[go: up one dir, main page]

CN112929871A - OTA upgrade package acquisition method, electronic device and storage medium - Google Patents

OTA upgrade package acquisition method, electronic device and storage medium Download PDF

Info

Publication number
CN112929871A
CN112929871A CN201911233659.0A CN201911233659A CN112929871A CN 112929871 A CN112929871 A CN 112929871A CN 201911233659 A CN201911233659 A CN 201911233659A CN 112929871 A CN112929871 A CN 112929871A
Authority
CN
China
Prior art keywords
key
encrypted
ota
package
hash value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911233659.0A
Other languages
Chinese (zh)
Other versions
CN112929871B (en
Inventor
丁魏
孙荣卫
芮亚楠
蔡建兵
赵毅
张波
杨森
胡崇刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Abup Intelligent Technology Co ltd
Original Assignee
Shanghai Abup Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Abup Intelligent Technology Co ltd filed Critical Shanghai Abup Intelligent Technology Co ltd
Priority to CN201911233659.0A priority Critical patent/CN112929871B/en
Publication of CN112929871A publication Critical patent/CN112929871A/en
Application granted granted Critical
Publication of CN112929871B publication Critical patent/CN112929871B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/22Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W8/24Transfer of terminal data
    • H04W8/245Transfer of terminal data from a network towards a terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/84Vehicles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention relates to the field of Internet of vehicles and discloses an OTA upgrade package acquisition method, electronic equipment and a storage medium. In the invention, the method for acquiring the OTA upgrade package comprises the following steps: acquiring an encryption package, a first encryption key and a second key from an over-the-air OTA platform; the first encryption key is the encrypted first key, the first key is the hash value of the OTA upgrade package, and the encryption package is the encrypted OTA upgrade package; decrypting the first encryption key by using the second secret key to obtain a first secret key; and decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet. The invention can avoid the problem of verification failure caused by unstable network during networking verification and reduce the requirement of a decryption process on the terminal equipment.

