[go: up one dir, main page]

CN115333793A - On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle - Google Patents

On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle Download PDF

Info

Publication number
CN115333793A
CN115333793A CN202210866406.2A CN202210866406A CN115333793A CN 115333793 A CN115333793 A CN 115333793A CN 202210866406 A CN202210866406 A CN 202210866406A CN 115333793 A CN115333793 A CN 115333793A
Authority
CN
China
Prior art keywords
diagnostic equipment
obd
diagnostic
computing unit
central computing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210866406.2A
Other languages
Chinese (zh)
Inventor
高铭霞
李木犀
吴淼
陈明
刘毅
边泽宇
邵馨蕊
胡闯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
FAW Group Corp
Original Assignee
FAW Group Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by FAW Group Corp filed Critical FAW Group Corp
Priority to CN202210866406.2A priority Critical patent/CN115333793A/en
Publication of CN115333793A publication Critical patent/CN115333793A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Vehicle Cleaning, Maintenance, Repair, Refitting, And Outriggers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an OBD interface authentication method based on networking diagnostic equipment and a vehicle, and the method specifically comprises the following steps: the central computing unit integrates an OBD authentication component of the central computing unit, and identity authentication is carried out on the diagnostic equipment based on a signature verification mechanism of a digital certificate; the diagnostic equipment integrates an OBD authentication component of the diagnostic equipment and applies for a digital certificate to a trust center on line; the diagnostic equipment is connected with the central computing unit, and the central computing unit performs security authentication on the diagnostic equipment and judges whether the diagnostic equipment has a preset authority; the trust center is accessed to the PKI system and provides functions of digital certificate on-line application, authority verification and on-line downloading for the diagnostic equipment; and the diagnostic equipment OBD authentication component presets a certificate and automatically applies for a trust center to obtain a digital certificate corresponding to the diagnostic equipment. Through the scheme, the problem of insufficient safety when the diagnosis equipment diagnoses the vehicle ECU is solved, and the vehicle is prevented from being attacked through illegal diagnosis service.

Description

一种基于可联网诊断设备的OBD接口认证方法、车辆A kind of OBD interface authentication method based on networkable diagnostic equipment, vehicle

技术领域technical field

本发明涉及OBD接口认证领域,尤其是一种基于可联网诊断设备的OBD接口认证方法,以及诊断设备、中央计算单元、车辆。The invention relates to the field of OBD interface authentication, in particular to an OBD interface authentication method based on networkable diagnostic equipment, diagnostic equipment, a central computing unit, and a vehicle.

背景技术Background technique

目前,绝大部分车型在针对某些特定诊断服务时,采用离线种子与密钥机制(Seed&Key)对诊断设备进行认证。少部分车型也有基于PKI公钥基础设施,利用U盾离线发放并存储数字证书,进行诊断设备的认证。At present, most car models use the offline seed and key mechanism (Seed&Key) to authenticate diagnostic equipment for certain specific diagnostic services. A small number of models are also based on PKI public key infrastructure, using USB-Shield to issue and store digital certificates offline for authentication of diagnostic equipment.

前者使用的加密算法为私有算法,强度不足,且密钥易泄露;后者需离线下载证书,灵活性不足,难以大批量发放证书,且下发证书不易管理。The encryption algorithm used by the former is a private algorithm, which is not strong enough, and the key is easy to leak; the latter needs to download the certificate offline, which is not flexible enough, and it is difficult to issue certificates in large quantities, and the issued certificates are not easy to manage.

在整车信息安全设计中,OBD接口作为整车关键的对外物理接口,诊断设备可以通过其访问到各电控单元(ECU)进行诊断服务,具有通过OBD接口攻击车辆的风险。In the vehicle information security design, the OBD interface is the key external physical interface of the vehicle, through which diagnostic equipment can access each electronic control unit (ECU) for diagnostic services, and there is a risk of attacking the vehicle through the OBD interface.

为保证通信安全,防止通过非法诊断服务攻击车辆,需要对OBD接口进行相应的防护措施。In order to ensure communication security and prevent vehicles from being attacked through illegal diagnostic services, it is necessary to take corresponding protective measures for the OBD interface.

发明内容Contents of the invention

本发明的目的在于提供一种基于可联网诊断设备的OBD接口认证方法,以及诊断设备、中央计算单元,、信任中心、车辆;用以解决诊断设备可以通过OBD接口访问到各电控单元(ECU)进行诊断服务,具有通过OBD接口攻击车辆风险的问题。The object of the present invention is to provide a kind of OBD interface authentication method based on networkable diagnostic equipment, and diagnostic equipment, central computing unit, trust center, vehicle; In order to solve the problem that diagnostic equipment can visit each electronic control unit (ECU) through OBD interface ) for diagnostic services, there is a problem with the risk of attacking the vehicle through the OBD interface.

本发明提供了下述方案:The present invention provides following scheme:

根据本发明的一个方面,提供一种基于可联网诊断设备的OBD接口认证方法,具体包括:According to one aspect of the present invention, there is provided an OBD interface authentication method based on a networkable diagnostic device, which specifically includes:

中央计算单元集成中央计算单元OBD认证组件,基于数字证书的签名验签机制对诊断设备进行身份认证;The central computing unit integrates the OBD authentication component of the central computing unit, and authenticates the identity of the diagnostic device based on the signature verification mechanism of the digital certificate;

诊断设备集成诊断设备OBD认证组件,在线向信任中心申请数字证书;The diagnostic equipment integrates the diagnostic equipment OBD certification component, and applies for a digital certificate to the trust center online;

诊断设备连接中央计算单元,由中央计算单元对诊断设备进行安全认证,判断诊断设备是否具有预设的权限。The diagnostic equipment is connected to the central computing unit, and the central computing unit performs security authentication on the diagnostic equipment to determine whether the diagnostic equipment has preset permissions.

根据本发明的另一个方面,提供一种基于可联网诊断设备的OBD接口认证方法,具体包括:According to another aspect of the present invention, an OBD interface authentication method based on a networkable diagnostic device is provided, specifically comprising:

诊断设备读取诊断设备的序列号;The diagnostic device reads the serial number of the diagnostic device;

诊断设备OBD认证组件将诊断设备的序列号与本地证书列表进行比较,判断本地证书列表中是否包含与诊断设备序列号对应的数字证书;The diagnostic device OBD authentication component compares the serial number of the diagnostic device with the local certificate list, and determines whether the local certificate list contains a digital certificate corresponding to the serial number of the diagnostic device;

若不包含与诊断设备序列号对应的数字证书,则,进行在线申请数字证书;If the digital certificate corresponding to the serial number of the diagnostic equipment is not included, apply for the digital certificate online;

若包含与诊断设备序列号对应的数字证书状态为不可用,则,进行在线申请数字证书;If the status of the digital certificate corresponding to the serial number of the diagnostic device is unavailable, apply for the digital certificate online;

若包含与诊断设备序列号对应的数字证书状态为超过更新阈值,则,进行在线申请数字证书。If the status of the digital certificate corresponding to the serial number of the diagnostic device exceeds the renewal threshold, apply for the digital certificate online.

