数量字段用于指示完成密钥构建的通信域或设备的数量。剩余数量字段用于指示未完成密钥构建的通信域或设备的数量。
图14中,Nonce的格式(NoncePyld)包括TLV Header和随机数字段。其中,随机数字段用于指示随机数。该随机数可以用于生成密钥,也可以用于密钥验证。
图14中,Result的格式(ResultPyld)包括TLV Header和结果状态(result status)字段。其中,结果状态字段用于指示构建密钥的结果,例如,构建成功或构建失败。进一步的,Result的格式还可以包括错误代码(error code)字段。错误代码字段可以在构建密钥失败的情况下,指示构建失败的原因对应的错误代码。
可以理解的,本申请实施例不限制上述各种TLV的格式中包括的字段的数量,也不限制每个字段包括的比特数。示例性的,TLV的格式可以包括比图14所示的任一格式包括的字段更多或更少的字段。不同TLV的格式包括的相同字段中的比特数可以相同,也可以不同。例如,Key Security Domain的格式中密钥类型字段包括的比特数,与Key Remain Time的格式中密钥类型字段包括的比特数可以相同,也可以不同。
请参考表23,表23为本申请实施例提供的密钥服务器、密钥客户端、密钥管理工具和云端密钥管理中心之间传输的信息、信息的功能、信息的消息类型、信息的操作类型、信息的类别、信息的应用场景和信息的TLV的格式的对应关系。其中,操作类型中的NA表示信息不涉及操作类型,或者表示信息没有对应的操作类型。在这种情况下,若该信息的功能是响应,可以通过该信息中的消息标记字段识别该信息是响应信息。NULL表示不使用TLV的格式。
表23
Figure PCTCN2021078283-appb-000027
Figure PCTCN2021078283-appb-000028
Figure PCTCN2021078283-appb-000029
Figure PCTCN2021078283-appb-000030
Figure PCTCN2021078283-appb-000031
Figure PCTCN2021078283-appb-000032
上述主要从各个网元之间交互的角度对本申请实施例提供的方法进行了介绍。可以理解的是,上述密钥服务器,密钥代理或者密钥客户端等为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法操作,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。
本申请实施例可以根据上述方法示例对密钥服务器,密钥代理或者密钥客户端进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。需要说明的是,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。
比如,以采用集成的方式划分各个功能模块的情况下,图15示出了一种获取密钥的装置150的结构示意图。获取密钥的装置150包括处理单元1501和收发单元1502。
示例性地,获取密钥的装置150用于实现密钥服务器的功能。获取密钥的装置150例如为图4所示的实施例-图11所示的实施例所述的密钥服务器。
在本申请实施例中,获取密钥的装置150可以是密钥服务器,也可以是应用于密钥服务器中的芯片或者其他具有上述密钥服务器功能的组合器件、或部件等。当获取密钥的装置150是密钥服务器时,处理单元1501可以是处理器(或者,处理电路),例如基带处理器,基带处理器中可以包括一个或多个CPU,收发单元1502可以是收发器,收发器可以包括天线和射频电路等。当获取密钥的装置150是具有上述密钥服务器功能的部件时,处理单元1501可以是处理器(或者,处理电路),例如基带处理器,收发单元1502可以是射频单元。当获取密钥的装置150是芯片系统时,处理单元1501可以是芯片系统的处理器(或者,处理电路),可以包括一个或多个中央处理单元,收发单元1502可以是芯片(例如基带芯片)的输入输出接口。应理解,本申请实施例中的处理单元1501可以由处理器或处理器相关电路组件(或者,称为处理电路)实现,收发单元1502可以由收发器或收发器相关电路组件实现。
例如,处理单元1501可以用于执行图4所示的实施例中由密钥服务器所执行的除了收发操作之外的全部操作,例如S401和/或用于支持本文所描述的技术的其它过程。收发单元1502可以用于执行图4所示的实施例中由密钥服务器所执行的全部收发操作,例如S402和/或用于支持本文所描述的技术的其它过程。
其中,处理单元1501,用于获取第一密钥信息,第一密钥信息包括第一密钥材料 和第一通信域的标识,第一密钥材料用于生成第一密钥,第一通信域的标识用于指示第一通信域,第一密钥应用于第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括该第一节点。
收发单元1502,用于向第一节点发送该第一密钥信息。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。
一种可能的实现方式,处理单元1501,还用于根据第一验证信息生成第一验证码,第一验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第一信息,或获取密钥的装置150的标识,第一信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第一随机数;收发单元1502,还用于向第一节点发送该第一信息和该第一验证码。
一种可能的实现方式,收发单元1502,还用于接收来自第一节点的第二信息和第二验证码,第二验证码是根据第二验证信息生成的,第二验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第二信息,第一节点的标识,或第一随机数,第二信息包括第一通信域的标识,和/或,第一密钥的标识;处理单元1501,还用于验证第二验证码。
一种可能的实现方式,处理单元1501,还用于根据第一协议与第一节点建立第一安全通道,第一安全通道用于传输获取密钥的装置150与第一节点之间的信息。
一种可能的实现方式,第一节点的数量大于1,第一安全通道包括获取密钥的装置150与每个第一节点的点到点的安全通道;或者,第一安全通道包括获取密钥的装置150与每个第一节点的点到多点的安全通道;或者,第一安全通道包括获取密钥的装置150与一部分第一节点的点到点的安全通道,以及获取密钥的装置150与另一部分第一节点的点到多点的安全通道。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端。
一种可能的实现方式,第二节点包括在第一通信域中。
一种可能的实现方式,收发单元1502,还用于接收来自第一节点的第一通知信息,第一通知信息用于通知该第一通信域内的节点的验证结果。
一种可能的实现方式,处理单元1501,还用于获取第一配置信息,第一配置信息用于指示以下信息中的至少一种:密钥管理系统中节点的标识,密钥管理系统中节点的连接方式,或与密钥管理系统中节点通信的其他节点的信息。
一种可能的实现方式,收发单元1502,还用于向第一节点发送第二配置信息,第二配置信息用于指示以下信息中的至少一种:第一节点的标识,第一节点的连接方式,或与第一节点通信的其他节点的信息。