Description

OTA upgrade package acquisition method, electronic device and storage medium
Technical Field
The embodiment of the invention relates to the field of car networking, in particular to an OTA upgrade package acquisition method, electronic equipment and a storage medium.
Background
At present, an Over-The-Air (OTA) technology is widely applied to various fields, The protection of The security of an OTA upgrade package is an important part in The upgrade protection process by using The OTA technology, and The certification in The aspects of security, integrity, authenticity and The like of The obtained OTA upgrade package is necessary, so that The risk of The company of revealing important assets is reduced. In the prior art, a terminal side for upgrading generally needs to obtain a secret Key from a Public Key Infrastructure (PKI) through networking to decrypt an encrypted packet obtained from an OTA platform, so as to obtain an OTA upgrade packet.
The inventor finds that at least the following problems exist in the prior art: the prior art often encounters the problem of verification failure caused by network instability during networking verification. Moreover, since the key for decrypting the encrypted packet needs to be obtained by means of PKI, the decryption process is too dependent on hardware facilities, and accordingly, the requirements on the terminal-side device are higher.
Disclosure of Invention
The embodiment of the invention aims to provide an OTA upgrade package acquisition method, electronic equipment and a storage medium, which can avoid the problem of verification failure caused by network instability during networking verification and reduce the requirement on terminal equipment in the process of decrypting an encrypted package.
In order to solve the above technical problem, an embodiment of the present invention provides a method for acquiring an OTA upgrade package, which is applied to a terminal and includes: acquiring an encryption package, a first encryption key and a second key from an over-the-air OTA platform; the first encryption key is the encrypted first key, the first key is the hash value of the OTA upgrade package, and the encryption package is the encrypted OTA upgrade package; decrypting the first encryption key by using the second secret key to obtain a first secret key; and decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet.
The embodiment of the invention also provides an obtaining method of the OTA upgrade package, which is applied to the OTA platform and comprises the following steps: acquiring a first secret key; the first secret key is a hash value of the OTA upgrade package; encrypting the OTA upgrade package by using a first secret key to obtain an encryption package; encrypting the first secret key by using the third secret key to obtain a first encryption secret key; and sending the encryption package, the first encryption key and a second secret key to the terminal, wherein the second secret key and the third secret key are a pair of secret keys.
An embodiment of the present invention also provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the OTA upgrade package acquisition method.
The embodiment of the invention also provides a computer readable storage medium, which stores a computer program, and the computer program is executed by a processor to realize the above OTA upgrade package acquisition method.
Compared with the prior art, the terminal directly obtains the second secret key for decrypting the first encryption secret key from the OTA platform, decrypts the first encryption secret key by using the second secret key to obtain the first secret key capable of decrypting the encryption package, does not need to network and obtain the secret key for decrypting the encryption package from the PKI, can avoid the problem of verification failure caused by unstable network during network verification, and reduces the requirement on terminal equipment because the process of decrypting the encryption package does not depend on the PKI.
In addition, after obtaining the encryption package, the first encryption key and the second key from the OTA platform, before decrypting the first encryption key with the second key to obtain the first key, the method further includes: verifying the encrypted packet acquired from the OTA platform; and if the encrypted packet obtained from the OTA platform passes the verification, decrypting the first encrypted secret key by using the second secret key to obtain the first secret key. In this embodiment, before the terminal decrypts the first secret key, the identity of the encrypted packet is verified, and the first encrypted secret key is decrypted only if the verification passes. The embodiment can confirm the identity of the encryption package, ensure the reliability and integrity of the source of the encryption package, and enhance the safety of the upgrading process.
In addition, in the process of acquiring the encryption package, the first encryption key and the second key from the OTA platform, the method further comprises the following steps: acquiring a first encrypted hash value from an OTA platform; the first encryption hash value is obtained by signing the hash value of the encryption packet through the OTA platform; the method comprises the following steps of verifying and signing an encryption packet acquired from an OTA platform, and specifically comprises the following steps: signing the hash value of the encrypted packet acquired from the OTA platform to obtain a second encrypted hash value; comparing the first encrypted hash value with the second encrypted hash value; and if the first encryption hash value is the same as the second encryption hash value, judging that the encryption packet acquired from the OTA platform passes the verification. The embodiment provides a specific method for verifying the signature, which compares the signed encrypted packet hash values obtained in the two ways, and indicates that the signature passes the verification under the same condition, so that the security is enhanced.
In addition, after obtaining the encryption package, the first encryption key and the second key from the OTA platform, before calculating the hash value of the encryption package obtained from the OTA platform and decrypting the first encryption hash value by using the second key to obtain the hash value of the encryption package, the method further includes: verifying the second secret key by using a prestored root certificate; and if the second secret key passes the verification, decrypting the first encrypted hash value by using the second secret key to obtain the hash value of the encrypted packet. In this embodiment, the verification indicates that the second secret key is legal, and then the second secret key is used to decrypt the first encrypted hash value, so as to ensure that the second secret key is complete and reliable, thereby avoiding the security problem caused by using an illegal second secret key for decryption.
In addition, utilize first secret key to decrypt the encryption package, obtain OTA upgrade package after, still include: calculating the hash value of the OTA upgrade package obtained by decryption, and comparing the hash value of the OTA upgrade package obtained by calculation with the first secret key; and if the calculated hash value of the OTA upgrade package is the same as the first secret key, using the OTA upgrade package obtained by decryption. In this embodiment, the hash value of the OTA upgrade package obtained through calculation is compared with the first secret key obtained by decrypting the first encryption secret key, whether the finally obtained upgrade package is complete is determined, the tampered upgrade package is avoided, and whether company assets are leaked or not can be checked.
