WO2024055303A1 - Key management method, key usage apparatus and key management apparatus - Google Patents

Key management method, key usage apparatus and key management apparatus Download PDF

Info

Publication number
WO2024055303A1
WO2024055303A1 PCT/CN2022/119399 CN2022119399W WO2024055303A1 WO 2024055303 A1 WO2024055303 A1 WO 2024055303A1 CN 2022119399 W CN2022119399 W CN 2022119399W WO 2024055303 A1 WO2024055303 A1 WO 2024055303A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
area
location
management device
information
Prior art date
Application number
PCT/CN2022/119399
Other languages
French (fr)
Chinese (zh)
Inventor
彭建芬
郭志鹏
刘自友
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2022/119399 priority Critical patent/WO2024055303A1/en
Priority to CN202280062770.1A priority patent/CN118056376A/en
Publication of WO2024055303A1 publication Critical patent/WO2024055303A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present application relates to the technical fields of intelligent transportation and intelligent driving, and in particular to a key management method, usage device and management device.
  • V2X Vehicle to Everything
  • V2X communication can help autonomous driving achieve lane-level assisted driving, mainly by sending its own location information between vehicles. For example, vehicle position information is broadcast through V2X, so that other vehicles that can obtain V2X messages can determine the position with other vehicles, and realize forward collision warning, blind spot assistance, lane change assistance, emergency braking warning, reverse overtaking warning, etc. function.
  • V2X In a V2X scenario, vehicles need to broadcast their own location information at any time and record the trajectory changes of the vehicle based on a certain reference point. This location information needs to be encrypted and protected. At the same time, vehicle historical trajectory information belongs to users’ personal privacy data. In order to prevent malicious vehicles from intentionally monitoring and collecting the broadcast information of surrounding vehicles to obtain sensitive data such as continuous coordinates, the sensitive data in the V2X message or the V2X message needs to be encrypted and protected. How to reduce the impact caused by key leakage and improve the security of keys has become an urgent problem to be solved.
  • a key management method, usage device and management device are proposed, which can improve the security of the key.
  • embodiments of the present application provide a key management method, which method is applied to a key using device.
  • the method includes: determining the location of the key using device; and obtaining at least A key, the at least one key is allocated to a key using device located in the first area, the location is located in the first area, the at least one key includes the first key; using the The first key.
  • the key corresponds to the region, and the keys used in different regions are different. This reduces the coverage of the same key to one region, which not only reduces the usage range and number of uses of the same key, In addition, when the key of one area is leaked, it will not affect the security of the keys of other areas, thereby reducing the impact caused by the leakage of the key of one area and improving the security of the key.
  • obtaining at least one key according to the location includes: sending location information indicating the location to a key management device; receiving a response to the key management device from the key management device. the at least one key for the location information.
  • the key using device can apply to the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the first area when the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area and improving the security of the key.
  • the location information is identification information of the first area; obtaining at least one key according to the location further includes: based on the location and a preset area division method , determine the first area.
  • the key usage device calculates the identification information, which can effectively reduce the workload of the key management device.
  • the method further includes: receiving a message including the at least one key from a key management device; and obtaining the at least one key according to the location includes: according to the location, It is determined not to discard the at least one key.
  • the key management device may send at least one key corresponding to the first region to the key usage device in the first region.
  • the coverage of the key is reduced to the first area.
  • the key When the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area. , which improves the security of the key; on the other hand, it saves communication resources.
  • the at least one key is a plurality of keys
  • the method further includes: selecting the first key from the plurality of keys; using the first key Keying includes using the first key as an encryption key.
  • the same area corresponds to multiple keys, which can reduce the number of key uses, thereby reducing the risk of key leakage and further improving the security of the key.
  • the selection is random selection, weighted random selection or rotating selection.
  • the at least one key is a plurality of keys
  • the method further includes: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key; Obtaining a key parameter, the key parameter indicating the first key; using the first key includes: selecting the first key from the plurality of keys according to the key parameter The key serves as the decryption key for the ciphertext.
  • the at least one key is a plurality of keys
  • the method further includes: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key; Decrypting the ciphertext by traversing the use of the plurality of keys determines that the first key can successfully decrypt the ciphertext; the use of the first key includes: decrypting the ciphertext from the plurality of keys Select the first key as the decryption key of the ciphertext.
  • the key using device can reduce the amount of data carried when interacting with the first device and save communication resources.
  • the first area is divided based on at least one of the following methods: area division based on regular graphics or irregular graphics; area division based on administrative areas; area division based on road grades; Divide areas based on the autonomous driving levels supported by roads; divide areas based on commercial areas.
  • the boundary of the first area is dynamically set.
  • obtaining at least one key according to the location includes:
  • the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations: the key using device is encrypted The key management device registers; the area where the key using device is located changes; the currently saved key expires; the time interval between the current moment and the last time the key was obtained reaches the first update threshold; the currently saved key is used The key cannot successfully decrypt the received data.
  • the method further includes: obtaining a preset second key; when the second preset condition is met, using the second key; wherein the second preset key Assume that the conditions include at least one of the following situations: the key using device is located in a transition area; the key using device is located in a specific area; the key using device does not obtain the at least one key; the at least One key has expired and failed to be updated; the key using device cannot successfully decrypt the received data using the at least one key; the key using device cannot communicate with the key management device.
  • the number of the at least one key is related to at least one of the following: the area of the first area; the number of key using devices in the first area; The level of the first area; the update frequency of the at least one key.
  • the number of at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the method further includes: when registering on the key management device, obtaining third key information from the key management device, the third key information being used for subsequent The message received from the key management device is decrypted.
  • the use scope of the key can be limited to registered key using devices, so that unregistered key using devices cannot obtain the key provided by the key management device, thereby further improving key security.
  • embodiments of the present application provide a key management method.
  • the method is applied to a key management device.
  • the method includes: obtaining multiple preset areas through area division.
  • the multiple preset areas are The method includes a first area; generating at least one key corresponding to the first area; and sending the at least one key to a key using device in the first area.
  • the method before sending the at least one key to the key usage device in the first area, the method further includes: receiving from the key usage device a message indicating the Location information of the location of the key using device; based on the location information, the at least one key is allocated to the key using device for use.
  • the location information is identification information of the first area or geographical coordinate information of the key using device.
  • sending the at least one key to the key usage device in the first area includes:
  • a message including the at least one key is sent within the first area.
  • the at least one key is multiple keys, and the method further includes:
  • a plurality of key parameters corresponding to the plurality of keys are sent to the key using device.
  • the area division is based on at least one of the following ways:
  • the boundary of the first area is dynamically set.
  • the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
  • the key usage device is registered with the key management device
  • the key using device enters the first area from an area other than the first area;
  • the time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold
  • the key using device requests an update of the key corresponding to the first area.
  • the method further includes:
  • the key usage device is located in the transition area
  • the key usage device is located in a specific area
  • the key using device has not obtained the at least one key
  • the at least one key expires and the update fails
  • the key using device is unable to successfully decrypt the received data using the at least one key.
  • the key using device is unable to communicate with the key management device.
  • the number of the at least one key is related to at least one of the following:
  • the number of key using devices in the first area is the number of key using devices in the first area
  • the level of the first area is the level of the first area
  • the update frequency of the at least one key is the update frequency of the at least one key.
  • the number of the at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the method further includes:
  • third key information is sent to the key using device, and the third key information is used for subsequent processing by the key management device to the key using device.
  • the message is decrypted.
  • a key usage device which includes:
  • a first determination module used to determine the location of the key using device
  • a first acquisition module configured to acquire at least one key according to the location, the at least one key being allocated to a key using device located in the first area, and the location being located in the first area,
  • the at least one key includes a first key
  • the first usage module is used to use the first key.
  • the first acquisition module is also used to:
  • the at least one key responsive to the location information is received from the key management device.
  • the location information is the identification information of the first area
  • the first acquisition module is also used to:
  • the first area is determined according to the location and a preset area division method.
  • the device further includes:
  • a first receiving module configured to receive a message including the at least one key from the key management device
  • the first acquisition module is also used to:
  • the at least one key is multiple keys
  • the device further includes:
  • a first selection module configured to select the first key from the plurality of keys
  • the first using module is also configured to use the first key as an encryption key.
  • the selection is random selection, weighted random selection or rotating selection.
  • the at least one key is multiple keys
  • the device further includes:
  • a second receiving module configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key
  • a second acquisition module configured to acquire key parameters, where the key parameters indicate the first key
  • the first usage module is also used for:
  • the first key is selected from the plurality of keys as the decryption key of the ciphertext.
  • the at least one key is multiple keys
  • the device further includes:
  • a third receiving module configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key
  • a traversal module configured to decrypt the ciphertext using the plurality of keys through traversal, and determine that the first key can successfully decrypt the ciphertext
  • the first usage module is also used for:
  • the first key is selected from the plurality of keys as the decryption key of the ciphertext.
  • the first area is divided based on at least one of the following methods:
  • the boundary of the first area is dynamically set.
  • the first acquisition module is also used to:
  • the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations:
  • the key using device is registered with the key management device
  • the area where the key using device is located changes
  • the time interval between the current moment and the last time the key was obtained reaches the first update threshold
  • the received data could not be successfully decrypted using the currently saved key.
  • the device further includes:
  • the third acquisition module is used to acquire the preset second key
  • the second use module is used to use the second key when the second preset condition is met;.
  • the second preset condition includes at least one of the following situations:
  • the key usage device is located in the transition area
  • the key usage device is located in a specific area
  • the key using device has not obtained the at least one key
  • the at least one key expires and the update fails
  • the key using device is unable to successfully decrypt the received data using the at least one key.
  • the key using device is unable to communicate with the key management device.
  • the number of the at least one key is related to at least one of the following:
  • the number of key using devices in the first area is the number of key using devices in the first area
  • the level of the first area is the level of the first area
  • the update frequency of the at least one key is the update frequency of the at least one key.
  • the number of at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the device further includes:
  • the fourth acquisition module is used to obtain third key information from the key management device when registering on the key management device.
  • the third key information is used for subsequent reception from the key management device.
  • the incoming message is decrypted.
  • a key management device which includes:
  • a dividing module configured to obtain multiple preset areas through area division, where the multiple preset areas include a first area
  • a first generation module configured to generate at least one key corresponding to the first area
  • the first sending module is configured to send the at least one key to the key using device in the first area.
  • the device further includes:
  • a first receiving module configured to receive location information indicating the location of the key using device from the key using device
  • a first allocation module configured to allocate the at least one key to the key using device based on the location information.
  • the location information is identification information of the first area or geographical coordinate information of the key using device.
  • the first sending module is also used to:
  • a message including the at least one key is sent within the first area.
  • the at least one key is multiple keys
  • the device further includes:
  • the second sending module is configured to send a plurality of key parameters corresponding to the plurality of keys to the key using device.
  • the area division is based on at least one of the following ways:
  • the boundary of the first area is dynamically set.
  • the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
  • the key usage device is registered with the key management device
  • the key using device enters the first area from an area other than the first area;
  • the time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold
  • the key using device requests an update of the key corresponding to the first area.
  • the device further includes:
  • a third sending module configured to send a second key to the key using device, where the second key is used by the key using device in at least one of the following situations:
  • the key usage device is located in the transition area
  • the key usage device is located in a specific area
  • the key using device has not obtained the at least one key
  • the at least one key expires and the update fails
  • the key using device cannot successfully decrypt the received data using the at least one key
  • the key using device cannot communicate with the key management device.
  • the number of the at least one key is related to at least one of the following:
  • the number of key using devices in the first area is the number of key using devices in the first area
  • the level of the first area is the level of the first area
  • the update frequency of the at least one key is the update frequency of the at least one key.
  • the number of at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the device further includes:
  • the fourth sending module is configured to send third key information to the key using device when the key using device is registered.
  • the third key information is used to subsequently send the key information to the key using device.
  • the key is used to decrypt the message sent by the device.
  • embodiments of the present application provide a key usage device that can perform key management in one or more of the first aspect or multiple possible implementations of the first aspect. method.
  • embodiments of the present application provide a key management device that can perform key management in one or more of the above-mentioned second aspects or multiple possible implementations of the second aspect. method.
  • embodiments of the present application provide a key management system, which may include the key using device described in the fifth aspect, and the key management device described in the sixth aspect.
  • embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored.
  • the computer program instructions are executed by a processor, the above-mentioned first aspect or aspects are implemented.
  • One or more key management methods are implemented.
  • embodiments of the present application provide a computer program product, including a computer readable code, or a non-volatile computer readable storage medium carrying the computer readable code, when the computer readable code is stored electronically
  • the processor in the electronic device executes one or more of the key usage methods of the first aspect or multiple possible implementations of the first aspect, or, the processor in the electronic device
  • the processor executes one or more of the key management methods of the above-mentioned second aspect or multiple possible implementations of the second aspect.
  • embodiments of the present application provide a vehicle, including the key usage device described in the fifth aspect, and/or the key management device described in the sixth aspect.
  • Figure 1 shows a schematic structural diagram of an application scenario key management system provided by an embodiment of the present application.
  • Figure 2 shows a flow chart of the key management method provided by the embodiment of the present application.
  • Figure 3 shows a schematic diagram of area division provided by the embodiment of the present application.
  • Figure 4 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
  • Figure 5 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
  • Figure 6 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
  • Figure 7 shows a schematic diagram of area division provided by the embodiment of the present application.
  • Figure 8 shows a schematic diagram of the division of specific areas in the embodiment of the present application.
  • Figure 9 shows a block diagram of a key usage device provided by an embodiment of the present application.
  • Figure 10 shows a block diagram of a key management device provided by an embodiment of the present application.
  • Figure 11 shows a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • exemplary means "serving as an example, example, or illustrative.” Any embodiment described herein as “exemplary” is not necessarily to be construed as superior or superior to other embodiments.
  • Figure 1 shows a schematic structural diagram of an application scenario key management system provided by an embodiment of the present application.
  • the system includes: a key usage device 101 and a key management device 102.
  • the key usage device 101 and the key management device 102 can communicate through the network.
  • the key management device 102 can generate keys corresponding to each region, and the key using device 101 can use the keys corresponding to the region where it is located.
  • the key using device 101 may be an electronic device with communication capabilities and data encryption and decryption capabilities.
  • the key usage device 101 may be (or be deployed in) a vehicle with a vehicle communication unit (Telematics box, T-box), a roadside unit (Road Side Unit, RSU), or other terminal equipment.
  • vehicle communication unit Telematics box, T-box
  • RSU Roadside Unit
  • the key management device 102 may be an electronic device with key generation capabilities, may be (or be deployed on) a physical device such as a host, a frame server, a blade server, etc., or may be a virtual device. Devices such as virtual machines, containers, etc.
  • the key management device 102 can be deployed in the cloud, in an RSU, or in a vehicle, and the embodiments of this application are not limited to this.
  • key management device 102 may also have distribution capabilities.
  • the key management device 102 may directly distribute the generated key to the key usage device 101 .
  • the key management device 102 may distribute the generated key to the key usage device 101 through a distribution device (eg, a gateway or a router, etc.).
  • the key usage device 101 can be deployed in a vehicle, and the key management device 102 can be deployed in the cloud; or the key usage device 101 and the key management device 102 can be deployed in different vehicles; or the key management device 102 can be deployed in a different vehicle.
  • the key usage device 101 and the key management device 102 are deployed in the same vehicle; or the key usage device 101 is deployed in the RSU and the key management device 102 is deployed in the cloud, which is not limited in this embodiment of the present application.
  • Figure 2 shows a flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the key using device shown in Figure 1. As shown in Figure 2, the method may include:
  • Step S401 Determine the location of the key using device.
  • the key usage device is located in the first area, and the first area can be any preset area.
  • the first area is divided based on at least one of the following methods: area division based on regular graphics or irregular graphics; area division based on administrative areas; area division based on road grades; The regions are divided based on the supported autonomous driving levels; the regions are divided based on commercial areas.
  • regular graphics include but are not limited to rectangles, trapezoids, triangles, etc.
  • Administrative regions include but are not limited to provinces, cities, counties and streets.
  • Road grades include but are not limited to national highways, provincial highways, altitude and autonomous driving lanes, etc.
  • the autonomous driving levels supported by roads include but are not limited to pure manual driving (L0), driving automation (L1), assisted driving (L2), automatic assisted driving (L3), automatic driving (L4) and driverless driving (L5).
  • Commercial areas include but are not limited to parking lots, shopping malls, supermarkets and wholesale markets.
  • Figure 3 shows a schematic diagram of area division provided by the embodiment of the present application. As shown in Figure 3, 9 preset areas are obtained through area division, which are the 0th preset area, the 1st preset area, ... and the 8th preset area. Based on the position (x, y) of the key using device and Formula 1, the identification information Zoneid of the first zone can be obtained.
  • x is the longitude geodetic distance (in meters) between the position of the key usage device and the geographic location coordinate (0,0) in the WGS84/GCJ-02 coordinate system
  • y is the dimensional geodetic distance (in meters) between the position of the key usage device and the geographic location coordinate (0,0) in the WGS84/GCJ-02 coordinate system
  • L represents the length of the preset area
  • W represents the width of the preset area.
  • the values of L and W can be the same or different. In one example, the values of L and W can be 100 kilometers or 500 kilometers, etc.
  • Nx represents the number of preset areas divided in the latitudinal direction
  • Ny represents the number of preset areas divided in the longitude direction.
  • the values of Nx and Ny can be the same or different. For example, the values of Nx and Ny in Figure 3 are both 3.
  • Floor is a rounding-down operation
  • Mod is a modulo operation.
  • the boundary of the first area is dynamically set. In other words, the boundary of the first area can be changed. This way, flexibility can be increased.
  • Step S402 Obtain at least one key according to the location, and the at least one key includes the first key.
  • the at least one key is assigned to a key using device located in the first area. That is to say, the keys available to the key using device located in the first area are the same.
  • the key distribution method will be explained in detail later and will not be repeated here.
  • the first key may represent a key to be used by the key using device.
  • the key using device may determine the key as the first key.
  • the key using device may determine the first key from the plurality of keys.
  • the method of selecting the first key is also different depending on the usage of the first key. The method of selecting the first key will be explained in step S403 and will not be described again here.
  • the same area corresponds to multiple keys, which can reduce the number of key uses, thereby reducing the risk of key leakage and further improving the security of the key.
  • step S402 may include: when the first preset condition is met, obtaining the at least one key according to the location.
  • the first preset condition includes at least one of the following situations: the key using device is registered with the key management device; the area where the key using device is located changes; the currently saved key expires; The time interval between the current moment and the last time the key was obtained reaches the first update threshold; the received data cannot be successfully decrypted using the currently saved key.
  • the key using device may obtain the key when the key management device registers. In this way, the key using device can use the key immediately after registration without waiting, which is beneficial to improving business efficiency.
  • the key using device can register with the key management device only after completing the payment.
  • the paid key-using device such as a vehicle
  • the first key and the second key to be introduced later
  • the key using device can reacquire the key when the area it is located in changes.
  • keys are distributed according to regions. When the region where the key using device is located changes, the keys that can be used by the key using device also change accordingly. At this time, the key needs to be obtained again. key. In this way, the matching degree of the key can be improved and the decryption success rate can be improved.
  • the key using device can re-obtain the key when the currently saved key expires. It is understandable that as the existence time of the key increases, the possibility of the key being cracked increases accordingly, and the security of the key decreases accordingly. Therefore, in the embodiment of the present application, a validity period is set for the key so that when the key expires, the key using device can re-obtain the key, thus improving the security of the key.
  • the key using device may re-obtain the key when the time interval between the current time and the last time the key was obtained reaches the first update threshold.
  • the time interval between the previous moment and the last time the key was obtained reaches the first update threshold, it indicates that the key has not been updated for a long time, and the risk of the key being cracked or leaked is high, so the key needs to be obtained in order to Improve security.
  • the first update threshold can be set as needed, for example, it can be set to 1 hour or 1 day.
  • the first update threshold may be determined based on the area of the first area or the number of key using devices in the first area. For example, the larger the area of the first area, the smaller the value of the first update threshold (that is, the greater the update frequency), and the greater the number of key using devices in the first area, the smaller the value of the first update threshold. Small (that is, the greater the update frequency).
  • the key using device re-obtains the key when the received data cannot be successfully decrypted using the currently saved key. If the key using device cannot successfully decrypt the received data using the currently saved key, it indicates that the current key is incorrect. In order not to affect the business, the key needs to be obtained again.
  • the update times of keys in different areas can be different, thereby reducing the pressure on the key management device during key update.
  • first preset conditions are only exemplary first preset conditions and are not used to limit the first preset conditions.
  • the embodiment of the present application can also obtain the at least one key according to the location in other circumstances.
  • Step S403 use the first key.
  • the key using device may use the first key for encryption or the first key for decryption.
  • the at least one key can be used for first location information, vehicle driving information or service content information. That is to say, in the embodiment of the present application, the first key can be used to encrypt the first location information, vehicle driving information or service content information, or the first key can be used to encrypt the first location information, vehicle driving information and so on. Decrypt the information or service content information.
  • the first key can also be used to encrypt the message containing the first location information, vehicle driving information or service content information, or the first key can be used to encrypt the message containing the first location information. , vehicle driving information or service content information.
  • the above are only illustrative examples, and at least one key can also be used to encrypt and decrypt other data or messages, which is not limited by the embodiments of this application.
  • key using device A and key using device B are located in the same area, at this time, at least one key obtained by key using device A and key using device B is the same.
  • the first key used when the key using device A sends the V2X message to the key using device B and the first key used when the key using device B sends the V2X message to the key using device A may be the same or different.
  • key using device A and key using device B have obtained key 1, key 2 and key 3.
  • key using device A sends a V2X message to key using device B key 1 is randomly selected for encryption.
  • key using device B sends a V2X message to key using device A
  • key 2 is randomly selected for encryption.
  • the at least one key is a plurality of keys
  • the method may further include: selecting the first key from the plurality of keys.
  • Step S403 may include using the first key as an encryption key.
  • the selection may be random selection, weighted random selection or rotation selection.
  • the key using device randomly selects a key from a plurality of keys as the first key.
  • the key using device may randomly select a key from a plurality of keys as the first key.
  • the weighting coefficient of a key can be determined based on the number of times the key has been used.
  • the weighting factor of a key is inversely proportional to the number of times the key has been used. That is to say, the more times a key has been used, the lower the weighting coefficient of the key, and the less likely the key is to be selected; the less the number of times a key has been used, the lower the weighting coefficient of the key.
  • the higher the weighting factor the more likely the key is to be selected. In this way, the number of uses of each key can be balanced and the impact caused by key leakage can be reduced.
  • the key usage device may rotate multiple keys as the first key.
  • the key using device can change the first key every once in a while, or change the first key every time it moves a certain distance.
  • the key using device can replace the first key according to the speed of the vehicle. When the speed of the vehicle is 0, the first key may not be rotated, or the rotation time may be extended.
  • the at least one key is a plurality of keys
  • the method may further include: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key ; Obtain a key parameter indicating the first key.
  • Step S403 may include: selecting the first key from the plurality of keys as the decryption key of the ciphertext according to the key parameter.
  • the first device may be a key management device, or other devices such as vehicles, RSUs, and portable terminals.
  • the embodiments of this application do not limit the first device.
  • the key using device sends multiple key parameters corresponding to the multiple keys.
  • the key using device can obtain the key parameters of each key at the same time.
  • the key using device can find the key parameter corresponding to the ciphertext, find the first key, and then use the first key to decrypt the ciphertext. In this way, the speed of determining the first key can be increased and the decryption efficiency can be improved.
  • the key parameter can be the id of the key or the derivation time of the key.
  • the at least one key is multiple keys
  • the method may further include: receiving ciphertext from the first device, where the ciphertext is encrypted according to the first key; by The ciphertext is decrypted by traversing and using the multiple keys, and it is determined that the first key can successfully decrypt the ciphertext.
  • Step S403 may include: selecting the first key from the plurality of keys as the decryption key of the ciphertext.
  • the key using device can reduce the amount of data carried when interacting with the first device and save communication resources.
  • the key corresponds to the region, and the keys used in different regions are different. This reduces the coverage of the same key to one region, which not only reduces the usage range and number of uses of the same key, In addition, when the key of one area is leaked, it will not affect the security of the keys of other areas, thereby reducing the impact caused by the leakage of the key of one area and improving the security of the key.
  • the key management device can obtain multiple preset areas through area division, generate at least one key corresponding to the first area, and send the key usage device in the first area. At least one key.
  • the first area may represent any preset area among multiple preset areas. Other preset areas can refer to the first area, which will not be described again here.