一种可能的实现方式,第一节点为密钥代理,密钥管理系统还包括与第一节点通信连接的第二节点,第二节点为密钥客户端,第二配置信息还用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。
一种可能的实现方式,处理单元1501,还用于根据第一配置信息确定获取密钥的装置150所在的通信域的信息,获取密钥的装置150所在的通信域的信息用于指示以下信息中的至少一项:获取密钥的装置150所在的通信域的标识该获取密钥的装置150所在的通信域中节点的通信方式,获取密钥的装置150与获取密钥的装置150所在的通信域中除获取密钥的装置150之外的节点的连接方式,获取密钥的装置150所在的通信域中除获取密钥的装置150之外的其他节点的信息,或构建获取密钥的装置150所在的通信域的密钥的密钥信息。
一种可能的实现方式,收发单元1502,还用于接收来自密钥管理工具的第一确认信息;或者,收发单元1502,还用于接收来自第一终端的第一确认信息;或者,收发单元1502,还用于接收来自第二终端的第一确认信息;其中,第一确认信息用于触发获取密钥的装置150获取第一密钥信息。
一种可能的实现方式,第一协议包括传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。
当用于实现密钥服务器的功能时,关于获取密钥的装置150所能实现的其他功能,可参考图4所示的实施例-图11所示的实施例的相关介绍,不多赘述。
比如,以采用集成的方式划分各个功能模块的情况下,图16示出了一种获取密钥的装置160的结构示意图。获取密钥的装置160包括收发单元1601和处理单元1602。
示例性地,获取密钥的装置160用于实现第一节点的功能。例如,获取密钥的装置160为图4所示的实施例-图6所示的实施例所述的密钥客户端。又例如,获取密钥的装置160为图7所示的实施例-图11所示的实施例所述的密钥代理。
在本申请实施例中,获取密钥的装置160可以是密钥客户端/密钥代理,也可以是应用于密钥客户端/密钥代理中的芯片或者其他具有上述密钥客户端/密钥代理功能的组合器件、或部件等。当获取密钥的装置160是密钥客户端/密钥代理时,收发单元1601可以是收发器,收发器可以包括天线和射频电路等,处理单元1602可以是处理器(或者,处理电路),例如基带处理器,基带处理器中可以包括一个或多个CPU。当获取密钥的装置160是具有上述密钥客户端/密钥代理功能的部件时,收发单元1601可以是射频单元,处理单元1602可以是处理器(或者,处理电路),例如基带处理器。当获取密钥的装置160是芯片系统时,收发单元1601可以是芯片(例如基带芯片)的输入输出接口,处理单元1602可以是芯片系统的处理器(或者,处理电路),可以包括一个或多个中央处理单元。应理解,本申请实施例中的收发单元1601可以由收发器或收发器相关电路组件实现,处理单元1602可以由处理器或处理器相关电路组件(或者,称为处理电路)实现。
例如,收发单元1601可以用于执行图4所示的实施例中由密钥客户端所执行的全部收发操作,例如S402和/或用于支持本文所描述的技术的其它过程。处理单元1602可以用于执行图4所示的实施例中由密钥客户端所执行的除了收发操作之外的全部操作,例如S403和/或用于支持本文所描述的技术的其它过程。
又例如,收发单元1601可以用于执行图7所示的实施例中由密钥代理所执行的全部收发操作,例如S702和S704,和/或用于支持本文所描述的技术的其它过程。处理单元1602可以用于执行图7所示的实施例中由密钥代理所执行的除了收发操作之外 的全部操作,例如S703和/或用于支持本文所描述的技术的其它过程。
其中,收发单元1601,用于接收来自密钥服务器的第一密钥的信息,第一密钥的信息包括第一密钥材料和第一通信域的标识,第一通信域的标识用于指示第一通信域。
处理单元1602,用于根据第一密钥材料生成第一密钥,第一密钥应用于第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括获取密钥的装置160。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。
一种可能的实现方式,收发单元1601,还用于接收来自密钥服务器的第一信息和第一验证码,第一验证码是根据第一验证信息生成的,第一验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第一信息,或密钥服务器的标识,第一信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第一随机数;收发单元1601,还用于验证第一验证码。
一种可能的实现方式,处理单元1602,还用于根据第二验证信息生成第二验证码,第二验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第二信息,获取密钥的装置160的标识,或第一随机数,第二信息包括第一通信域的标识,和/或,第一密钥的标识;收发单元1601,还用于向密钥服务器发送第二信息和第二验证码。
一种可能的实现方式,处理单元1602,还用于根据第一协议与密钥服务器建立第一安全通道,第一安全通道用于传输该密钥服务器与获取密钥的装置160之间的信息。
一种可能的实现方式,获取密钥的装置160的数量大于1,第一安全通道包括密钥服务器与每个获取密钥的装置160的点到点的安全通道;或者,第一安全通道包括密钥服务器与每个获取密钥的装置160的点到多点的安全通道;或者,第一安全通道包括密钥服务器与一部分获取密钥的装置160的点到点的安全通道,以及密钥服务器与另一部分获取密钥的装置160的点到多点的安全通道。
一种可能的实现方式,获取密钥的装置160为密钥代理,密钥管理系统还包括与获取密钥的装置160通信连接的第二节点,第二节点为密钥客户端。
一种可能的实现方式,第二节点包括在该第一通信域中;收发单元1601,还用于向第二节点发送第一密钥材料和第一通信域的标识。
一种可能的实现方式,处理单元1602,还用于根据第三验证信息生成第三验证码,第三验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第三信息,或获取密钥的装置160的标识,第三信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第二随机数;收发单元1601,还用于向第二节点发送第三信息和第三验证码。
一种可能的实现方式,收发单元1601,还用于接收来自第二节点的第四信息和第四验证码,第四验证码是根据第四验证信息得到,第四验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第四信息,第二节点的标识,或第二随机数,第四信息包括第一通信域的标识,和/或,第一密钥的标识;处理单元1602,还用于验证该第四验证码。
一种可能的实现方式,收发单元1601,还用于向密钥服务器发送第一通知信息,第一通知信息用于通知第一通信域内的节点的验证结果。
一种可能的实现方式,处理单元1602,还用于根据第一协议与第二节点建立第二安全通道,第二安全通道用于传输该获取密钥的装置160与第二节点之间的信息。
一种可能的实现方式,第二节点的数量大于1,第二安全通道包括获取密钥的装置160与每个第二节点的点到点的安全通道;或者,第二安全通道包括获取密钥的装置160与每个第二节点的点到多点的安全通道;或者,第二安全通道包括获取密钥的装置160与一部分第二节点的点到点的安全通道,以及获取密钥的装置160与另一部分第二节点的点到多点的安全通道。