In addition, the OTA upgrade package acquisition method is applied to the vehicle-mounted terminal. The embodiment provides an application scenario of the OTA upgrade package acquisition method.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
Fig. 1 is a flowchart of a method for acquiring an OTA upgrade package according to a first embodiment of the present invention;
fig. 2 is a flowchart of a method for acquiring an OTA upgrade package in a second embodiment of the present invention;
fig. 3 is a flowchart of a method for acquiring an OTA upgrade package according to a third embodiment of the present invention;
fig. 4 is a flowchart of a method for acquiring an OTA upgrade package in a fourth embodiment of the present invention;
fig. 5 is a flowchart of a method for acquiring an OTA upgrade package in a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
The first embodiment of the present invention relates to a method for acquiring an OTA upgrade package, which is applied to a terminal, where the terminal may be a computer, a mobile phone, or the like, and may be applied to a vehicle-mounted terminal in practical applications, which is not limited herein. In this embodiment, after obtaining the encryption package, the first encryption key, and the second key from the OTA platform, the terminal decrypts the first encryption key using the second key to obtain the first key, and decrypts the encryption package using the first key to obtain the OTA upgrade package finally. In the whole process, the terminal does not need to be networked to obtain the secret key for decrypting the encryption package from the PKI, but an OTA platform is used for issuing the first encryption secret key and the second secret key, and after a series of operations, the encryption package can be decrypted to obtain an OTA upgrade package, so that the problem of verification failure caused by unstable networks during networking verification can be avoided, and the requirement of the decryption process on the terminal equipment is reduced. The details of the OTA upgrade package obtaining method according to this embodiment are described in detail below, and the following description is only provided for the convenience of understanding, and is not necessary for implementing this embodiment. As shown in fig. 1, the method includes:
step 101, an encryption packet, a first encryption key and a second key are obtained from an OTA platform.
Specifically, the first encryption key is the encrypted first key, the first key is a hash value of the OTA upgrade package, and the encryption package is the encrypted OTA upgrade package. And the terminal acquires the encrypted OTA upgrade package, the hash value of the encrypted OTA upgrade package and a second secret key from the OTA platform.
In a specific example, the OTA platform calculates a hash value of the OTA upgrade package, and encrypts the OTA upgrade package by using the hash value of the OTA to obtain an encrypted package, where the Encryption may be implemented by using an Advanced Encryption Standard (AES) algorithm, such as: the AES256 algorithm, which is not limited herein. In addition, the OTA platform acquires a pair of public and private keys from the PKI through the docking platform, and encrypts the hash value of the OTA upgrade package by using the private key as a second key so as to obtain a first encryption key. Therefore, if the OTA platform receives an OTA upgrade request sent by the terminal, the OTA platform can issue the encryption packet, the hash value of the encrypted OTA upgrade packet and the public key in the key pair to the terminal, and the issue mode may be that the encryption packet, the hash value of the encrypted OTA upgrade packet and the public key in the key pair are issued through a hypertext Transfer Protocol over secure session Transport Layer (HTTPS) channel, where the HTTPS channel may adopt a Transport Layer Security (TLS), for example: TLS 1.2, which is not limited herein. The method for the terminal to obtain the hash value of the encryption package, the encrypted OTA upgrade package and the public key in the key pair may be as follows: the download address of the OTA upgrade package is accessed using HTTPS, which is not limited herein.
Step 102, the first encryption key is decrypted by using the second secret key to obtain the first secret key.
In a specific example, the terminal may receive a file package from the OTA platform, and then the terminal may disassemble the file package according to a predetermined rule to obtain an encrypted package, a public key in the key pair, and a hash value of the encrypted OTA upgrade package, and then decrypt the hash value of the encrypted OTA upgrade package by using the public key as the second key, so as to obtain the hash value of the OTA upgrade package.
And 103, decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet.
In a specific example, after the terminal decrypts the hash value of the encrypted OTA upgrade package to obtain the hash value of the OTA upgrade package, the terminal may use the hash value of the OTA upgrade package as a first key to decrypt the encrypted package obtained from the OTA platform to finally obtain the OTA upgrade package, so as to further complete the upgrade using the OTA upgrade package, where the decryption may be performed by using an AES algorithm corresponding to the process of encrypting the OTA upgrade package by the OTA platform, such as: the AES256 algorithm, which is not limited herein.
In the embodiment, the terminal does not need to be networked to obtain the secret key for decrypting the encryption package from the PKI, but an OTA platform is used for issuing the first encryption secret key and the second secret key, and after a series of operations, the encryption package can be decrypted to obtain the OTA upgrade package, so that the problem of verification failure caused by unstable network during networking verification can be avoided, and the requirement of the decryption process on the terminal equipment is reduced.
The second embodiment of the invention relates to a method for acquiring an OTA upgrade package. The second embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: in a second embodiment, after the terminal acquires the encryption package, the first encryption key and the second key from the OTA platform, before the second key is used to decrypt the first encryption key to obtain the first key, the terminal may further check the encryption package acquired from the OTA platform, and if the encryption package acquired from the OTA platform passes the check, the terminal performs decryption of the first encryption key by using the second key to obtain the first key. As shown in fig. 2, the method for acquiring an OTA upgrade package in this embodiment includes:
step 201, an encryption packet, a first encryption key and a second key are obtained from the OTA platform. Similar to step 101, further description is omitted here.
And 202, checking the encrypted packet acquired from the OTA platform.
Specifically, after receiving an encryption packet, a first encryption key and a second key issued by the OTA platform, the terminal checks the encryption packet therein.