  • the key management device sending at least one key to the key usage device in the first area may be triggered by at least one of the following: the key usage device The device registers; the key using device enters the first area from an area other than the first area; the current key corresponding to the first area expires; the current moment is the same as the last time the key was used. The time interval between the moments when the device sends the key reaches the first update threshold; the key using device requests to update the key corresponding to the first area.
  • the key management device may send the key to the key usage device based on the received location information.
  • Figure 4 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 4, the method may include:
  • Step S501 The key management device obtains multiple preset areas through area division.
  • the multiple preset areas obtained in this step include the first area.
  • the regional division is based on at least one of the following methods: regional division based on regular graphics or irregular graphics; regional division based on administrative regions; regional division based on road grades; automatic Divide areas based on driving level; divide areas based on commercial areas.
  • step S401 For the specific area division method, please refer to step S401, which will not be described again here.
  • Step S502 The key management device generates at least one key corresponding to the first area.
  • the key management device may generate at least one key corresponding to the first area, at least one of which is assigned to the key using device located in the first area.
  • the number of at least one key corresponding to the first area is related to at least one of the following: the area of the first area; the size of the key using device in the first area. quantity; the level of the first area; the update frequency of the at least one key.
  • the area of the first area When the area of the first area is large, it indicates that there may be more key using devices in the first area, and the same key is more likely to be used by too many key using devices, so it can be the first area. Generate more keys to increase key security. When the area of the first area is small, it indicates that there may be fewer key using devices in the first area, and the same key is less likely to be used by too many key using devices, so it can be generated for the first area. Fewer keys to save key resources and communication overhead.
  • the same key is more likely to be used by too many key using devices. Therefore, more keys can be generated for the first area to improve the key quality. security.
  • the number of key using devices in the first area is small, the same key is less likely to be used by too many key using devices, so fewer keys can be generated for the first area to save passwords. Key resources and communication overhead.
  • the level of the first area is relatively high, for example, when the first area is a national, municipal, national highway, autonomous driving (L4) or unmanned driving (L5), or a commercial area with a large passenger flow, it indicates that there may be There are more key using devices, and the same key is more likely to be used by too many key using devices. Therefore, more keys can be generated for the first area to improve the security of the key.
  • the level of the first area is low, for example, when the first area is a county, street, national highway, driving automation (L1), assisted driving (L2) or a commercial area with small passenger flow, it indicates that there may be With fewer key using devices, the same key is less likely to be used by too many key using devices. Therefore, fewer keys can be generated for the first area to save key resources and communication overhead.
  • the above are only exemplary factors that affect the number of at least one key corresponding to the first area, and do not apply to limit the factors that affect the number of keys.
  • the number of keys can also be related to other factors. This application implements There is no restriction on this.
  • the number of keys can also be set and modified by the user, or it can be set to a fixed value.
  • the update frequency of at least one key can be increased to improve the security of the key.
  • the update frequency of at least one key can be reduced to save computing resources.
  • the number and duration of key usage can be reduced, and key security can be enhanced.
  • the number of at least one key corresponding to the first area may be fixed or dynamically changed. In one example, the number of at least one key corresponding to the first area may be determined based on the area of the first area, such that when the area of the first area is fixed, the number of at least one key corresponding to the first area The number of keys remains unchanged. In yet another example, the number of at least one key corresponding to the first area may be determined based on the number of key using devices in the first area. Since the number of key using devices in the first area changes, therefore The number of at least one key corresponding to the first area will also change accordingly. For example, if the number of key using devices increases, the number of keys will increase accordingly, and if the number of key using devices decreases, the number of keys will decrease accordingly.
  • Step S503 The key using device determines the location of the key using device, and the location is located in the first area.
  • Step S504 The key usage device sends location information indicating the location to the key management device.
  • the location information may be identification information of the first area or geographical coordinate information of the key using device.
  • Step S505 The key management device allocates at least one key corresponding to the first area to the key using device based on the location information.
  • the location information is identification information of the first area.
  • the key using device may first determine the first area based on the location and a preset area division method, and then send the identification information of the first area to the key management device.
  • the key management device may find at least one key corresponding to the first area based on the identification information, and allocate the found at least one key to the key using device for use.
  • the identification information may be a number, a name, a code, etc., which is not limited by the embodiment of the present application.
  • the key usage device calculates the identification information, which can effectively reduce the workload of the key management device.
  • the location information is the geographical coordinate information of the key using device.
  • the key using device may send the geographical coordinate information of the key using device to the key management device.
  • the key management device may determine the first area according to the first coordinate information and a preset area division method, and then allocate at least one key corresponding to the first area to the key using device for use.
  • the key using device Since the preset area division method in the key management device may change, when it changes, the key using device may not be able to update the area division method in time due to some reasons (such as poor network or busy business, etc.), thus As a result, the calculated identification information does not match the actual identification information. In this case, the key obtained by the key using device does not match the first area, causing the key using device to be unable to perform normal V2X communication.
  • the key using device sends geographical coordinate information to the key management device, and the key management device calculates the identification information, which can avoid the problem of the key using device obtaining the wrong key due to changes in the preset area division method.
  • Step S506 The key using device sends the at least one key to the key using device.
  • Step S506 The key using device receives the at least one key from the key management device.
  • Step S507 The key using device uses the first key included in the at least one key.
  • step S402 The process of selecting the first key from at least one key by the key using device and the process of using the first key can refer to step S402 and step S403, which will not be described again here.
  • the key using device can apply to the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key.
  • the first area when the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area and improving the security of the key.
  • the key management device can push the key.
  • Figure 5 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 5, the method may include:
  • Step S601 The key management device obtains multiple preset areas through area division.
  • Step S602 The key management device generates at least one key corresponding to the first area.
  • step S601 and step S602 may refer to step S501 and step S502, which will not be described again here.
  • Step S603 The key management device sends a message including the at least one key in the first area.
  • the key management device can send a message including the at least one key in the first area, so that all key using devices located in the first area can obtain at least one key corresponding to the first area.
  • the key management device may periodically send messages including the at least one key within the first area.
  • the key management device may send a message including the at least one key to the key using device when detecting that a key using device enters the first area. The embodiment of the present application does not limit the timing when the key management device sends a message including the at least one key.
  • Step S604 The key using device receives a message including at least one key from the key management device.
  • Step S605 The key using device determines the location of the key using device, and the location is located in the first area.
  • Step S606 The key using device determines not to discard the at least one key according to the location.
  • the key using device may discard the at least one key if the key using device determines that the location is not located in the first area.
  • a key using device located outside the first area but close to the first area or a key using device that has just left the first area may also receive a message including at least one key corresponding to the first area. Therefore, after receiving the message including the message, the key using device can determine whether to discard the at least one received key according to the location. If the key using device is located in the first area, the key using device does not discard at least one key corresponding to the first area, thereby enabling the key using device to use the key corresponding to the first area. If the key using device is not located in the first area, the key using device will discard at least one key corresponding to the first area, so that the key using device avoids misuse of the key corresponding to the first area.
  • Step S607 The key using device uses the first key included in the at least one key.
  • step S607 please refer to step S607, which will not be described again here.
  • the key management device may send at least one key corresponding to the first region to the key usage device in the first region.
  • the coverage of the key is reduced to the first area.
  • the key When the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area. , which improves the security of the key; on the other hand, it saves communication resources.
  • Figure 6 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 6, the method may include:
  • Step S701 The key management device sends the second key to the key using device.
  • the key management device may send the second key to the key using device when the key using device registers. In this way, as long as the key using device is registered with the key management device, the same second key will be stored therein.
  • the key management device may send a new second key to all registered key using devices after the second key becomes invalid or expires. In this way, the second key can be updated synchronously through all registered key using devices, thereby improving the security of the second key.
  • Step S702 The key using device receives the second key.
  • Step S703 The key using device uses the second key if the second preset condition is met.
  • the second preset condition includes at least one of the following situations: the key using device is located in a transition area; the key using device is located in a specific area; the key using device does not obtain the at least one One key; the at least one key has expired and failed to be updated; the key using device cannot successfully decrypt the received data using the at least one key; the key using device cannot communicate with the key management device communication.
  • the method of using the second key may refer to the method of using the first key, which will not be described again here.
  • the multiple preset areas obtained by the key management device through area division may include transition areas.
  • the transition area may represent a preset area among the plurality of preset areas that can be connected to any other preset area.
  • the second key can be used. In this way, the problem of frequent key updates caused by the key using device frequently crossing regions can be avoided.
  • Figure 7 shows a schematic diagram of area division provided by the embodiment of the present application.
  • 10 preset areas are obtained through area division, which are the 0th preset area, the 1st preset area,... and the 8th preset area, as well as the transition area.
  • the transition area can connect any one of the 0th preset area, the 1st preset area, ... and the 8th preset area.
  • the area can be divided first through Formula 1 to obtain the identification information of each preset area. Then, based on the division result, the boundary area between two adjacent preset areas is set as a transition area, and each boundary area can constitute the final transition area.
  • the preset area divided by Formula 1 is a square, and the distance between adjacent preset areas in the longitude direction and the distance between adjacent preset areas in the latitudinal direction are the same, the location that satisfies any one of the conditions in Formula 2 (x, y) is located in the transition region.
  • the value of M is the same as L
  • the value of Z is half the length of the transition region
  • the value of N is the difference between M and Z.
  • x is greater than 400 and less than 600
  • the position is in the transition area.
  • y is greater than 400 and less than 600
  • the position is in the transition region.
  • the key management device can demarcate a specific area, and the specific area can be an area with poor communication conditions (that is, it is easy to communicate between the key management device and the key using devices in the area). Interruption occurs or even failure to connect) or busy business areas (that is, key-using devices in this area need to use keys frequently).
  • the second key can be used when the key-using device is located in that specific area. In this way, when the key using device determines that the location is located in a specific area, the process of determining whether the location is located in the first area can be omitted and the second key can be used directly. In this way, computing resources can be saved. Especially when the specific area is an area with poor communication conditions, there is no need for the key using device to repeatedly send location information to the key management device to obtain at least one key corresponding to the first area, thus saving a large amount of communication resources.
  • the specific area may overlap with multiple preset areas obtained by the key using device through area division. At this time, the key using device may preferentially use the second key.
  • Figure 8 shows a schematic diagram of the division of specific areas in the embodiment of the present application. As shown in Figure 7, the specific area overlaps with the 0th preset area and the 3rd preset area. , if the key using device is located in both the specific area and the 0th preset area, the key using device can preferentially use the second key.
  • the key using device may use the second key without obtaining at least one key corresponding to the first area.
  • the failure of the key management device to obtain at least one key corresponding to the first area may be due to poor communication conditions. At this time, if it waits for at least one key, the sending of service information may be delayed. In order to reduce the need for service information The effect is that a second key can be used.
  • the key using device may try to use the second key when the received data cannot be successfully decrypted using currently existing keys. Because this situation may be caused by the sender being located in a transition area, a specific area, or unable to obtain at least one key. In this way, the impact on business information can be reduced.
  • the key using device may use the second key when it is unable to communicate with the key management device.
  • the key using device cannot communicate with the key management device, which may cause the key using device to be unable to obtain at least one key corresponding to the first area or to update at least one key corresponding to the first area in a timely manner.
  • the key using device uses the second key, which can increase the probability of successful decryption by the receiving end and reduce the impact on the business information caused by poor communication conditions with the key management device.
  • the key management device may send the third key information to the key using device.
  • the third key information may be used to decrypt subsequent messages sent by the key management device to the key usage device. That is to say, the key using device can use the third key information to decrypt subsequent messages received from the key management device.
  • the third key information may be the key itself (recorded as: third key), or may be a parameter used to generate the third key, which is not limited in this embodiment of the present application.
  • the third key information may be used to decrypt a message from the key management device and including at least one key corresponding to the first area, so as to obtain at least one key corresponding to the first area.
  • the third key information can be used to decrypt a message from the key management device and including the second key, so as to obtain the second key.
  • the received message cannot be decrypted successfully, and at least one key and the second key corresponding to the first area cannot be obtained, thereby improving the security of the key.
  • key protection services can be provided to registered users (such as paid registered users).
  • Figure 9 shows a block diagram of a key usage device provided by an embodiment of the present application.
  • the device 800 may include:
  • the first determination module 801 is used to determine the location of the key using device
  • the first acquisition module 802 is configured to acquire at least one key according to the location.
  • the at least one key is allocated to a key using device located in the first area, and the location is located in the first area.
  • the at least one key includes a first key;
  • the first use module 803 is used to use the first key.
  • the first acquisition module is also used to:
  • the at least one key responsive to the location information is received from the key management device.
  • the location information is the identification information of the first area
  • the first acquisition module is also used to:
  • the first area is determined according to the location and a preset area division method.
  • the device further includes:
  • a first receiving module configured to receive a message including the at least one key from the key management device
  • the first acquisition module is also used to:
  • the at least one key is multiple keys
  • the device further includes:
  • a first selection module configured to select the first key from the plurality of keys
  • the first using module is also configured to use the first key as an encryption key.
  • the selection is random selection, weighted random selection or rotating selection.
  • the at least one key is multiple keys
  • the device further includes:
  • a second receiving module configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key
  • a second acquisition module configured to acquire key parameters, where the key parameters indicate the first key
  • the first usage module is also used for:
  • the first key is selected from the plurality of keys as the decryption key of the ciphertext.
  • the at least one key is multiple keys
  • the device further includes:
  • a third receiving module configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key
  • a traversal module configured to decrypt the ciphertext using the plurality of keys through traversal, and determine that the first key can successfully decrypt the ciphertext
  • the first usage module is also used for:
  • the first key is selected from the plurality of keys as the decryption key of the ciphertext.
  • the first area is divided based on at least one of the following methods:
  • the boundary of the first area is dynamically set.
  • the first acquisition module is also used to:
  • the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations:
  • the key using device is registered with the key management device
  • the area where the key using device is located changes
  • the time interval between the current moment and the last time the key was obtained reaches the first update threshold
  • the received data could not be successfully decrypted using the currently saved key.
  • the device further includes:
  • the third acquisition module is used to acquire the preset second key
  • the second use module is used to use the second key when the second preset condition is met;.
  • the second preset condition includes at least one of the following situations:
  • the key usage device is located in the transition area
  • the key usage device is located in a specific area
  • the key using device has not obtained the at least one key
  • the at least one key expires and the update fails
  • the key using device cannot successfully decrypt the received data using the at least one key
  • the key using device cannot communicate with the key management device.
  • the number of the at least one key is related to at least one of the following:
  • the number of key using devices in the first area is the number of key using devices in the first area
  • the level of the first area is the level of the first area
  • the update frequency of the at least one key is the update frequency of the at least one key.
  • the number of at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the device further includes:
  • the fourth acquisition module is used to obtain third key information from the key management device when registering on the key management device.
  • the third key information is used for subsequent reception from the key management device.
  • the incoming message is decrypted.
  • Figure 10 shows a block diagram of a key management device provided by an embodiment of the present application.
  • the device 900 may include:
  • Division module 901 configured to obtain multiple preset areas through area division, where the multiple preset areas include the first area;
  • a first generation module 902 configured to generate at least one key corresponding to the first area
  • the first sending module 903 is configured to send the at least one key to the key using device in the first area.
  • the device further includes:
  • a first receiving module configured to receive location information indicating the location of the key using device from the key using device
  • a first allocation module configured to allocate the at least one key to the key using device based on the location information.
  • the location information is identification information of the first area or geographical coordinate information of the key using device.
  • the first sending module is also used to:
  • a message including the at least one key is sent within the first area.
  • the at least one key is multiple keys
  • the device further includes:
  • the second sending module is configured to send a plurality of key parameters corresponding to the plurality of keys to the key using device.
  • the area division is based on at least one of the following ways:
  • the boundary of the first area is dynamically set.
  • the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
  • the key usage device is registered with the key management device
  • the key using device enters the first area from an area other than the first area;
  • the time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold
  • the key using device requests an update of the key corresponding to the first area.
  • the device further includes:
  • a third sending module configured to send a second key to the key using device, where the second key is used by the key using device in at least one of the following situations:
  • the key usage device is located in the transition area
  • the key usage device is located in a specific area
  • the key using device has not obtained the at least one key
  • the at least one key expires and the update fails
  • the key using device cannot successfully decrypt the received data using the at least one key
  • the key using device cannot communicate with the key management device.
  • the number of the at least one key is related to at least one of the following:
  • the number of key using devices in the first area is the number of key using devices in the first area
  • the level of the first area is the level of the first area
  • the update frequency of the at least one key is the update frequency of the at least one key.
  • the number of at least one key is fixed or dynamically changed.
  • the at least one key is used for geographical location information, vehicle driving information or service content information.
  • the fourth sending module is configured to send third key information to the key using device when the key using device is registered.
  • the third key information is used to subsequently send the key information to the key using device.
  • the key is used to decrypt the message sent by the device.
  • FIG 11 shows a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • the electronic device may be a key usage device or a key management device.
  • the electronic device can be deployed in terminal devices such as vehicles and RSUs, or in cloud servers.
  • the test device may include at least one processor 301, a memory 302, an input and output device 303 and a bus 304.
  • processor 301 may include at least one processor 301, a memory 302, an input and output device 303 and a bus 304.
  • the processor 301 is the control center of the test device, and may be a processor or a collective name for multiple processing elements.
  • the processor 301 is a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure. , for example: one or more microprocessors (Digital Signal Processor, DSP), or one or more Field Programmable Gate Array (Field Programmable Gate Array, FPGA).
  • DSP Digital Signal Processor
  • FPGA Field Programmable Gate Array
  • the processor 301 can execute various functions of the test device by running or executing software programs stored in the memory 302 and calling data stored in the memory 302 .
  • the processor 301 may include one or more CPUs, such as CPU 0 and CPU 1 shown in the figure.
  • the test device may include multiple processors, such as the processor 301 and the processor 305 shown in FIG. 11 .
  • processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • a processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the memory 302 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (Random Access Memory, RAM) or other types that can store information and instructions. Dynamic storage device, it can also be Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, optical disk storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other medium for access, but not limited to this.
  • the memory 302 may exist independently and be connected to the processor 301 through a bus 304.
  • the memory 302 may also be integrated with the processor 301.
  • the input and output device 303 used to communicate with other devices or communication networks. Such as used to communicate with Ethernet, Radio access network (Radio access network, RAN), Wireless Local Area Networks (Wireless Local Area Networks, WLAN) and other communication networks.
  • the input and output device 303 may include all or part of a baseband processor, and may also optionally include a radio frequency (Radio Frequency, RF) processor.
  • the RF processor is used to send and receive RF signals
  • the baseband processor is used to implement the processing of the baseband signal converted from the RF signal or the baseband signal to be converted into an RF signal.
  • the input and output device 303 may include a transmitter and a receiver.
  • the transmitter is used to send signals to other devices or communication networks
  • the receiver is used to receive signals sent by other devices or communication networks.
  • the transmitter and receiver can exist independently or integrated together.
  • the bus 304 may be an Industry Standard Architecture (Industry Standard Architecture, ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc.
  • ISA Industry Standard Architecture
  • PCI Peripheral Component Interconnect
  • EISA Extended Industry Standard Architecture
  • the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 11, but it does not mean that there is only one bus or one type of bus.
  • the equipment structure shown in Figure 11 does not constitute a limitation of the test device, and may include more or less components than shown, or combine certain components, or arrange different components.
  • An embodiment of the present application also provides a key usage device, including: a processor and a memory used to store instructions executable by the processor; wherein the processor is configured to implement the above method when executing the instructions.
  • An embodiment of the present application also provides a key management device, including: a processor and a memory used to store instructions executable by the processor; wherein the processor is configured to implement the above method when executing the instructions.
  • An embodiment of the present application also provides a key management system, including the above-mentioned key usage device and the above-mentioned key management device.
  • An embodiment of the present application also provides a vehicle, including the above key usage device and/or the above key management device.
  • Embodiments of the present application also provide a non-volatile computer-readable storage medium on which computer program instructions are stored. When the computer program instructions are executed by a processor, the above method is implemented.
  • Embodiments of the present application provide a computer program product, including computer readable code, or a non-volatile computer readable storage medium carrying the computer readable code, when the computer readable code is stored in a processor of an electronic device When running, the processor in the electronic device executes the above method.
  • Computer-readable storage media may be tangible devices that can retain and store instructions for use by an instruction execution device.
  • the computer-readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the above.
  • Non-exhaustive list of computer-readable storage media include: portable computer disks, hard drives, random access memory (RAM), read only memory (ROM), erasable memory Electrically Programmable Read-Only-Memory (EPROM or Flash Memory), Static Random-Access Memory (SRAM), Portable Compact Disc Read-Only Memory (CD) -ROM), Digital Video Disc (DVD), memory stick, floppy disk, mechanical encoding device, such as a punched card or a raised structure in a groove with instructions stored thereon, and any suitable combination of the above .
  • RAM random access memory
  • ROM read only memory
  • EPROM or Flash Memory erasable memory Electrically Programmable Read-Only-Memory
  • SRAM Static Random-Access Memory
  • CD Portable Compact Disc Read-Only Memory
  • DVD Digital Video Disc
  • memory stick floppy disk
  • mechanical encoding device such as a punched card or a raised structure in a groove with instructions stored thereon, and any suitable combination of the above .
  • Computer-readable program instructions or code described herein may be downloaded from a computer-readable storage medium to various computing/processing devices, or to an external computer or external storage device over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network.
  • the network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage on a computer-readable storage medium in the respective computing/processing device .
  • the computer program instructions used to perform the operations of this application can be assembly instructions, instruction set architecture (Instruction Set Architecture, ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, status setting data, or one or more Source code or object code written in any combination of programming languages, including object-oriented programming languages—such as Smalltalk, C++, etc., and conventional procedural programming languages—such as the “C” language or similar programming languages.
  • the computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server implement.
  • the remote computer can be connected to the user's computer through any kind of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or it can be connected to an external computer (such as Use an Internet service provider to connect via the Internet).
  • electronic circuits are customized by utilizing state information of computer-readable program instructions, such as programmable logic circuits, field-programmable gate arrays (Field-Programmable Gate Arrays, FPGAs) or programmable logic arrays (Programmable Logic Array (PLA), the electronic circuit can execute computer-readable program instructions to implement various aspects of the present application.
  • These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus, thereby producing a machine that, when executed by the processor of the computer or other programmable data processing apparatus, , resulting in an apparatus that implements the functions/actions specified in one or more blocks in the flowchart and/or block diagram.
  • These computer-readable program instructions can also be stored in a computer-readable storage medium. These instructions cause the computer, programmable data processing device and/or other equipment to work in a specific manner. Therefore, the computer-readable medium storing the instructions includes An article of manufacture that includes instructions that implement aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
  • Computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other equipment, causing a series of operating steps to be performed on the computer, other programmable data processing apparatus, or other equipment to produce a computer-implemented process. , thereby causing instructions executed on a computer, other programmable data processing apparatus, or other equipment to implement the functions/actions specified in one or more blocks in the flowcharts and/or block diagrams.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions that embody one or more elements for implementing the specified logical function(s).
  • Executable instructions may occur out of the order noted in the figures. For example, two consecutive blocks may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved.
  • each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration can be implemented by hardware (such as circuits or ASICs) that perform the corresponding function or action. Specific Integrated Circuit), or can be implemented with a combination of hardware and software, such as firmware.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The present application relates to a key management method, a key usage apparatus and a key management apparatus; and the present application relates to the technical field of intelligent transportation and intelligent driving. The method is applied to a key usage apparatus. The method comprises: determining the position of a key usage apparatus; acquiring at least one key according to the position, wherein the at least one key is allocated to a key usage apparatus located in a first area, the position is located in the first area, and the at least one key comprises a first key; and using the first key. The key usage apparatus and the key management apparatus can be applied to a vehicle; and the key management method, key usage apparatus and key management apparatus provided in the embodiments of the present application can improve the security of a key.