进一步的,还包括:Further, it also includes:

诊断设备读取诊断设备的序列号的步骤:Steps for the diagnostic device to read the serial number of the diagnostic device:

启动诊断设备软件;Start the diagnostic device software;

诊断设备与信任中心建立连接;The diagnostic device establishes a connection with the trust center;

调用诊断设备OBD认证组件初始化接口;Call the diagnostic device OBD authentication component initialization interface;

导入诊断设备序列号。Import diagnostic device serial numbers.

进一步的,还包括:Further, it also includes:

诊断设备向信任中心发送证书申请报文;The diagnostic device sends a certificate application message to the trust center;

其中,诊断设备OBD认证组件生成SM2密钥对,并生成包含密钥的CSR文件;Among them, the diagnostic device OBD authentication component generates an SM2 key pair, and generates a CSR file containing the key;

使用诊断设备的预置证书对CSR文件和诊断设备序列号进行P7签名,构建证书申请报文;Use the preset certificate of the diagnostic device to perform P7 signature on the CSR file and the serial number of the diagnostic device, and construct a certificate application message;

诊断设备OBD认证组件接收来自信任中心的数字证书;The diagnostic device OBD authentication component receives the digital certificate from the trust center;

其中,申请报文经过了信任中心P7签名验证,申请报文中记录的诊断设备序列号通过了信任中心的白名单的校验。Among them, the application message has passed the P7 signature verification of the trust center, and the serial number of the diagnostic device recorded in the application message has passed the verification of the white list of the trust center.

进一步的,还包括:Further, it also includes:

诊断设备接收来自信任中心的数字证书;The diagnostic device receives the digital certificate from the trust center;

诊断设备OBD认证组件对数字证书进行校验;The diagnostic equipment OBD authentication component verifies the digital certificate;

若,like,

校验数字证书主题序列号与诊断设备的序列号相符,Verify that the digital certificate subject serial number matches the serial number of the diagnostic device,

校验数字证书与诊断设备OBD认证组件生成的SM2密钥相匹配,Verify that the digital certificate matches the SM2 key generated by the OBD authentication component of the diagnostic device,

校验数字证书为本CA签发;The verification digital certificate is issued by this CA;

则,诊断设备OBD认证组件导入数字证书,更新本地证书列表。Then, the diagnostic device OBD authentication component imports the digital certificate, and updates the local certificate list.

进一步的,还包括:Further, it also includes:

诊断设备向中央计算单元发送通过校验的数字证书;The diagnostic equipment sends a verified digital certificate to the central computing unit;

诊断设备向中央计算单元发送获取随机数的请求;The diagnostic device sends a request for obtaining random numbers to the central computing unit;

诊断设备接收来自中央计算单元的随机数;The diagnostic device receives random numbers from the central computing unit;

诊断设备OBD认证组件对随机数进行签名;The diagnostic device OBD authentication component signs the random number;

诊断设备向中央计算单元发送签名的结果。The diagnostic device sends the signed results to the central computing unit.

根据本发明的又一个方面,提供一种基于可联网诊断设备的OBD接口认证方法,具体包括:According to another aspect of the present invention, there is provided an OBD interface authentication method based on a networkable diagnostic device, which specifically includes:

中央计算单元集成中央计算单元OBD认证组件,预置根证书;The central computing unit integrates the OBD authentication component of the central computing unit, and the root certificate is preset;

中央计算单元接收来自校验诊断设备发送的数字证书;The central computing unit receives the digital certificate sent from the calibration diagnostic equipment;

中央计算单元OBD认证组件校验诊断设备发送的数字证书;The central computing unit OBD authentication component verifies the digital certificate sent by the diagnostic equipment;

若校验通过,则向诊断设备返回一个随机数;If the verification is passed, a random number is returned to the diagnostic device;

中央计算单元接收来自诊断设备对该随机数的签名结果;The central computing unit receives the signature result of the random number from the diagnostic device;

中央计算单元OBD认证组件对该随机数的签名结果进行认证;The central computing unit OBD authentication component authenticates the signature result of the random number;

若认证通过,则中央计算单元向诊断设备开放预设的权限。If the authentication is passed, the central computing unit releases preset permissions to the diagnostic equipment.

根据本发明的再一个方面,提供一种诊断设备,包括:According to another aspect of the present invention, a diagnostic device is provided, comprising:

诊断设备集成诊断设备OBD认证组件,并预置根证书;Diagnostic equipment integrates diagnostic equipment OBD authentication components, and preset root certificates;

通过以太网向信任中心申请数字证书;执行基于可联网诊断设备的OBD接口认证方法。Apply for a digital certificate to the trust center through Ethernet; implement an OBD interface authentication method based on a networkable diagnostic device.

根据本发明的还一个方面,提供一种中央计算单元,包括:According to still another aspect of the present invention, a kind of central computing unit is provided, comprising:

中央计算单元集成中央计算单元OBD认证组件,并预置根证书;基于数字证书的签名验签机制对诊断设备进行身份认证;执行基于可联网诊断设备的OBD接口认证方法。The central computing unit integrates the OBD authentication component of the central computing unit, and presets the root certificate; the digital certificate-based signature verification mechanism authenticates the identity of the diagnostic device; executes the OBD interface authentication method based on the networkable diagnostic device.

根据本发明的又一个方面,提供一种车辆,包括:中央计算单元;中央计算单元内集成中央计算单元OBD认证组件,基于数字证书的签名验签机制对诊断设备进行身份认证;According to another aspect of the present invention, a vehicle is provided, including: a central computing unit; an OBD authentication component of the central computing unit is integrated in the central computing unit, and the diagnostic device is authenticated based on a signature verification mechanism of a digital certificate;

诊断设备集成诊断设备OBD认证组件,以在线方式向信任中心申请数字证书;The diagnostic equipment integrates the diagnostic equipment OBD authentication component, and applies for a digital certificate from the trust center online;

诊断设备基于诊断协议连接中央计算单元,由中央计算单元对诊断设备进行安全认证;若,诊断设备通过认证,则,允许中央计算单元、诊断设备之间进行认证机制保护下的数据交互。The diagnostic equipment is connected to the central computing unit based on the diagnostic protocol, and the central computing unit performs security authentication on the diagnostic equipment; if the diagnostic equipment passes the authentication, data exchange under the protection of the authentication mechanism is allowed between the central computing unit and the diagnostic equipment.

本发明与现有技术相比具有以下的优点:Compared with the prior art, the present invention has the following advantages:

对诊断设备安全认证,降低了通过OBD接口攻击车辆的风险;Security certification for diagnostic equipment reduces the risk of attacking vehicles through the OBD interface;

通过在线安全认证,及时更新数字证书,提高了安全等级;Through online security certification, digital certificates are updated in time to improve the security level;

通过在线PKI,降低密钥泄密的风险;Through online PKI, reduce the risk of key leakage;

在线下发数字证书,提高了证书获取的灵活性;Issue digital certificates online, improving the flexibility of certificate acquisition;

在线下载数字证书,不用本地大量存储证书,证书数量限制小;Download digital certificates online, no need to store a large number of certificates locally, and the number of certificates is limited;

不在本地大量存储证书,简化对证书管理的困难度。It does not store a large number of certificates locally, which simplifies the difficulty of certificate management.