In a specific example, in the process that the terminal acquires the encrypted packet, the first encryption key and the second key from the OTA platform, the terminal may further acquire the first encryption hash value, that is, a signature character string obtained by the OTA platform signing the hash value of the encrypted packet, where the signature mode may be: the OTA platform uses a Secure Hash Algorithm (SHA for short) to sign the Hash value of the encrypted packet, which is not limited herein. After the terminal acquires the hash value of the encrypted packet, the terminal can sign the acquired hash value of the encrypted packet by using an SHA algorithm to obtain a second encrypted hash value, then the first encrypted hash value and the second encrypted hash value are compared, and if the first encrypted hash value and the second encrypted hash value are the same, the encrypted packet acquired from the OTA platform is judged to pass the verification of the signature. It should be noted that, the method for the terminal to obtain the hash value of the encrypted packet may be: receiving the hash value of the encrypted packet sent by the OTA platform, or calculating the hash value of the encrypted packet after receiving the encrypted packet sent by the OTA platform, which is not limited herein.
More preferably, the OTA platform may sign the hash value of the encrypted packet by: the method comprises the steps of signing the hash value of an encryption package by utilizing the SHA to obtain a first encryption hash value, then encrypting the first encryption hash value by utilizing the RSA algorithm and a private key in a private key pair to obtain an encrypted first encryption hash value, namely, signing and encrypting the hash value of the encryption package by utilizing the SHA256with RSA algorithm by the terminal. For the terminal side, the terminal may decrypt the encrypted first encrypted hash value by using the RSA algorithm and the public key of the key pair to obtain the first encrypted hash value. In addition, the terminal signs the hash value of the encryption packet sent by the OTA platform by using the SHA algorithm to obtain a second encryption hash value, then compares the first encryption hash value with the second encryption hash value, and if the first encryption hash value is the same as the second encryption hash value, the terminal judges that the encryption packet obtained from the OTA platform passes the verification of the signature. It should be noted that the public key in the above key pair may be issued by the OTA platform.
In step 203, if the encrypted packet obtained from the OTA platform passes the verification, the first encrypted key is decrypted by using the second secret key to obtain the first secret key.
In a specific example, if the calculated hash value of the encrypted packet and the decrypted hash value of the encrypted packet are the same, indicating that the signature verification passes, the terminal may decrypt the first encryption key by using the public key delivered by the OTA platform to obtain the first secret key, that is, obtain the hash value of the OTA upgrade packet.
And step 204, decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet. Similar to step 103, further description is omitted here.
In this embodiment, the terminal verifies and signs the encryption package that obtains from the OTA platform, if the encryption package that obtains from the OTA platform verifies and signs and passes through, carry out again and utilize the first encryption key of second secret key deciphering to obtain first key, promptly, under the circumstances that the encryption package that obtains from the OTA platform verified and signs and passes through, just can continue to carry out and decipher first encryption key, this embodiment can play the effect of confirming the identity of encryption package, guarantee the reliability and the integrality of encryption package source, the security of obtaining the upgrade package process has been strengthened.
The third embodiment of the invention relates to a method for acquiring an OTA upgrade package. The third embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: after the terminal obtains the encryption package, the first encryption key and the second key from the OTA platform, the second key is verified before the first encryption key is decrypted by the second key to obtain the first key, and if the second key passes the verification, the terminal decrypts the first encryption key by the second key to obtain the first key. As shown in fig. 3, the method for acquiring an OTA upgrade package in this embodiment includes:
step 301, an encryption packet, a first encryption key and a second key are obtained from the OTA platform. Similar to step 101, further description is omitted here.
Step 302, the second secret key is verified by using the pre-stored root certificate.
In a specific example, after the terminal acquires the public key issued by the OTA platform, the terminal may perform validity verification on the public key by using the root certificate.
Step 303, if the second secret key passes the verification, the first encryption secret key is decrypted by using the second secret key to obtain the first secret key.
In a specific example, if the public key obtained from the OTA platform verifies that the public key is legal, the terminal may decrypt the first encryption key using the public key to obtain the first secret key, i.e., obtain the hash value of the OTA upgrade package.
And step 304, decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet. Similar to step 103, further description is omitted here.
In the embodiment, after the terminal acquires the encryption package, the first encryption key and the second key from the OTA platform, the second key is verified before the first encryption key is decrypted by using the second key to obtain the first key, and the verification indicates that the second key is legal.
The fourth embodiment of the invention relates to a method for acquiring an OTA upgrade package. The fourth embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: the terminal decrypts the encrypted package by using the first secret key to obtain the OTA upgrade package, calculates the hash value of the OTA upgrade package obtained by decryption, compares the calculated hash value of the OTA upgrade package with the first secret key, and uses the OTA upgrade package obtained by decryption if the calculated hash value of the OTA upgrade package is the same as the first secret key. As shown in fig. 4, the method for acquiring an OTA upgrade package in this embodiment includes:
step 401, an encryption packet, a first encryption key and a second key are obtained from the OTA platform. Similar to step 101, further description is omitted here.
Step 402, decrypting the first encrypted key with the second secret key to obtain the first key. Similar to step 102, further description is omitted here.
And step 403, decrypting the encrypted packet by using the first secret key to obtain the OTA upgrade packet. Similar to step 103, further description is omitted here.
Step 404, calculating a hash value of the OTA upgrade package obtained by decryption, and comparing the calculated hash value of the OTA upgrade package with the first secret key.