一种可能的实现方式,收发单元1601,还用于接收来自密钥服务器的第二配置信息,第二配置信息用于指示以下信息中的至少一种:获取密钥的装置160的标识,获取密钥的装置160的连接方式,或与获取密钥的装置160通信的其他节点的信息。
一种可能的实现方式,获取密钥的装置160为密钥代理,密钥管理系统还包括与获取密钥的装置160通信连接的第二节点,第二节点为密钥客户端,第二配置信息还用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息;收发单元1601,还用于向第二节点发送第三配置信息,第三配置信息用于指示以下信息中的至少一种:第二节点的标识,第二节点的连接方式,或与第二节点通信的其他节点的信息。
一种可能的实现方式,处理单元1602,还用于根据第二配置信息确定获取密钥的装置160所在通信域的信息,获取密钥的装置160所在的通信域的信息用于指示以下信息中的至少一项:获取密钥的装置160所在的通信域的标识,获取密钥的装置160所在的通信域中节点的通信方式,获取密钥的装置160与获取密钥的装置160所在的通信域中除获取密钥的装置160之外的节点的连接方式,获取密钥的装置160所在的通信域中除获取密钥的装置160之外的其他节点的信息,或构建获取密钥的装置160所在的通信域的密钥的密钥信息。
一种可能的实现方式,第一协议包括传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。
当用于实现第一节点的功能时,关于获取密钥的装置160所能实现的其他功能,可参考图4所示的实施例-图11所示的实施例的相关介绍,不多赘述。
或者,示例性地,获取密钥的装置160用于实现第二节点的功能。获取密钥的装置160例如为图7所示的实施例-图11所示的实施例所述的第二节点。
在本申请实施例中,获取密钥的装置160可以是第二节点,也可以是应用于第二节点中的芯片或者其他具有上述第二节点功能的组合器件、或部件等。当获取密钥的装置160是第二节点时,收发单元1601可以是收发器,收发器可以包括天线和射频电路等,处理单元1602可以是处理器(或者,处理电路),例如基带处理器,基带处理器中可以包括一个或多个CPU。当获取密钥的装置160是具有上述第二节点功能的部件时,收发单元1601可以是射频单元,处理单元1602可以是处理器(或者,处理电路),例如基带处理器。当获取密钥的装置160是芯片系统时,收发单元1601可以是芯片(例如基带芯片)的输入输出接口,处理单元1602可以是芯片系统的处理器(或 者,处理电路),可以包括一个或多个中央处理单元。应理解,本申请实施例中的收发单元1601可以由收发器或收发器相关电路组件实现,处理单元1602可以由处理器或处理器相关电路组件(或者,称为处理电路)实现。
例如,收发单元1601可以用于执行图7所示的实施例中由第二节点所执行的全部收发操作,例如S704和/或用于支持本文所描述的技术的其它过程。处理单元1602可以用于执行图7所示的实施例中由第二节点所执行的除了收发操作之外的全部操作,例如S705和/或用于支持本文所描述的技术的其它过程。
其中,收发单元1601,用于接收来自密钥代理的第一密钥材料和第一通信域的标识,第一通信域的标识用于指示第一通信域。
处理单元1602,用于根据第一密钥材料生成第一密钥,第一密钥应用于第一通信域,第一通信域包括密钥管理系统中的至少两个节点,至少两个节点包括获取密钥的装置160。
一种可能的实现方式,第一通信域是根据以下至少一个信息确定的:密钥管理系统中节点的连接方式,密钥管理系统中节点的功能,或密钥管理系统中通信信息的类型。
一种可能的实现方式,收发单元1601,还用于接收来自密钥代理的第三信息和第三验证码,第三验证码是根据第三验证信息得到,第三验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第三信息,或密钥代理的标识,第三信息包括以下信息中的至少一个:第一通信域的标识,第一密钥的标识或第二随机数;处理单元1602,还用于验证第三验证码。
一种可能的实现方式,处理单元1602,还用于根据第四验证信息生成第四验证码,第四验证信息包括以下信息中的至少一个:第一密钥,第一密钥材料,第四信息,获取密钥的装置160的标识,或第二随机数,第四信息包括第一通信域的标识,和/或,第一密钥的标识;收发单元1601,还用于向密钥代理发送第四信息和第四验证码。
一种可能的实现方式,处理单元1602,还用于根据第一协议与密钥代理建立第二安全通道,第二安全通道用于传输获取密钥的装置160与密钥代理之间的信息。
一种可能的实现方式,获取密钥的装置160的数量大于1;第二安全通道包括密钥代理与每个获取密钥的装置160的点到点的安全通道;或者,第二安全通道包括密钥代理与每个获取密钥的装置160的点到多点的安全通道;或者,第二安全通道包括密钥代理与一部分获取密钥的装置160的点到点的安全通道,以及密钥代理与另一部分获取密钥的装置160的点到多点的安全通道。
一种可能的实现方式,收发单元1601,还用于接收来自密钥代理的第三配置信息,第三配置信息用于指示以下信息中的至少一种:获取密钥的装置160的标识,获取密钥的装置160的连接方式,或与获取密钥的装置160通信的其他节点的信息。
一种可能的实现方式,处理单元1602,还用于根据第三配置信息确定获取密钥的装置160所在通信域的信息,获取密钥的装置160所在的通信域的信息用于指示以下信息中的至少一项:获取密钥的装置160所在的通信域的标识,获取密钥的装置160所在的通信域中节点的通信方式,获取密钥的装置160与获取密钥的装置160所在的通信域中除获取密钥的装置160之外的节点的连接方式,获取密钥的装置160所在的 通信域中除获取密钥的装置160之外的其他节点的信息,或构建获取密钥的装置160所在的通信域的密钥的密钥信息。
一种可能的实现方式,第一协议是传输层安全协议、因特网密钥交换协议、超文本传输安全协议、数据包传输层安全性协议或自定义协议。
当用于实现第二节点的功能时,关于获取密钥的装置160所能实现的其他功能,可参考图7所示的实施例-图11所示的实施例的相关介绍,不多赘述。
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。
在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个装置,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是一个物理单元或多个物理单元,即可以位于一个地方,或者也可以分布到多个不同地方。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个可读取存储介质中。基于这样的理解,本申请实施例的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该软件产品存储在一个存储介质中,包括若干指令用以使得一个设备(可以是单片机,芯片等)或处理器(processor)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、ROM、RAM、磁碟或者光盘等各种可以存储程序代码的介质。
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何在本申请揭露的技术范围内的变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。