附图说明Description of drawings

为了更清楚地说明本发明具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施方式,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the specific implementation of the present invention or the technical solutions in the prior art, the following will briefly introduce the accompanying drawings that need to be used in the specific implementation or description of the prior art. Obviously, the accompanying drawings in the following description The drawings show some implementations of the present invention, and those skilled in the art can obtain other drawings based on these drawings without any creative work.

图1是一种基于可联网诊断设备的OBD接口认证方法的主流程图;Fig. 1 is a kind of main flowchart of the OBD interface authentication method based on networkable diagnostic equipment;

图2是在基于可联网诊断设备的OBD接口认证方法诊断设备的流程图;Fig. 2 is a flow chart of diagnosing equipment based on the OBD interface authentication method of networkable diagnosing equipment;

图3是在基于可联网诊断设备的OBD接口认证方法中央计算单元的流程图;Fig. 3 is a flow chart of the central computing unit of the OBD interface authentication method based on networkable diagnostic equipment;

图4是一个具体实施例的硬件连接框图;Fig. 4 is a hardware connection block diagram of a specific embodiment;

图5是一个具体实施例的诊断设备OBD认证组件证书申请流程图;Fig. 5 is a flow chart of applying for a certificate of a diagnostic device OBD authentication component in a specific embodiment;

图6是一个具体实施例的证书更新前校验流程图;Fig. 6 is a flow chart of verification before certificate renewal in a specific embodiment;

图7是一个具体实施例的证书诊断设备与中央计算单元之间的OBD端口的认证流程图;Fig. 7 is an authentication flowchart of the OBD port between the certificate diagnosis device and the central computing unit of a specific embodiment;

图8是电子设备的系统架构图。FIG. 8 is a system architecture diagram of an electronic device.

具体实施方式Detailed ways

下面将结合附图对本发明的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions of the present invention will be clearly and completely described below in conjunction with the accompanying drawings. Apparently, the described embodiments are some of the embodiments of the present invention, but not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

如图1所示,公开一种基于可联网诊断设备的OBD接口认证方法的主流程。As shown in FIG. 1 , a main flow of an OBD interface authentication method based on a networkable diagnostic device is disclosed.

步骤S1,中央计算单元集成中央计算单元OBD认证组件,基于数字证书的签名验签机制对诊断设备进行身份认证;Step S1, the central computing unit integrates the OBD authentication component of the central computing unit, and authenticates the identity of the diagnostic device based on the signature verification mechanism of the digital certificate;

步骤S2,诊断设备集成诊断设备OBD认证组件,在线向信任中心申请数字证书;Step S2, the diagnostic device integrates the OBD authentication component of the diagnostic device, and applies for a digital certificate to the trust center online;

步骤S3,诊断设备连接中央计算单元,由中央计算单元对诊断设备进行安全认证,判断诊断设备是否具有预设的权限。In step S3, the diagnostic device is connected to the central computing unit, and the central computing unit performs security authentication on the diagnostic device to determine whether the diagnostic device has a preset authority.

本实施例中,诊断设备OBD认证组件预先内置证书;诊断设备OBD认证组件自行向信任中心申请获取与诊断设备相对应的数字证书;信任中心接入PKI系统,为诊断设备提供,包括数字证书在线申请、权限审核、以及在线下载的功能;中央计算单元OBD认证组件预先内置根证书;中央计算单元与诊断设备之间基于诊断协议连接;诊断设备OBD认证组件通过以太网向信任中心申请数字证书;以太网借助国家SSL技术规范下的VPN技术平台,保障诊断设备和信任中心之间数据的安全。In this embodiment, the OBD authentication component of the diagnostic equipment has a built-in certificate in advance; the OBD authentication component of the diagnostic equipment applies to the trust center for a digital certificate corresponding to the diagnostic equipment; Functions of application, permission review, and online download; the OBD authentication component of the central computing unit has a built-in root certificate; the connection between the central computing unit and the diagnostic device is based on a diagnostic protocol; the OBD authentication component of the diagnostic device applies for a digital certificate to the trust center through Ethernet; With the help of the VPN technology platform under the national SSL technical specification, Ethernet ensures the security of data between the diagnostic equipment and the trust center.

本发明与现有技术相比具有以下的优点:Compared with the prior art, the present invention has the following advantages:

对诊断设备安全认证,降低了通过OBD接口攻击车辆的风险;Security certification for diagnostic equipment reduces the risk of attacking vehicles through the OBD interface;

通过在线安全认证,及时更新数字证书,提高了安全等级;Through online security certification, digital certificates are updated in time to improve the security level;

通过在线PKI,降低密钥泄密的风险;Through online PKI, reduce the risk of key leakage;

在线下发数字证书,提高了证书获取的灵活性;Issue digital certificates online, improving the flexibility of certificate acquisition;

在线下载数字证书,不用本地大量存储证书,证书数量限制小;Download digital certificates online, no need to store a large number of certificates locally, and the number of certificates is limited;

不在本地大量存储证书,简化对证书管理的困难度。It does not store a large number of certificates locally, which simplifies the difficulty of certificate management.

如图2所示,本实施例公开了基于可联网诊断设备的OBD接口认证方法中诊断设备的工作流程。As shown in FIG. 2 , this embodiment discloses the workflow of the diagnostic device in the OBD interface authentication method based on the networkable diagnostic device.

步骤P1,诊断设备判断本地证书列表中数字证书的步骤;Step P1, a step for the diagnosis device to determine the digital certificate in the local certificate list;

诊断设备读取诊断设备的序列号;The diagnostic device reads the serial number of the diagnostic device;

诊断设备OBD认证组件将诊断设备的序列号与本地证书列表进行比较,判断本地证书列表中是否包含与诊断设备序列号对应的数字证书;The diagnostic device OBD authentication component compares the serial number of the diagnostic device with the local certificate list, and determines whether the local certificate list contains a digital certificate corresponding to the serial number of the diagnostic device;

若不包含与诊断设备序列号对应的数字证书,则,进行在线申请数字证书;If the digital certificate corresponding to the serial number of the diagnostic equipment is not included, apply for the digital certificate online;

若包含与诊断设备序列号对应的数字证书状态为不可用,则,进行在线申请数字证书;If the status of the digital certificate corresponding to the serial number of the diagnostic device is unavailable, apply for the digital certificate online;

若包含与诊断设备序列号对应的数字证书状态为超过更新阈值,则,进行在线申请数字证书。If the status of the digital certificate corresponding to the serial number of the diagnostic device exceeds the renewal threshold, apply for the digital certificate online.