Description

一种密钥管理方法、使用装置及管理装置A key management method, usage device and management device 技术领域Technical field
本申请涉及智能交通和智能驾驶技术领域,尤其涉及一种密钥管理方法、使用装置及管理装置。The present application relates to the technical fields of intelligent transportation and intelligent driving, and in particular to a key management method, usage device and management device.
背景技术Background technique
随着社会发展,人们对车辆的需求量逐年增加。车辆在给人们提供出行方便的同时,也带来了交通拥堵和交通事故频发等问题。基于此,车联网(Vehicle to Everything,V2X)技术应运而生。车辆可以通过车辆与车辆之间(Vehicle to Vehicle,V2V)通信或者车辆与路边基础设施(Vehicle to Infrastructure,V2I)通信来及时获取道路交通信息、安全预警信息等,从而实现自动驾驶或者辅助驾驶。With the development of society, people's demand for vehicles is increasing year by year. While vehicles provide people with travel convenience, they also bring about problems such as traffic congestion and frequent traffic accidents. Based on this, Vehicle to Everything (V2X) technology emerged as the times require. Vehicles can obtain road traffic information, safety warning information, etc. in a timely manner through vehicle-to-vehicle (V2V) communication or vehicle-to-roadside infrastructure (Vehicle to Infrastructure, V2I) communication to achieve autonomous driving or assisted driving. .
在自动驾驶场景下,V2X通信能够帮助自动驾驶实现车道级辅助驾驶,主要通过车与车之间发送自身的位置信息来实现。比如通过V2X广播车辆位置信息,使其他能够获取到V2X消息的车辆可以判断与他车之间的位置,实现前向碰撞预警、盲区辅助、变道辅助、紧急制动预警以及逆向超车预警等多种功能。In autonomous driving scenarios, V2X communication can help autonomous driving achieve lane-level assisted driving, mainly by sending its own location information between vehicles. For example, vehicle position information is broadcast through V2X, so that other vehicles that can obtain V2X messages can determine the position with other vehicles, and realize forward collision warning, blind spot assistance, lane change assistance, emergency braking warning, reverse overtaking warning, etc. function.
V2X场景下,车辆需要随时广播自身位置信息,以及记录车辆基于某个参考点的轨迹变化,这些位置信息需要加密保护。同时,车辆历史轨迹信息属于用户个人隐私数据。为防止恶意车辆有意监听收集周围车辆的广播信息获得连续坐标等敏感数据,需要对V2X消息中的敏感数据或者V2X消息进行加密保护。如何降低因密钥泄露而造成的影响,提高密钥的安全性,成为当前亟待解决的问题。In a V2X scenario, vehicles need to broadcast their own location information at any time and record the trajectory changes of the vehicle based on a certain reference point. This location information needs to be encrypted and protected. At the same time, vehicle historical trajectory information belongs to users’ personal privacy data. In order to prevent malicious vehicles from intentionally monitoring and collecting the broadcast information of surrounding vehicles to obtain sensitive data such as continuous coordinates, the sensitive data in the V2X message or the V2X message needs to be encrypted and protected. How to reduce the impact caused by key leakage and improve the security of keys has become an urgent problem to be solved.
发明内容Contents of the invention
有鉴于此,提出了一种密钥管理方法、使用装置及管理装置,能够提高密钥的安全性。In view of this, a key management method, usage device and management device are proposed, which can improve the security of the key.
第一方面,本申请的实施例提供了一种密钥管理方法,所述方法应用于密钥使用装置,所述方法包括:确定所述密钥使用装置的位置;根据所述位置,获取至少一个密钥,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的,所述位置位于所述第一区域中,所述至少一个密钥包括第一密钥;使用所述第一密钥。In a first aspect, embodiments of the present application provide a key management method, which method is applied to a key using device. The method includes: determining the location of the key using device; and obtaining at least A key, the at least one key is allocated to a key using device located in the first area, the location is located in the first area, the at least one key includes the first key; using the The first key.
在本申请实施例中,密钥与区域相对应,不同区域所使用的密钥不同,这样将相同密钥的覆盖范围缩小到了一个区域内,既降低了相同密钥的使用范围和使用次数,又使得一个区域的密钥泄露时,不会对其他区域密钥的安全性造成影响,从而降低因一个区域的密钥泄露而造成的影响,提高了密钥的安全性。In the embodiment of this application, the key corresponds to the region, and the keys used in different regions are different. This reduces the coverage of the same key to one region, which not only reduces the usage range and number of uses of the same key, In addition, when the key of one area is leaked, it will not affect the security of the keys of other areas, thereby reducing the impact caused by the leakage of the key of one area and improving the security of the key.
在一种可能的实现方式中,所述根据所述位置,获取至少一个密钥包括:向密钥管理装置发送用于指示所述位置的位置信息;从所述密钥管理装置接收响应于所述位置信息的所述至少一个密钥。In a possible implementation, obtaining at least one key according to the location includes: sending location information indicating the location to a key management device; receiving a response to the key management device from the key management device. the at least one key for the location information.
在本申请实施例中,密钥使用装置可以向密钥管理装置申请对应于第一区域的至少一个密钥,进而使用至少一个密钥中的第一密钥,这样将密钥的覆盖范围缩小到了第一区域,在该密钥泄露时,不会对其他区域的安全性造成影响,从而降低因对应于第一区域的密钥泄露而造成的影响,提高了密钥的安全性。In this embodiment of the present application, the key using device can apply to the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key. In the first area, when the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area and improving the security of the key.
在一种可能的实现方式中,所述位置信息为所述第一区域的标识信息;所述根据所述位置,获取至少一个密钥,还包括:根据所述位置和预设的区域划分方式,确定所述第一区域。In a possible implementation, the location information is identification information of the first area; obtaining at least one key according to the location further includes: based on the location and a preset area division method , determine the first area.
在本申请实施例中,由密钥使用装置计算标识信息,可以有效降低密钥管理装置的工作量。In the embodiment of the present application, the key usage device calculates the identification information, which can effectively reduce the workload of the key management device.
在一种可能的实现方式中,所述方法还包括:从密钥管理装置接收包括所述至少一个密钥的消息;所述根据所述位置,获取至少一个密钥包括:根据所述位置,确定不丢弃所述至少一个密钥。In a possible implementation, the method further includes: receiving a message including the at least one key from a key management device; and obtaining the at least one key according to the location includes: according to the location, It is determined not to discard the at least one key.
在本申请实施例中,密钥管理装置可以向第一区域的密钥使用装置发送对应于第一区域的至少一个密钥。这样,一方面将密钥的覆盖范围缩小到了第一区域,在该密钥泄露时,不会对其他区域的安全性造成影响,从而降低因对应于第一区域的密钥泄露而造成的影响,提高了密钥的安全性;另一方面,节省了通信资源。In this embodiment of the present application, the key management device may send at least one key corresponding to the first region to the key usage device in the first region. In this way, on the one hand, the coverage of the key is reduced to the first area. When the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area. , which improves the security of the key; on the other hand, it saves communication resources.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还包括:从所述多个密钥中选择所述第一密钥;所述使用所述第一密钥包括:使用所述第一密钥作为加密密钥。In a possible implementation, the at least one key is a plurality of keys, and the method further includes: selecting the first key from the plurality of keys; using the first key Keying includes using the first key as an encryption key.
在本申请实施例中,同一个区域对应多个密钥,可以降低密钥使用次数,从而降低密钥泄露风险,进一步提高密钥的安全性。In the embodiment of this application, the same area corresponds to multiple keys, which can reduce the number of key uses, thereby reducing the risk of key leakage and further improving the security of the key.
在一种可能的实现方式中,所述选择为随机选择、加权随机选择或轮换选择。In a possible implementation, the selection is random selection, weighted random selection or rotating selection.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还包括:从第一设备接收密文,所述密文是根据所述第一密钥加密的;获取密钥参数,所述密钥参数指示所述第一密钥;所述使用所述第一密钥包括:根据所述密钥参数,从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。In a possible implementation, the at least one key is a plurality of keys, and the method further includes: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key; Obtaining a key parameter, the key parameter indicating the first key; using the first key includes: selecting the first key from the plurality of keys according to the key parameter The key serves as the decryption key for the ciphertext.
在本申请实施例中,通过设置密钥参数,可以快速确定是否具有匹配的密钥,减少无效解密运算,主动丢弃错误消息,降低密钥使用装置的计算压力。In the embodiment of the present application, by setting key parameters, it is possible to quickly determine whether there is a matching key, reduce invalid decryption operations, actively discard error messages, and reduce the computing pressure of the key using device.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还包括:从第一设备接收密文,所述密文是根据所述第一密钥加密的;通过遍历使用所述多个密钥对所述密文进行解密,确定所述第一密钥能够成功解密所述密文;所述使用所述第一密钥包括:从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。In a possible implementation, the at least one key is a plurality of keys, and the method further includes: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key; Decrypting the ciphertext by traversing the use of the plurality of keys determines that the first key can successfully decrypt the ciphertext; the use of the first key includes: decrypting the ciphertext from the plurality of keys Select the first key as the decryption key of the ciphertext.
这样,密钥使用装置通过遍历多个密钥进行密文解密,可以与第一设备进行交互时携带的数据量,节省通信资源。In this way, by traversing multiple keys to decrypt the ciphertext, the key using device can reduce the amount of data carried when interacting with the first device and save communication resources.
在一种可能的实现方式中,所述第一区域是基于以下至少一种方式划分得到的:基于规则图形或者不规则图形进行区域划分;基于行政区域进行区域划分;基于道路等级进行区域划分;基于道路支持的自动驾驶等级进行区域划分;基于商业区域进行区域划分。In a possible implementation, the first area is divided based on at least one of the following methods: area division based on regular graphics or irregular graphics; area division based on administrative areas; area division based on road grades; Divide areas based on the autonomous driving levels supported by roads; divide areas based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述根据所述位置,获取至少一个密钥包括:In a possible implementation, obtaining at least one key according to the location includes:
在满足第一预设条件的情况下,根据所述位置,获取所述至少一个密钥,其中,所述第一预设条件包括以下情况中的至少一种:所述密钥使用装置在密钥管理装置进行注册;所述密钥使用装置所处的区域发生变化;当前保存的密钥过期;当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值;使用当前保存的密钥无法对接收到的数据成功解密。When a first preset condition is met, the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations: the key using device is encrypted The key management device registers; the area where the key using device is located changes; the currently saved key expires; the time interval between the current moment and the last time the key was obtained reaches the first update threshold; the currently saved key is used The key cannot successfully decrypt the received data.
在一种可能的实现方式中,所述方法还包括:获取预设的第二密钥;在满足第二预设条件的情况下,使用所述第二密钥;其中,所述第二预设条件包括以下情况中的至少一种:所述密钥使用装置位于过渡区域;所述密钥使用装置位于特定区域;所述密钥使用装置未获取到所述至少一个密钥;所述至少一个密钥过期且更新失败;所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;所述密钥使用装置无法与密钥管理装置进行通信。In a possible implementation, the method further includes: obtaining a preset second key; when the second preset condition is met, using the second key; wherein the second preset key Assume that the conditions include at least one of the following situations: the key using device is located in a transition area; the key using device is located in a specific area; the key using device does not obtain the at least one key; the at least One key has expired and failed to be updated; the key using device cannot successfully decrypt the received data using the at least one key; the key using device cannot communicate with the key management device.
在本申请实施例中,通过设置第二密钥作为备用密钥或者应急密钥,可以避免因密钥获取不及时或者更新不及时造成的业务中断。In this embodiment of the present application, by setting the second key as a backup key or emergency key, service interruption caused by untimely key acquisition or untimely update can be avoided.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:所述第一区域的面积;所述第一区域中密钥使用装置的数量;所述第一区域的等级;所述至少一个密钥的更新频率。In a possible implementation, the number of the at least one key is related to at least one of the following: the area of the first area; the number of key using devices in the first area; The level of the first area; the update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
在一种可能的实现方式中,所述方法还包括:在密钥管理装置上进行注册时,从所述密钥管理装置获取第三密钥信息,所述第三密钥信息用于对后续从所述密钥管理装置接收到的消息进行解密。In a possible implementation, the method further includes: when registering on the key management device, obtaining third key information from the key management device, the third key information being used for subsequent The message received from the key management device is decrypted.
这样,可以将密钥的使用范围限制在已注册的密钥使用装置,使得未注册的密钥使用装置无法获取到密钥管理装置提供的密钥,从而进一步提高密钥安全性。In this way, the use scope of the key can be limited to registered key using devices, so that unregistered key using devices cannot obtain the key provided by the key management device, thereby further improving key security.
第二方面,本申请的实施例提供了一种密钥管理方法,所述方法应用于密钥管理装置,所述方法包括:通过区域划分获得多个预设区域,所述多个预设区域包括第一区域;生成对应于所述第一区域的至少一个密钥;向所述第一区域内的密钥使用装置发送所述至少一个密钥。In a second aspect, embodiments of the present application provide a key management method. The method is applied to a key management device. The method includes: obtaining multiple preset areas through area division. The multiple preset areas are The method includes a first area; generating at least one key corresponding to the first area; and sending the at least one key to a key using device in the first area.
在一种可能的实现方式中,在向所述第一区域内的密钥使用装置发送所述至少一个密钥之前,所述方法还包括:从所述密钥使用装置接收用于指示所述密钥使用装置的位置的位置信息;基于所述位置信息,将所述至少一个密钥分配给所述密钥使用装置使用。In a possible implementation, before sending the at least one key to the key usage device in the first area, the method further includes: receiving from the key usage device a message indicating the Location information of the location of the key using device; based on the location information, the at least one key is allocated to the key using device for use.
在一种可能的实现方式中,所述位置信息为所述第一区域的标识信息或者所述密钥使用装置的地理坐标信息。In a possible implementation, the location information is identification information of the first area or geographical coordinate information of the key using device.
在一种可能的实现方式中,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥,包括:In a possible implementation, sending the at least one key to the key usage device in the first area includes:
在所述第一区域范围内发送包括所述至少一个密钥的消息。A message including the at least one key is sent within the first area.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还包括:In a possible implementation, the at least one key is multiple keys, and the method further includes:
向所述密钥使用装置发送与所述多个密钥相对应的多个密钥参数。A plurality of key parameters corresponding to the plurality of keys are sent to the key using device.
在一种可能的实现方式中,所述区域划分基于以下至少一种方式:In a possible implementation, the area division is based on at least one of the following ways:
基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
基于行政区域进行区域划分;Regional division based on administrative regions;
基于道路等级进行区域划分;Zoning based on road grade;
基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
基于商业区域进行区域划分。Zoning based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥是通过以下至少一项触发的:In a possible implementation, the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
所述密钥使用装置在所述密钥管理装置进行注册;The key usage device is registered with the key management device;
所述密钥使用装置由所述第一区域以外的区域进入所述第一区域;The key using device enters the first area from an area other than the first area;
当前对应于所述第一区域的密钥过期;The key currently corresponding to the first area expires;
当前时刻与上一次向所述密钥使用装置发送密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold;
所述密钥使用装置请求更新对应于所述第一区域的密钥。The key using device requests an update of the key corresponding to the first area.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
向所述密钥使用装置发送第二密钥,所述第二密钥用于所述密钥使用装置在以下情况中的至少一种使用:Send a second key to the key usage device, the second key being used by the key usage device in at least one of the following situations:
所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密所述密钥使用装置无法与密钥管理装置进行通信。The key using device is unable to successfully decrypt the received data using the at least one key. The key using device is unable to communicate with the key management device.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:In a possible implementation, the number of the at least one key is related to at least one of the following:
所述第一区域的面积;The area of the first region;
所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
所述第一区域的等级;The level of the first area;
所述至少一个密钥的更新频率。The update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of the at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
在所述密钥使用装置注册时,向所述密钥使用装置发送第三密钥信息,所述第三密钥信息用于对后续所述密钥管理装置向所述密钥使用装置发送的消息进行解密。When the key using device is registered, third key information is sent to the key using device, and the third key information is used for subsequent processing by the key management device to the key using device. The message is decrypted.
第三方面,本申请实施例提供了一种密钥使用装置,所述装置包括:In a third aspect, embodiments of the present application provide a key usage device, which includes:
第一确定模块,用于确定所述密钥使用装置的位置;A first determination module, used to determine the location of the key using device;
第一获取模块,用于根据所述位置,获取至少一个密钥,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的,所述位置位于所述第一区域中,所述至少一个密钥包括第一密钥;A first acquisition module configured to acquire at least one key according to the location, the at least one key being allocated to a key using device located in the first area, and the location being located in the first area, The at least one key includes a first key;
第一使用模块,用于使用所述第一密钥。The first usage module is used to use the first key.
在一种可能的实现方式中,所述第一获取模块还用于:In a possible implementation, the first acquisition module is also used to:
向密钥管理装置发送用于指示所述位置的位置信息;sending location information indicating the location to the key management device;
从所述密钥管理装置接收响应于所述位置信息的所述至少一个密钥。The at least one key responsive to the location information is received from the key management device.
在一种可能的实现方式中,In one possible implementation,
所述位置信息为所述第一区域的标识信息;The location information is the identification information of the first area;
所述第一获取模块还用于:The first acquisition module is also used to:
根据所述位置和预设的区域划分方式,确定所述第一区域。The first area is determined according to the location and a preset area division method.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第一接收模块,用于从密钥管理装置接收包括所述至少一个密钥的消息;A first receiving module configured to receive a message including the at least one key from the key management device;
所述第一获取模块还用于:The first acquisition module is also used to:
根据所述位置,确定不丢弃所述至少一个密钥。Based on the location, it is determined not to discard the at least one key.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第一选择模块,用于从所述多个密钥中选择所述第一密钥;A first selection module, configured to select the first key from the plurality of keys;
所述第一使用模块还用于使用所述第一密钥作为加密密钥。The first using module is also configured to use the first key as an encryption key.
在一种可能的实现方式中,所述选择为随机选择、加权随机选择或轮换选择。In a possible implementation, the selection is random selection, weighted random selection or rotating selection.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第二接收模块,用于从第一设备接收密文,所述密文是根据所述第一密钥加密的;a second receiving module, configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key;
第二获取模块,用于获取密钥参数,所述密钥参数指示所述第一密钥;a second acquisition module, configured to acquire key parameters, where the key parameters indicate the first key;
所述第一使用模块还用于:The first usage module is also used for:
根据所述密钥参数,从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。According to the key parameter, the first key is selected from the plurality of keys as the decryption key of the ciphertext.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第三接收模块,用于从第一设备接收密文,所述密文是根据所述第一密钥加密的;A third receiving module, configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key;
遍历模块,用于通过遍历使用所述多个密钥对所述密文进行解密,确定所述第一密钥能够成功解密所述密文;A traversal module, configured to decrypt the ciphertext using the plurality of keys through traversal, and determine that the first key can successfully decrypt the ciphertext;
所述第一使用模块还用于:The first usage module is also used for:
从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。The first key is selected from the plurality of keys as the decryption key of the ciphertext.
在一种可能的实现方式中,所述第一区域是基于以下至少一种方式划分得到的:In a possible implementation, the first area is divided based on at least one of the following methods:
基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
基于行政区域进行区域划分;Regional division based on administrative regions;
基于道路等级进行区域划分;Zoning based on road grade;
基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
基于商业区域进行区域划分。Zoning based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述第一获取模块还用于:In a possible implementation, the first acquisition module is also used to:
在满足第一预设条件的情况下,根据所述位置,获取所述至少一个密钥,其中,所述第一预设条件包括以下情况中的至少一种:When a first preset condition is met, the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations:
所述密钥使用装置在密钥管理装置进行注册;The key using device is registered with the key management device;
所述密钥使用装置所处的区域发生变化;The area where the key using device is located changes;
当前保存的密钥过期;The currently saved key expires;
当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current moment and the last time the key was obtained reaches the first update threshold;
使用当前保存的密钥无法对接收到的数据成功解密。The received data could not be successfully decrypted using the currently saved key.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第三获取模块,用于获取预设的第二密钥;The third acquisition module is used to acquire the preset second key;
第二使用模块,用于在满足第二预设条件的情况下,使用所述第二密钥;。The second use module is used to use the second key when the second preset condition is met;.
其中,所述第二预设条件包括以下情况中的至少一种:Wherein, the second preset condition includes at least one of the following situations:
所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密所述密钥使用装置无法与密钥管理装置进行通信。The key using device is unable to successfully decrypt the received data using the at least one key. The key using device is unable to communicate with the key management device.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:In a possible implementation, the number of the at least one key is related to at least one of the following:
所述第一区域的面积;The area of the first region;
所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
所述第一区域的等级;The level of the first area;
所述至少一个密钥的更新频率。The update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第四获取模块,用于在密钥管理装置上进行注册时,从所述密钥管理装置获取第三密钥信息,所述第三密钥信息用于对后续从所述密钥管理装置接收到的消息进行解密。The fourth acquisition module is used to obtain third key information from the key management device when registering on the key management device. The third key information is used for subsequent reception from the key management device. The incoming message is decrypted.
第四方面,本申请实施例提供了一种密钥管理装置,所述装置包括:In a fourth aspect, embodiments of the present application provide a key management device, which includes:
划分模块,用于通过区域划分获得多个预设区域,所述多个预设区域包括第一区域;A dividing module, configured to obtain multiple preset areas through area division, where the multiple preset areas include a first area;
第一生成模块,用于生成对应于所述第一区域的至少一个密钥;A first generation module configured to generate at least one key corresponding to the first area;
第一发送模块,用于向所述第一区域内的密钥使用装置发送所述至少一个密钥。The first sending module is configured to send the at least one key to the key using device in the first area.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第一接收模块,用于从所述密钥使用装置接收用于指示所述密钥使用装置的位置的位置信息;A first receiving module configured to receive location information indicating the location of the key using device from the key using device;
第一分配模块,用于基于所述位置信息,将所述至少一个密钥分配给所述密钥使用装置使用。A first allocation module, configured to allocate the at least one key to the key using device based on the location information.
在一种可能的实现方式中,所述位置信息为所述第一区域的标识信息或者所述密钥使用装置的地理坐标信息。In a possible implementation, the location information is identification information of the first area or geographical coordinate information of the key using device.
在一种可能的实现方式中,所述第一发送模块还用于:In a possible implementation, the first sending module is also used to:
在所述第一区域范围内发送包括所述至少一个密钥的消息。A message including the at least one key is sent within the first area.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第二发送模块,用于向所述密钥使用装置发送与所述多个密钥相对应的多个密钥参数。The second sending module is configured to send a plurality of key parameters corresponding to the plurality of keys to the key using device.
在一种可能的实现方式中,所述区域划分基于以下至少一种方式:In a possible implementation, the area division is based on at least one of the following ways:
基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
基于行政区域进行区域划分;Regional division based on administrative regions;
基于道路等级进行区域划分;Zoning based on road grade;
基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
基于商业区域进行区域划分。Zoning based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥是通过以下至少一项触发的:In a possible implementation, the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
所述密钥使用装置在所述密钥管理装置进行注册;The key usage device is registered with the key management device;
所述密钥使用装置由所述第一区域以外的区域进入所述第一区域;The key using device enters the first area from an area other than the first area;
当前对应于所述第一区域的密钥过期;The key currently corresponding to the first area expires;
当前时刻与上一次向所述密钥使用装置发送密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold;
所述密钥使用装置请求更新对应于所述第一区域的密钥。The key using device requests an update of the key corresponding to the first area.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第三发送模块,用于向所述密钥使用装置发送第二密钥,所述第二密钥用于所述密钥使用装置在以下情况中的至少一种使用:A third sending module, configured to send a second key to the key using device, where the second key is used by the key using device in at least one of the following situations:
所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;The key using device cannot successfully decrypt the received data using the at least one key;
所述密钥使用装置无法与密钥管理装置进行通信。The key using device cannot communicate with the key management device.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:In a possible implementation, the number of the at least one key is related to at least one of the following:
所述第一区域的面积;The area of the first region;
所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
所述第一区域的等级;The level of the first area;
所述至少一个密钥的更新频率。The update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第四发送模块,用于在所述密钥使用装置注册时,向所述密钥使用装置发送第三密钥信息,所述第三密钥信息用于对后续所述密钥管理装置向所述密钥使用装置发送的消息进行解密。The fourth sending module is configured to send third key information to the key using device when the key using device is registered. The third key information is used to subsequently send the key information to the key using device. The key is used to decrypt the message sent by the device.
第五方面,本申请实施例提供了一种密钥使用装置,该密钥使用装置可以执行上述第一方面或者第一方面的多种可能的实现方式中的一种或几种的密钥管理方法。In a fifth aspect, embodiments of the present application provide a key usage device that can perform key management in one or more of the first aspect or multiple possible implementations of the first aspect. method.
第六方面,本申请实施例提供了一种密钥管理装置,该密钥管理装置可以执行上述第二方面或者第二方面的多种可能的实现方式中的一种或几种的密钥管理方法。In a sixth aspect, embodiments of the present application provide a key management device that can perform key management in one or more of the above-mentioned second aspects or multiple possible implementations of the second aspect. method.
第七方面,本申请实施例提供了一种密钥管理系统,该密钥管理系统可以包括上述第五方面所述的密钥使用装置,以及上述第六方面所述的密钥管理装置。In a seventh aspect, embodiments of the present application provide a key management system, which may include the key using device described in the fifth aspect, and the key management device described in the sixth aspect.