Claims (80)

  1. 一种获取密钥的方法,其特征在于,所述方法应用于密钥管理系统,所述密钥管理系统包括密钥服务器,以及与所述密钥服务器通信连接的第一节点,所述第一节点为密钥客户端或密钥代理,所述方法包括:
    所述密钥服务器获取第一密钥信息,所述第一密钥信息包括第一密钥材料和第一通信域的标识,所述第一密钥材料用于生成所述第一密钥,所述第一通信域的标识用于指示第一通信域,所述第一密钥应用于所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述第一节点;
    所述密钥服务器向所述第一节点发送所述第一密钥信息。
  2. 根据权利要求1所述的获取密钥的方法,其特征在于,所述第一通信域是根据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  3. 根据权利要求1或2所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器根据第一验证信息生成第一验证码,所述第一验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第一信息,或所述密钥服务器的标识,所述第一信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第一随机数;
    所述密钥服务器向所述第一节点发送所述第一信息和所述第一验证码。
  4. 根据权利要求1-3中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器接收来自所述第一节点的第二信息和第二验证码,所述第二验证码是根据第二验证信息生成的,所述第二验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第二信息,所述第一节点的标识,或第一随机数,所述第二信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述密钥服务器验证所述第二验证码。
  5. 根据权利要求1-4中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器根据第一协议与所述第一节点建立第一安全通道,所述第一安全通道用于传输所述密钥服务器与所述第一节点之间的信息。
  6. 根据权利要求5所述的方法,其特征在于,所述第一节点的数量大于1,
    所述第一安全通道包括所述密钥服务器与每个第一节点的点到点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与每个第一节点的点到多点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与一部分第一节点的点到点的安全通道,以及所述密钥服务器与另一部分第一节点的点到多点的安全通道。
  7. 根据权利要求1-6中任一项所述的方法,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端。
  8. 根据权利要求7所述的方法,其特征在于,所述第二节点包括在所述第一通信域中。
  9. 根据权利要求7或8所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器接收来自所述第一节点的第一通知信息,所述第一通知信息用于通知所述第一通信域内的节点的验证结果。
  10. 根据权利要求1-9中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器获取第一配置信息,所述第一配置信息用于指示以下信息中的至少一种:所述密钥管理系统中节点的标识,所述密钥管理系统中节点的连接方式,或与所述密钥管理系统中节点通信的其他节点的信息。
  11. 根据权利要求10所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器向所述第一节点发送第二配置信息,所述第二配置信息用于指示以下信息中的至少一种:所述第一节点的标识,所述第一节点的连接方式,或与所述第一节点通信的其他节点的信息。
  12. 根据权利要求11所述的方法,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端,所述第二配置信息还用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息。
  13. 根据权利要求10-12中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器根据所述第一配置信息确定所述密钥服务器所在的通信域的信息,所述密钥服务器所在的通信域的信息用于指示以下信息中的至少一项:所述密钥服务器所在的通信域的标识,所述密钥服务器所在的通信域中节点的通信方式,所述密钥服务器与所述密钥服务器所在的通信域中除所述密钥服务器之外的节点的连接方式,所述密钥服务器所在的通信域中除所述密钥服务器之外的其他节点的信息,或构建所述密钥服务器所在的通信域的密钥的密钥信息。
  14. 根据权利要求1-13中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥服务器接收来自密钥管理工具的第一确认信息;或者,
    所述密钥服务器接收来自第一终端的第一确认信息;或者,
    所述密钥服务器接收来自第二终端的第一确认信息;
    其中,所述第一确认信息用于触发所述密钥服务器获取所述第一密钥信息。
  15. 一种获取密钥的方法,其特征在于,所述方法应用于密钥管理系统,所述密钥管理系统包括密钥服务器,以及与所述密钥服务器通信连接的第一节点,所述第一节点为密钥客户端或密钥代理,所述方法包括:
    所述第一节点接收来自所述密钥服务器的第一密钥的信息,所述第一密钥的信息包括第一密钥材料和第一通信域的标识,所述第一通信域的标识用于指示第一通信域;
    所述第一节点根据所述第一密钥材料生成第一密钥,所述第一密钥应用于所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述第一节点。
  16. 根据权利要求15所述的获取密钥的方法,其特征在于,所述第一通信域是根据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  17. 根据权利要求15或16所述的方法,其特征在于,所述方法还包括:
    所述第一节点接收来自所述密钥服务器的第一信息和第一验证码,所述第一验证码是根据第一验证信息生成的,所述第一验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第一信息,或所述密钥服务器的标识,所述第一信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第一随机数;
    所述第一节点验证所述第一验证码。
  18. 根据权利要求15-17中任一项所述的方法,其特征在于,所述方法还包括:
    所述第一节点根据第二验证信息生成第二验证码,所述第二验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第二信息,所述第一节点的标识,或第一随机数,所述第二信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述第一节点向所述密钥服务器发送所述第二信息和所述第二验证码。
  19. 根据权利要求15-18中任一项所述的方法,其特征在于,所述方法还包括:
    所述第一节点根据第一协议与所述密钥服务器建立第一安全通道,所述第一安全通道用于传输所述密钥服务器与所述第一节点之间的信息。
  20. 根据权利要求19所述的方法,其特征在于,所述第一节点的数量大于1,
    所述第一安全通道包括所述密钥服务器与每个第一节点的点到点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与每个第一节点的点到多点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与一部分第一节点的点到点的安全通道,以及所述密钥服务器与另一部分第一节点的点到多点的安全通道。
  21. 根据权利要求15-20中任一项所述的方法,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端。
  22. 根据权利要求21所述的方法,其特征在于,所述第二节点包括在所述第一通信域中;
    所述方法还包括:
    所述第一节点向所述第二节点发送所述第一密钥材料和所述第一通信域的标识。
  23. 根据权利要求22所述的方法,其特征在于,所述方法还包括:
    所述第一节点根据第三验证信息生成第三验证码,所述第三验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第三信息,或所述第一节点的标识,所述第三信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第二随机数;
    所述第一节点向所述第二节点发送所述第三信息和所述第三验证码。
  24. 根据权利要求22或23所述的方法,其特征在于,所述方法还包括:
    所述第一节点接收来自所述第二节点的第四信息和第四验证码,所述第四验证码是根据第四验证信息得到,所述第四验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第四信息,所述第二节点的标识,或第二随机数,所 述第四信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述第一节点验证所述第四验证码。
  25. 根据权利要求23或24所述的方法,其特征在于,所述方法还包括:
    所述第一节点向所述密钥服务器发送第一通知信息,所述第一通知信息用于通知所述第一通信域内的节点的验证结果。
  26. 根据权利要求21-25中任一项所述的方法,其特征在于,所述方法还包括:
    所述第一节点根据第一协议与所述第二节点建立第二安全通道,所述第二安全通道用于传输所述第一节点与所述第二节点之间的信息。
  27. 根据权利要求26所述的方法,其特征在于,所述第二节点的数量大于1,
    所述第二安全通道包括所述第一节点与每个第二节点的点到点的安全通道;或者,
    所述第二安全通道包括所述第一节点与每个第二节点的点到多点的安全通道;或者,
    所述第二安全通道包括所述第一节点与一部分第二节点的点到点的安全通道,以及所述第一节点与另一部分第二节点的点到多点的安全通道。
  28. 根据权利要求15-27中任一项所述的方法,其特征在于,所述方法还包括:
    所述第一节点接收来自所述密钥服务器的第二配置信息,所述第二配置信息用于指示以下信息中的至少一种:所述第一节点的标识,所述第一节点的连接方式,或与所述第一节点通信的其他节点的信息。
  29. 根据权利要求28所述的方法,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端,所述第二配置信息还用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息;
    所述方法还包括:
    所述第一节点向所述第二节点发送第三配置信息,所述第三配置信息用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息。
  30. 根据权利要求28或29所述的方法,其特征在于,所述方法还包括:
    所述第一节点根据所述第二配置信息确定所述第一节点所在通信域的信息,所述第一节点所在的通信域的信息用于指示以下信息中的至少一项:所述第一节点所在的通信域的标识,所述第一节点所在的通信域中节点的通信方式,所述第一节点与所述第一节点所在的通信域中除所述第一节点之外的节点的连接方式,所述第一节点所在的通信域中除所述第一节点之外的其他节点的信息,或构建所述第一节点所在的通信域的密钥的密钥信息。
  31. 一种获取密钥的方法,其特征在于,所述方法应用于密钥管理系统,所述密钥管理系统包括密钥服务器,与所述密钥服务器通信连接的密钥代理,以及与所述密钥代理通信连接的密钥客户端,所述方法包括:
    所述密钥客户端接收来自所述密钥代理的第一密钥材料和第一通信域的标识,所述第一通信域的标识用于指示第一通信域;
    所述密钥客户端根据所述第一密钥材料生成所述第一密钥,所述第一密钥应用于 所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述密钥客户端。
  32. 根据权利要求31所述的获取密钥的方法,其特征在于,所述第一通信域是根据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  33. 根据权利要求31或32所述的方法,其特征在于,所述方法还包括:
    所述密钥客户端接收来自所述密钥代理的第三信息和第三验证码,所述第三验证码是根据第三验证信息得到,所述第三验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第三信息,或所述密钥代理的标识,所述第三信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第二随机数;
    所述密钥客户端验证所述第三验证码。
  34. 根据权利要求31-33中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥客户端根据第四验证信息生成第四验证码,所述第四验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第四信息,所述密钥客户端的标识,或第二随机数,所述第四信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述密钥客户端向所述密钥代理发送所述第四信息和所述第四验证码。
  35. 根据权利要求31-34中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥客户端根据第一协议与所述密钥代理建立第二安全通道,所述第二安全通道用于传输所述密钥客户端与所述密钥代理之间的信息。
  36. 根据权利要求35所述的方法,其特征在于,所述密钥客户端的数量大于1;
    所述第二安全通道包括所述密钥代理与每个密钥客户端的点到点的安全通道;或者,
    所述第二安全通道包括所述密钥代理与每个密钥客户端的点到多点的安全通道;或者,
    所述第二安全通道包括所述密钥代理与一部分密钥客户端的点到点的安全通道,以及所述密钥代理与另一部分密钥客户端的点到多点的安全通道。
  37. 根据权利要求31-36中任一项所述的方法,其特征在于,所述方法还包括:
    所述密钥客户端接收来自所述密钥代理的第三配置信息,所述第三配置信息用于指示以下信息中的至少一种:所述密钥客户端的标识,所述密钥客户端的连接方式,或与所述密钥客户端通信的其他节点的信息。
  38. 根据权利要求37所述的方法,其特征在于,所述方法还包括:
    所述密钥客户端根据所述第三配置信息确定所述密钥客户端所在通信域的信息,所述密钥客户端所在的通信域的信息用于指示以下信息中的至少一项:所述密钥客户端所在的通信域的标识,所述密钥客户端所在的通信域中节点的通信方式,所述密钥客户端与所述密钥客户端所在的通信域中除所述密钥客户端之外的节点的连接方式,所述密钥客户端所在的通信域中除所述密钥客户端之外的其他节点的信息,或构建所述密钥客户端所在的通信域的密钥的密钥信息。
  39. 一种获取密钥的装置,其特征在于,所述获取密钥的装置应用于密钥管理系统, 所述密钥管理系统包括获取密钥的装置,以及与所述获取密钥的装置通信连接的第一节点,所述第一节点为密钥客户端或密钥代理,所述获取密钥的装置包括:处理单元和收发单元;
    所述处理单元,用于获取第一密钥信息,所述第一密钥信息包括第一密钥材料和第一通信域的标识,所述第一密钥材料用于生成所述第一密钥,所述第一通信域的标识用于指示第一通信域,所述第一密钥应用于所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述第一节点;
    所述收发单元,用于向所述第一节点发送所述第一密钥信息。
  40. 根据权利要求39所述的获取密钥的装置,其特征在于,所述第一通信域是根据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  41. 根据权利要求39或40所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第一验证信息生成第一验证码,所述第一验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第一信息,或所述获取密钥的装置的标识,所述第一信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第一随机数;
    所述收发单元,还用于向所述第一节点发送所述第一信息和所述第一验证码。