步骤P2,诊断设备读取诊断设备序列号的步骤:Step P2, the steps for the diagnostic equipment to read the serial number of the diagnostic equipment:

启动诊断设备软件;Start the diagnostic device software;

诊断设备与信任中心建立连接;The diagnostic device establishes a connection with the trust center;

调用诊断设备OBD认证组件初始化接口;Call the diagnostic device OBD authentication component initialization interface;

导入诊断设备序列号。Import diagnostic device serial numbers.

步骤P3,诊断设备与信任中心进行签名验证的步骤;Step P3, the step of performing signature verification between the diagnostic device and the trust center;

诊断设备向信任中心发送证书申请报文;The diagnostic device sends a certificate application message to the trust center;

其中,诊断设备OBD认证组件生成SM2密钥对,并生成包含密钥的CSR文件;Among them, the diagnostic device OBD authentication component generates an SM2 key pair, and generates a CSR file containing the key;

使用诊断设备的预置证书对CSR文件和诊断设备序列号进行P7签名,构建证书申请报文;Use the preset certificate of the diagnostic device to perform P7 signature on the CSR file and the serial number of the diagnostic device, and construct a certificate application message;

诊断设备OBD认证组件接收来自信任中心的数字证书;The diagnostic device OBD authentication component receives the digital certificate from the trust center;

其中,申请报文经过了信任中心P7签名验证,申请报文中记录的诊断设备序列号通过了信任中心的白名单的校验。Among them, the application message has passed the P7 signature verification of the trust center, and the serial number of the diagnostic device recorded in the application message has passed the verification of the white list of the trust center.

步骤P4,诊断设备的诊断设备OBD认证组件导入数字证书前进行校验的步骤;Step P4, a step of verifying before importing the digital certificate into the diagnostic device OBD authentication component of the diagnostic device;

诊断设备接收来自信任中心的数字证书;The diagnostic device receives the digital certificate from the trust center;

诊断设备OBD认证组件对数字证书进行校验;The diagnostic equipment OBD authentication component verifies the digital certificate;

若,like,

校验数字证书主题序列号与诊断设备的序列号相符,Verify that the digital certificate subject serial number matches the serial number of the diagnostic device,

校验数字证书与诊断设备OBD认证组件生成的SM2密钥相匹配,Verify that the digital certificate matches the SM2 key generated by the OBD authentication component of the diagnostic device,

校验数字证书为本CA签发;The verification digital certificate is issued by this CA;

则,诊断设备OBD认证组件导入数字证书,更新本地证书列表。Then, the diagnostic device OBD authentication component imports the digital certificate, and updates the local certificate list.

步骤P5,诊断设备向中央计算单元签名验证的步骤;Step P5, a step for the diagnostic device to verify the signature of the central computing unit;

诊断设备向中央计算单元发送通过校验的数字证书;The diagnostic equipment sends a verified digital certificate to the central computing unit;

诊断设备向中央计算单元发送获取随机数的请求;The diagnostic device sends a request for obtaining random numbers to the central computing unit;

诊断设备接收来自中央计算单元的随机数;The diagnostic device receives random numbers from the central computing unit;

诊断设备OBD认证组件对随机数进行签名;The diagnostic device OBD authentication component signs the random number;

诊断设备向中央计算单元发送签名的结果。The diagnostic device sends the signed results to the central computing unit.

如图3所示,本实施例公开了基于可联网诊断设备的OBD接口认证方法中央计算单元的工作流程。As shown in FIG. 3 , this embodiment discloses the workflow of the central computing unit of the OBD interface authentication method based on networkable diagnostic equipment.

步骤P6,中央计算单元对诊断设备数字证书验证的步骤;Step P6, a step for the central computing unit to verify the digital certificate of the diagnostic device;

步骤P601中央计算单元集成中央计算单元OBD认证组件,预置根证书;Step P601 The central computing unit integrates the OBD authentication component of the central computing unit, and presets the root certificate;

步骤P602中央计算单元接收来自校验诊断设备发送的数字证书;Step P602 The central computing unit receives the digital certificate sent from the verification diagnostic equipment;

步骤P603中央计算单元OBD认证组件校验诊断设备发送的数字证书;Step P603 The central computing unit OBD authentication component verifies the digital certificate sent by the diagnostic device;

步骤P604若校验通过,则向诊断设备返回一个随机数;In step P604, if the verification is passed, a random number is returned to the diagnostic equipment;

步骤P605中央计算单元接收来自诊断设备对该随机数的签名结果;Step P605 The central computing unit receives the signature result of the random number from the diagnostic device;

步骤P606中央计算单元OBD认证组件对该随机数的签名结果进行认证;Step P606 central computing unit OBD authentication component authenticates the signature result of the random number;

步骤P607若认证通过,则中央计算单元向诊断设备开放预设的权限。In step P607, if the authentication is passed, the central computing unit releases the preset authority to the diagnostic equipment.

如图4所示,本发明还公开了一个具体的实施例,关于实现OBD端口加密验证的硬件环境,用于说明OBD认证组件实现数字证书的签名验签机制的运行方式,以及诊断设备与中央计算单元的数字认证。As shown in Figure 4, the present invention also discloses a specific embodiment, regarding the hardware environment for realizing OBD port encryption verification, it is used to explain the operation mode of the OBD authentication component to realize the signature verification mechanism of the digital certificate, and the diagnostic equipment and the central Digital certification of computing units.

在中央计算单元集成OBD认证组件,并预置根证书,基于数字证书的签名验签机制对诊断设备进行身份认证。在诊断设备端集成诊断设备OBD认证组件,通过以太网向信任中心申请数字证书。诊断设备集成OBD认证组件,基于诊断协议连接到中央计算单元后,由中央计算单元对诊断设备依据合法的数字证书进行安全认证。The OBD authentication component is integrated in the central computing unit, and the root certificate is preset, and the identity authentication of the diagnostic device is performed based on the signature verification mechanism of the digital certificate. Integrate the diagnostic equipment OBD authentication component on the diagnostic equipment side, and apply for a digital certificate to the trust center through Ethernet. The diagnostic equipment integrates OBD authentication components. After connecting to the central computing unit based on the diagnostic protocol, the central computing unit performs security authentication on the diagnostic equipment based on legal digital certificates.

信任中心接入PKI系统,为诊断设备提供证书在线申请,权限审核,以及在线下载等功能。The trust center is connected to the PKI system to provide functions such as online application for certificates, authority review, and online download for diagnostic equipment.

证书申请,指的是诊断设备组件自行向信任中心,申请与所连接的诊断设备相对应的证书,包括诊断设备第一次申请证书、诊断设备证书已过期、诊断设备证书已失效等情况。Certificate application refers to the application of diagnostic device components to the trust center for a certificate corresponding to the connected diagnostic device, including the first application for a certificate for a diagnostic device, the expiration of a diagnostic device certificate, and the invalidation of a diagnostic device certificate.

诊断设备OBD认证组件可以维护多套证书。The diagnostic device OBD certification component can maintain multiple sets of certificates.

如图5所示,公开一个具体实施例的诊断设备OBD认证组件证书申请流程。As shown in FIG. 5 , the process of applying for a certificate of a diagnostic device OBD authentication component in a specific embodiment is disclosed.