第八方面,本申请的实施例提供了一种非易失性计算机可读存储介质,其上存储有计算机程序指令,所述计算机程序指令被处理器执行时实现上述第一方面或者第一方面的多种可能的实现方式中的一种或几种的密钥使用方法,或者,所述计算机程序指令被处理器执行时实现上述第二方面或者第二方面的多种可能的实现方式中的一种或几种的密钥管理方法。In an eighth aspect, embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored. When the computer program instructions are executed by a processor, the above-mentioned first aspect or aspects are implemented. One or more key usage methods among multiple possible implementations, or, when the computer program instructions are executed by the processor, the above second aspect or one of the multiple possible implementations of the second aspect is implemented One or more key management methods.
第九方面,本申请的实施例提供了一种计算机程序产品,包括计算机可读代码,或者承载有计算机可读代码的非易失性计算机可读存储介质,当所述计算机可读代码在电子设备中运行时,所述电子设备中的处理器执行上述第一方面或者第一方面的多种可能的实现方式中的一种或几种的密钥使用方法,或者,所述电子设备中的处理器执行上述第二方面或者第二方面的多种可能的实现方式中的一种或几种的密钥管理方法。In a ninth aspect, embodiments of the present application provide a computer program product, including a computer readable code, or a non-volatile computer readable storage medium carrying the computer readable code, when the computer readable code is stored electronically When running in the device, the processor in the electronic device executes one or more of the key usage methods of the first aspect or multiple possible implementations of the first aspect, or, the processor in the electronic device The processor executes one or more of the key management methods of the above-mentioned second aspect or multiple possible implementations of the second aspect.
第十个方面,本申请实施例提供了一种车辆,包括第五方面所述的密钥使用装置,和/或,第六方面所述的密钥管理装置。In a tenth aspect, embodiments of the present application provide a vehicle, including the key usage device described in the fifth aspect, and/or the key management device described in the sixth aspect.
本申请的这些和其他方面在以下(多个)实施例的描述中会更加简明易懂。These and other aspects of the application will be better understood in the description of the embodiment(s) below.
附图说明Description of drawings
包含在说明书中并且构成说明书的一部分的附图与说明书一起示出了本申请的示例性实施例、特征和方面,并且用于解释本申请的原理。The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate exemplary embodiments, features, and aspects of the application and together with the description, serve to explain the principles of the application.
图1示出本申请实施例提供的应用场景示意图密钥管理系统的结构示意图。Figure 1 shows a schematic structural diagram of an application scenario key management system provided by an embodiment of the present application.
图2示出本申请实施例提供的密钥管理方法的流程图。Figure 2 shows a flow chart of the key management method provided by the embodiment of the present application.
图3示出本申请实施例提供的区域划分示意图。Figure 3 shows a schematic diagram of area division provided by the embodiment of the present application.
图4示出本申请实施例提供的密钥管理方法的交互流程图。Figure 4 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
图5示出本申请实施例提供的密钥管理方法的交互流程图。Figure 5 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
图6示出本申请实施例提供的密钥管理方法的交互流程图。Figure 6 shows an interactive flow chart of the key management method provided by the embodiment of the present application.
图7示出本申请实施例提供的区域划分示意图。Figure 7 shows a schematic diagram of area division provided by the embodiment of the present application.
图8示出本申请实施例中特定区域的划分示意图。Figure 8 shows a schematic diagram of the division of specific areas in the embodiment of the present application.
图9示出本申请实施例提供的密钥使用装置的框图。Figure 9 shows a block diagram of a key usage device provided by an embodiment of the present application.
图10示出本申请实施例提供的密钥管理装置的框图。Figure 10 shows a block diagram of a key management device provided by an embodiment of the present application.
图11示出本申请实施例提供的电子设备的结构示意图。Figure 11 shows a schematic structural diagram of an electronic device provided by an embodiment of the present application.
具体实施方式Detailed ways
以下将参考附图详细说明本申请的各种示例性实施例、特征和方面。附图中相同的附图标记表示功能相同或相似的元件。尽管在附图中示出了实施例的各种方面,但是除非特别指出,不必按比例绘制附图。Various exemplary embodiments, features, and aspects of the present application will be described in detail below with reference to the accompanying drawings. The same reference numbers in the drawings identify functionally identical or similar elements. Although various aspects of the embodiments are illustrated in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.
在这里专用的词“示例性”意为“用作例子、实施例或说明性”。这里作为“示例性”所说明的任何实施例不必解释为优于或好于其它实施例。The word "exemplary" as used herein means "serving as an example, example, or illustrative." Any embodiment described herein as "exemplary" is not necessarily to be construed as superior or superior to other embodiments.
另外,为了更好的说明本申请,在下文的具体实施方式中给出了众多的具体细节。本领域技术人员应当理解,没有某些具体细节,本申请同样可以实施。在一些实例中,对于本领域技术人员熟知的方法、手段、元件和电路未作详细描述,以便于凸显本申请的主旨。In addition, in order to better explain the present application, numerous specific details are given in the following detailed description. It will be understood by those skilled in the art that the present application may be practiced without certain specific details. In some instances, methods, means, components and circuits that are well known to those skilled in the art are not described in detail in order to highlight the subject matter of the present application.
图1示出本申请实施例提供的应用场景示意图密钥管理系统的结构示意图。如图1所示,该系统包括:密钥使用装置101和密钥管理装置102。其中,密钥使用装置101和密钥管理装置102可以通过网络通信。密钥管理装置102可以生成各个区域对应的密钥,密钥使用装置101可以使用所在区域对应的密钥。Figure 1 shows a schematic structural diagram of an application scenario key management system provided by an embodiment of the present application. As shown in Figure 1, the system includes: a key usage device 101 and a key management device 102. Among them, the key usage device 101 and the key management device 102 can communicate through the network. The key management device 102 can generate keys corresponding to each region, and the key using device 101 can use the keys corresponding to the region where it is located.
在一种可能的实现方式中,密钥使用装置101可以是具有通信能力和数据加解密能力的电子设备。例如,密钥使用装置101可以是(或者部署在)具有车载通信单元(Telematics box,T-box)的车辆、路侧单元(Road Side Unit,RSU)或者其他终端设备。In a possible implementation, the key using device 101 may be an electronic device with communication capabilities and data encryption and decryption capabilities. For example, the key usage device 101 may be (or be deployed in) a vehicle with a vehicle communication unit (Telematics box, T-box), a roadside unit (Road Side Unit, RSU), or other terminal equipment.
在一种可能的实现方式中,密钥管理装置102可以是具有密钥生成能力的电子设备,可以是(或者部署在)实体设备如主机、框架式服务器、刀片式服务器等,也可以是虚拟设备如虚拟机、容器等。密钥管理装置102可以部署在云端、也可以部署在RSU,还可以部署在车辆中,对此本申请实施例不做限制。In a possible implementation, the key management device 102 may be an electronic device with key generation capabilities, may be (or be deployed on) a physical device such as a host, a frame server, a blade server, etc., or may be a virtual device. Devices such as virtual machines, containers, etc. The key management device 102 can be deployed in the cloud, in an RSU, or in a vehicle, and the embodiments of this application are not limited to this.
在一个示例中,密钥管理装置102还可以具有分发能力。密钥管理装置102可以将生成的密钥直接分发给密钥使用装置101。在又一示例中,密钥管理装置102可以通过分发装置(例如,网关或者路由器等)将生成的密钥分发给密钥使用装置101。In one example, key management device 102 may also have distribution capabilities. The key management device 102 may directly distribute the generated key to the key usage device 101 . In yet another example, the key management device 102 may distribute the generated key to the key usage device 101 through a distribution device (eg, a gateway or a router, etc.).
在本申请实施例中,密钥使用装置101可以部署在车辆中,密钥管理装置102部署在云端;或者,密钥使用装置101和密钥管理装置102部署在不同的车辆中;或者,密钥使用装置101和密钥管理装置102部署在同一车辆中;或者,密钥使用装置101部署在RSU中,密钥管理装置102部署在云端,对此本申请实施例不做限制。In the embodiment of the present application, the key usage device 101 can be deployed in a vehicle, and the key management device 102 can be deployed in the cloud; or the key usage device 101 and the key management device 102 can be deployed in different vehicles; or the key management device 102 can be deployed in a different vehicle. The key usage device 101 and the key management device 102 are deployed in the same vehicle; or the key usage device 101 is deployed in the RSU and the key management device 102 is deployed in the cloud, which is not limited in this embodiment of the present application.
图2示出本申请实施例提供的密钥管理方法的流程图。该方法可以应用于图1所示的密钥使用装置。如图2所示,该方法可以包括:Figure 2 shows a flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the key using device shown in Figure 1. As shown in Figure 2, the method may include:
步骤S401,确定所述密钥使用装置的位置。Step S401: Determine the location of the key using device.
在本申请实施例中,密钥使用装置的位置位于第一区域中,第一区域可以为任意一个预设区域。In this embodiment of the present application, the key usage device is located in the first area, and the first area can be any preset area.
在一种可能的实现方式中,第一区域是基于以下至少一种方式划分得到的:基于规则图形或者不规则图形进行区域划分;基于行政区域进行区域划分;基于道路等级进行区域划分;基于道路支持的自动驾驶等级进行区域划分;基于商业区域进行区域划分。In a possible implementation, the first area is divided based on at least one of the following methods: area division based on regular graphics or irregular graphics; area division based on administrative areas; area division based on road grades; The regions are divided based on the supported autonomous driving levels; the regions are divided based on commercial areas.
其中,规则图形包括但不限于矩形、梯形或者三角形等。行政区域包括但不限于省、市、县和街道等。道路等级包括但不限于国道、省道、高度和自动驾驶专用车道等。道路支持的自动驾驶等级包括但不限于纯人工驾驶(L0)、驾驶自动化(L1)、辅助驾驶(L2)、自动辅助驾驶(L3)、自动驾驶(L4)和无人驾驶(L5)。商业区域包括但不限于停车场、商场、超市和批发市场等。Among them, regular graphics include but are not limited to rectangles, trapezoids, triangles, etc. Administrative regions include but are not limited to provinces, cities, counties and streets. Road grades include but are not limited to national highways, provincial highways, altitude and autonomous driving lanes, etc. The autonomous driving levels supported by roads include but are not limited to pure manual driving (L0), driving automation (L1), assisted driving (L2), automatic assisted driving (L3), automatic driving (L4) and driverless driving (L5). Commercial areas include but are not limited to parking lots, shopping malls, supermarkets and wholesale markets.
下面以基于规则图形(具体为矩形)划分得到第一区域为例进行举例说明。图3示出本申请实施例提供的区域划分示意图。如图3所示,通过区域划分得到了9个预设区域,分别为第0个预设区域、第1个预设区域、……和第8个预设区域。基于密钥使用装置的位置(x,y)和公式一,可以得到第一区域的标识信息Zoneid。The following is an example of dividing the first area based on a regular graphic (specifically, a rectangle). Figure 3 shows a schematic diagram of area division provided by the embodiment of the present application. As shown in Figure 3, 9 preset areas are obtained through area division, which are the 0th preset area, the 1st preset area, ... and the 8th preset area. Based on the position (x, y) of the key using device and Formula 1, the identification information Zoneid of the first zone can be obtained.
Figure PCTCN2022119399-appb-000001
Figure PCTCN2022119399-appb-000001
其中,x是密钥使用装置的位置和地理位置坐标(0,0)之间在WGS84/GCJ-02坐标系下的经度测地距离(单位是米),y是密钥使用装置的位置和地理位置坐标(0,0)之间在WGS84/GCJ-02坐标系下的维度测地距离(单位是米)。L表示预设区域的长度,W表示预设区域的宽度。L和W的取值可以相同,也可以不同,在一个示例中,L和W的取值可以为100公里或者500公里等。Nx表示在维度方向上划分的预设区域的数量,Ny表示经度方向上划分的预设区域的数量。Nx和Ny的取值可以相同也可以不同,例如,图3中Nx和Ny的取值均为3。Floor是向下取整运算,Mod是取模运算。Wherein, x is the longitude geodetic distance (in meters) between the position of the key usage device and the geographic location coordinate (0,0) in the WGS84/GCJ-02 coordinate system, and y is the dimensional geodetic distance (in meters) between the position of the key usage device and the geographic location coordinate (0,0) in the WGS84/GCJ-02 coordinate system. L represents the length of the preset area, and W represents the width of the preset area. The values of L and W can be the same or different. In one example, the values of L and W can be 100 kilometers or 500 kilometers, etc. Nx represents the number of preset areas divided in the latitudinal direction, and Ny represents the number of preset areas divided in the longitude direction. The values of Nx and Ny can be the same or different. For example, the values of Nx and Ny in Figure 3 are both 3. Floor is a rounding-down operation, and Mod is a modulo operation.
需要说明的是,以上仅为划分方式的示例性举例,并不用于限制划分方式,本申请实施例中还可以采用其他划分方式得到第一区域。It should be noted that the above is only an illustrative example of the division method and is not used to limit the division method. In the embodiment of the present application, other division methods can also be used to obtain the first region.
在一种可能的实现方式中,第一区域的边界是被动态设置的。也就是说,第一区域的边界是可以变化的。这样,可以增加灵活性。In a possible implementation, the boundary of the first area is dynamically set. In other words, the boundary of the first area can be changed. This way, flexibility can be increased.
步骤S402,根据所述位置,获取至少一个密钥,所述至少一个密钥包括第一密钥。Step S402: Obtain at least one key according to the location, and the at least one key includes the first key.
其中,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的。也就是说,位于第一区域的密钥使用装置可供使用的密钥是相同的。关于密钥的分配方式,后文会进行详细说明,这里不再赘述。Wherein, the at least one key is assigned to a key using device located in the first area. That is to say, the keys available to the key using device located in the first area are the same. The key distribution method will be explained in detail later and will not be repeated here.
第一密钥可以表示密钥使用装置将要使用的密钥。在所述至少一个密钥为一个密钥的情况下,密钥使用装置可以将该密钥确定为第一密钥。在所述至少一个密钥为多个密钥的情况下,密钥使用装置可以从所述多个密钥中确定第一密钥。在本申请实施例中,根据第一密钥的使用用途不同,选择第一密钥的方式也不同,第一密钥的选择方式会在步骤S403中进行说明,这里不再赘述。The first key may represent a key to be used by the key using device. In the case where the at least one key is a key, the key using device may determine the key as the first key. In the case where the at least one key is a plurality of keys, the key using device may determine the first key from the plurality of keys. In the embodiment of the present application, the method of selecting the first key is also different depending on the usage of the first key. The method of selecting the first key will be explained in step S403 and will not be described again here.
在本申请实施例中,同一个区域对应多个密钥,可以降低密钥使用次数,从而降低密钥泄露风险,进一步提高密钥的安全性。In the embodiment of this application, the same area corresponds to multiple keys, which can reduce the number of key uses, thereby reducing the risk of key leakage and further improving the security of the key.
在一种可能的实现方式中,步骤S402可以包括:在满足第一预设条件的情况下,根据所述位置,获取所述至少一个密钥。其中,第一预设条件包括以下情况中的至少一种:所述密钥使用装置在密钥管理装置进行注册;所述密钥使用装置所处的区域发生变化;当前保存的密钥过期;当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值;使用当前保存的密钥无法对接收到的数据成功解密。In a possible implementation, step S402 may include: when the first preset condition is met, obtaining the at least one key according to the location. Wherein, the first preset condition includes at least one of the following situations: the key using device is registered with the key management device; the area where the key using device is located changes; the currently saved key expires; The time interval between the current moment and the last time the key was obtained reaches the first update threshold; the received data cannot be successfully decrypted using the currently saved key.
在一个示例中,密钥使用装置可以在密钥管理装置进行注册时,获取密钥。这样,密钥使用装置在注册后可以立刻使用密钥,而无需等待,有利于提高业务效率。In one example, the key using device may obtain the key when the key management device registers. In this way, the key using device can use the key immediately after registration without waiting, which is beneficial to improving business efficiency.
另外,在本申请实施例中的一种应用场景中,密钥使用装置在完成付费后,才可以在密钥管理装置进行注册时。这样,只有付费的密钥使用装置(例如车辆)才能后获取到第一密钥和第二密钥(后文中进行介绍)进行使用,可以起到访问控制作用。In addition, in an application scenario in the embodiment of the present application, the key using device can register with the key management device only after completing the payment. In this way, only the paid key-using device (such as a vehicle) can obtain the first key and the second key (to be introduced later) for use, which can play an access control role.
在一个示例中,密钥使用装置可以在所处的区域发生变化时,重新获取密钥。在本申请实施例中,密钥是按照区域进行分配的,当密钥使用装置所处的区域发生变化时,该密钥使用装置可使用的密钥也相应发生变化,此时需要重新获取密钥。这样,可以提高密钥的匹配度,提升解密成功率。In one example, the key using device can reacquire the key when the area it is located in changes. In the embodiment of the present application, keys are distributed according to regions. When the region where the key using device is located changes, the keys that can be used by the key using device also change accordingly. At this time, the key needs to be obtained again. key. In this way, the matching degree of the key can be improved and the decryption success rate can be improved.
在一个示例中,密钥使用装置可以当前保存的密钥过期时,重新获取密钥。可以理解的,随着密钥存在时间的增长,该密钥被破解的可能性相应增加,密钥的安全性相应降低。因此,在本申请实施例中,为密钥设置了有效期这样,当密钥过期时,密钥使用装置就可以重新获取密钥,从而提高了密钥的安全性。In one example, the key using device can re-obtain the key when the currently saved key expires. It is understandable that as the existence time of the key increases, the possibility of the key being cracked increases accordingly, and the security of the key decreases accordingly. Therefore, in the embodiment of the present application, a validity period is set for the key so that when the key expires, the key using device can re-obtain the key, thus improving the security of the key.
在一个示例中,密钥使用装置可以在当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值时,重新获取密钥。在前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值时表明长时间未进行密钥更新,密钥被破解或者泄露的风险值较高,因此需要获取密钥,以提高安全性。In one example, the key using device may re-obtain the key when the time interval between the current time and the last time the key was obtained reaches the first update threshold. When the time interval between the previous moment and the last time the key was obtained reaches the first update threshold, it indicates that the key has not been updated for a long time, and the risk of the key being cracked or leaked is high, so the key needs to be obtained in order to Improve security.
其中,第一更新阈值可以根据需要进行设置,例如可以设置为1小时或者1天等。在一种可能的实现方式中,第一更新阈值可以根据第一区域的面积或者第一区域内密钥使用装置的数量确定。例如,第一区域的面积越大,第一更新阈值的取值可以越小(即更新频率越大),第一区域内密钥使用装置的数量越多,第一更新阈值的取值可以越小(即更新频率越大)。The first update threshold can be set as needed, for example, it can be set to 1 hour or 1 day. In a possible implementation, the first update threshold may be determined based on the area of the first area or the number of key using devices in the first area. For example, the larger the area of the first area, the smaller the value of the first update threshold (that is, the greater the update frequency), and the greater the number of key using devices in the first area, the smaller the value of the first update threshold. Small (that is, the greater the update frequency).
在一个示例中,密钥使用装置在使用当前保存的密钥无法对接收到的数据成功解密时,重新获取密钥。密钥使用装置使用当前保存的密钥无法对接收到的数据成功解密表明当前的密钥有误,为了不影响业务,需要重新获取密钥。In one example, the key using device re-obtains the key when the received data cannot be successfully decrypted using the currently saved key. If the key using device cannot successfully decrypt the received data using the currently saved key, it indicates that the current key is incorrect. In order not to affect the business, the key needs to be obtained again.
另外,在本申请实施例中,通过为不同区域的密钥设置不同的有效期,可以使得不同区域的密钥的更新时间不同,从而减小密钥更新时,密钥管理装置的压力。In addition, in the embodiment of the present application, by setting different validity periods for keys in different areas, the update times of keys in different areas can be different, thereby reducing the pressure on the key management device during key update.
需要说明的是,以上仅为示例性的第一预设条件,不用于限制第一预设条件,本申请实施例还可以在其他情况下根据所述位置获取所述至少一个密钥。It should be noted that the above are only exemplary first preset conditions and are not used to limit the first preset conditions. The embodiment of the present application can also obtain the at least one key according to the location in other circumstances.
步骤S403,使用所述第一密钥。Step S403, use the first key.
在本步骤中,密钥使用装置可以使用第一密钥进行加密,也可以使用第一密钥进行解密。在一种可能的实现方式中,所述至少一个密钥可以用于第一位置信息、车辆 驾驶信息或者服务内容信息。也就是说,在本申请实施例中,可以使用第一密钥对第一位置信息、车辆驾驶信息或者服务内容信息进行加密,或者使用第一密钥对加密后的第一位置信息、车辆驾驶信息或者服务内容信息进行解密。另外,在本申请实施例中,还可以使用第一密钥对包含第一位置信息、车辆驾驶信息或者服务内容信息的消息进行加密,或者使用第一密钥对加密后的包含第一位置信息、车辆驾驶信息或者服务内容信息的消息进行解密。当然,以上仅为示例性举例,至少一个密钥还可以用于其他数据或者消息的加解密,本申请实施例不做限制。In this step, the key using device may use the first key for encryption or the first key for decryption. In a possible implementation, the at least one key can be used for first location information, vehicle driving information or service content information. That is to say, in the embodiment of the present application, the first key can be used to encrypt the first location information, vehicle driving information or service content information, or the first key can be used to encrypt the first location information, vehicle driving information and so on. Decrypt the information or service content information. In addition, in the embodiment of the present application, the first key can also be used to encrypt the message containing the first location information, vehicle driving information or service content information, or the first key can be used to encrypt the message containing the first location information. , vehicle driving information or service content information. Of course, the above are only illustrative examples, and at least one key can also be used to encrypt and decrypt other data or messages, which is not limited by the embodiments of this application.
需要说明的是,假设密钥使用装置A与密钥使用装置B位于同一区域中,此时,密钥使用装置A与密钥使用装置B获取到的至少一个密钥是相同的。在与密钥使用装置A向密钥使用装置B发送V2X消息时采用的第一密钥与密钥使用装置B向密钥使用装置A发送V2X消息时采用的第一密钥可以相同也可以不同。例如,密钥使用装置A与密钥使用装置B均获取到了密钥1、密钥2和密钥3。密钥使用装置A向密钥使用装置B发送V2X消息时,随机选择了密钥1进行加密。而密钥使用装置B向密钥使用装置A发送V2X消息时,随机选择了密钥2进行加密。It should be noted that, assuming that key using device A and key using device B are located in the same area, at this time, at least one key obtained by key using device A and key using device B is the same. The first key used when the key using device A sends the V2X message to the key using device B and the first key used when the key using device B sends the V2X message to the key using device A may be the same or different. . For example, key using device A and key using device B have obtained key 1, key 2 and key 3. When key using device A sends a V2X message to key using device B, key 1 is randomly selected for encryption. When key using device B sends a V2X message to key using device A, key 2 is randomly selected for encryption.
下面对使用第一密钥进行加密的过程进行说明。The process of encryption using the first key is explained below.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还可以包括:从所述多个密钥中选择所述第一密钥。步骤S403可以包括:使用所述第一密钥作为加密密钥。In a possible implementation, the at least one key is a plurality of keys, and the method may further include: selecting the first key from the plurality of keys. Step S403 may include using the first key as an encryption key.
其中,所述选择可以为随机选择、加权随机选择或轮换选择。Wherein, the selection may be random selection, weighted random selection or rotation selection.
在一个示例中,密钥使用装置以从多个密钥中随机选择一个密钥作为第一密钥。In one example, the key using device randomly selects a key from a plurality of keys as the first key.
在又一示例中,密钥使用装置可以从多个密钥中加权随机选择一个密钥作为第一密钥。其中,一个密钥的加权系数可以根据该密钥的已使用次数确定。密钥的加权系数与密钥的已使用次数成反比。也就是说,一个密钥的已使用次数越多,该密钥的加权系数越低,该密钥被选中的可能性也就越小;一个密钥的已使用次数越少,该密钥的加权系数越高,该密钥被选中的可能性也就越大。这样,可以平衡各个密钥的使用次数,降低因密钥泄露而造成的影响。In yet another example, the key using device may randomly select a key from a plurality of keys as the first key. Among them, the weighting coefficient of a key can be determined based on the number of times the key has been used. The weighting factor of a key is inversely proportional to the number of times the key has been used. That is to say, the more times a key has been used, the lower the weighting coefficient of the key, and the less likely the key is to be selected; the less the number of times a key has been used, the lower the weighting coefficient of the key. The higher the weighting factor, the more likely the key is to be selected. In this way, the number of uses of each key can be balanced and the impact caused by key leakage can be reduced.
在又一示例中,密钥使用装置可以将多个密钥轮换作为第一密钥。例如,密钥使用装置可以每隔一段时间更换一次第一密钥,或者每移动一定距离更换一次第一密钥。又如,密钥使用装置可以根据车辆的速度更换第一密钥,在车辆的速度为0时,可以不轮换第一密钥,或者延长轮换时间。In yet another example, the key usage device may rotate multiple keys as the first key. For example, the key using device can change the first key every once in a while, or change the first key every time it moves a certain distance. For another example, the key using device can replace the first key according to the speed of the vehicle. When the speed of the vehicle is 0, the first key may not be rotated, or the rotation time may be extended.
需要说明的是,以上仅为示例性的选择第一密钥的方式,并不用于限制选择第一密钥的方式,本申请实施例中还可以采用其他方式选择第一密钥。It should be noted that the above are only exemplary ways of selecting the first key and are not used to limit the ways of selecting the first key. In the embodiments of the present application, other ways can also be used to select the first key.
下面对使用第一密钥进行解密的过程进行说明。The process of decryption using the first key is explained below.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还可以包括:从第一设备接收密文,所述密文是根据所述第一密钥加密的;获取密钥参数,所述密钥参数指示所述第一密钥。步骤S403可以包括:根据所述密钥参数,从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。In a possible implementation, the at least one key is a plurality of keys, and the method may further include: receiving ciphertext from the first device, the ciphertext being encrypted according to the first key ; Obtain a key parameter indicating the first key. Step S403 may include: selecting the first key from the plurality of keys as the decryption key of the ciphertext according to the key parameter.
其中,第一设备可以为密钥管理装置,或者车辆、RSU以及便携式终端等其他设备,本申请实施例对第一设备不做限制。The first device may be a key management device, or other devices such as vehicles, RSUs, and portable terminals. The embodiments of this application do not limit the first device.
在一种可能的实现方式中,密钥使用装置发送与所述多个密钥对应的多个密钥参数。密钥使用装置在获取多个密钥时,同时可以获取到每个密钥的密钥参数。之后,密钥使用装置可以密文对应的密钥参数,可以找到第一密钥,进而使用第一密钥对密文进行解密。这样,可以提高确定第一密钥的速度,提高解密效率。In a possible implementation, the key using device sends multiple key parameters corresponding to the multiple keys. When the key using device obtains multiple keys, it can obtain the key parameters of each key at the same time. Afterwards, the key using device can find the key parameter corresponding to the ciphertext, find the first key, and then use the first key to decrypt the ciphertext. In this way, the speed of determining the first key can be increased and the decryption efficiency can be improved.
其中,密钥参数可以为密钥的id或者密钥的派生时间。Among them, the key parameter can be the id of the key or the derivation time of the key.
在本申请实施例中,通过设置密钥参数,可以快速确定是否具有匹配的密钥,减少无效解密运算,主动丢弃错误消息,降低密钥使用装置的计算压力。In the embodiment of the present application, by setting key parameters, it is possible to quickly determine whether there is a matching key, reduce invalid decryption operations, actively discard error messages, and reduce the computing pressure of the key using device.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述方法还可以包括:从第一设备接收密文,所述密文时根据第一密钥加密的;通过遍历使用所述多个密钥对所述密文进行解密,确定所述第一密钥能够成功解密所述密文。步骤S403可以包括:从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。In a possible implementation, the at least one key is multiple keys, and the method may further include: receiving ciphertext from the first device, where the ciphertext is encrypted according to the first key; by The ciphertext is decrypted by traversing and using the multiple keys, and it is determined that the first key can successfully decrypt the ciphertext. Step S403 may include: selecting the first key from the plurality of keys as the decryption key of the ciphertext.
这样,密钥使用装置通过遍历多个密钥进行密文解密,可以与第一设备进行交互时携带的数据量,节省通信资源。In this way, by traversing multiple keys to decrypt the ciphertext, the key using device can reduce the amount of data carried when interacting with the first device and save communication resources.