Specifically, the terminal calculates the hash value of the decrypted OTA upgrade package, and compares the calculated hash value of the OTA upgrade package with the first secret key, that is, compares the calculated hash value of the OTA upgrade package with the hash value of the OTA upgrade package acquired from the OTA platform.
In step 405, if the calculated hash value of the OTA upgrade package is the same as the first secret key, the OTA upgrade package obtained by decryption is used.
Specifically, if the hash value of the OTA upgrade package calculated by the terminal is the same as the first secret key, that is, the hash value of the OTA upgrade package calculated by the terminal is the same as the hash value of the OTA upgrade package, it indicates that the OTA upgrade package of the OTA platform is consistent with the OTA upgrade package obtained by the terminal, and the terminal can use the decrypted OTA upgrade package.
In this embodiment, the terminal compares the calculated hash value of the OTA upgrade package with the first secret key obtained by decrypting the first encryption secret key, and determines whether the finally obtained upgrade package is complete. By adopting the method, the problem of upgrading failure caused by obtaining the tampered OTA upgrading packet can be avoided, and the condition that the terminal system is damaged due to upgrading of the unofficial OTA upgrading packet is prevented.
The fifth embodiment of the invention relates to an OTA upgrade package acquisition method, which is applied to an OTA platform. In this embodiment, the OTA platform obtains a first key, that is, a hash value of the OTA upgrade package, encrypts the OTA upgrade package with the first key to obtain an encryption package, encrypts the first secret key with a third key to obtain the first encryption key, and sends the encryption package, the first encryption key, and the second secret key to the terminal, where the second key and the third key are a pair of keys. That is to say, the OTA platform directly issues the second key that is used for deciphering first encryption key to the terminal, for the terminal utilizes the second key to decipher first encryption key and obtain the hash value of OTA upgrade package, and utilize the hash value of OTA upgrade package to decipher the encryption package and obtain OTA upgrade package, so, to the terminal, the deciphering process need not the networking and obtains the key, can avoid the unstable problem that leads to the check-up failure of network, and, because the deciphering process need not rely on PKI, so the terminal can not rely on hardware setting, the requirement of deciphering process to terminal equipment has been reduced. The details of the OTA upgrade package obtaining method according to this embodiment are described in detail below, and the following description is only provided for the convenience of understanding, and is not necessary for implementing this embodiment. As shown in fig. 5, the method includes:
step 501, obtain a first key.
Specifically, the OTA platform calculates the hash value of the OTA upgrade package as the first secret key.
Step 502, encrypting the OTA upgrade package by using the first key to obtain an encryption package.
Specifically, the OTA platform may use the hash value of the OTA upgrade package as a key to encrypt the OTA upgrade package to obtain an encryption package, where the encryption mode may be an AES algorithm, for example: the AES256 algorithm, which is not limited herein.
In step 503, the first secret key is encrypted by using the third secret key to obtain a first encryption secret key.
Specifically, the OTA platform encrypts the hash value of the OTA upgrade package by using the acquired third key to obtain the encrypted hash value of the OTA upgrade package, and uses the encrypted hash value as the first encryption key.
In a specific example, the OTA platform acquires a pair of keys from the PKI, and encrypts the hash value of the OTA upgrade package by using a private key thereof as a third key, that is, encrypts the first secret key to obtain the first encryption key.
Step 504, sending the encryption packet, the first encryption key and the second secret key to the terminal.
In a specific example, the OTA platform obtains a pair of keys from the PKI, and uses the public key thereof as the second key, and uses the private key thereof as the third key, that is, the second key and the third key are a pair of keys each other. After obtaining the encrypted OTA upgrade package, the hash value of the encrypted OTA upgrade package and the public key through a series of operations, the OTA platform issues the encrypted OTA upgrade package, the hash value and the public key to the terminal so that the terminal can decrypt the encrypted OTA upgrade package to obtain the OTA upgrade package.
In a specific example, after the OTA platform encrypts the OTA upgrade package by using the first secret key to obtain the encrypted package, before sending the encrypted package, the first encrypted secret key and the second secret key to the terminal, the OTA platform may further calculate a hash value of the encrypted package, and sign the hash value of the encrypted package to obtain the first encrypted hash value, where the signing manner may be an SHA256withRSA algorithm, which is not limited herein. The OTA platform also can send the first encryption hash value to the terminal together in the process of sending the encryption package, the first encryption secret key and the second secret key to the terminal, so that the terminal can check the hash value of the encryption package obtained from the OTA platform, and the safety of the upgrading process is enhanced.
In this embodiment, the OTA platform directly issues the second key for decrypting the first encryption key to the terminal, so that the terminal decrypts the first encryption key by using the second key to obtain the hash value of the OTA upgrade package, and decrypts the encryption package by using the hash value of the OTA upgrade package to obtain the OTA upgrade package, so as to the terminal, the decryption process does not need to be networked to obtain the key, the problem of failure in verification due to unstable network can be avoided, and moreover, the terminal does not depend on hardware setting because the decryption process does not need to use PKI, and the requirement of the decryption process on the terminal equipment is reduced.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
A sixth embodiment of the present invention relates to an electronic apparatus, as shown in fig. 6, including: at least one processor 601; and a memory 602 communicatively coupled to the at least one processor 601; the memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 to enable the at least one processor 601 to execute the OTA upgrade package obtaining method.
Where the memory 602 and the processor 601 are coupled by a bus, the bus may comprise any number of interconnected buses and bridges that couple one or more of the various circuits of the processor 601 and the memory 602 together. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 601 is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor 601.
The processor 601 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. While memory 602 may be used to store data used by processor 601 in performing operations.
A seventh embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, as can be understood by those skilled in the art, all or part of the steps in the method for implementing the embodiments described above may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (10)