诊断设备OBD认证组件证书申请流程如下:The application process for the OBD certification component certificate of diagnostic equipment is as follows:

步骤11.当启动诊断设备软件且诊断设备与信任中心建立连接后,诊断设备软件调用诊断设备OBD认证组件初始化接口,传入诊断设备序列号;Step 11. After starting the diagnostic equipment software and establishing a connection between the diagnostic equipment and the trust center, the diagnostic equipment software calls the diagnostic equipment OBD authentication component initialization interface, and passes in the serial number of the diagnostic equipment;

步骤12.诊断设备OBD认证组件通过诊断设备序列号,从本地证书列表中查找对应的证书;如果未找到证书,或证书状态为不可用,或达到证书更新阈值,则进行在线申请证书;Step 12. The OBD authentication component of the diagnostic device searches for the corresponding certificate from the local certificate list through the serial number of the diagnostic device; if the certificate is not found, or the certificate status is unavailable, or the certificate update threshold is reached, apply for the certificate online;

步骤13.诊断设备OBD认证组件生成SM2密钥对并生成CSR证书申请,使用预置证书对CSR和诊断设备序列号进行P7签名,构建证书申请报文;Step 13. The diagnostic device OBD authentication component generates an SM2 key pair and generates a CSR certificate application, uses the preset certificate to perform P7 signature on the CSR and the serial number of the diagnostic device, and constructs a certificate application message;

步骤14.诊断设备OBD认证组件使用预置证书与信任中心建立SSL安全连接,将证书申请报文发送至信任中心;Step 14. The diagnostic device OBD authentication component uses the preset certificate to establish an SSL secure connection with the trust center, and sends the certificate application message to the trust center;

步骤15.信任中心收到证书申请报文后,验证P7签名,根据白名单校验诊断设备序列号后,签发证书,并返回给诊断设备;Step 15. After receiving the certificate application message, the trust center verifies the P7 signature, verifies the serial number of the diagnostic device according to the white list, issues the certificate, and returns it to the diagnostic device;

步骤16.诊断设备OBD认证组件导入证书时,要先对证书进行校验;Step 16. When importing the certificate of the OBD authentication component of the diagnostic device, the certificate must be verified first;

步骤17.证书校验成功导入后,更新本地证书列表,用于下次诊断设备从新接入时进行数字证书的查询。Step 17. After the certificate verification is successfully imported, update the local certificate list, which will be used to query the digital certificate when the diagnostic device is re-connected next time.

如图6所示,公开一个具体实施例的证书校验流程。As shown in FIG. 6 , a certificate verification process of a specific embodiment is disclosed.

诊断设备OBD认证组件导入证书时,要先对证书进行校验的步骤;When importing the certificate of the OBD certification component of the diagnostic equipment, the steps of verifying the certificate are required first;

步骤16a.校验证书主题序列号与诊断设备是否相符;Step 16a. Verify whether the serial number of the subject of the certificate matches the diagnostic device;

步骤16b.校验证书与SM2密钥是否相匹配;Step 16b. Check whether the certificate matches the SM2 key;

步骤16c.校验证书是否为本CA签发;Step 16c. Check whether the certificate is issued by this CA;

步骤16d.如果校验条件都相符则说明证书合法,可以导入;否则说明证书非法,不允许导入;Step 16d. If the verification conditions match, the certificate is valid and can be imported; otherwise, the certificate is illegal and cannot be imported;

如图7所示,公开一个具体实施例的诊断设备与中央计算单元之间的OBD端口的认证流程。As shown in FIG. 7 , an authentication process of an OBD port between a diagnostic device and a central computing unit according to a specific embodiment is disclosed.

诊断设备申请证书后,诊断设备与中央计算单元之间的OBD端口的认证开始进行,流程如下:After the diagnostic device applies for a certificate, the authentication of the OBD port between the diagnostic device and the central computing unit begins, and the process is as follows:

步骤21.由诊断设备发起,向诊断设备OBD认证组件获取数字证书;Step 21. Initiated by the diagnostic device, obtain a digital certificate from the OBD authentication component of the diagnostic device;

步骤22.诊断设备OBD认证组件校验诊断设备序列号通过后,向诊断设备返回数字证书;Step 22. After the diagnostic device OBD authentication component verifies the serial number of the diagnostic device, it returns a digital certificate to the diagnostic device;

步骤23.诊断设备向中央计算单元发送该数字证书,并向中央计算单元请求随机数;Step 23. The diagnostic device sends the digital certificate to the central computing unit, and requests a random number from the central computing unit;

步骤24.预置根证书的中央计算单元调用OBD认证组件校验该诊断设备发送的数字证书,校验通过后,向诊断设备返回一个随机数;Step 24. The central computing unit of the preset root certificate calls the OBD authentication component to verify the digital certificate sent by the diagnostic device, and returns a random number to the diagnostic device after the verification is passed;

步骤25.诊断设备调用诊断设备OBD认证组件,对该随机数进行签名;Step 25. The diagnostic device invokes the OBD authentication component of the diagnostic device to sign the random number;

步骤26.诊断设备将签名结果发给中央计算单元进行认证;Step 26. The diagnostic device sends the signature result to the central computing unit for authentication;

步骤27.中央计算单元调用OBD认证组件,使用缓存的数字证书对该随机数进行认证,如果认证通过,则允许中央计算单元与诊断设备之间进行认证机制保护下的数据交互。Step 27. The central computing unit calls the OBD authentication component, and uses the cached digital certificate to authenticate the random number. If the authentication is passed, the central computing unit and the diagnostic device are allowed to exchange data under the protection of the authentication mechanism.

在本实施例中,OBD认证组件中预置根证书或预置证书,需要被妥善的保存,一般采用硬件固化的方法。In this embodiment, the preset root certificate or preset certificate in the OBD authentication component needs to be properly stored, and a method of hardware curing is generally adopted.

在本实施例中,通过以太网做在线的数字证书认证,可以使用国密SSL安全连接进行诊断设备远程证书申请及发放。In this embodiment, the online digital certificate authentication is done through Ethernet, and the national secret SSL secure connection can be used to apply for and issue the remote certificate of the diagnostic equipment.

在本实施例中,通过诊断设备序列号进行数字证书的申请及绑定,使数字证书与诊断设备的OBD接口的权限具有唯一性,清晰表明诊断设备的身份。In this embodiment, the digital certificate is applied for and bound through the serial number of the diagnostic device, so that the authority of the digital certificate and the OBD interface of the diagnostic device is unique, clearly indicating the identity of the diagnostic device.

在本实施例中,每次诊断设备连接中央计算平台,中央计算平台对诊断设备的身份认证流程完成后,才开始与诊断设备进行中央计算平台所管理的底层的ECU数据交互,防止非法的诊断设备入侵ECU。In this embodiment, each time the diagnostic device is connected to the central computing platform, the central computing platform will start to interact with the underlying ECU data managed by the central computing platform to prevent illegal diagnosis after the identity authentication process of the diagnostic device is completed. The device hacks the ECU.