在本申请实施例中,密钥与区域相对应,不同区域所使用的密钥不同,这样将相同密钥的覆盖范围缩小到了一个区域内,既降低了相同密钥的使用范围和使用次数,又使得一个区域的密钥泄露时,不会对其他区域密钥的安全性造成影响,从而降低因一个区域的密钥泄露而造成的影响,提高了密钥的安全性。In the embodiment of this application, the key corresponds to the region, and the keys used in different regions are different. This reduces the coverage of the same key to one region, which not only reduces the usage range and number of uses of the same key, In addition, when the key of one area is leaked, it will not affect the security of the keys of other areas, thereby reducing the impact caused by the leakage of the key of one area and improving the security of the key.
在本申请实施例中,密钥管理装置可以通过区域划分获得多个预设区域,生成对应于所述第一区域的至少一个密钥,并向第一区域内的密钥使用装置发送所述至少一个密钥。其中,第一区域可以表示多个预设区域中的任意一个预设区域。其他预设区域可以参照第一区域,这里不再赘述。In this embodiment of the present application, the key management device can obtain multiple preset areas through area division, generate at least one key corresponding to the first area, and send the key usage device in the first area. At least one key. The first area may represent any preset area among multiple preset areas. Other preset areas can refer to the first area, which will not be described again here.
在一种可能的实现方式中,密钥管理装置向第一区域内的密钥使用装置发送至少一个密钥可以是通过以下至少一项触发的:所述密钥使用装置在所述密钥管理装置进行注册;所述密钥使用装置由所述第一区域以外的区域进入所述第一区域;当前对应于所述第一区域的密钥过期;当前时刻与上一次向所述密钥使用装置发送密钥的时刻之间的时间间隔达到第一更新阈值;所述密钥使用装置请求更新对应于所述第一区域的密钥。In a possible implementation, the key management device sending at least one key to the key usage device in the first area may be triggered by at least one of the following: the key usage device The device registers; the key using device enters the first area from an area other than the first area; the current key corresponding to the first area expires; the current moment is the same as the last time the key was used. The time interval between the moments when the device sends the key reaches the first update threshold; the key using device requests to update the key corresponding to the first area.
在一种可能的实现方式中,密钥管理装置可以基于接收到的位置信息,向密钥使用装置发送密钥。图4示出本申请实施例提供的密钥管理方法的交互流程图。该方法可以应用于图1所示的系统。如图4所示,该方法可以包括:In a possible implementation, the key management device may send the key to the key usage device based on the received location information. Figure 4 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 4, the method may include:
步骤S501,密钥管理装置通过区域划分获得多个预设区域。Step S501: The key management device obtains multiple preset areas through area division.
本步骤中获得的多个预设区域包括第一区域。在一种可能的实现方式中,所述区域划分基于以下至少一种方式:基于规则图形或者不规则图形进行区域划分;基于行政区域进行区域划分;基于道路等级进行区域划分;基于道路支持的自动驾驶等级进行区域划分;基于商业区域进行区域划分。具体的区域划分方式可以参照步骤S401,这里不再赘述。The multiple preset areas obtained in this step include the first area. In a possible implementation, the regional division is based on at least one of the following methods: regional division based on regular graphics or irregular graphics; regional division based on administrative regions; regional division based on road grades; automatic Divide areas based on driving level; divide areas based on commercial areas. For the specific area division method, please refer to step S401, which will not be described again here.
步骤S502,密钥管理装置生成对应于第一区域的至少一个密钥。Step S502: The key management device generates at least one key corresponding to the first area.
在本步骤中,密钥管理装置可以生成对应于第一区域的至少一个密钥,这至少一个是为位于第一区域内的密钥使用装置分配的。In this step, the key management device may generate at least one key corresponding to the first area, at least one of which is assigned to the key using device located in the first area.
在一种可能的实现方式中,对应于第一区域的至少一个密钥的数量与以下内容中的至少一项相关:所述第一区域的面积;所述第一区域中密钥使用装置的数量;所述第一区域的等级;所述至少一个密钥的更新频率。In a possible implementation, the number of at least one key corresponding to the first area is related to at least one of the following: the area of the first area; the size of the key using device in the first area. quantity; the level of the first area; the update frequency of the at least one key.
在第一区域的面积较大时,表明第一区域中可能存在较多的密钥使用装置,同一个密钥被过多的密钥使用装置使用的可能性较大,因此可以为第一区域生成较多的密钥,以提高密钥的安全性。在第一区域的面积较小时,表明第一区域中可能存在较少的密钥使用装置,同一个密钥被过多的密钥使用装置使用的可能性较小,因此可以为第一区域生成较少的密钥,以节省密钥资源及通信开销。When the area of the first area is large, it indicates that there may be more key using devices in the first area, and the same key is more likely to be used by too many key using devices, so it can be the first area. Generate more keys to increase key security. When the area of the first area is small, it indicates that there may be fewer key using devices in the first area, and the same key is less likely to be used by too many key using devices, so it can be generated for the first area. Fewer keys to save key resources and communication overhead.
在第一区域中密钥使用装置的数量较多时,同一个密钥被过多的密钥使用装置使用的可能性较大,因此可以为第一区域生成较多的密钥,以提高密钥的安全性。在第一区域中密钥使用装置的数量较少时,同一个密钥被过多的密钥使用装置使用的可能性较小,因此可以为第一区域生成较少的密钥,以节省密钥资源及通信开销。When there are a large number of key using devices in the first area, the same key is more likely to be used by too many key using devices. Therefore, more keys can be generated for the first area to improve the key quality. security. When the number of key using devices in the first area is small, the same key is less likely to be used by too many key using devices, so fewer keys can be generated for the first area to save passwords. Key resources and communication overhead.
在第一区域的等级较高时,例如第一区域为省、市、国道、自动驾驶(L4)或者无人驾驶(L5)或者客流量较大的商业区时,表明第一区域中可能存在较多的密钥使用装置,同一个密钥被过多的密钥使用装置使用的可能性较大,因此可以为第一区域生成较多的密钥,以提高密钥的安全性。在第一区域的等级较低时,例如第一区域为县、街道、省道、驾驶自动化(L1)、辅助驾驶(L2)或者客流量较小的商业区时,表明第一区域中可能存在较少的密钥使用装置,同一个密钥被过多的密钥使用装置使用的可能性较小,因此可以为第一区域生成较少的密钥,以节省密钥资源及通信开销。When the level of the first area is relatively high, for example, when the first area is a provincial, municipal, national highway, autonomous driving (L4) or unmanned driving (L5), or a commercial area with a large passenger flow, it indicates that there may be There are more key using devices, and the same key is more likely to be used by too many key using devices. Therefore, more keys can be generated for the first area to improve the security of the key. When the level of the first area is low, for example, when the first area is a county, street, provincial highway, driving automation (L1), assisted driving (L2) or a commercial area with small passenger flow, it indicates that there may be With fewer key using devices, the same key is less likely to be used by too many key using devices. Therefore, fewer keys can be generated for the first area to save key resources and communication overhead.
需要说明的是,以上仅为影响对应于第一区域的至少一个密钥的数量示例性因素,并不应用限制影响密钥数量的因素,密钥的数量还可以与其他因素相关,本申请实施例对此不做限制。例如,密钥的数量也可以由用户自定义设置和修改,也可以设置为一个固定不变的值。It should be noted that the above are only exemplary factors that affect the number of at least one key corresponding to the first area, and do not apply to limit the factors that affect the number of keys. The number of keys can also be related to other factors. This application implements There is no restriction on this. For example, the number of keys can also be set and modified by the user, or it can be set to a fixed value.
另外,对应于第一区域的至少一个密钥的数量较多时,表明第一区域内密钥使用装置的数量可能较多,同一个密钥被过多的密钥使用装置使用的可能性较大,因此可以提高至少一个密钥的更新频率,以提高密钥的安全性。对应于第一区域的至少一个密钥的数量较少时,表明第一区域中可能存在较少的密钥使用装置,同一个密钥被过多的密钥使用装置使用的可能性较小,因此可以降低至少一个密钥的更新频率,以节计算资源。In addition, when the number of at least one key corresponding to the first area is large, it indicates that the number of key using devices in the first area may be large, and the same key is more likely to be used by too many key using devices. , so the update frequency of at least one key can be increased to improve the security of the key. When the number of at least one key corresponding to the first area is small, it indicates that there may be fewer key using devices in the first area, and the same key is less likely to be used by too many key using devices, Therefore, the update frequency of at least one key can be reduced to save computing resources.
在本申请实施例中,通过灵活调整密钥数量和密钥更新频率,可以降低密钥使用次数和使用时长,增强密钥安全性。In the embodiment of this application, by flexibly adjusting the number of keys and the key update frequency, the number and duration of key usage can be reduced, and key security can be enhanced.
在一种可能的实现方式中,对应于第一区域的至少一个密钥的数量可以是固定的,也可以是动态变化的。在一个示例中,对应于第一区域的至少一个密钥的数量可以是基于第一区域的面积确定的,这样在第一区域的面积固定不变的情况下,对应于第一区域的至少一个密钥的数量也就不变。在又一示例中,对应于第一区域的至少一个密钥的数量可以是基于第一区域中密钥使用装置的数量确定的,由于第一区域中密钥使用装置的数量是变化的,因此对应于第一区域的至少一个密钥的数量也会相应发生变化,例如密钥使用装置的数量增多则密钥数量相应增加,密钥使用装置的数量减少则密钥数量相应减少。In a possible implementation, the number of at least one key corresponding to the first area may be fixed or dynamically changed. In one example, the number of at least one key corresponding to the first area may be determined based on the area of the first area, such that when the area of the first area is fixed, the number of at least one key corresponding to the first area The number of keys remains unchanged. In yet another example, the number of at least one key corresponding to the first area may be determined based on the number of key using devices in the first area. Since the number of key using devices in the first area changes, therefore The number of at least one key corresponding to the first area will also change accordingly. For example, if the number of key using devices increases, the number of keys will increase accordingly, and if the number of key using devices decreases, the number of keys will decrease accordingly.
步骤S503,密钥使用装置确定密钥使用装置的位置,所述位置位于所述第一区域中。Step S503: The key using device determines the location of the key using device, and the location is located in the first area.
步骤S504,密钥使用装置向密钥管理装置发送用于指示所述位置的位置信息。Step S504: The key usage device sends location information indicating the location to the key management device.
其中,位置信息可以为第一区域的标识信息,或者密钥使用装置的地理坐标信息。The location information may be identification information of the first area or geographical coordinate information of the key using device.
步骤S505,密钥管理装置基于所述位置信息,将对应于所述第一区域的至少一个密钥分配给所述密钥使用装置使用。Step S505: The key management device allocates at least one key corresponding to the first area to the key using device based on the location information.
在一种可能的实现方式中,所述位置信息为第一区域的标识信息。密钥使用装置可以先根据位置和预设的区域划分方式确定第一区域,然后向密钥管理装置发送第一区域的标识信息。密钥管理装置可以基于标识信息,查找到对应于第一区域的至少一个密钥,并将查找到的至少一个密钥分配给密钥使用装置使用。In a possible implementation, the location information is identification information of the first area. The key using device may first determine the first area based on the location and a preset area division method, and then send the identification information of the first area to the key management device. The key management device may find at least one key corresponding to the first area based on the identification information, and allocate the found at least one key to the key using device for use.
在一个示例中,标识信息可以为编号、名称或者代码等,对此本申请实施例不做限制。In one example, the identification information may be a number, a name, a code, etc., which is not limited by the embodiment of the present application.
在本申请实施例中,由密钥使用装置计算标识信息,可以有效降低密钥管理装置的工作量。In the embodiment of the present application, the key usage device calculates the identification information, which can effectively reduce the workload of the key management device.
在一种可能的实现方式中,所述位置信息为密钥使用装置的地理坐标信息。密钥使用装置可以向密钥管理装置发送密钥使用装置的地理坐标信息。密钥管理装置可以根据第一坐标信息和预设的区域划分方式确定第一区域,然后将对应于第一区域的至少一个密钥分配给所述密钥使用装置使用。In a possible implementation, the location information is the geographical coordinate information of the key using device. The key using device may send the geographical coordinate information of the key using device to the key management device. The key management device may determine the first area according to the first coordinate information and a preset area division method, and then allocate at least one key corresponding to the first area to the key using device for use.
由于密钥管理装置中预设的区域划分方式可能会发生变化,当其发生变化时,密钥使用装置可能由于某些原因(例如网络较差或者业务繁忙等)无法及时更新区域划分方式,从而导致计算出来的标识信息与实际标识信息不符,这种情况下,密钥使用装置获取的到密钥与第一区域不匹配,导致密钥使用装置无法进行正常的V2X通信。而密钥使用装置向密钥管理装置发送地理坐标信息,由密钥管理装置计算标识信息可以避免因预设的区域划分方式改变而造成的密钥使用装置获取到错误密钥的问题。Since the preset area division method in the key management device may change, when it changes, the key using device may not be able to update the area division method in time due to some reasons (such as poor network or busy business, etc.), thus As a result, the calculated identification information does not match the actual identification information. In this case, the key obtained by the key using device does not match the first area, causing the key using device to be unable to perform normal V2X communication. The key using device sends geographical coordinate information to the key management device, and the key management device calculates the identification information, which can avoid the problem of the key using device obtaining the wrong key due to changes in the preset area division method.
步骤S506,密钥使用装置向所述密钥使用装置发送所述至少一个密钥。Step S506: The key using device sends the at least one key to the key using device.
步骤S506,密钥使用装置从所述密钥管理装置接收所述至少一个密钥。Step S506: The key using device receives the at least one key from the key management device.
步骤S507,密钥使用装置使用所述至少一个密钥中包括的第一密钥。Step S507: The key using device uses the first key included in the at least one key.
其中,密钥使用装置从至少一个密钥中选择第一密钥的过程以及使用第一密钥的过程可以参照步骤S402和步骤S403,这里不再赘述。The process of selecting the first key from at least one key by the key using device and the process of using the first key can refer to step S402 and step S403, which will not be described again here.
在本申请实施例中,密钥使用装置可以向密钥管理装置申请对应于第一区域的至少一个密钥,进而使用至少一个密钥中的第一密钥,这样将密钥的覆盖范围缩小到了第一区域,在该密钥泄露时,不会对其他区域的安全性造成影响,从而降低因对应于第一区域的密钥泄露而造成的影响,提高了密钥的安全性。In this embodiment of the present application, the key using device can apply to the key management device for at least one key corresponding to the first area, and then use the first key among the at least one key, thus reducing the coverage of the key. In the first area, when the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area and improving the security of the key.
在一种可能的实现方式中,密钥管理装置可以推送密钥。图5示出本申请实施例提供的密钥管理方法的交互流程图。该方法可以应用于图1所示的系统。如图5所示,该方法可以包括:In a possible implementation, the key management device can push the key. Figure 5 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 5, the method may include:
步骤S601,密钥管理装置通过区域划分获得多个预设区域。Step S601: The key management device obtains multiple preset areas through area division.
步骤S602,密钥管理装置生成对应于第一区域的至少一个密钥。Step S602: The key management device generates at least one key corresponding to the first area.
在本申请实施例中,步骤S601和步骤S602可以参照步骤S501和步骤S502,这 里不再赘述。In the embodiment of the present application, step S601 and step S602 may refer to step S501 and step S502, which will not be described again here.
步骤S603,密钥管理装置在第一区域内发送包括所述至少一个密钥的消息。Step S603: The key management device sends a message including the at least one key in the first area.
密钥管理装置可以在第一区域内发送包括多所述至少一个密钥的消息,这样位于第一区域的密钥使用装置都可以获取到对应于第一区域的至少一个密钥。在一个示例中,密钥管理装置可以周期性在第一区域内发送包括所述至少一个密钥的消息。在又一示例中,密钥管理装置可以在检测到有密钥使用装置进入第一区域时向该密钥使用装置发送包括所述至少一个密钥的消息。本申请实施例对密钥管理装置发送包括所述至少一个密钥的消息的时机不做限制。The key management device can send a message including the at least one key in the first area, so that all key using devices located in the first area can obtain at least one key corresponding to the first area. In one example, the key management device may periodically send messages including the at least one key within the first area. In yet another example, the key management device may send a message including the at least one key to the key using device when detecting that a key using device enters the first area. The embodiment of the present application does not limit the timing when the key management device sends a message including the at least one key.
步骤S604,密钥使用装置从密钥管理装置接收包括至少一个密钥的消息。Step S604: The key using device receives a message including at least one key from the key management device.
步骤S605,密钥使用装置确定密钥使用装置的位置,所述位置位于所述第一区域中。Step S605: The key using device determines the location of the key using device, and the location is located in the first area.
步骤S606,密钥使用装置根据所述位置,确定不丢弃所述至少一个密钥。Step S606: The key using device determines not to discard the at least one key according to the location.
在一种可能的实现方式中,若密钥使用装置确定所述位置不是位于所述第一区域,则密钥使用装置可以丢弃所述至少一个密钥。In a possible implementation, if the key using device determines that the location is not located in the first area, the key using device may discard the at least one key.
考虑到位于第一区域以外但是靠近第一区域的密钥使用装置或者刚离开第一区域的密钥使用装置也可能接收到包括对应于第一区域的至少一个密钥的消息。因此,密钥使用装置接收到包括该消息后,可以根据所处位置,确定是否丢弃接收到的至少一个密钥。若密钥使用装置的位置位于第一区域,则密钥使用装置不丢弃对应于第一区域的至少一个密钥,从而使密钥使用装置能够使用对应于第一区域的密钥。若密钥使用装置的位置不是位于第一区域,则密钥使用装置会丢弃对应于第一区域的至少一个密钥,从而密钥使用装置避免误使用对应于第一区域的密钥。It is considered that a key using device located outside the first area but close to the first area or a key using device that has just left the first area may also receive a message including at least one key corresponding to the first area. Therefore, after receiving the message including the message, the key using device can determine whether to discard the at least one received key according to the location. If the key using device is located in the first area, the key using device does not discard at least one key corresponding to the first area, thereby enabling the key using device to use the key corresponding to the first area. If the key using device is not located in the first area, the key using device will discard at least one key corresponding to the first area, so that the key using device avoids misuse of the key corresponding to the first area.
步骤S607,密钥使用装置使用所述至少一个密钥中包括的第一密钥。Step S607: The key using device uses the first key included in the at least one key.
本步骤可以参照步骤S607,这里不再赘述。For this step, please refer to step S607, which will not be described again here.
在本申请实施例中,密钥管理装置可以向第一区域的密钥使用装置发送对应于第一区域的至少一个密钥。这样,一方面将密钥的覆盖范围缩小到了第一区域,在该密钥泄露时,不会对其他区域的安全性造成影响,从而降低因对应于第一区域的密钥泄露而造成的影响,提高了密钥的安全性;另一方面,节省了通信资源。In this embodiment of the present application, the key management device may send at least one key corresponding to the first region to the key usage device in the first region. In this way, on the one hand, the coverage of the key is reduced to the first area. When the key is leaked, it will not affect the security of other areas, thereby reducing the impact caused by the leakage of the key corresponding to the first area. , which improves the security of the key; on the other hand, it saves communication resources.
图6示出本申请实施例提供的密钥管理方法的交互流程图。该方法可以应用于图1所示的系统。如图6所示,该方法可以包括:Figure 6 shows an interactive flow chart of the key management method provided by the embodiment of the present application. This method can be applied to the system shown in Figure 1. As shown in Figure 6, the method may include:
步骤S701,密钥管理装置向密钥使用装置发送第二密钥。Step S701: The key management device sends the second key to the key using device.
在一种可能的实现方式中,密钥管理装置可以在密钥使用装置注册时向密钥使用装置发送第二密钥。这样,只要在密钥管理装置进行注册了密钥使用装置均存储有同样的第二密钥。In a possible implementation, the key management device may send the second key to the key using device when the key using device registers. In this way, as long as the key using device is registered with the key management device, the same second key will be stored therein.
在一种可能的实现方式中,密钥管理装置可以在第二密钥失效或者过期后,向所有已注册的密钥使用装置发送新的第二密钥。这样,通过所有已注册的密钥使用装置可以同步更新第二密钥,可以提升第二密钥的安全性。In a possible implementation, the key management device may send a new second key to all registered key using devices after the second key becomes invalid or expires. In this way, the second key can be updated synchronously through all registered key using devices, thereby improving the security of the second key.
步骤S702,密钥使用装置接收所述第二密钥。Step S702: The key using device receives the second key.
步骤S703,密钥使用装置在满足第二预设条件的情况下,使用所述第二密钥。Step S703: The key using device uses the second key if the second preset condition is met.
其中,所述第二预设条件包括以下情况中的至少一种:所述密钥使用装置位于过 渡区域;所述密钥使用装置位于特定区域;所述密钥使用装置未获取到所述至少一个密钥;所述至少一个密钥过期且更新失败;所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;所述密钥使用装置无法与密钥管理装置进行通信。Wherein, the second preset condition includes at least one of the following situations: the key using device is located in a transition area; the key using device is located in a specific area; the key using device does not obtain the at least one One key; the at least one key has expired and failed to be updated; the key using device cannot successfully decrypt the received data using the at least one key; the key using device cannot communicate with the key management device communication.
其中,第二密钥的使用方式可以参照第一密钥的使用方式,这里不再赘述。The method of using the second key may refer to the method of using the first key, which will not be described again here.
在一种可能的实现方式中,密钥管理装置通过区域划分获得的多个预设区域中可以包括过渡区域。其中,过渡区域可以表示所述多个预设区域中能够连接任意一个其他预设区域的预设区域。密钥使用装置的位置位于过渡区域的情况下,可以使用第二密钥。这样,可以避免密钥使用装置频繁跨区造成的密钥频繁更新的问题。In a possible implementation, the multiple preset areas obtained by the key management device through area division may include transition areas. The transition area may represent a preset area among the plurality of preset areas that can be connected to any other preset area. When the key using device is located in a transition area, the second key can be used. In this way, the problem of frequent key updates caused by the key using device frequently crossing regions can be avoided.
图7示出本申请实施例提供的区域划分示意图。如图7所示,通过区域划分得到了10个预设区域,分别为第0个预设区域、第1个预设区域、……和第8个预设区域,以及过渡区域。其中,过渡区域能够连接第0个预设区域、第1个预设区域、……和第8个预设区域中的任意一个预设区域。Figure 7 shows a schematic diagram of area division provided by the embodiment of the present application. As shown in Figure 7, 10 preset areas are obtained through area division, which are the 0th preset area, the 1st preset area,... and the 8th preset area, as well as the transition area. Among them, the transition area can connect any one of the 0th preset area, the 1st preset area, ... and the 8th preset area.
在一个示例中,可以首先通过公式一进行区域划分,得到每个预设区域的标识信息。然后,在此划分结果的基础上,设置两个相邻的预设区域之间的边界区域为过渡区域,各个边界区域可以组成最终的过渡区域。在通过公式一划分的预设区域为正方形,且经度方向相邻预设区域之间的距离和维度方向相邻预设区域之间的距离相同的情况下,满足公式二中任意一个条件的位置(x,y)位于过渡区域。In one example, the area can be divided first through Formula 1 to obtain the identification information of each preset area. Then, based on the division result, the boundary area between two adjacent preset areas is set as a transition area, and each boundary area can constitute the final transition area. When the preset area divided by Formula 1 is a square, and the distance between adjacent preset areas in the longitude direction and the distance between adjacent preset areas in the latitudinal direction are the same, the location that satisfies any one of the conditions in Formula 2 (x, y) is located in the transition region.
Figure PCTCN2022119399-appb-000002
Figure PCTCN2022119399-appb-000002
其中,M的取值与L相同,Z的取值为过渡区域长度的一半,N的取值为M与Z的差值。假设通过公式一进行区域划分得到的每个预设区域的长度和宽度均为500公里,过渡区域的长度和宽度均为200公里。也就是说,L的取值为500,过渡区域的长度为200,则M的取值为500,Z的取值为200/2=100,N的取值为500-100=400。在x大于400且小于600的情况下,该位置位于过渡区域。在y大于400且小于600的情况下,该位置位于过渡区域。Among them, the value of M is the same as L, the value of Z is half the length of the transition region, and the value of N is the difference between M and Z. Assume that the length and width of each preset area obtained by regional division through formula 1 are both 500 kilometers, and the length and width of the transition area are both 200 kilometers. That is to say, the value of L is 500, the length of the transition area is 200, then the value of M is 500, the value of Z is 200/2=100, and the value of N is 500-100=400. In the case where x is greater than 400 and less than 600, the position is in the transition area. In the case where y is greater than 400 and less than 600, the position is in the transition region.
需要说明的是,以上仅为示例性的确定过渡区域的方式,并不用于限制确定过渡区域的方式,本申请实施例中还可以采用其他方式确定过渡区域。It should be noted that the above are only exemplary ways of determining the transition area and are not used to limit the ways of determining the transition area. In the embodiments of the present application, other ways can also be used to determine the transition area.
在一种可能的实现方式中,密钥管理装置可以划定一个特定区域,该特定区域可以为通信状况较差的区域(即密钥管理装置与该区域内的密钥使用装置之间通信容易发生中断甚至无法连接)或业务繁忙的区域(即该区域中密钥使用装置需要频繁使用密钥)。密钥使用装置位于该特定区域时,可以使用第二密钥。这样,密钥使用装置确定位置位于特定区域时,可以省去对位置是否位于第一区域进行判断的过程,直接使用第二密钥。这样,可以节省计算资源。特别是,特定区域为通信状况较差的区域时,不需要密钥使用装置反复向密钥管理装置发送位置信息以获取与第一区域对应的至少一个密钥,节省了大量的通信资源。In a possible implementation, the key management device can demarcate a specific area, and the specific area can be an area with poor communication conditions (that is, it is easy to communicate between the key management device and the key using devices in the area). Interruption occurs or even failure to connect) or busy business areas (that is, key-using devices in this area need to use keys frequently). The second key can be used when the key-using device is located in that specific area. In this way, when the key using device determines that the location is located in a specific area, the process of determining whether the location is located in the first area can be omitted and the second key can be used directly. In this way, computing resources can be saved. Especially when the specific area is an area with poor communication conditions, there is no need for the key using device to repeatedly send location information to the key management device to obtain at least one key corresponding to the first area, thus saving a large amount of communication resources.
在一个示例中,特定区域可以与密钥使用装置通过区域划分获得的多个预设区域重叠。此时,密钥使用装置可以优先使用第二密钥。图8示出本申请实施例中特定区 域的划分示意图。如图7所示,特定区域与第0个预设区域以及第3个预设区域发生了重叠。,若密钥使用装置既位于特定区域又位于第0个预设区域,则密钥使用装置可以优先使用第二密钥。In one example, the specific area may overlap with multiple preset areas obtained by the key using device through area division. At this time, the key using device may preferentially use the second key. Figure 8 shows a schematic diagram of the division of specific areas in the embodiment of the present application. As shown in Figure 7, the specific area overlaps with the 0th preset area and the 3rd preset area. , if the key using device is located in both the specific area and the 0th preset area, the key using device can preferentially use the second key.
在一种可能的实现方式中,密钥使用装置可以在未获取到与第一区域对应的至少一个密钥的情况下,使用第二密钥。密钥管理装置未获取到与第一区域对应的至少一个密钥可能是因为通信状况较差造成的,此时若一直等待至少一个密钥,则可能耽误业务信息的发送,为了降低对业务信息的影响,可以使用第二密钥。In a possible implementation, the key using device may use the second key without obtaining at least one key corresponding to the first area. The failure of the key management device to obtain at least one key corresponding to the first area may be due to poor communication conditions. At this time, if it waits for at least one key, the sending of service information may be delayed. In order to reduce the need for service information The effect is that a second key can be used.
在一种可能的实现方式中,密钥使用装置在使用当前已有的密钥均无法对接收到的数据成功进行解密的情况下,可以尝试使用第二密钥。因为这一情况可能是发送方位于过渡区域、特定区域或者无法获取到至少一个密钥而造成的。这样,可以降低对业务信息的影响。In a possible implementation, the key using device may try to use the second key when the received data cannot be successfully decrypted using currently existing keys. Because this situation may be caused by the sender being located in a transition area, a specific area, or unable to obtain at least one key. In this way, the impact on business information can be reduced.
在一种可能的实现方式中,密钥使用装置可以在无法与密钥管理装置进行通信的情况下,使用第二密钥。密钥使用装置无法与密钥管理装置进行通信,可能导致密钥使用装置无法获取对应于第一区域的至少一个密钥或者无法及时更新对应于第一区域的至少一个密钥。此时,密钥使用装置使用第二密钥,可以提高接收端解密成功的概率,降低因与密钥管理装置的通信状况较差而造成的对业务信息的影响。In a possible implementation, the key using device may use the second key when it is unable to communicate with the key management device. The key using device cannot communicate with the key management device, which may cause the key using device to be unable to obtain at least one key corresponding to the first area or to update at least one key corresponding to the first area in a timely manner. At this time, the key using device uses the second key, which can increase the probability of successful decryption by the receiving end and reduce the impact on the business information caused by poor communication conditions with the key management device.
在本申请实施例中,通过设置第二密钥作为备用密钥或者应急密钥,可以避免因密钥获取不及时或者更新不及时造成的业务中断。In this embodiment of the present application, by setting the second key as a backup key or emergency key, service interruption caused by untimely key acquisition or untimely update can be avoided.
在一种可能的实现方式中,密钥使用装置在密钥管理装置上进行注册时,密钥管理装置可以向密钥使用装置发送第三密钥信息。In a possible implementation, when the key using device registers on the key management device, the key management device may send the third key information to the key using device.
其中,第三密钥信息可以用于对后续密钥管理装置向密钥使用装置发送的消息进行解密。也就是说,密钥使用装置可以使用第三密钥信息对后续从密钥管理装置接收到的消息进行解密。在一个示例中,第三密钥信息可以为密钥本身(记为:第三密钥),也可以为用于生成第三密钥的参数,对此本申请实施例不做限制。The third key information may be used to decrypt subsequent messages sent by the key management device to the key usage device. That is to say, the key using device can use the third key information to decrypt subsequent messages received from the key management device. In one example, the third key information may be the key itself (recorded as: third key), or may be a parameter used to generate the third key, which is not limited in this embodiment of the present application.
例如,第三密钥信息可以用于对来自于所述密钥管理装置且包括对应于第一区域的至少一个密钥的消息进行解密,以获取到对应于第一区域的至少一个密钥。又如,第三密钥信息可以用于对来自于所述密钥管理装置且包括第二密钥的消息进行解密,以获取到第二密钥。这样,对于未在密钥管理装置进行注册的密钥管理装置而言,其即使接收到了来自密钥管理装置且包括对应于第一区域的至少一个密钥的消息或者包括第二密钥的消息,也无法对接收到的消息成功进行解密,也就无法获得对应于第一区域的至少一个密钥以及第二密钥,从而提高了密钥的安全性。通过这种方式,可以为注册用户(例如付费注册用户)提供密钥保护服务。For example, the third key information may be used to decrypt a message from the key management device and including at least one key corresponding to the first area, so as to obtain at least one key corresponding to the first area. For another example, the third key information can be used to decrypt a message from the key management device and including the second key, so as to obtain the second key. In this way, for a key management device that is not registered with the key management device, even if it receives a message from the key management device that includes at least one key corresponding to the first area or a message that includes the second key. , the received message cannot be decrypted successfully, and at least one key and the second key corresponding to the first area cannot be obtained, thereby improving the security of the key. In this way, key protection services can be provided to registered users (such as paid registered users).
图9示出本申请实施例提供的密钥使用装置的框图。如图9所示,所述装置800可以包括:Figure 9 shows a block diagram of a key usage device provided by an embodiment of the present application. As shown in Figure 9, the device 800 may include:
第一确定模块801,用于确定所述密钥使用装置的位置;The first determination module 801 is used to determine the location of the key using device;
第一获取模块802,用于根据所述位置,获取至少一个密钥,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的,所述位置位于所述第一区域中,所述至少一个密钥包括第一密钥;The first acquisition module 802 is configured to acquire at least one key according to the location. The at least one key is allocated to a key using device located in the first area, and the location is located in the first area. , the at least one key includes a first key;
第一使用模块803,用于使用所述第一密钥。The first use module 803 is used to use the first key.
在一种可能的实现方式中,所述第一获取模块还用于:In a possible implementation, the first acquisition module is also used to:
向密钥管理装置发送用于指示所述位置的位置信息;sending location information indicating the location to the key management device;
从所述密钥管理装置接收响应于所述位置信息的所述至少一个密钥。The at least one key responsive to the location information is received from the key management device.
在一种可能的实现方式中,In one possible implementation,
所述位置信息为所述第一区域的标识信息;The location information is the identification information of the first area;
所述第一获取模块还用于:The first acquisition module is also used to:
根据所述位置和预设的区域划分方式,确定所述第一区域。The first area is determined according to the location and a preset area division method.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第一接收模块,用于从密钥管理装置接收包括所述至少一个密钥的消息;A first receiving module configured to receive a message including the at least one key from the key management device;
所述第一获取模块还用于:The first acquisition module is also used to:
根据所述位置,确定不丢弃所述至少一个密钥。Based on the location, it is determined not to discard the at least one key.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第一选择模块,用于从所述多个密钥中选择所述第一密钥;A first selection module, configured to select the first key from the plurality of keys;
所述第一使用模块还用于使用所述第一密钥作为加密密钥。The first using module is also configured to use the first key as an encryption key.
在一种可能的实现方式中,所述选择为随机选择、加权随机选择或轮换选择。In a possible implementation, the selection is random selection, weighted random selection or rotating selection.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第二接收模块,用于从第一设备接收密文,所述密文是根据所述第一密钥加密的;a second receiving module, configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key;
第二获取模块,用于获取密钥参数,所述密钥参数指示所述第一密钥;a second acquisition module, configured to acquire key parameters, where the key parameters indicate the first key;
所述第一使用模块还用于:The first usage module is also used for:
根据所述密钥参数,从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。According to the key parameter, the first key is selected from the plurality of keys as the decryption key of the ciphertext.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第三接收模块,用于从第一设备接收密文,所述密文是根据所述第一密钥加密的;A third receiving module, configured to receive ciphertext from the first device, where the ciphertext is encrypted according to the first key;
遍历模块,用于通过遍历使用所述多个密钥对所述密文进行解密,确定所述第一密钥能够成功解密所述密文;A traversal module, configured to decrypt the ciphertext using the plurality of keys through traversal, and determine that the first key can successfully decrypt the ciphertext;
所述第一使用模块还用于:The first usage module is also used for:
从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。The first key is selected from the plurality of keys as the decryption key of the ciphertext.
在一种可能的实现方式中,所述第一区域是基于以下至少一种方式划分得到的:In a possible implementation, the first area is divided based on at least one of the following methods:
基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
基于行政区域进行区域划分;Regional division based on administrative regions;
基于道路等级进行区域划分;Zoning based on road grade;
基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
基于商业区域进行区域划分。Zoning based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述第一获取模块还用于:In a possible implementation, the first acquisition module is also used to:
在满足第一预设条件的情况下,根据所述位置,获取所述至少一个密钥,其中,所述第一预设条件包括以下情况中的至少一种:When a first preset condition is met, the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations:
所述密钥使用装置在密钥管理装置进行注册;The key using device is registered with the key management device;
所述密钥使用装置所处的区域发生变化;The area where the key using device is located changes;
当前保存的密钥过期;The currently saved key expires;
当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current moment and the last time the key was obtained reaches the first update threshold;
使用当前保存的密钥无法对接收到的数据成功解密。The received data could not be successfully decrypted using the currently saved key.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第三获取模块,用于获取预设的第二密钥;The third acquisition module is used to acquire the preset second key;
第二使用模块,用于在满足第二预设条件的情况下,使用所述第二密钥;。The second use module is used to use the second key when the second preset condition is met;.
其中,所述第二预设条件包括以下情况中的至少一种:Wherein, the second preset condition includes at least one of the following situations:
所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;The key using device cannot successfully decrypt the received data using the at least one key;
所述密钥使用装置无法与密钥管理装置进行通信。The key using device cannot communicate with the key management device.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:In a possible implementation, the number of the at least one key is related to at least one of the following:
所述第一区域的面积;The area of the first region;
所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
所述第一区域的等级;The level of the first area;
所述至少一个密钥的更新频率。The update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第四获取模块,用于在密钥管理装置上进行注册时,从所述密钥管理装置获取第三密钥信息,所述第三密钥信息用于对后续从所述密钥管理装置接收到的消息进行解密。The fourth acquisition module is used to obtain third key information from the key management device when registering on the key management device. The third key information is used for subsequent reception from the key management device. The incoming message is decrypted.
图10示出本申请实施例提供的密钥管理装置的框图。如图10所示,所述装置900可以包括:Figure 10 shows a block diagram of a key management device provided by an embodiment of the present application. As shown in Figure 10, the device 900 may include:
划分模块901,用于通过区域划分获得多个预设区域,所述多个预设区域包括第一区域; Division module 901, configured to obtain multiple preset areas through area division, where the multiple preset areas include the first area;
第一生成模块902,用于生成对应于所述第一区域的至少一个密钥;A first generation module 902, configured to generate at least one key corresponding to the first area;
第一发送模块903,用于向所述第一区域内的密钥使用装置发送所述至少一个密钥。The first sending module 903 is configured to send the at least one key to the key using device in the first area.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第一接收模块,用于从所述密钥使用装置接收用于指示所述密钥使用装置的位置的位置信息;A first receiving module configured to receive location information indicating the location of the key using device from the key using device;
第一分配模块,用于基于所述位置信息,将所述至少一个密钥分配给所述密钥使用装置使用。A first allocation module, configured to allocate the at least one key to the key using device based on the location information.
在一种可能的实现方式中,所述位置信息为所述第一区域的标识信息或者所述密 钥使用装置的地理坐标信息。In a possible implementation, the location information is identification information of the first area or geographical coordinate information of the key using device.
在一种可能的实现方式中,所述第一发送模块还用于:In a possible implementation, the first sending module is also used to:
在所述第一区域范围内发送包括所述至少一个密钥的消息。A message including the at least one key is sent within the first area.
在一种可能的实现方式中,所述至少一个密钥为多个密钥,所述装置还包括:In a possible implementation, the at least one key is multiple keys, and the device further includes:
第二发送模块,用于向所述密钥使用装置发送与所述多个密钥相对应的多个密钥参数。The second sending module is configured to send a plurality of key parameters corresponding to the plurality of keys to the key using device.
在一种可能的实现方式中,所述区域划分基于以下至少一种方式:In a possible implementation, the area division is based on at least one of the following ways:
基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
基于行政区域进行区域划分;Regional division based on administrative regions;
基于道路等级进行区域划分;Zoning based on road grade;
基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
基于商业区域进行区域划分。Zoning based on commercial areas.
在一种可能的实现方式中,所述第一区域的边界是被动态设置的。In a possible implementation, the boundary of the first area is dynamically set.
在一种可能的实现方式中,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥是通过以下至少一项触发的:In a possible implementation, the sending of the at least one key to the key usage device in the first area is triggered by at least one of the following:
所述密钥使用装置在所述密钥管理装置进行注册;The key usage device is registered with the key management device;
所述密钥使用装置由所述第一区域以外的区域进入所述第一区域;The key using device enters the first area from an area other than the first area;
当前对应于所述第一区域的密钥过期;The key currently corresponding to the first area expires;
当前时刻与上一次向所述密钥使用装置发送密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold;
所述密钥使用装置请求更新对应于所述第一区域的密钥。The key using device requests an update of the key corresponding to the first area.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the device further includes:
第三发送模块,用于向所述密钥使用装置发送第二密钥,所述第二密钥用于所述密钥使用装置在以下情况中的至少一种使用:A third sending module, configured to send a second key to the key using device, where the second key is used by the key using device in at least one of the following situations:
所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;The key using device cannot successfully decrypt the received data using the at least one key;
所述密钥使用装置无法与密钥管理装置进行通信。The key using device cannot communicate with the key management device.
在一种可能的实现方式中,所述至少一个密钥的数量与以下内容中的至少一项相关:In a possible implementation, the number of the at least one key is related to at least one of the following:
所述第一区域的面积;The area of the first region;
所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
所述第一区域的等级;The level of the first area;
所述至少一个密钥的更新频率。The update frequency of the at least one key.
在一种可能的实现方式中,所述至少一个密钥的数量是固定的或者是动态变化的。In a possible implementation, the number of at least one key is fixed or dynamically changed.
在一种可能的实现方式中,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。In a possible implementation, the at least one key is used for geographical location information, vehicle driving information or service content information.
第四发送模块,用于在所述密钥使用装置注册时,向所述密钥使用装置发送第三密钥信息,所述第三密钥信息用于对后续所述密钥管理装置向所述密钥使用装置发送的消息进行解密。The fourth sending module is configured to send third key information to the key using device when the key using device is registered. The third key information is used to subsequently send the key information to the key using device. The key is used to decrypt the message sent by the device.
图11示出本申请实施例提供的电子设备的结构示意图。该电子设备可以为密钥使用装置也可以我密钥管理装置。该电子设备可以部署在车辆、RSU等终端设备中,也可以部署在云端服务器中。Figure 11 shows a schematic structural diagram of an electronic device provided by an embodiment of the present application. The electronic device may be a key usage device or a key management device. The electronic device can be deployed in terminal devices such as vehicles and RSUs, or in cloud servers.
如图11所示,测试装置可以包括至少一个处理器301,存储器302、输入输出设备303以及总线304。下面结合图11对测试装置的各个构成部件进行具体的介绍:As shown in Figure 11, the test device may include at least one processor 301, a memory 302, an input and output device 303 and a bus 304. The following is a detailed introduction to each component of the test device in conjunction with Figure 11:
处理器301是测试装置的控制中心,可以是一个处理器,也可以是多个处理元件的统称。例如,处理器301是一个中央处理器(Central Processing Unit,CPU),也可以是特定集成电路(Application Specific Integrated Circuit,ASIC),或者是被配置成实施本公开实施例的一个或多个集成电路,例如:一个或多个微处理器(Digital Signal Processor,DSP),或,一个或者多个现场可编程门阵列(Field Programmable Gate Array,FPGA)。The processor 301 is the control center of the test device, and may be a processor or a collective name for multiple processing elements. For example, the processor 301 is a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present disclosure. , for example: one or more microprocessors (Digital Signal Processor, DSP), or one or more Field Programmable Gate Array (Field Programmable Gate Array, FPGA).
其中,处理器301可以通过运行或执行存储在存储器302内的软件程序,以及调用存储在存储器302内的数据,执行测试装置的各种功能。The processor 301 can execute various functions of the test device by running or executing software programs stored in the memory 302 and calling data stored in the memory 302 .
在具体的实现中,作为一种实施例,处理器301可以包括一个或多个CPU,例如图中所示的CPU 0和CPU 1。In a specific implementation, as an embodiment, the processor 301 may include one or more CPUs, such as CPU 0 and CPU 1 shown in the figure.
在具体实现中,作为一种实施例,测试装置可以包括多个处理器,例如图11中所示的处理器301和处理器305。这些处理器中的每一个可以是一个单核处理器(single-CPU),也可以是一个多核处理器(multi-CPU)。这里的处理器可以指一个或多个设备、电路、和/或用于处理数据(例如计算机程序指令)的处理核。In specific implementation, as an embodiment, the test device may include multiple processors, such as the processor 301 and the processor 305 shown in FIG. 11 . Each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
存储器302可以是只读存储器(Read-Only Memory,ROM)或可存储静态信息和指令的其他类型的静态存储设备,随机存取存储器(Random Access Memory,RAM)或者可存储信息和指令的其他类型的动态存储设备,也可以是电可擦可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,EEPROM)、只读光盘(Compact Disc Read-Only Memory,CD-ROM)或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。存储器302可以是独立存在,通过总线304与处理器301相连接。存储器302也可以和处理器301集成在一起。The memory 302 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (Random Access Memory, RAM) or other types that can store information and instructions. Dynamic storage device, it can also be Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, optical disk storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other medium for access, but not limited to this. The memory 302 may exist independently and be connected to the processor 301 through a bus 304. The memory 302 may also be integrated with the processor 301.
输入输出设备303,用于与其他设备或通信网络通信。如用于与以太网,无线接入网(Radio access network,RAN),无线局域网(Wireless Local Area Networks,WLAN)等通信网络通信。输入输出设备303可以包括基带处理器的全部或部分,以及还可选择性地包括无线射频(Radio Frequency,RF)处理器。RF处理器用于收发RF信号,基带处理器则用于实现由RF信号转换的基带信号或即将转换为RF信号的基带信号的处理。Input and output device 303, used to communicate with other devices or communication networks. Such as used to communicate with Ethernet, Radio access network (Radio access network, RAN), Wireless Local Area Networks (Wireless Local Area Networks, WLAN) and other communication networks. The input and output device 303 may include all or part of a baseband processor, and may also optionally include a radio frequency (Radio Frequency, RF) processor. The RF processor is used to send and receive RF signals, and the baseband processor is used to implement the processing of the baseband signal converted from the RF signal or the baseband signal to be converted into an RF signal.
在具体实现中,作为一种实施例,输入输出设备303可以包括发射器和接收器。其中,发射器用于向其他设备或通信网络发送信号,接收器用于接收其他设备或通信 网络发送的信号。发射器和接收器可以独立存在,也可以集成在一起。In specific implementation, as an example, the input and output device 303 may include a transmitter and a receiver. Among them, the transmitter is used to send signals to other devices or communication networks, and the receiver is used to receive signals sent by other devices or communication networks. The transmitter and receiver can exist independently or integrated together.
总线304,可以是工业标准体系结构(Industry Standard Architecture,ISA)总线、外部设备互连(Peripheral Component Interconnect,PCI)总线或扩展工业标准体系结构(Extended Industry Standard Architecture,EISA)总线等。该总线可以分为地址总线、数据总线、控制总线等。为便于表示,图11中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The bus 304 may be an Industry Standard Architecture (Industry Standard Architecture, ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 11, but it does not mean that there is only one bus or one type of bus.
图11中示出的设备结构并不构成对测试装置的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。The equipment structure shown in Figure 11 does not constitute a limitation of the test device, and may include more or less components than shown, or combine certain components, or arrange different components.
本申请实施例还提供了一种密钥使用装置,包括:处理器以及用于存储处理器可执行指令的存储器;其中,所述处理器被配置为执行所述指令时实现上述方法。An embodiment of the present application also provides a key usage device, including: a processor and a memory used to store instructions executable by the processor; wherein the processor is configured to implement the above method when executing the instructions.
本申请实施例还提供了一种密钥管理装置,包括:处理器以及用于存储处理器可执行指令的存储器;其中,所述处理器被配置为执行所述指令时实现上述方法。An embodiment of the present application also provides a key management device, including: a processor and a memory used to store instructions executable by the processor; wherein the processor is configured to implement the above method when executing the instructions.
本申请实施例还提供了一种密钥管理系统,包括上述密钥使用装置和上述密钥管理装置。An embodiment of the present application also provides a key management system, including the above-mentioned key usage device and the above-mentioned key management device.
本申请实施例还提供了一种车辆,包括上述密钥使用装置和/或上述密钥管理装置。An embodiment of the present application also provides a vehicle, including the above key usage device and/or the above key management device.
本申请实施例还提供了种非易失性计算机可读存储介质,其上存储有计算机程序指令,所述计算机程序指令被处理器执行时实现上述方法。Embodiments of the present application also provide a non-volatile computer-readable storage medium on which computer program instructions are stored. When the computer program instructions are executed by a processor, the above method is implemented.
本申请的实施例提供了一种计算机程序产品,包括计算机可读代码,或者承载有计算机可读代码的非易失性计算机可读存储介质,当所述计算机可读代码在电子设备的处理器中运行时,所述电子设备中的处理器执行上述方法。Embodiments of the present application provide a computer program product, including computer readable code, or a non-volatile computer readable storage medium carrying the computer readable code, when the computer readable code is stored in a processor of an electronic device When running, the processor in the electronic device executes the above method.
计算机可读存储介质可以是可以保持和存储由指令执行设备使用的指令的有形设备。计算机可读存储介质例如可以是(但不限于)电存储设备、磁存储设备、光存储设备、电磁存储设备、半导体存储设备或者上述的任意合适的组合。计算机可读存储介质的更具体的例子(非穷举的列表)包括:便携式计算机盘、硬盘、随机存取存储器(Random Access Memory,RAM)、只读存储器(Read Only Memory,ROM)、可擦式可编程只读存储器(Electrically Programmable Read-Only-Memory,EPROM或闪存)、静态随机存取存储器(Static Random-Access Memory,SRAM)、便携式压缩盘只读存储器(Compact Disc Read-Only Memory,CD-ROM)、数字多功能盘(Digital Video Disc,DVD)、记忆棒、软盘、机械编码设备、例如其上存储有指令的打孔卡或凹槽内凸起结构、以及上述的任意合适的组合。Computer-readable storage media may be tangible devices that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the above. More specific examples (non-exhaustive list) of computer-readable storage media include: portable computer disks, hard drives, random access memory (RAM), read only memory (ROM), erasable memory Electrically Programmable Read-Only-Memory (EPROM or Flash Memory), Static Random-Access Memory (SRAM), Portable Compact Disc Read-Only Memory (CD) -ROM), Digital Video Disc (DVD), memory stick, floppy disk, mechanical encoding device, such as a punched card or a raised structure in a groove with instructions stored thereon, and any suitable combination of the above .
这里所描述的计算机可读程序指令或代码可以从计算机可读存储介质下载到各个计算/处理设备,或者通过网络、例如因特网、局域网、广域网和/或无线网下载到外部计算机或外部存储设备。网络可以包括铜传输电缆、光纤传输、无线传输、路由器、防火墙、交换机、网关计算机和/或边缘服务器。每个计算/处理设备中的网络适配卡或者网络接口从网络接收计算机可读程序指令,并转发该计算机可读程序指令,以供存储在各个计算/处理设备中的计算机可读存储介质中。Computer-readable program instructions or code described herein may be downloaded from a computer-readable storage medium to various computing/processing devices, or to an external computer or external storage device over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage on a computer-readable storage medium in the respective computing/processing device .
用于执行本申请操作的计算机程序指令可以是汇编指令、指令集架构(Instruction Set Architecture,ISA)指令、机器指令、机器相关指令、微代码、固件指令、状态设置数据、或者以一种或多种编程语言的任意组合编写的源代码或目 标代码,所述编程语言包括面向对象的编程语言—诸如Smalltalk、C++等,以及常规的过程式编程语言—诸如“C”语言或类似的编程语言。计算机可读程序指令可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络—包括局域网(Local Area Network,LAN)或广域网(Wide Area Network,WAN)—连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。在一些实施例中,通过利用计算机可读程序指令的状态信息来个性化定制电子电路,例如可编程逻辑电路、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或可编程逻辑阵列(Programmable Logic Array,PLA),该电子电路可以执行计算机可读程序指令,从而实现本申请的各个方面。The computer program instructions used to perform the operations of this application can be assembly instructions, instruction set architecture (Instruction Set Architecture, ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, status setting data, or one or more Source code or object code written in any combination of programming languages, including object-oriented programming languages—such as Smalltalk, C++, etc., and conventional procedural programming languages—such as the “C” language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server implement. In situations involving remote computers, the remote computer can be connected to the user's computer through any kind of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or it can be connected to an external computer (such as Use an Internet service provider to connect via the Internet). In some embodiments, electronic circuits are customized by utilizing state information of computer-readable program instructions, such as programmable logic circuits, field-programmable gate arrays (Field-Programmable Gate Arrays, FPGAs) or programmable logic arrays (Programmable Logic Array (PLA), the electronic circuit can execute computer-readable program instructions to implement various aspects of the present application.
这里参照根据本申请实施例的方法、装置(系统)和计算机程序产品的流程图和/或框图描述了本申请的各个方面。应当理解,流程图和/或框图的每个方框以及流程图和/或框图中各方框的组合,都可以由计算机可读程序指令实现。Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
这些计算机可读程序指令可以提供给通用计算机、专用计算机或其它可编程数据处理装置的处理器,从而生产出一种机器,使得这些指令在通过计算机或其它可编程数据处理装置的处理器执行时,产生了实现流程图和/或框图中的一个或多个方框中规定的功能/动作的装置。也可以把这些计算机可读程序指令存储在计算机可读存储介质中,这些指令使得计算机、可编程数据处理装置和/或其他设备以特定方式工作,从而,存储有指令的计算机可读介质则包括一个制造品,其包括实现流程图和/或框图中的一个或多个方框中规定的功能/动作的各个方面的指令。These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus, thereby producing a machine that, when executed by the processor of the computer or other programmable data processing apparatus, , resulting in an apparatus that implements the functions/actions specified in one or more blocks in the flowchart and/or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium. These instructions cause the computer, programmable data processing device and/or other equipment to work in a specific manner. Therefore, the computer-readable medium storing the instructions includes An article of manufacture that includes instructions that implement aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
也可以把计算机可读程序指令加载到计算机、其它可编程数据处理装置、或其它设备上,使得在计算机、其它可编程数据处理装置或其它设备上执行一系列操作步骤,以产生计算机实现的过程,从而使得在计算机、其它可编程数据处理装置、或其它设备上执行的指令实现流程图和/或框图中的一个或多个方框中规定的功能/动作。Computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other equipment, causing a series of operating steps to be performed on the computer, other programmable data processing apparatus, or other equipment to produce a computer-implemented process. , thereby causing instructions executed on a computer, other programmable data processing apparatus, or other equipment to implement the functions/actions specified in one or more blocks in the flowcharts and/or block diagrams.
附图中的流程图和框图显示了根据本申请的多个实施例的装置、系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段或指令的一部分,所述模块、程序段或指令的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个连续的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operations of possible implementations of apparatuses, systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions that embody one or more elements for implementing the specified logical function(s). Executable instructions. In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two consecutive blocks may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved.
也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行相应的功能或动作的硬件(例如电路或ASIC(Application Specific Integrated Circuit,专用集成电路))来实现,或者可以用硬件和软件的组合,如固件等来实现。It will also be noted that each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration, can be implemented by hardware (such as circuits or ASICs) that perform the corresponding function or action. Specific Integrated Circuit), or can be implemented with a combination of hardware and software, such as firmware.
以上已经描述了本申请的各实施例,上述说明是示例性的,并非穷尽性的,并且也不限于所披露的各实施例。在不偏离所说明的各实施例的范围的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。本文中所用术语的选择, 旨在最好地解释各实施例的原理、实际应用或对市场中的技术的改进,或者使本技术领域的其它普通技术人员能理解本文披露的各实施例。The embodiments of the present application have been described above. The above description is illustrative, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the illustrated embodiments. The terminology used herein is chosen to best explain the principles, practical applications, or improvements to technology in the market of the embodiments, or to enable other persons of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (37)