  42. 根据权利要求39-41中任一项所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述第一节点的第二信息和第二验证码,所述第二验证码是根据第二验证信息生成的,所述第二验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第二信息,所述第一节点的标识,或第一随机数,所述第二信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述处理单元,还用于验证所述第二验证码。
  43. 根据权利要求39-42中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第一协议与所述第一节点建立第一安全通道,所述第一安全通道用于传输所述获取密钥的装置与所述第一节点之间的信息。
  44. 根据权利要求43所述的获取密钥的装置,其特征在于,所述第一节点的数量大于1,
    所述第一安全通道包括所述获取密钥的装置与每个第一节点的点到点的安全通道;或者,
    所述第一安全通道包括所述获取密钥的装置与每个第一节点的点到多点的安全通道;或者,
    所述第一安全通道包括所述获取密钥的装置与一部分第一节点的点到点的安全通道,以及所述获取密钥的装置与另一部分第一节点的点到多点的安全通道。
  45. 根据权利要求39-44中任一项所述的获取密钥的装置,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端。
  46. 根据权利要求45所述的获取密钥的装置,其特征在于,所述第二节点包括在所述第一通信域中。
  47. 根据权利要求45或46所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述第一节点的第一通知信息,所述第一通知信息用于通知所述第一通信域内的节点的验证结果。
  48. 根据权利要求39-47中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于获取第一配置信息,所述第一配置信息用于指示以下信息中的至少一种:所述密钥管理系统中节点的标识,所述密钥管理系统中节点的连接方式,或与所述密钥管理系统中节点通信的其他节点的信息。
  49. 根据权利要求48所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于向所述第一节点发送第二配置信息,所述第二配置信息用于指示以下信息中的至少一种:所述第一节点的标识,所述第一节点的连接方式,或与所述第一节点通信的其他节点的信息。
  50. 根据权利要求49所述的获取密钥的装置,其特征在于,所述第一节点为密钥代理,所述密钥管理系统还包括与所述第一节点通信连接的第二节点,所述第二节点为密钥客户端,所述第二配置信息还用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息。
  51. 根据权利要求48-50中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据所述第一配置信息确定所述获取密钥的装置所在的通信域的信息,所述获取密钥的装置所在的通信域的信息用于指示以下信息中的至少一项:所述获取密钥的装置所在的通信域的标识,所述获取密钥的装置所在的通信域中节点的通信方式,所述获取密钥的装置与所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的节点的连接方式,所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的其他节点的信息,或构建所述获取密钥的装置所在的通信域的密钥的密钥信息。
  52. 根据权利要求39-51中任一项所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自密钥管理工具的第一确认信息;或者,
    所述收发单元,还用于接收来自第一终端的第一确认信息;或者,
    所述收发单元,还用于接收来自第二终端的第一确认信息;
    其中,所述第一确认信息用于触发所述获取密钥的装置获取所述第一密钥信息。
  53. 一种获取密钥的装置,其特征在于,所述获取密钥的装置应用于密钥管理系统,所述密钥管理系统包括密钥服务器,以及与所述密钥服务器通信连接的所述获取密钥的装置,所述获取密钥的装置为密钥客户端或密钥代理,所述获取密钥的装置包括:收发单元和处理单元;
    所述收发单元,用于接收来自所述密钥服务器的第一密钥的信息,所述第一密钥的信息包括第一密钥材料和第一通信域的标识,所述第一通信域的标识用于指示第一通信域;
    所述处理单元,用于根据所述第一密钥材料生成第一密钥,所述第一密钥应用于所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述获取密钥的装置。
  54. 根据权利要求53所述的获取密钥的装置,其特征在于,所述第一通信域是根 据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  55. 根据权利要求53或54所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述密钥服务器的第一信息和第一验证码,所述第一验证码是根据第一验证信息生成的,所述第一验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第一信息,或所述密钥服务器的标识,所述第一信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第一随机数;
    所述收发单元,还用于验证所述第一验证码。
  56. 根据权利要求53-55中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第二验证信息生成第二验证码,所述第二验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第二信息,所述获取密钥的装置的标识,或第一随机数,所述第二信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述收发单元,还用于向所述密钥服务器发送所述第二信息和所述第二验证码。
  57. 根据权利要求53-55中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第一协议与所述密钥服务器建立第一安全通道,所述第一安全通道用于传输所述密钥服务器与所述获取密钥的装置之间的信息。
  58. 根据权利要求57所述的获取密钥的装置,其特征在于,所述获取密钥的装置的数量大于1,
    所述第一安全通道包括所述密钥服务器与每个获取密钥的装置的点到点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与每个获取密钥的装置的点到多点的安全通道;或者,
    所述第一安全通道包括所述密钥服务器与一部分获取密钥的装置的点到点的安全通道,以及所述密钥服务器与另一部分获取密钥的装置的点到多点的安全通道。
  59. 根据权利要求53-58中任一项所述的获取密钥的装置,其特征在于,所述获取密钥的装置为密钥代理,所述密钥管理系统还包括与所述获取密钥的装置通信连接的第二节点,所述第二节点为密钥客户端。
  60. 根据权利要求59所述的获取密钥的装置,其特征在于,所述第二节点包括在所述第一通信域中;
    所述收发单元,还用于向所述第二节点发送所述第一密钥材料和所述第一通信域的标识。
  61. 根据权利要求60所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第三验证信息生成第三验证码,所述第三验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第三信息,或所述获取密钥的装置的标识,所述第三信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第二随机数;
    所述收发单元,还用于向所述第二节点发送所述第三信息和所述第三验证码。
  62. 根据权利要求60或61所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述第二节点的第四信息和第四验证码,所述第四验证码是根据第四验证信息得到,所述第四验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第四信息,所述第二节点的标识,或第二随机数,所述第四信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述处理单元,还用于验证所述第四验证码。