本发明还公开了另一个实施例,关于诊断设备。The present invention also discloses another embodiment, which relates to the diagnosis equipment.

一种诊断设备,包括:A diagnostic device comprising:

诊断设备集成诊断设备OBD认证组件,并预置根证书;Diagnostic equipment integrates diagnostic equipment OBD authentication components, and preset root certificates;

通过以太网向信任中心申请数字证书;执行基于可联网诊断设备的OBD接口认证方法。Apply for a digital certificate to the trust center through Ethernet; implement an OBD interface authentication method based on a networkable diagnostic device.

本发明还公开了另一个实施例,关于中央计算单元。The present invention also discloses another embodiment, about the central computing unit.

一种中央计算单元,包括:A central computing unit comprising:

中央计算单元集成中央计算单元OBD认证组件,并预置根证书;基于数字证书的签名验签机制对诊断设备进行身份认证;执行基于可联网诊断设备的OBD接口认证方法。The central computing unit integrates the OBD authentication component of the central computing unit, and presets the root certificate; the digital certificate-based signature verification mechanism authenticates the identity of the diagnostic device; executes the OBD interface authentication method based on the networkable diagnostic device.

如图8所示,上述电子设备提到的通信总线可以是外设部件互连标准(PeripheralComponent Interconnect,PCI)总线或扩展工业标准结构(Extended Industry StandardArchitecture,EISA)总线等。该通信总线可以分为地址总线、数据总线、控制总线等。为便于表示,图中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。As shown in FIG. 8 , the communication bus mentioned in the above electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus or the like. The communication bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is used in the figure, but it does not mean that there is only one bus or one type of bus.

电子设备包括硬件层,运行在硬件层之上的操作系统层,以及运行在操作系统上的应用层。该硬件层包括中央处理器(CPU,Central Processing Unit)、内存管理单元(MMU,Memory Management Unit)和内存等硬件。该操作系统可以是任意一种或多种通过进程(Process)实现电子设备控制的计算机操作系统,例如,Linux操作系统、Unix操作系统、Android操作系统、iOS操作系统或windows操作系统等。并且在本发明实施例中该电子设备可以是智能手机、平板电脑等手持设备,也可以是桌面计算机、便携式计算机等电子设备,本发明实施例中并未特别限定。An electronic device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system. The hardware layer includes hardware such as a central processing unit (CPU, Central Processing Unit), a memory management unit (MMU, Memory Management Unit) and memory. The operating system can be any one or more computer operating systems that realize electronic device control through processes, for example, Linux operating system, Unix operating system, Android operating system, iOS operating system, or windows operating system. And in the embodiment of the present invention, the electronic device may be a handheld device such as a smart phone or a tablet computer, or may be an electronic device such as a desktop computer or a portable computer, which is not particularly limited in the embodiment of the present invention.

本发明实施例中的电子设备控制的执行主体可以是电子设备,或者是电子设备中能够调用程序并执行程序的功能模块。电子设备可以获取到存储介质对应的固件,存储介质对应的固件由供应商提供,不同存储介质对应的固件可以相同可以不同,在此不做限定。电子设备获取到存储介质对应的固件后,可以将该存储介质对应的固件写入存储介质中,具体地是往该存储介质中烧入该存储介质对应固件。将固件烧入存储介质的过程可以采用现有技术实现,在本发明实施例中不做赘述。The execution subject of electronic device control in the embodiment of the present invention may be an electronic device, or a functional module in the electronic device that can call a program and execute the program. The electronic device can obtain the firmware corresponding to the storage medium. The firmware corresponding to the storage medium is provided by the supplier. The firmware corresponding to different storage media may be the same or different, which is not limited here. After the electronic device obtains the firmware corresponding to the storage medium, it may write the firmware corresponding to the storage medium into the storage medium, specifically burn the firmware corresponding to the storage medium into the storage medium. The process of burning the firmware into the storage medium can be realized by using the existing technology, and will not be repeated in the embodiment of the present invention.

电子设备还可以获取到存储介质对应的重置命令,存储介质对应的重置命令由供应商提供,不同存储介质对应的重置命令可以相同可以不同,在此不做限定。The electronic device can also obtain a reset command corresponding to the storage medium. The reset command corresponding to the storage medium is provided by the supplier. The reset commands corresponding to different storage media can be the same or different, which is not limited here.

此时电子设备的存储介质为写入了对应的固件的存储介质,电子设备可以在写入了对应的固件的存储介质中响应该存储介质对应的重置命令,从而电子设备根据存储介质对应的重置命令,对该写入对应的固件的存储介质进行重置。根据重置命令对存储介质进行重置的过程可以现有技术实现,在本发明实施例中不做赘述。At this time, the storage medium of the electronic device is the storage medium in which the corresponding firmware is written, and the electronic device can respond to the reset command corresponding to the storage medium in the storage medium in which the corresponding firmware is written, so that the electronic device can The reset command resets the storage medium in which the corresponding firmware is written. The process of resetting the storage medium according to the reset command can be implemented in the prior art, and will not be described in detail in this embodiment of the present invention.

本发明还公开了另一个实施例,关于车辆。The invention also discloses another embodiment, which relates to the vehicle.

一种车辆,包括:中央计算单元;中央计算单元内集成中央计算单元OBD认证组件,基于数字证书的签名验签机制对诊断设备进行身份认证;A vehicle, comprising: a central computing unit; an OBD authentication component of the central computing unit is integrated in the central computing unit, and a diagnostic device is authenticated based on a signature verification mechanism of a digital certificate;

诊断设备集成诊断设备OBD认证组件,以在线方式向信任中心申请数字证书;The diagnostic equipment integrates the diagnostic equipment OBD authentication component, and applies for a digital certificate from the trust center online;

诊断设备基于诊断协议连接中央计算单元,由中央计算单元对诊断设备进行安全认证;若,诊断设备通过认证,则,允许中央计算单元、诊断设备之间进行认证机制保护下的数据交互。The diagnostic equipment is connected to the central computing unit based on the diagnostic protocol, and the central computing unit performs security authentication on the diagnostic equipment; if the diagnostic equipment passes the authentication, data exchange under the protection of the authentication mechanism is allowed between the central computing unit and the diagnostic equipment.

为了描述的方便,描述以上装置时以功能分为各种单元、模块分别描述。当然在实施本申请时可以把各单元、模块的功能在同一个或多个软件和/或硬件中实现。For the convenience of description, when describing the above devices, the functions are divided into various units and modules and described separately. Of course, when implementing the present application, the functions of each unit and module can be implemented in one or more software and/or hardware.

本技术领域技术人员可以理解,除非另外定义,这里使用的所有术语(包括技术术语和科学术语),具有与本发明所属领域中的普通技术人员的一般理解相同的意义。还应该理解的是,诸如通用字典中定义的那些术语,应该被理解为具有与现有技术的上下文中的意义一致的意义,并且除非被特定定义,否则不会用理想化或过于正式的含义来解释。Those skilled in the art can understand that, unless otherwise defined, all terms (including technical terms and scientific terms) used herein have the same meaning as commonly understood by those of ordinary skill in the art to which this invention belongs. It should also be understood that terms, such as those defined in commonly used dictionaries, should be understood to have meanings consistent with the meanings in the context of the prior art, and will not be used in an idealized or overly formal sense unless specifically defined to explain.