1.一种OTA升级包的获取方法,其特征在于,应用于终端,包括:1. an acquisition method of OTA upgrade package, is characterized in that, is applied to terminal, comprises: 从空中下载OTA平台获取加密包、第一加密秘钥以及第二秘钥;所述第一加密秘钥为加密后的第一秘钥,所述第一秘钥为OTA升级包的哈希值,所述加密包为被加密的所述OTA升级包;Obtain the encryption package, the first encryption key and the second key from the over-the-air download OTA platform; the first encryption key is the encrypted first key, and the first key is the hash value of the OTA upgrade package , the encrypted package is the encrypted OTA upgrade package; 利用所述第二秘钥解密所述第一加密秘钥得到所述第一秘钥;Decrypt the first encryption key with the second key to obtain the first key; 利用所述第一秘钥对所述加密包进行解密,得到所述OTA升级包。Decrypt the encrypted package by using the first secret key to obtain the OTA upgrade package. 2.根据权利要求1所述的OTA升级包的获取方法,其特征在于,所述从OTA平台获取加密包、第一加密秘钥以及第二秘钥后,所述利用所述第二秘钥解密所述第一加密秘钥得到所述第一秘钥前,还包括:2. the acquisition method of OTA upgrade package according to claim 1, is characterized in that, after described obtaining encryption package, first encryption key and second key from OTA platform, described utilizing described second key Before decrypting the first encryption key to obtain the first key, the method further includes: 对从所述OTA平台获取的所述加密包进行验签;Verifying the signature of the encrypted package obtained from the OTA platform; 若所述从所述OTA平台获取的所述加密包验签通过,则执行所述利用所述第二秘钥解密所述第一加密秘钥得到所述第一秘钥。If the encrypted package obtained from the OTA platform passes the signature verification, the decrypting the first encryption key with the second key is performed to obtain the first key. 3.根据权利要求2所述的OTA升级包的获取方法,其特征在于,所述从OTA平台获取加密包、第一加密秘钥以及第二秘钥的过程中,还包括:3. the acquisition method of OTA upgrade package according to claim 2, is characterized in that, in the described process that obtains encrypted package, the first encrypted secret key and the second secret key from OTA platform, also comprises: 从所述OTA平台获取第一加密哈希值;所述第一加密哈希值通过所述OTA平台对所述加密包的哈希值进行签名得到;Obtain the first encrypted hash value from the OTA platform; the first encrypted hash value is obtained by signing the hash value of the encrypted package by the OTA platform; 所述对从所述OTA平台获取的所述加密包进行验签,具体包括:The verification of the signature of the encrypted package obtained from the OTA platform specifically includes: 对从所述OTA平台获取的所述加密包的哈希值进行签名,得到第二加密哈希值;Sign the hash value of the encrypted package obtained from the OTA platform to obtain a second encrypted hash value; 比较所述第一加密哈希值和所述第二加密哈希值;comparing the first cryptographic hash value and the second cryptographic hash value; 若所述第一加密哈希值与所述第二加密哈希值相同,则判定所述从所述OTA平台获取的所述加密包验签通过。If the first encrypted hash value is the same as the second encrypted hash value, it is determined that the encrypted package obtained from the OTA platform has passed the signature verification. 4.根据权利要求1所述的OTA升级包的获取方法,其特征在于,所述从所述OTA平台获取加密包、第一加密秘钥以及第二秘钥后,所述利用所述第二秘钥解密所述第一加密秘钥得到所述第一秘钥前,还包括:4. the acquisition method of OTA upgrade package according to claim 1, is characterized in that, after described obtaining encryption package, first encryption key and second secret key from described OTA platform, described utilizing described second Before the secret key decrypts the first encryption key to obtain the first secret key, the method further includes: 利用预存的根证书对所述第二秘钥进行验证;Verifying the second key by using a pre-stored root certificate; 若所述第二秘钥验证通过,则执行所述利用所述第二秘钥解密所述第一加密秘钥得到所述第一秘钥。If the verification of the second key is passed, the decrypting the first encryption key by using the second key is performed to obtain the first key. 5.根据权利要求1至4中任一项所述的OTA升级包的获取方法,其特征在于,所述利用所述第一秘钥对所述加密包进行解密,得到所述OTA升级包后,还包括:5. The method for obtaining an OTA upgrade package according to any one of claims 1 to 4, wherein the encrypted package is decrypted by the first secret key, and after the OTA upgrade package is obtained ,Also includes: 计算解密得到的所述OTA升级包的哈希值,并将计算得到的所述OTA升级包的哈希值和所述第一秘钥进行比较;Calculate the hash value of the OTA upgrade package obtained by decryption, and compare the hash value of the OTA upgrade package obtained by calculation with the first secret key; 若所述计算得到的所述OTA升级包的哈希值与所述第一秘钥相同,则使用所述解密得到的所述OTA升级包。