  1. 一种密钥管理方法,其特征在于,所述方法应用于密钥使用装置,所述方法包括:A key management method, characterized in that the method is applied to a key using device, and the method includes:
    确定所述密钥使用装置的位置;Determine the location of the key using device;
    根据所述位置,获取至少一个密钥,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的,所述位置位于所述第一区域中,所述至少一个密钥包括第一密钥;According to the location, at least one key is obtained, the at least one key is allocated to a key using device located in the first area, the location is located in the first area, the at least one key includes first key;
    使用所述第一密钥。Use the first key.
  2. 根据权利要求1所述的方法,其特征在于,所述根据所述位置,获取至少一个密钥包括:The method according to claim 1, wherein obtaining at least one key according to the location includes:
    向密钥管理装置发送用于指示所述位置的位置信息;sending location information indicating the location to the key management device;
    从所述密钥管理装置接收响应于所述位置信息的所述至少一个密钥。The at least one key responsive to the location information is received from the key management device.
  3. 根据权利要求2所述的方法,其特征在于,The method according to claim 2, characterized in that:
    所述位置信息为所述第一区域的标识信息;The location information is the identification information of the first area;
    所述根据所述位置,获取至少一个密钥,还包括:Obtaining at least one key according to the location further includes:
    根据所述位置和预设的区域划分方式,确定所述第一区域。The first area is determined according to the location and a preset area division method.
  4. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method of claim 1, further comprising:
    从密钥管理装置接收包括所述至少一个密钥的消息;receiving a message including the at least one key from a key management device;
    所述根据所述位置,获取至少一个密钥包括:Obtaining at least one key according to the location includes:
    根据所述位置,确定不丢弃所述至少一个密钥。Based on the location, it is determined not to discard the at least one key.
  5. 根据权利要求1-4任一项所述的方法,其特征在于,所述至少一个密钥为多个密钥,所述方法还包括:从所述多个密钥中选择所述第一密钥;The method according to any one of claims 1 to 4, characterized in that the at least one key is a plurality of keys, and the method further includes: selecting the first key from the plurality of keys. key;
    所述使用所述第一密钥包括:使用所述第一密钥作为加密密钥。The using the first key includes using the first key as an encryption key.
  6. 根据权利要求5所述的方法,其特征在于,所述选择为随机选择、加权随机选择或轮换选择。The method according to claim 5, characterized in that the selection is random selection, weighted random selection or rotation selection.
  7. 根据权利要求1-4任一项所述的方法,其特征在于,所述至少一个密钥为多个密钥,所述方法还包括:The method according to any one of claims 1 to 4, characterized in that the at least one key is a plurality of keys, and the method further includes:
    从第一设备接收密文,所述密文是根据所述第一密钥加密的;receiving ciphertext from a first device, the ciphertext being encrypted according to the first key;
    获取密钥参数,所述密钥参数指示所述第一密钥;Obtain a key parameter, the key parameter indicating the first key;
    所述使用所述第一密钥包括:The use of the first key includes:
    根据所述密钥参数,从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。According to the key parameter, the first key is selected from the plurality of keys as the decryption key of the ciphertext.
  8. 根据权利要求1-6任一项所述的方法,其特征在于,所述至少一个密钥为多个密钥,所述方法还包括:The method according to any one of claims 1 to 6, characterized in that the at least one key is a plurality of keys, and the method further includes:
    从第一设备接收密文,所述密文是根据所述第一密钥加密的;receiving ciphertext from a first device, the ciphertext being encrypted according to the first key;
    通过遍历使用所述多个密钥对所述密文进行解密,确定所述第一密钥能够成功解密所述密文;Determine that the first key can successfully decrypt the ciphertext by traversing and using the plurality of keys to decrypt the ciphertext;
    所述使用所述第一密钥包括:The use of the first key includes:
    从所述多个密钥中选择所述第一密钥作为所述密文的解密密钥。The first key is selected from the plurality of keys as the decryption key of the ciphertext.
  9. 根据权利要求1-8任一项所述的方法,其特征在于,所述第一区域是基于以下至 少一种方式划分得到的:The method according to any one of claims 1-8, characterized in that the first area is divided based on at least one of the following methods:
    基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
    基于行政区域进行区域划分;Regional division based on administrative regions;
    基于道路等级进行区域划分;Zoning based on road grade;
    基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
    基于商业区域进行区域划分。Zoning based on commercial areas.
  10. 根据权利要求1-9任一项所述的方法,其特征在于,所述第一区域的边界是被动态设置的。The method according to any one of claims 1 to 9, characterized in that the boundary of the first area is dynamically set.
  11. 根据权利要求1-10任一项所述的方法,其特征在于,所述根据所述位置,获取至少一个密钥包括:The method according to any one of claims 1-10, wherein obtaining at least one key according to the location includes:
    在满足第一预设条件的情况下,根据所述位置,获取所述至少一个密钥,其中,所述第一预设条件包括以下情况中的至少一种:When a first preset condition is met, the at least one key is obtained according to the location, wherein the first preset condition includes at least one of the following situations:
    所述密钥使用装置在密钥管理装置进行注册;The key using device is registered with the key management device;
    所述密钥使用装置所处的区域发生变化;The area where the key using device is located changes;
    当前保存的密钥过期;The currently saved key expires;
    当前时刻与上一次获取密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current moment and the last time the key was obtained reaches the first update threshold;
    使用当前保存的密钥无法对接收到的数据成功解密。The received data could not be successfully decrypted using the currently saved key.
  12. 根据权利要求1-11任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-11, characterized in that the method further includes:
    获取预设的第二密钥;Get the preset second key;
    在满足第二预设条件的情况下,使用所述第二密钥;When the second preset condition is met, use the second key;
    其中,所述第二预设条件包括以下情况中的至少一种:Wherein, the second preset condition includes at least one of the following situations:
    所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
    所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
    所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
    所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
    所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;The key using device cannot successfully decrypt the received data using the at least one key;
    所述密钥使用装置无法与密钥管理装置进行通信。The key using device cannot communicate with the key management device.
  13. 根据权利要求1-12任一项所述的方法,其特征在于,所述至少一个密钥的数量与以下内容中的至少一项相关:The method according to any one of claims 1-12, characterized in that the number of the at least one key is related to at least one of the following:
    所述第一区域的面积;The area of the first region;
    所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
    所述第一区域的等级;The level of the first area;
    所述至少一个密钥的更新频率。The update frequency of the at least one key.
  14. 根据权利要求1-13任一项所述的方法,其特征在于,所述至少一个密钥的数量是固定的或者是动态变化的。The method according to any one of claims 1 to 13, characterized in that the number of at least one key is fixed or dynamically changed.
  15. 根据权利要求1-14任一项所述的方法,其特征在于,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。The method according to any one of claims 1 to 14, characterized in that the at least one key is used for geographical location information, vehicle driving information or service content information.
  16. 根据权利要求1至15任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1 to 15, characterized in that the method further includes:
    在密钥管理装置上进行注册时,从所述密钥管理装置获取第三密钥信息,所述第 三密钥信息用于对后续从所述密钥管理装置接收到的消息进行解密。When registering on the key management device, third key information is obtained from the key management device, and the third key information is used to decrypt subsequent messages received from the key management device.
  17. 一种密钥管理方法,其特征在于,所述方法应用于密钥管理装置,所述方法包括:A key management method, characterized in that the method is applied to a key management device, and the method includes:
    通过区域划分获得多个预设区域,所述多个预设区域包括第一区域;A plurality of preset areas are obtained through area division, and the plurality of preset areas include a first area;
    生成对应于所述第一区域的至少一个密钥;generating at least one key corresponding to the first region;
    向所述第一区域内的密钥使用装置发送所述至少一个密钥。The at least one key is sent to the key using device in the first area.
  18. 根据权利要求17所述的方法,其特征在于,在向所述第一区域内的密钥使用装置发送所述至少一个密钥之前,所述方法还包括:The method according to claim 17, characterized in that, before sending the at least one key to the key using device in the first area, the method further includes:
    从所述密钥使用装置接收用于指示所述密钥使用装置的位置的位置信息;receiving location information indicating the location of the key using device from the key using device;
    基于所述位置信息,将所述至少一个密钥分配给所述密钥使用装置使用。Based on the location information, the at least one key is assigned to the key using device for use.
  19. 根据权利要求18所述的方法,其特征在于,所述位置信息为所述第一区域的标识信息或者所述密钥使用装置的地理坐标信息。The method according to claim 18, characterized in that the location information is identification information of the first area or geographical coordinate information of the key using device.
  20. 根据权利要求17所述的方法,其特征在于,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥,包括:The method according to claim 17, characterized in that said sending the at least one key to the key using device in the first area includes:
    在所述第一区域范围内发送包括所述至少一个密钥的消息。A message including the at least one key is sent within the first area.
  21. 根据权利要求17-20任一项所述的方法,其特征在于,所述至少一个密钥为多个密钥,所述方法还包括:The method according to any one of claims 17-20, characterized in that the at least one key is a plurality of keys, and the method further includes:
    向所述密钥使用装置发送与所述多个密钥相对应的多个密钥参数。A plurality of key parameters corresponding to the plurality of keys are sent to the key using device.
  22. 根据权利要求17-21任一项所述的方法,其特征在于,所述区域划分基于以下至少一种方式:The method according to any one of claims 17-21, characterized in that the area division is based on at least one of the following methods:
    基于规则图形或者不规则图形进行区域划分;Divide areas based on regular graphics or irregular graphics;
    基于行政区域进行区域划分;Regional division based on administrative regions;
    基于道路等级进行区域划分;Zoning based on road grade;
    基于道路支持的自动驾驶等级进行区域划分;Regional division based on the autonomous driving level supported by the road;
    基于商业区域进行区域划分。Zoning based on commercial areas.
  23. 根据权利要求17-22任一项所述的方法,其特征在于,所述第一区域的边界是被动态设置的。The method according to any one of claims 17-22, characterized in that the boundary of the first area is dynamically set.
  24. 根据权利要求17-23任一项所述的方法,其特征在于,所述向所述第一区域内的密钥使用装置发送所述至少一个密钥是通过以下至少一项触发的:The method according to any one of claims 17-23, characterized in that sending the at least one key to the key usage device in the first area is triggered by at least one of the following:
    所述密钥使用装置在所述密钥管理装置进行注册;The key usage device is registered with the key management device;
    所述密钥使用装置由所述第一区域以外的区域进入所述第一区域;The key using device enters the first area from an area other than the first area;
    当前对应于所述第一区域的密钥过期;The key currently corresponding to the first area expires;
    当前时刻与上一次向所述密钥使用装置发送密钥的时刻之间的时间间隔达到第一更新阈值;The time interval between the current time and the last time the key was sent to the key using device reaches the first update threshold;
    所述密钥使用装置请求更新对应于所述第一区域的密钥。The key using device requests an update of the key corresponding to the first area.
  25. 根据权利要求17-24任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 17-24, characterized in that the method further includes:
    向所述密钥使用装置发送第二密钥,所述第二密钥用于所述密钥使用装置在以下情况中的至少一种使用:Send a second key to the key usage device, the second key being used by the key usage device in at least one of the following situations:
    所述密钥使用装置位于过渡区域;The key usage device is located in the transition area;
    所述密钥使用装置位于特定区域;The key usage device is located in a specific area;
    所述密钥使用装置未获取到所述至少一个密钥;The key using device has not obtained the at least one key;
    所述至少一个密钥过期且更新失败;The at least one key expires and the update fails;
    所述密钥使用装置使用所述至少一个密钥无法对接收到的数据成功解密;The key using device cannot successfully decrypt the received data using the at least one key;
    所述密钥使用装置无法与密钥管理装置进行通信。The key using device cannot communicate with the key management device.
  26. 根据权利要求17-25任一项所述的方法,其特征在于,所述至少一个密钥的数量与以下内容中的至少一项相关:The method according to any one of claims 17-25, characterized in that the number of the at least one key is related to at least one of the following:
    所述第一区域的面积;The area of the first region;
    所述第一区域中密钥使用装置的数量;The number of key using devices in the first area;
    所述第一区域的等级;The level of the first area;
    所述至少一个密钥的更新频率。The update frequency of the at least one key.
  27. 根据权利要求17-26任一项所述的方法,其特征在于,所述至少一个密钥的数量是固定的或者是动态变化的。The method according to any one of claims 17-26, characterized in that the number of at least one key is fixed or dynamically changed.
  28. 根据权利要求17-27任一项所述的方法,其特征在于,所述至少一个密钥用于地理位置信息、车辆驾驶信息或者服务内容信息。The method according to any one of claims 17-27, characterized in that the at least one key is used for geographical location information, vehicle driving information or service content information.
  29. 根据权利要求17至28任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 17 to 28, characterized in that the method further includes:
    在所述密钥使用装置注册时,向所述密钥使用装置发送第三密钥信息,所述第三密钥信息用于对后续所述密钥管理装置向所述密钥使用装置发送的消息进行解密。When the key using device is registered, third key information is sent to the key using device, and the third key information is used for subsequent processing by the key management device to the key using device. The message is decrypted.
  30. 一种密钥使用装置,其特征在于,所述装置包括:A key usage device, characterized in that the device includes:
    第一确定模块,用于确定所述密钥使用装置的位置;A first determination module, used to determine the location of the key using device;
    第一获取模块,用于根据所述位置,获取至少一个密钥,所述至少一个密钥是为位于第一区域内的密钥使用装置分配的,所述位置位于所述第一区域中,所述至少一个密钥包括第一密钥;A first acquisition module configured to acquire at least one key according to the location, the at least one key being allocated to a key using device located in the first area, and the location being located in the first area, The at least one key includes a first key;
    第一使用模块,用于使用所述第一密钥。The first usage module is used to use the first key.
  31. 一种密钥管理装置,其特征在于,所述装置包括:A key management device, characterized in that the device includes:
    划分模块,用于通过区域划分获得多个预设区域,所述多个预设区域包括第一区域;A dividing module, configured to obtain multiple preset areas through area division, where the multiple preset areas include a first area;
    第一生成模块,用于生成对应于所述第一区域的至少一个密钥;A first generation module configured to generate at least one key corresponding to the first area;
    第一发送模块,用于向所述第一区域内的密钥使用装置发送所述至少一个密钥。The first sending module is configured to send the at least one key to the key using device in the first area.
  32. 一种密钥使用装置,其特征在于,包括:A key usage device, characterized by including:
    处理器;processor;
    用于存储处理器可执行指令的存储器;Memory used to store instructions executable by the processor;
    其中,所述处理器被配置为执行所述指令时实现权利要求1至16中任意一项所述的方法。Wherein, the processor is configured to implement the method according to any one of claims 1 to 16 when executing the instructions.
  33. 一种密钥管理装置,其特征在于,包括:A key management device, characterized in that it includes:
    处理器;processor;
    用于存储处理器可执行指令的存储器;Memory used to store instructions executable by the processor;
    其中,所述处理器被配置为执行所述指令时实现权利要求17至29中任意一项所述的方法。Wherein, the processor is configured to implement the method according to any one of claims 17 to 29 when executing the instructions.
  34. 一种密钥管理系统,其特征在于,包括如权利要求32所述的密钥使用装置以及如权利要求33所述的密钥管理装置。A key management system, characterized in that it includes a key usage device as claimed in claim 32 and a key management device as claimed in claim 33.
  35. 一种非易失性计算机可读存储介质,其上存储有计算机程序指令,其特征在于,所述计算机程序指令被处理器执行时实现权利要求1至16中任意一项所述的方法,或者实现权利要求17至29中任意一项所述的方法。A non-volatile computer-readable storage medium with computer program instructions stored thereon, characterized in that when the computer program instructions are executed by a processor, the method described in any one of claims 1 to 16 is implemented, or Implement the method of any one of claims 17 to 29.
  36. 一种计算机程序产品,包括计算机可读代码,或者承载有计算机可读代码的非易失性计算机可读存储介质,当所述计算机可读代码在电子设备中运行时,所述电子设备中的处理器执行权利要求1至16中任意一项所述的方法,或者实现权利要求17至29中任意一项所述的方法。A computer program product, including computer readable code, or a non-volatile computer readable storage medium carrying computer readable code, when the computer readable code is run in an electronic device, The processor executes the method described in any one of claims 1 to 16, or implements the method described in any one of claims 17 to 29.
  37. 一种车辆,其特征在于,包括如权利要求32所述的密钥使用装置,和/或,如权利要求33所述的密钥管理装置。A vehicle, characterized by comprising a key using device as claimed in claim 32, and/or a key management device as claimed in claim 33.
PCT/CN2022/119399 2022-09-16 2022-09-16 Key management method, key usage apparatus and key management apparatus WO2024055303A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2022/119399 WO2024055303A1 (en) 2022-09-16 2022-09-16 Key management method, key usage apparatus and key management apparatus
CN202280062770.1A CN118056376A (en) 2022-09-16 2022-09-16 Key management method, using device and management device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/119399 WO2024055303A1 (en) 2022-09-16 2022-09-16 Key management method, key usage apparatus and key management apparatus