需要说明的是,本说明书与权利要求中使用了某些词汇来指称特定元件。本领域技术人员应可以理解,车辆制造商可能会用不同名词来称呼同一个元件。本说明书与权利要求并不以名词的差异来作为区分元件的方式,而是以元件在功能上的差异作为区分的准则。如通篇说明书及权利要求当中所提及的“包含”或“包括”为一开放式用语,故其应被理解成“包括但不限定于”。后续将对实施本发明的较佳实施方式进行描述说明,但是所述说明是以说明书的一般原则为目的,并非用于限定本发明的范围。本发明的保护范围当根据其所附的权利要求所界定者为准。It should be noted that certain terms are used in the specification and claims to refer to specific elements. Those skilled in the art should understand that vehicle manufacturers may use different terms to refer to the same component. The specification and claims do not use the difference in nouns as a way to distinguish components, but use the difference in function of components as a criterion for distinguishing. As mentioned throughout the specification and claims, "comprising" or "comprising" is an open term, so it should be understood as "including but not limited to". The preferred implementation modes of the present invention will be described later, but the descriptions are for the purpose of general principles of the description, and are not intended to limit the scope of the present invention. The protection scope of the present invention should be defined according to the appended claims.

通过以上的实施方式的描述可知,本领域的技术人员可以清楚地了解到本申请可借助软件加必需的通用硬件平台的方式来实现。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在存储介质中,如ROM/RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施方式或者实施方式的某些部分所述的方法。It can be known from the above description of the implementation manners that those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the essence of the technical solution of this application or the part that contributes to the prior art can be embodied in the form of software products, and the computer software products can be stored in storage media, such as ROM/RAM, disk , CD, etc., including several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) execute the methods described in various embodiments or some parts of the embodiments of this application.

上所描述的装置实施方式仅仅是示意性的,其中所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施方式方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。The device implementation described above is only illustrative, and the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed to multiple network elements. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. It can be understood and implemented by those skilled in the art without creative effort.

本申请可用于众多通用或专用的计算系统环境或配置中,例如:个人计算机、服务器计算机、手持设备或便携式设备、平板型设备、多处理器系统、基于微处理器的系统、置顶盒、可编程的消费电子设备、网络PC、小型计算机、大型计算机、包括以上任何系统或设备的分布式计算环境等等。This application can be used in numerous general purpose or special purpose computing system environments or configurations, such as: personal computers, server computers, handheld or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set-top boxes, Programmed consumer electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and more.

本申请可以在由计算机执行的计算机可执行指令的一般上下文中描述,例如程序模块。一般地,程序模块包括执行特定任务或实现特定抽象数据类型的例程、程序、对象、组件、数据结构等等。也可以在分布式计算环境中实践本申请,在这些分布式计算环境中,由通过通信网络而被连接的远程处理设备来执行任务。在分布式计算环境中,程序模块可以位于包括存储设备在内的本地和远程计算机存储介质中。This application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including storage devices.

在本说明书的描述中,参考术语“一个实施例”、“示例”、“具体示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。In the description of this specification, descriptions with reference to the terms "one embodiment", "example", "specific example" and the like mean that specific features, structures, materials or characteristics described in conjunction with the embodiment or example are included in at least one embodiment of the present invention. In an embodiment or example. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than limiting them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: It is still possible to modify the technical solutions described in the foregoing embodiments, or perform equivalent replacements for some or all of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the technical solutions of the various embodiments of the present invention. scope.

最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than limiting them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: It is still possible to modify the technical solutions described in the foregoing embodiments, or perform equivalent replacements for some or all of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the technical solutions of the various embodiments of the present invention. scope.

Claims (10)

1. An OBD interface authentication method based on a network-connectable diagnosis device is characterized by specifically comprising the following steps:
the central computing unit integrates an OBD authentication component of the central computing unit, and identity authentication is carried out on the diagnostic equipment based on a signature verification mechanism of a digital certificate;
the diagnostic equipment integrates an OBD authentication component of the diagnostic equipment and applies for a digital certificate to a trust center on line;
the diagnostic equipment is connected with the central computing unit, and the central computing unit carries out safety certification on the diagnostic equipment and judges whether the diagnostic equipment has a preset authority.
2. An OBD interface authentication method based on a network-connectable diagnosis device is characterized by specifically comprising the following steps:
the diagnostic equipment reads the serial number of the diagnostic equipment;
the diagnostic equipment OBD authentication component compares the serial number of the diagnostic equipment with a local certificate list and judges whether the local certificate list contains a digital certificate corresponding to the serial number of the diagnostic equipment;
if the digital certificate corresponding to the serial number of the diagnostic equipment is not included, the digital certificate is applied online;
if the digital certificate state corresponding to the serial number of the diagnostic equipment is unavailable, applying for the digital certificate on line;
and if the digital certificate state corresponding to the serial number of the diagnostic equipment exceeds the updating threshold, performing online application on the digital certificate.
3. The network-enabled diagnostic device based OBD interface authentication method as claimed in claim 2, further comprising:
the diagnostic device reads the serial number of the diagnostic device:
starting the diagnostic equipment software;
the diagnostic equipment establishes connection with the trust center;
calling an initialization interface of an OBD authentication component of the diagnostic equipment;
and importing a serial number of the diagnostic equipment.
4. The On Board Diagnostic (OBD) interface authentication method based on a network-enabled OBD device according to claim 2, further comprising:
the diagnostic equipment sends a certificate application message to the trust center;
the diagnostic equipment OBD authentication component generates an SM2 key pair and generates a CSR file containing a key;
performing P7 signature on the CSR file and the serial number of the diagnostic equipment by using a preset certificate of the diagnostic equipment to construct a certificate application message;
the diagnostic device OBD authentication component receives a digital certificate from a trust center;
the application message is subjected to signature verification of a trust center P7, and the diagnostic equipment serial number recorded in the application message passes verification of a white list of the trust center.
5. The network-enabled diagnostic device based OBD interface authentication method as claimed in claim 2, further comprising:
the diagnostic device receives a digital certificate from a trust center;
the diagnostic equipment OBD authentication component verifies the digital certificate;
if the number of the first time interval and the second time interval is less than the preset threshold,
verifying that the digital certificate subject serial number matches the serial number of the diagnostic device,
the verification digital certificate matches the SM2 key generated by the diagnostic device OBD authentication component,
verifying that the digital certificate is issued by the CA;
then the diagnostic device OBD authentication component imports the digital certificate and updates the local certificate list.
6. The On Board Diagnostic (OBD) interface authentication method based on a network-enabled OBD device according to claim 5, further comprising:
the diagnostic equipment sends the verified digital certificate to the central computing unit;
the diagnostic device sends a request for obtaining a random number to the central computing unit;
the diagnostic device receives the random number from the central computing unit;
the diagnostic equipment OBD authentication component signs the random number;
the diagnostic device sends the result of the signature to the central computing unit.
7. An OBD interface authentication method based on a network-connectable diagnosis device is characterized by specifically comprising the following steps:
the central computing unit integrates an OBD authentication component of the central computing unit and presets a root certificate;
the central computing unit receives the digital certificate sent by the checking and diagnosing equipment;
the central computing unit OBD authentication component verifies the digital certificate sent by the diagnostic equipment;
if the verification is passed, returning a random number to the diagnostic equipment;
the central computing unit receives a signature result of the random number from the diagnostic device;
the central computing unit OBD authentication component authenticates the signature result of the random number;
and if the authentication is passed, the central computing unit opens the preset authority to the diagnostic equipment.
8. A diagnostic device, comprising:
the diagnostic equipment integrates an OBD authentication component of the diagnostic equipment and presets a root certificate;
applying for a digital certificate to a trust center through Ethernet; performing the network-connectable diagnostic device based OBD interface authentication method of any of claims 2 to 6.
9. A central computing unit, comprising:
the central computing unit integrates an OBD authentication component of the central computing unit and presets a root certificate; the identity authentication is carried out on the diagnostic equipment based on a signature verification mechanism of the digital certificate; an OBD interface authentication method based on a networkable diagnostic device, as claimed in claim 7, is performed.
10. A vehicle, characterized by comprising: a central computing unit; the central computing unit is internally integrated with an OBD authentication component of the central computing unit, and the identity authentication is carried out on the diagnostic equipment based on a signature verification mechanism of a digital certificate;
the diagnostic equipment integrates an OBD authentication component of the diagnostic equipment and applies for a digital certificate to the trust center in an online mode;
the diagnostic equipment is connected with the central computing unit based on a diagnostic protocol, and the central computing unit carries out safety certification on the diagnostic equipment; and if the diagnostic equipment passes the authentication, allowing the central computing unit and the diagnostic equipment to perform data interaction under the protection of an authentication mechanism.
CN202210866406.2A 2022-07-22 2022-07-22 On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle Pending CN115333793A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210866406.2A CN115333793A (en) 2022-07-22 2022-07-22 On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210866406.2A CN115333793A (en) 2022-07-22 2022-07-22 On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle

Publications (1)

Publication Number Publication Date
CN115333793A true CN115333793A (en) 2022-11-11

Family

ID=83919635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210866406.2A Pending CN115333793A (en) 2022-07-22 2022-07-22 On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle

Country Status (1)

Country Link
CN (1) CN115333793A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE202017103778U1 (en) * 2016-08-23 2017-07-20 Beihang University Communication protection device and system for an OBD-II interface of an electric motor vehicle
CN108513635A (en) * 2018-03-30 2018-09-07 深圳市元征软件开发有限公司 Vehicle checking method, user equipment, server and vehicle detecting system
WO2020057314A1 (en) * 2018-09-19 2020-03-26 恒宝股份有限公司 Method, device and system for issuing esim certificate online
WO2021062946A1 (en) * 2019-09-30 2021-04-08 恒宝股份有限公司 Method for issuing the same-root certificate online, device and system
CN112702169A (en) * 2020-12-21 2021-04-23 北京信安世纪科技股份有限公司 Visual digital certificate application method
WO2021168864A1 (en) * 2020-02-29 2021-09-02 华为技术有限公司 Fault diagnostic method and apparatus, and vehicle
US20220144291A1 (en) * 2019-03-15 2022-05-12 Tvs Motor Company Limited Portable wireless connected diagnostic system for a vehicle
CN114513310A (en) * 2022-02-21 2022-05-17 中国第一汽车股份有限公司 Authentication method and device for vehicle diagnosis equipment, electronic equipment and medium

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE202017103778U1 (en) * 2016-08-23 2017-07-20 Beihang University Communication protection device and system for an OBD-II interface of an electric motor vehicle
CN108513635A (en) * 2018-03-30 2018-09-07 深圳市元征软件开发有限公司 Vehicle checking method, user equipment, server and vehicle detecting system
US20210383619A1 (en) * 2018-03-30 2021-12-09 Shenzhen Launch Software Co., Ltd. Vehicle diagnosis method, user equipment, and server
WO2020057314A1 (en) * 2018-09-19 2020-03-26 恒宝股份有限公司 Method, device and system for issuing esim certificate online
US20220144291A1 (en) * 2019-03-15 2022-05-12 Tvs Motor Company Limited Portable wireless connected diagnostic system for a vehicle
WO2021062946A1 (en) * 2019-09-30 2021-04-08 恒宝股份有限公司 Method for issuing the same-root certificate online, device and system
WO2021168864A1 (en) * 2020-02-29 2021-09-02 华为技术有限公司 Fault diagnostic method and apparatus, and vehicle
CN112702169A (en) * 2020-12-21 2021-04-23 北京信安世纪科技股份有限公司 Visual digital certificate application method
CN114513310A (en) * 2022-02-21 2022-05-17 中国第一汽车股份有限公司 Authentication method and device for vehicle diagnosis equipment, electronic equipment and medium

Similar Documents

Publication Publication Date Title
US8438385B2 (en) Method and apparatus for identity verification
CA2868896C (en) Secure mobile framework
CN111478769A (en) A distributed trusted identity authentication method, system, storage medium and terminal
CN109039654B (en) TBOX identity authentication method and terminal equipment
US20110252227A1 (en) Methods and systems to bind a device to a computer system
CN113312674B (en) Access security method and system based on multi-factor environment perception digital certificate
CN104320389B (en) A kind of fusion identity protection system and method based on cloud computing
JP6940584B2 (en) Internet of Things (IoT) security and management systems and methods
CN110795126A (en) A firmware security upgrade system
CN110891257A (en) A networked vehicle remote upgrade system and method with anti-attack two-way authentication
US20220311777A1 (en) Hardening remote administrator access
CN108040044A (en) A kind of management method and system for realizing eSIM card security authentications
CN110753029B (en) Identity verification method and biological identification platform
CN113766450A (en) Vehicle virtual key sharing method, mobile terminal, server and vehicle
CN119363444A (en) Device access authentication system, method, device and medium for power Internet of Things
CN111090841A (en) A kind of authentication method and device for industrial control system
CN118487877B (en) Communication security protection method, readable storage medium and intelligent device
CN115189885A (en) Authentication device login method, storage medium, and electronic device
CN108390892B (en) Control method and device for security access of remote storage system
CN115333793A (en) On-board diagnostics (OBD) interface authentication method based on networking diagnostic equipment and vehicle
CN116049807A (en) A service access system and method, electronic equipment, and storage medium
CN116938471A (en) A POS machine security authorization deployment method, device and storage medium
CN113645263B (en) Account binding method and device
KR20240024610A (en) System for diagnosis of a vehicle and method thereof
CN119254548B (en) On-board safety diagnostic system and method based on authority control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221111

RJ01 Rejection of invention patent application after publication