If the hash value of the OTA upgrade package obtained by the calculation is the same as the first secret key, the OTA upgrade package obtained by the decryption is used. 6.根据权利要求1至4中任一项所述的OTA升级包的获取方法,其特征在于,所述OTA升级包的获取方法应用于车载终端。6. The method for obtaining an OTA upgrade package according to any one of claims 1 to 4, wherein the method for obtaining the OTA upgrade package is applied to a vehicle-mounted terminal. 7.一种OTA升级包的获取方法,其特征在于,应用于OTA平台,包括:7. a kind of acquisition method of OTA upgrade package, is characterized in that, is applied to OTA platform, comprises: 获取第一秘钥;所述第一秘钥为OTA升级包的哈希值;Obtain the first secret key; the first secret key is the hash value of the OTA upgrade package; 利用所述第一秘钥对所述OTA升级包进行加密得到加密包;Utilize the first secret key to encrypt the OTA upgrade package to obtain an encrypted package; 利用第三秘钥对所述第一秘钥进行加密得到第一加密秘钥;Utilize the third secret key to encrypt the first secret key to obtain the first encrypted secret key; 将所述加密包、所述第一加密秘钥以及第二秘钥发送给终端;其中,所述第二秘钥与所述第三秘钥为一对秘钥。Send the encryption package, the first encryption key and the second key to the terminal; wherein the second key and the third key are a pair of keys. 8.根据权利要求7所述的OTA升级包的获取方法,其特征在于,所述利用所述第一秘钥对所述OTA升级包进行加密得到加密包后,所述将所述加密包、所述第一加密秘钥以及第二秘钥发送给终端前,还包括:8. the acquisition method of OTA upgrade package according to claim 7 is characterized in that, after described utilizing described first secret key to encrypt described OTA upgrade package to obtain encrypted package, described encrypted package, Before the first encryption key and the second key are sent to the terminal, the method further includes: 计算所述加密包的哈希值,并对所述加密包的哈希值进行签名得到第一加密哈希值;Calculate the hash value of the encrypted packet, and sign the hash value of the encrypted packet to obtain the first encrypted hash value; 所述将所述加密包、所述第一加密秘钥以及第二秘钥发送给终端的过程中,还包括:The process of sending the encrypted package, the first encryption key and the second key to the terminal further includes: 将所述第一加密哈希值发送给所述终端。Sending the first cryptographic hash value to the terminal. 9.一种电子设备,其特征在于,包括:9. An electronic device, characterized in that, comprising: 至少一个处理器;以及,at least one processor; and, 与所述至少一个处理器通信连接的存储器;其中,a memory communicatively coupled to the at least one processor; wherein, 所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行,以使所述至少一个处理器能够执行如权利要求1至6中任一项所述的OTA升级包的获取方法;或者,以使所述至少一个处理器能够执行如权利要求7至8中任一项所述的OTA升级包的获取方法。The memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the execution of any one of claims 1 to 6 or, so that the at least one processor can execute the method for obtaining an OTA upgrade package according to any one of claims 7 to 8. 10.一种计算机可读存储介质,存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现权利要求1至6中任一项所述的OTA升级包的获取方法;或者,被处理器执行时实现权利要求7至8中任一项所述的OTA升级包的获取方法。10. A computer-readable storage medium storing a computer program, wherein, when the computer program is executed by a processor, the method for obtaining the OTA upgrade package according to any one of claims 1 to 6 is realized; or, When executed by the processor, the method for obtaining the OTA upgrade package according to any one of claims 7 to 8 is implemented.
CN201911233659.0A 2019-12-05 2019-12-05 OTA upgrade package acquisition method, electronic equipment and storage medium Active CN112929871B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911233659.0A CN112929871B (en) 2019-12-05 2019-12-05 OTA upgrade package acquisition method, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911233659.0A CN112929871B (en) 2019-12-05 2019-12-05 OTA upgrade package acquisition method, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112929871A true CN112929871A (en) 2021-06-08
CN112929871B CN112929871B (en) 2024-10-29