  63. 根据权利要求61或62所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于向所述密钥服务器发送第一通知信息,所述第一通知信息用于通知所述第一通信域内的节点的验证结果。
  64. 根据权利要求59-63中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第一协议与所述第二节点建立第二安全通道,所述第二安全通道用于传输所述获取密钥的装置与所述第二节点之间的信息。
  65. 根据权利要求64所述的获取密钥的装置,其特征在于,所述第二节点的数量大于1,
    所述第二安全通道包括所述获取密钥的装置与每个第二节点的点到点的安全通道;或者,
    所述第二安全通道包括所述获取密钥的装置与每个第二节点的点到多点的安全通道;或者,
    所述第二安全通道包括所述获取密钥的装置与一部分第二节点的点到点的安全通道,以及所述获取密钥的装置与另一部分第二节点的点到多点的安全通道。
  66. 根据权利要求53-65中任一项所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述密钥服务器的第二配置信息,所述第二配置信息用于指示以下信息中的至少一种:所述获取密钥的装置的标识,所述获取密钥的装置的连接方式,或与所述获取密钥的装置通信的其他节点的信息。
  67. 根据权利要求66所述的获取密钥的装置,其特征在于,所述获取密钥的装置为密钥代理,所述密钥管理系统还包括与所述获取密钥的装置通信连接的第二节点,所述第二节点为密钥客户端,所述第二配置信息还用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息;
    所述收发单元,还用于向所述第二节点发送第三配置信息,所述第三配置信息用于指示以下信息中的至少一种:所述第二节点的标识,所述第二节点的连接方式,或与所述第二节点通信的其他节点的信息。
  68. 根据权利要求66或67所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据所述第二配置信息确定所述获取密钥的装置所在通信域的信息,所述获取密钥的装置所在的通信域的信息用于指示以下信息中的至少一项:所述获取密钥的装置所在的通信域的标识,所述获取密钥的装置所在的通信域中节点的通信方式,所述获取密钥的装置与所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的节点的连接方式,所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的其他节点的信息,或构建所述获取密钥的装置所在的通信域的密钥 的密钥信息。
  69. 一种获取密钥的装置,其特征在于,所述获取密钥的装置应用于密钥管理系统,所述密钥管理系统包括密钥服务器,与所述密钥服务器通信连接的密钥代理,以及与所述密钥代理通信连接的获取密钥的装置,所述获取密钥的装置包括:收发单元和处理单元;
    所述收发单元,用于接收来自所述密钥代理的第一密钥材料和第一通信域的标识,所述第一通信域的标识用于指示第一通信域;
    所述处理单元,用于根据所述第一密钥材料生成所述第一密钥,所述第一密钥应用于所述第一通信域,所述第一通信域包括所述密钥管理系统中的至少两个节点,所述至少两个节点包括所述获取密钥的装置。
  70. 根据权利要求69所述的获取密钥的装置,其特征在于,所述第一通信域是根据以下至少一个信息确定的:所述密钥管理系统中节点的连接方式,所述密钥管理系统中节点的功能,或所述密钥管理系统中通信信息的类型。
  71. 根据权利要求69或70所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述密钥代理的第三信息和第三验证码,所述第三验证码是根据第三验证信息得到,所述第三验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,所述第三信息,或所述密钥代理的标识,所述第三信息包括以下信息中的至少一个:所述第一通信域的标识,第一密钥的标识或第二随机数;
    所述处理单元,还用于验证所述第三验证码。
  72. 根据权利要求69-71中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第四验证信息生成第四验证码,所述第四验证信息包括以下信息中的至少一个:所述第一密钥,所述第一密钥材料,第四信息,所述获取密钥的装置的标识,或第二随机数,所述第四信息包括所述第一通信域的标识,和/或,所述第一密钥的标识;
    所述收发单元,还用于向所述密钥代理发送所述第四信息和所述第四验证码。
  73. 根据权利要求69-72中任一项所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据第一协议与所述密钥代理建立第二安全通道,所述第二安全通道用于传输所述获取密钥的装置与所述密钥代理之间的信息。
  74. 根据权利要求73所述的获取密钥的装置,其特征在于,所述获取密钥的装置的数量大于1;
    所述第二安全通道包括所述密钥代理与每个获取密钥的装置的点到点的安全通道;或者,
    所述第二安全通道包括所述密钥代理与每个获取密钥的装置的点到多点的安全通道;或者,
    所述第二安全通道包括所述密钥代理与一部分获取密钥的装置的点到点的安全通道,以及所述密钥代理与另一部分获取密钥的装置的点到多点的安全通道。
  75. 根据权利要求69-74中任一项所述的获取密钥的装置,其特征在于,
    所述收发单元,还用于接收来自所述密钥代理的第三配置信息,所述第三配置信 息用于指示以下信息中的至少一种:所述获取密钥的装置的标识,所述获取密钥的装置的连接方式,或与所述获取密钥的装置通信的其他节点的信息。
  76. 根据权利要求75所述的获取密钥的装置,其特征在于,
    所述处理单元,还用于根据所述第三配置信息确定所述获取密钥的装置所在通信域的信息,所述获取密钥的装置所在的通信域的信息用于指示以下信息中的至少一项:所述获取密钥的装置所在的通信域的标识,所述获取密钥的装置所在的通信域中节点的通信方式,所述获取密钥的装置与所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的节点的连接方式,所述获取密钥的装置所在的通信域中除所述获取密钥的装置之外的其他节点的信息,或构建所述获取密钥的装置所在的通信域的密钥的密钥信息。
  77. 一种计算机可读介质,其上存储有计算机程序或指令,其特征在于,所述计算机程序或指令被执行时使得计算机执行如权利要求1至14中任一项所述的方法,或者如权利要求15至30中任一项所述的方法,或者如权利要求31至38中任一项所述的方法。
  78. 一种计算机程序产品,所述计算机程序产品中包括计算机程序代码,其特征在于,当所述计算机程序代码在计算机上运行时,使得计算机实现权利要求1至14中任一项所述的方法,或者实现权利要求15至30中任一项所述的方法,或者实现权利要求31至38中任一项所述的方法。
  79. 一种密钥管理系统,其特征在于,所述密钥管理系统包括:密钥服务器和第一节点,所述密钥服务器用于实现权利要求1至14中任一项所述的方法,所述第一节点用于实现权利要求15至30中任一项所述的方法。
  80. 根据权利要求79所述的密钥管理系统,其特征在于,所述密钥管理系统还包括第二节点,所述第二节点用于实现权要要求31至38中任一项所述的方法。
PCT/CN2021/078283 2021-02-26 2021-02-26 获取密钥的方法、装置及密钥管理系统 WO2022178871A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/CN2021/078283 WO2022178871A1 (zh) 2021-02-26 2021-02-26 获取密钥的方法、装置及密钥管理系统
EP21927307.5A EP4290790A4 (en) 2021-02-26 2021-02-26 KEY ACQUISITION METHOD AND APPARATUS AND KEY MANAGEMENT SYSTEM
CN202180000702.8A CN113056898B (zh) 2021-02-26 2021-02-26 获取密钥的方法、装置及密钥管理系统

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/078283 WO2022178871A1 (zh) 2021-02-26 2021-02-26 获取密钥的方法、装置及密钥管理系统

Publications (1)

Publication Number Publication Date
WO2022178871A1 true WO2022178871A1 (zh) 2022-09-01

Family

ID=76518632

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/078283 WO2022178871A1 (zh) 2021-02-26 2021-02-26 获取密钥的方法、装置及密钥管理系统

Country Status (3)

Country Link
EP (1) EP4290790A4 (zh)
CN (1) CN113056898B (zh)
WO (1) WO2022178871A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240146705A1 (en) * 2022-10-26 2024-05-02 Cisco Technology, Inc. Reducing bluetooth connection latency using selective gatt cache requests
EP4387285A1 (en) * 2022-12-13 2024-06-19 Infineon Technologies AG Key indication protocol
WO2024193004A1 (zh) * 2023-03-20 2024-09-26 一汽奔腾轿车有限公司 一种远程加密信息测试验证系统及方法

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023000313A1 (zh) * 2021-07-23 2023-01-26 华为技术有限公司 一种密钥验证方法及相关装置
JP2024533559A (ja) * 2021-09-18 2024-09-12 華為技術有限公司 鍵伝送方法及び装置
CN114338141A (zh) * 2021-12-27 2022-04-12 中国电信股份有限公司 通信密钥处理方法、装置、非易失性存储介质及处理器
CN114301606B (zh) * 2021-12-31 2023-07-21 北京三快在线科技有限公司 无人设备密钥管理系统、方法、装置、设备及存储介质
TWI795256B (zh) * 2022-03-31 2023-03-01 穎利科研國際事業有限公司 車聯網資安防護系統
CN116567579B (zh) * 2023-07-07 2023-10-20 一汽解放汽车有限公司 一种车载终端数据灌装方法及系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106658493A (zh) * 2016-10-17 2017-05-10 东软集团股份有限公司 密钥管理方法、装置和系统
CN110943957A (zh) * 2018-09-21 2020-03-31 郑州信大捷安信息技术股份有限公司 一种车内网安全通信系统及方法
CN111147260A (zh) * 2019-12-26 2020-05-12 国汽(北京)智能网联汽车研究院有限公司 一种车辆密钥生成及发行方法、装置
US20200348924A1 (en) * 2018-01-25 2020-11-05 Lg Electronics Inc. Vehicular update system and control method thereof

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9213169D0 (en) * 1992-06-22 1992-08-05 Ncr Int Inc Cryptographic key management apparatus and method
JP4346413B2 (ja) * 2002-12-19 2009-10-21 株式会社バッファロー 暗号鍵設定システム、アクセスポイント、および、暗号鍵設定方法
CN100362785C (zh) * 2003-05-29 2008-01-16 华为技术有限公司 一种共享密钥更新的方法
CN101674179B (zh) * 2009-10-10 2011-06-01 西安西电捷通无线网络通信股份有限公司 一种传感器网络密钥预分发与密钥建立方法
CN102131191A (zh) * 2010-01-15 2011-07-20 中兴通讯股份有限公司 实现密钥映射的方法及认证服务器、终端、系统
US9698979B2 (en) * 2011-04-15 2017-07-04 Quintessencelabs Pty Ltd. QKD key management system
SG10201705960QA (en) * 2017-07-20 2019-02-27 Huawei Int Pte Ltd System and method for managing secure communications between modules in a controller area network
CN110545252B (zh) * 2018-05-29 2021-10-22 华为技术有限公司 一种认证和信息保护的方法、终端、控制功能实体及应用服务器
US10764291B2 (en) * 2018-09-04 2020-09-01 International Business Machines Corporation Controlling access between nodes by a key server
CN111010411B (zh) * 2020-03-11 2020-08-11 北京信安世纪科技股份有限公司 通信的方法、装置、路边设备、车辆和存储介质

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106658493A (zh) * 2016-10-17 2017-05-10 东软集团股份有限公司 密钥管理方法、装置和系统
US20200348924A1 (en) * 2018-01-25 2020-11-05 Lg Electronics Inc. Vehicular update system and control method thereof
CN110943957A (zh) * 2018-09-21 2020-03-31 郑州信大捷安信息技术股份有限公司 一种车内网安全通信系统及方法
CN111147260A (zh) * 2019-12-26 2020-05-12 国汽(北京)智能网联汽车研究院有限公司 一种车辆密钥生成及发行方法、装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP4290790A4 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240146705A1 (en) * 2022-10-26 2024-05-02 Cisco Technology, Inc. Reducing bluetooth connection latency using selective gatt cache requests
EP4387285A1 (en) * 2022-12-13 2024-06-19 Infineon Technologies AG Key indication protocol
WO2024193004A1 (zh) * 2023-03-20 2024-09-26 一汽奔腾轿车有限公司 一种远程加密信息测试验证系统及方法

Also Published As

Publication number Publication date
EP4290790A4 (en) 2024-03-20
EP4290790A1 (en) 2023-12-13
CN113056898A (zh) 2021-06-29
CN113056898B (zh) 2022-08-09

Similar Documents

Publication Publication Date Title
WO2022178871A1 (zh) 获取密钥的方法、装置及密钥管理系统
EP3759885B1 (en) Broker-based bus protocol and multi-client architecture
EP3742696B1 (en) Identity management method, equipment, communication network, and storage medium
US9473496B2 (en) Dynamically mapping network trust relationships
US20190173951A1 (en) Vehicle communication using publish-subscribe messaging protocol
CN111799867B (zh) 一种充电设备与充电管理平台间的互信认证方法及系统
US10200353B2 (en) End-to-end M2M service layer sessions
US11917018B2 (en) Broker-based bus protocol and multi-client architecture
US9313172B1 (en) Providing access to remote networks via external endpoints
KR20190095963A (ko) 서비스 지향 아키텍처에 기초하는 집중식 서비스 ecu를 구현하도록 구성된 관련 디바이스들을 갖는 특별히 프로그래밍된 컴퓨팅 시스템들 및 그 사용 방법들
CN109756450A (zh) 一种物联网通信的方法、装置和系统
JP2020517144A (ja) V2x通信装置、及びそのデータ通信方法
KR20190013964A (ko) IoT 디바이스 접속, 발견 및 네트워킹
CN107534658A (zh) 使用公钥机制在服务层的端对端认证
CN103036784A (zh) 用于自组织二层企业网络架构的方法和装置
CN112491533B (zh) 一种密钥生成方法及装置
US20130091352A1 (en) Techniques to Classify Virtual Private Network Traffic Based on Identity
US20160218939A1 (en) Distributed multi-site cloud deployment
CN116405193A (zh) 一种证书申请方法及设备
CN112913209A (zh) 一种服务授权管理方法及装置
EP4092957A1 (en) Secure and trusted peer-to-peer offline communication systems and methods
WO2021237753A1 (zh) 通信方法及装置
CN114915942A (zh) 通信密钥配置方法及装置
WO2019201257A1 (zh) 一种设备到任意d2x通信的方法、装置及存储介质
Han et al. Enhancing security and robustness of Cyphal on Controller Area Network in unmanned aerial vehicle environments

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 2021927307

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2021927307

Country of ref document: EP

Effective date: 20230906

NENP Non-entry into the national phase

Ref country code: DE