Publications (1)

Publication Number Publication Date
WO2024055303A1 true WO2024055303A1 (en) 2024-03-21

Family

ID=90273917

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/119399 WO2024055303A1 (en) 2022-09-16 2022-09-16 Key management method, key usage apparatus and key management apparatus

Country Status (2)

Country Link
CN (1) CN118056376A (en)
WO (1) WO2024055303A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108702786A (en) * 2016-03-25 2018-10-23 华为技术有限公司 A kind of communication means, device and system
US20190384320A1 (en) * 2019-07-24 2019-12-19 Lg Electronics Inc. Autonomous driving control method in restricted area and autonomous driving system using the same
WO2021179331A1 (en) * 2020-03-13 2021-09-16 华为技术有限公司 Communication method, apparatus and system
US20220179972A1 (en) * 2020-12-04 2022-06-09 Amazon Technologies, Inc. Highly-available cryptographic keys
WO2022151478A1 (en) * 2021-01-18 2022-07-21 华为技术有限公司 Vehicle key management method, device, and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108702786A (en) * 2016-03-25 2018-10-23 华为技术有限公司 A kind of communication means, device and system
US20190384320A1 (en) * 2019-07-24 2019-12-19 Lg Electronics Inc. Autonomous driving control method in restricted area and autonomous driving system using the same
WO2021179331A1 (en) * 2020-03-13 2021-09-16 华为技术有限公司 Communication method, apparatus and system
US20220179972A1 (en) * 2020-12-04 2022-06-09 Amazon Technologies, Inc. Highly-available cryptographic keys
WO2022151478A1 (en) * 2021-01-18 2022-07-21 华为技术有限公司 Vehicle key management method, device, and system

Also Published As

Publication number Publication date
CN118056376A (en) 2024-05-17

Similar Documents

Publication Publication Date Title
US9218740B2 (en) Enriching driving experience with cloud assistance
US10567923B2 (en) Computation service for mobile nodes in a roadway environment
US20220095115A1 (en) Misbehavior detection for vehicle-to-everything messages
US20170276504A1 (en) Vehicular Traffic Assistance Based on Traffic Management Decisions
WO2022227870A1 (en) Vehicle-road collaborative processing method and apparatus, and electronic device and storage medium
US11178219B2 (en) Resource assurance for vehicle cloudification
EP3114665A1 (en) Cloud-mediated vehicle notification exchange for localized transit events
US11308736B2 (en) Selecting V2X communications interface
US11792687B2 (en) Message management for cooperative driving among connected vehicles
Zhou et al. Arve: Augmented reality applications in vehicle to edge networks
US11395118B2 (en) Vehicular micro cloud hubs
US10843703B2 (en) Accuracy system for connected vehicles
WO2022227881A1 (en) Vehicle-road collaboration system, vehicle-road collaboration-based elevation conversion and updating method and apparatus, and storage medium
JP2020102840A (en) Mobility-oriented data replication in vehicular micro cloud
US11709258B2 (en) Location data correction service for connected vehicles
US20220029832A1 (en) System and methodologies using global electors with regional certificate trust lists
CN115004271A (en) Method for embedding protected vehicle identifier information in cellular vehicle-to-all (C-V2X) messages
EP3610628B1 (en) Transmitting and receiving an interest message specifying an aggregation parameter
CN112800156B (en) Method, system, equipment and storage medium for framing unit map based on road side
WO2024055303A1 (en) Key management method, key usage apparatus and key management apparatus
JP2008131361A (en) Mobile communication method, terminal, program, content distribution method and program, data communication apparatus, and recording medium
US20230247399A1 (en) Adaptive sensor data sharing for a connected vehicle
JP7515554B2 (en) Road space aggregation perception messages in intelligent transportation systems
Ansari Cloud computing on cooperative cars (C4S): An architecture to support navigation-as-a-service
Lu et al. Vehicular Communication and Networking Technologies

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280062770.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22958493

Country of ref document: EP

Kind code of ref document: A1