Family

ID=76162281

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911233659.0A Active CN112929871B (en) 2019-12-05 2019-12-05 OTA upgrade package acquisition method, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112929871B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021259310A1 (en) * 2020-06-23 2021-12-30 京东方科技集团股份有限公司 Over-the-air updating method, update server, terminal device, and internet of things system
CN119376768A (en) * 2024-12-30 2025-01-28 天津布尔科技有限公司 Automobile OTA upgrade method, device, equipment and storage medium based on dual-card dual-channel

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425114A (en) * 2008-12-12 2009-05-06 四川长虹电器股份有限公司 Software upgrading bag packaging method and software upgrading method
CN104506515A (en) * 2014-12-17 2015-04-08 北京极科极客科技有限公司 Firmware protection method and firmware protection device
CN108737394A (en) * 2018-05-08 2018-11-02 腾讯科技(深圳)有限公司 Off-line verification system, barcode scanning equipment and server
CN109189450A (en) * 2018-10-24 2019-01-11 郑州云海信息技术有限公司 A kind of method and device of server firmware upgrading
CN109560931A (en) * 2018-11-30 2019-04-02 江苏恒宝智能系统技术有限公司 A kind of equipment remote upgrade method based on no Certification system
CN109829294A (en) * 2019-01-31 2019-05-31 云丁网络技术(北京)有限公司 A kind of firmware validation method, system, server and electronic equipment
CN110071940A (en) * 2019-05-06 2019-07-30 深圳市网心科技有限公司 Software package encipher-decipher method, server, user equipment and storage medium
CN110362990A (en) * 2019-05-31 2019-10-22 口碑(上海)信息技术有限公司 Using the security processing of installation, apparatus and system
CN110378105A (en) * 2019-07-02 2019-10-25 广州小鹏汽车科技有限公司 Security upgrading method, system, server and car-mounted terminal
CN110460588A (en) * 2018-05-31 2019-11-15 腾讯科技(深圳)有限公司 Realize method, apparatus, the computer system and storage medium of Information Authentication

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425114A (en) * 2008-12-12 2009-05-06 四川长虹电器股份有限公司 Software upgrading bag packaging method and software upgrading method
CN104506515A (en) * 2014-12-17 2015-04-08 北京极科极客科技有限公司 Firmware protection method and firmware protection device
CN108737394A (en) * 2018-05-08 2018-11-02 腾讯科技(深圳)有限公司 Off-line verification system, barcode scanning equipment and server
CN110460588A (en) * 2018-05-31 2019-11-15 腾讯科技(深圳)有限公司 Realize method, apparatus, the computer system and storage medium of Information Authentication
CN109189450A (en) * 2018-10-24 2019-01-11 郑州云海信息技术有限公司 A kind of method and device of server firmware upgrading
CN109560931A (en) * 2018-11-30 2019-04-02 江苏恒宝智能系统技术有限公司 A kind of equipment remote upgrade method based on no Certification system
CN109829294A (en) * 2019-01-31 2019-05-31 云丁网络技术(北京)有限公司 A kind of firmware validation method, system, server and electronic equipment
CN110071940A (en) * 2019-05-06 2019-07-30 深圳市网心科技有限公司 Software package encipher-decipher method, server, user equipment and storage medium
CN110362990A (en) * 2019-05-31 2019-10-22 口碑(上海)信息技术有限公司 Using the security processing of installation, apparatus and system
CN110378105A (en) * 2019-07-02 2019-10-25 广州小鹏汽车科技有限公司 Security upgrading method, system, server and car-mounted terminal

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021259310A1 (en) * 2020-06-23 2021-12-30 京东方科技集团股份有限公司 Over-the-air updating method, update server, terminal device, and internet of things system
US12050901B2 (en) 2020-06-23 2024-07-30 Boe Technology Group Co., Ltd. Over-the-air updating method, update server, terminal device, and internet of things system
CN119376768A (en) * 2024-12-30 2025-01-28 天津布尔科技有限公司 Automobile OTA upgrade method, device, equipment and storage medium based on dual-card dual-channel

Also Published As

Publication number Publication date
CN112929871B (en) 2024-10-29

Similar Documents

Publication Publication Date Title
US12244739B2 (en) Confidential authentication and provisioning
US11321074B2 (en) Vehicle-mounted device upgrade method and related apparatus
US12200144B2 (en) Method for upgrading certificate of POS terminal, server, and POS terminal
CN112913189B (en) OTA (over the air) upgrading method and device
TWI809292B (en) Data encryption and decryption method, device, storage medium and encrypted file
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
CN110990827A (en) Identity information verification method, server and storage medium
CN105072125B (en) A kind of http communication system and method
EP3001598B1 (en) Method and system for backing up private key in electronic signature token
JP2020530726A (en) NFC tag authentication to remote servers with applications that protect supply chain asset management
CN106550359B (en) Authentication method and system for terminal and SIM card
KR102591826B1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
CN108809907A (en) A kind of certificate request message sending method, method of reseptance and device
CN117041048A (en) Vehicle system upgrading method, OTA upgrading file cloud processing method and electronic equipment
CN112929871B (en) OTA upgrade package acquisition method, electronic equipment and storage medium
US20240223370A1 (en) Method for authentication of a service provider device to a user device
CN109960935B (en) Method, device and storage medium for determining trusted state of TPM (trusted platform Module)
CN115242397A (en) OTA upgrade security verification method and readable storage medium for vehicle EUC
CN114240428A (en) Data transmission method and device, data transaction terminal and data supplier
CN114095277A (en) Power distribution network secure communication method, secure access device and readable storage medium
WO2019037422A1 (en) Key and key handle generation method and system, and smart key security device
CN108242997B (en) Method and apparatus for secure communication
JP2024516126A (en) Encrypted and authenticated firmware provisioning with root of trust security
CN115348081A (en) Method, device, system, equipment and medium for checking safe transmission
WO2024149029A1 (en) Authentication method and authentication apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant