
CN116094825B - Communication security protection method, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116094825B
Authority
CN
China
Prior art keywords
tbox
connection
credential
information
generating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310102885.5A
Other languages
Chinese (zh)
Other versions
CN116094825A (en)
Inventor
王翊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing Selis Phoenix Intelligent Innovation Technology Co ltd
Original Assignee
Chongqing Selis Phoenix Intelligent Innovation Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing Selis Phoenix Intelligent Innovation Technology Co ltd
Priority to CN202310102885.5A
Publication of CN116094825A
Application granted
Publication of CN116094825B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L2209/84 Vehicles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a communication security protection method, a system, electronic equipment and a storage medium. The method comprises the following steps: generating a first connection credential in response to a connection request of a first device, the first connection credential being used to establish a connection with the first device; verifying identity information provided by the first device to establish a connection with the first device; and generating a session token based on the first connection credential, the session token serving as the interaction credential with the first device. The method helps address the problem that, during the interaction between a vehicle's TBOX and the TSP, a third party who obtains the TBOX can forge or misreport interaction messages, causing the systems of other vehicles to misjudge and threatening vehicle safety.

Description

Communication security protection method, system, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a method, a system, an electronic device, and a storage medium for protecting communication security.
Background
The automobile is an indispensable means of transport, and building the intelligent connected automobile is an important development trend at the present stage. Through the interaction of the TBOX (Telematics BOX, vehicle-mounted intelligent terminal) and the TSP (Telematics Service Provider), the internet of vehicles performs state monitoring of the vehicle (temperature, tire pressure, speed, etc.), control of the vehicle (door opening, window opening, air-conditioning, etc.) and, where necessary, warnings (low fuel, low tire pressure, door not closed, etc.). These interaction data are very important: if they are tampered with or misreported by someone, the system will misjudge, which poses a threat to the vehicle.
Disclosure of Invention
The application provides a communication security protection method, a system, electronic equipment and a storage medium, which help address the problem that, during the interaction between a vehicle's TBOX and the TSP, a third party who obtains the TBOX can forge or misreport interaction messages, causing other vehicle systems to misjudge and threatening the safety of the automobile.
In a first aspect, the present application provides a communication security protection method, including:
generating a first connection credential in response to a connection request of a first device, the first connection credential being used to establish a connection with the first device;
verifying identity information provided by the first device to establish a connection with the first device;
and generating a session token based on the first connection credential, the session token serving as the interaction credential with the first device.
In the application, the security of the session information between the TBOX and the TSP is protected by the generated first connection credential and by the session token generated from that credential, which helps address the problem that a third party who obtains the TBOX forges or misreports interaction messages, causes other vehicle systems to misjudge and threatens vehicle security.
In one possible implementation manner, the generating, in response to a connection request of the first device, a first connection credential includes:
in response to a connection request of the first device, generating a unique random number and storing the unique random number;
and performing hash encryption (a one-way hash, as the detailed description explains) over the device information of the first device together with the unique random number stored in the server to obtain the first connection credential.
In one possible implementation manner, after the generating the first connection credential in response to the connection request of the first device, the method further includes:
the first connection credential is sent to the first device.
In one possible implementation manner, the verifying the identity information provided by the first device to establish a connection with the first device includes:
receiving identity information of the first device, the identity information comprising the device information of the first device and the first connection credential;
performing hash encryption over the unique random number together with the device information uploaded by the first device to obtain a second connection credential;
and comparing the first connection credential with the second connection credential; if the two are the same, establishing a connection with the first device.
In one possible implementation manner, the generating a session token based on the first connection credential includes:
signing the identity information of the first device with the first connection credential as the key, thereby generating the session token.
In one possible implementation manner, after the session token is generated based on the first connection credential, the method further includes:
sending the session token to the first device.
In one possible implementation manner, after the session token is generated based on the first connection credential, the method further includes:
receiving a subscription message of the first device, the subscription message comprising the device information of the first device and the session token;
decrypting the session token with the first connection credential as the key to obtain the device information of the first device carried in the session token;
judging whether the device information of the first device in the subscription message is consistent with the device information of the first device in the session token, and sending alarm information if it is not.
In a second aspect, the present application provides a communication security protection apparatus comprising:
a first generation module for generating a first connection credential in response to a connection request of the first device, the first connection credential being used to establish a connection with the first device;
a verification module for verifying the identity information provided by the first device so as to establish a connection with the first device;
and a second generation module for generating a session token based on the first connection credential, the session token serving as the interaction credential with the first device.
In a third aspect, the present application provides a first apparatus comprising: a processor and a memory for storing a computer program; the processor is configured to run the computer program to implement the communication security protection method according to the first aspect.
In a fourth aspect, the present application provides a communication security protection system comprising: a first device and a server as shown in the third aspect.
In a fifth aspect, the present application provides a computer readable storage medium having a computer program stored therein, which when run on a computer causes the computer to implement the communication security protection method as described in the first aspect.
Drawings
Fig. 1 is a schematic flow chart of the interaction of a prior art internet of vehicles system;
Fig. 2 is an application scenario architecture diagram provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of an electrical inspection according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of communication security protection provided by an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a communication security protection apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the embodiment of the present application, unless otherwise specified, the character "/" indicates that the associated object is one or the relationship. For example, A/B may represent A or B. "and/or" describes an association relationship of an association object, meaning that three relationships may exist. For example, a and/or B may represent: a exists alone, A and B exist together, and B exists alone.
It should be noted that the terms "first," "second," and the like in the embodiments of the present application are used for distinguishing between description and not necessarily for indicating or implying a relative importance or number of features or characteristics in order.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. Furthermore, "at least one item(s)" below, or the like, refers to any combination of these items, and may include any combination of single item(s) or plural items(s). For example, at least one (one) of A, B or C may represent: a, B, C, a and B, a and C, B and C, or A, B and C. Wherein each of A, B, C may itself be an element or a collection of one or more elements.
In embodiments of the application, "exemplary," "in some embodiments," "in another embodiment," etc. are used to indicate an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term use of an example is intended to present concepts in a concrete fashion.
In the embodiments of the present application, "of", "corresponding (relevant)" and "corresponding" may sometimes be used interchangeably; where the distinction is not emphasized, the meaning expressed is the same. Likewise, "communication" and "transmission" may sometimes be used interchangeably, and where the distinction is not emphasized their meaning is the same. For example, a transmission may include sending and/or receiving, whether the word is used as a noun or as a verb.
"Equal to" in the embodiments of the present application may be used together with "greater than" and then applies to the technical scheme adopted for "greater than"; it may also be used together with "less than" and then applies to the technical scheme adopted for "less than". It should be noted that when "equal to" is used together with "greater than", it is not used together with "less than"; when "equal to" is used together with "less than", it is not used together with "greater than".
The internet of vehicles realizes real-time upload of vehicle information and remote control of the vehicle through the interaction of the TBOX and the TSP. The TBOX communicates with the whole vehicle over a network and obtains vehicle information in real time, including real-time fuel consumption, engine water temperature, engine speed, vehicle mileage, current vehicle speed, battery voltage, intake pressure, coolant temperature, oxygen sensor voltage, engine load, throttle opening, air flow, GPS vehicle position information and the like, so that vehicle driving data are monitored in real time. When the vehicle is stationary it can be controlled remotely, and the current real-time state of the vehicle can be obtained through a mobile phone APP (Application) or the TSP back-end web page, for example whether the windows are closed, whether the doors are locked, the remaining fuel and charge, the total mileage, the cabin temperature and so on. The driver can then perform the corresponding remote control according to this information, for example remote door opening, remote trunk opening or remote air-conditioner activation, which greatly improves the driver's experience.
Fig. 1 is a schematic flow chart of the interaction of a vehicle networking system in the prior art. As shown in Fig. 1, the system comprises four parts: the TBOX, the EMQ (Elastic Message Queue), the TSP and other service systems, where the EMQ is a universal interconnection message engine (it may be called a message server) of an MQTT (Message Queuing Telemetry Transport) message platform for the internet of things. The TBOX and the TSP communicate asynchronously; messages are pushed, published and subscribed to through internet-of-things message middleware, and the TBOX and the TSP generally interact through the EMQ as that middleware. EMQ is the interaction mode used by most automobile manufacturers at present, and the whole interaction is stateless, like HTTP (Hyper Text Transfer Protocol) interaction. Stateless means that there is no memory of the transaction: after we send an HTTP request to the server, the server returns a response according to our request but records nothing, so if the next request needs information from the previous request, that information has to be sent again, which may increase the amount of data per transfer and make the response time excessively long.
The method specifically comprises the following steps:
Step 101, reporting vehicle information.
Specifically, the TBOX reports vehicle information to the EMQ, including real-time fuel consumption, engine water temperature, engine speed, vehicle mileage, current vehicle speed, etc.
Step 102, the TSP subscribes to the vehicle information.
Specifically, the TSP subscribes to the vehicle information through the EMQ and acquires the real-time information of the vehicle.
Step 103, pushing to other systems after service processing.
Specifically, after service processing the TSP pushes the vehicle's information to the APP or other systems.
Step 104, the APP or other system sends a remote command.
Specifically, the APP or other system receives a service request for the vehicle and sends a remote control instruction to the TSP; for example, if the system detects that a window is not properly closed, it sends a remote control instruction for the window.
Step 105, the TSP forwards the instruction to the EMQ after service processing.
Step 106, the TBOX subscribes to remote control messages.
Specifically, the TBOX subscribes to remote control information through the EMQ and obtains the control instruction for the vehicle.
As can be seen from Fig. 1, the EMQ carries the most important link in data transmission, including vehicle reporting and message receiving. Typically the EMQ is protected only by an SSL (Secure Socket Layer) certificate plus a connection password (configured on the client), and anyone holding the certificate and password can establish a connection with the EMQ. That is, if a person (a vehicle owner or a hacker) takes the TBOX of one of the vehicles, he can obtain the information in it, such as the frame number, the TBOX card number, the device number, the certificate, the address of the EMQ it connects to and the connection password.
Once the TBOX and all of its information have been taken, a third party can connect to the EMQ, interact with it, and send messages directly to it. In theory any message may be sent, under any topic and with any data, such as reporting vehicle alarm data or issuing remote control data (e.g. opening doors, windows, etc.), which may be malicious for some vehicles.
The TBOX consumes messages by subscribing to a topic containing its own device number, e.g. TBOX/remote_cmd/112212122 or TBOX/remote_cmd/112212133, where remote_cmd indicates a remote execution command and 112212122/112212133 is the device number; messages sent by a TBOX all have to be sent under the topic corresponding to the vehicle's device number. A malicious message or topic need not concern the vehicle whose TBOX was taken: on the third party's connection any message may be sent to the EMQ and the topic may be defined freely, so other vehicles subscribing to that topic receive the message, and the TSP or TBOX that subscribes to it acquires the message but cannot determine who sent it. For example, after a third party takes the TBOX of car A and connects to the EMQ, it changes the device number in the topic to that of car B; car B subscribes to the message but cannot judge the sender, and if the message is malicious, car B's system misjudges and the safety of car B is threatened.
Based on the above problems, the embodiment of the application provides a communication security protection method, which helps address the problem that, during the interaction between a vehicle's TBOX and the TSP, a third party who obtains the TBOX can forge or misreport interaction messages, causing other vehicle systems to misjudge and threatening the safety of the automobile.
The communication security protection method provided by the embodiment of the application is described with reference to fig. 2 to 4.
Fig. 2 is an application scenario architecture diagram provided in an embodiment of the present application. As shown in Fig. 2, the application scenario includes a first device and a server, where the first device is an electronic device. The embodiment of the application does not limit the type of the electronic device: it may be a mobile phone, a desktop computer, a tablet computer, a notebook computer, a palm computer, a vehicle-mounted terminal, a wearable device, an ultra-mobile personal computer (UMPC) or a netbook. In the application, the vehicle-mounted intelligent terminal TBOX is taken as the example of the first device.
The application keeps the session by imitating HTTP cookie technology. HTTP is a stateless protocol, but the HTTP server generates a unique cookie id for each client that establishes a connection; the client carries the cookie id in each request to indicate its identity, and if a request does not carry the cookie id, or the cookie id has been tampered with, the related service is not executed. Cookie technology is a client-side solution: cookies are special information sent to the client by the server, stored on the client as a text file, and carried by the client each time it sends a request to the server.
Fig. 3 is a schematic flow chart of communication security protection provided by the embodiment of the application, which specifically includes the following steps:
Step 301, electric inspection before loading.
Specifically, before the TBOX is loaded, the relevant device information of the vehicle is entered into the TSP; the device information comprises the device number, the vehicle number bound to the device, the frame number, the phone card number and the like. A first electrical inspection is performed before the TBOX is loaded to check the connectivity of the TBOX, the EMQ and the TSP. Fig. 4 is an electrical inspection schematic diagram provided in the embodiment of the present application; server detection there means detecting the server (i.e. the TSP) and checking whether the device information exists in the server. When the TBOX sends a message request, the server judges whether the device information in the TBOX matches the device information stored in the server, i.e. whether the device information is in the system and whether it is accurate, and returns a message response to the TBOX. During the electrical inspection the TBOX may fail to receive the message response because of network delay or other reasons, so the application sets a response time of 10 s; if the TBOX receives no response within 10 s, it retries, i.e. it resends the message request.
Step 302, the TSP subscribes to TBOX messages, as in step 102.
Step 303, generating and storing a random number, performing hash encryption on the random number and the TBOX device information stored in the server to generate a first connection credential t_hash1, and responding with the first connection credential t_hash1.
Specifically, during the electrical inspection in step 301, the TSP receives the connection request sent by the TBOX; at this point the TSP generates and stores a unique random number, which may be a meaningless character string, a number or a UUID (Universally Unique Identifier) without limitation, and which cannot be known by a third party. The TSP then performs a hash (hash algorithm) encryption calculation over the device information of the TBOX and the random number stored in the server to obtain the first connection credential t_hash1, for example t_hash1 = 12345ytrewsdfgh, which serves as the connection credential for the subsequent interaction between the TBOX and the TSP. The hash algorithm may be MD5 (Message Digest, fifth version), SHA-256 (Secure Hash Algorithm with a 256-bit hash value), or the like. Hash encryption here means that the hash algorithm reduces the message to a digest that cannot be reversed even if the credential is obtained, so even if a third party takes the TBOX, the original data (in particular the random number) cannot be recovered from it.
Step 304, respond to t_hash1.
Specifically, TSP responds this t_hash1 to EMQ.
Step 305, subscribe to and store information.
Specifically, TSP acquires and stores t_hash1 through EMQ subscription.
Step 306, after loading, carrying t_hash1 to start communication.
Specifically, t_hash1 is uploaded to the EMQ during TBOX and TSP interactions.
In step 307, the TSP subscribes to TBOX messages, as in step 102.
Step 308, the TSP judges whether the information carried by the TBOX is correct according to the service, calculates a second connection credential t_hash2 from the device information uploaded by the TBOX and the random number stored during the electrical inspection, and compares t_hash2 with the t_hash1 carried by the TBOX. If the comparison succeeds, a connection between the TBOX and the TSP is established.
Step 309, verification passes without error; respond with the JWT token.
Specifically, when the t_hash verification is correct, i.e. t_hash1 and t_hash2 are the same, and the TBOX has established a connection with the TSP, the TSP responds via the EMQ with a session flag that serves as the interaction credential of the TBOX and the TSP. When the TBOX establishes a connection with the TSP, it must provide its own "identity information", which includes the device information (device number, device-bound vehicle number, device-bound phone card number, and the like) together with t_hash1. The TSP verifies that this data is correct, signs the parameters using JWT (JSON Web Token) with t_hash1 as the key, and generates the session information, i.e. the JWT token, which mainly contains information such as the TBOX device number and the login time, and responds to the TBOX.
Step 310, acquire the JWT token and start the session.
Specifically, the TBOX acquires the JWT token through the EMQ and starts a session with the TSP.
During the interaction between the TBOX and the TSP, the JWT token must be transmitted; because the JWT is signed, the data cannot be tampered with by others. When the TSP receives a subscription message, it determines whether the device information in the message body is consistent with that in the JWT token; if not, it raises an alarm and does not execute the normal consumption service. When the TBOX receives a subscription message, it likewise judges whether the device information in the message body is consistent with that in the JWT token, raises an alarm if not, and does not execute the normal consumption service.
The JWT token includes the device information and the signature. A message sent by a third party either carries no JWT token, or carries a JWT token whose device information fails verification. For example, if a third party sends a remote control command for car B by connecting through the EMQ of car A, then even if car B subscribes to this message, the verification at the TBOX and the TSP does not pass. Therefore, even if one car is maliciously exploited by a hacker or any third party and its TBOX and equipment information are completely exposed, other vehicles are not affected, the safety of automobile information is improved, and the driving safety of the automobile is improved.
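The following is an added, self-contained example of the server side of steps 301 to 310 and of the message consistency check described above; it is illustrative code written for this page, not the patent holder's implementation. It assumes SHA-256 as the hash algorithm, an HS256 (HMAC-SHA256) JWT signed with t_hash1 as the key, and a constructed in-memory device registry in place of the TSP database; the device numbers, vehicle numbers and card numbers are made-up sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed device registry: what the TSP holds before the TBOX is loaded.
# Sample values only, not data from the patent.
DEVICE_REGISTRY = {
    "TBOX-0001": {"device_id": "TBOX-0001", "vin": "VIN-SAMPLE-001", "sim": "SIM-001"},
    "TBOX-0002": {"device_id": "TBOX-0002", "vin": "VIN-SAMPLE-002", "sim": "SIM-002"},
}

# Server-side store of the unique random number per device (step 303).
# It is never sent to the TBOX; only the digest t_hash1 leaves the server.
_nonce_store = {}


def _canonical(obj) -> bytes:
    """Stable JSON encoding so both sides hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def electrical_inspection(device_info) -> bool:
    """Step 301: is the device in the system, and is its information accurate?"""
    stored = DEVICE_REGISTRY.get(device_info.get("device_id"))
    return stored is not None and stored == device_info


def issue_connection_credential(device_info):
    """Step 303: unique random number + SHA-256 over the stored device info -> t_hash1."""
    if not electrical_inspection(device_info):
        return None
    stored = DEVICE_REGISTRY[device_info["device_id"]]
    nonce = secrets.token_hex(16)          # assumption: 128-bit random hex string
    _nonce_store[stored["device_id"]] = nonce
    return hashlib.sha256(_canonical(stored) + nonce.encode()).hexdigest()


def verify_connection(device_info, t_hash1) -> bool:
    """Step 308: recompute t_hash2 from the uploaded info and the stored nonce, then compare."""
    nonce = _nonce_store.get(device_info.get("device_id"))
    if nonce is None:
        return False
    t_hash2 = hashlib.sha256(_canonical(device_info) + nonce.encode()).hexdigest()
    return hmac.compare_digest(t_hash1, t_hash2)   # constant-time comparison


def issue_session_token(device_info, t_hash1, now=None) -> str:
    """Step 309: HS256 JWT keyed with t_hash1, carrying the device number and login time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"device_id": device_info["device_id"],
               "iat": int(now if now is not None else time.time())}
    signing_input = _b64url(_canonical(header)) + "." + _b64url(_canonical(payload))
    sig = hmac.new(t_hash1.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session_token(token, t_hash1):
    """Return the token claims if the signature checks out under t_hash1, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(t_hash1.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(s), expected):
        return None
    return json.loads(_b64url_decode(p))


def check_subscription_message(message, t_hash1) -> str:
    """Consistency check on a received message: body device info must match the token."""
    claims = verify_session_token(message.get("jwt", ""), t_hash1)
    if claims is None:
        return "alarm: bad token"
    if claims["device_id"] != message.get("device_id"):
        return "alarm: device mismatch"
    return "ok"


if __name__ == "__main__":
    info = DEVICE_REGISTRY["TBOX-0001"]
    t_hash1 = issue_connection_credential(info)
    print("connection ok:", verify_connection(info, t_hash1))
    token = issue_session_token(info, t_hash1)
    print(check_subscription_message({"device_id": "TBOX-0001", "jwt": token}, t_hash1))
    print(check_subscription_message({"device_id": "TBOX-0002", "jwt": token}, t_hash1))
```

The last call models the car A / car B scenario above: a token issued for one device is presented with another device's information in the message body, and the receiver alarms instead of consuming the message. Because t_hash1 is derived per device from a server-held random number, a credential or token exposed from one TBOX verifies only for that device.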
Fig. 5 is a schematic structural diagram of a communication security protection apparatus according to an embodiment of the present application, and as shown in fig. 5, the apparatus 50 may include:
The first generating module 51 is configured to generate, in response to a connection request of a first device, a first connection credential, where the first connection credential is used to establish a connection with the first device.
A verification module 52, configured to verify the identity information provided by the first device, so as to establish a connection with the first device.
A second generation module 53 for generating a session token based on the first connection credential, the session token being used for characterizing the interaction credential with the first device.
In one possible implementation, the first generating module 51 may be further configured to: responding to a connection request of first equipment, generating a unique random number, and storing the unique random number;
and encrypting based on the equipment information of the first equipment and the unique random number stored in the server to obtain the first connection certificate.
In one possible implementation, the verification module 52 may also be configured to: receiving identity information of the first device, wherein the identity information comprises device information of the first device and the first connection certificate;
encrypting based on the unique random number and the device information uploaded by the first device to obtain a second connection certificate;
And comparing the first connection certificate with the second connection certificate, and if the first connection certificate and the second connection certificate are the same, establishing connection with the first device.
In one possible implementation, the second generating module 53 may be further configured to: signing the identity information of the first device, and generating the session mark by taking the first connection certificate as a secret key.
The communication security protection apparatus 50 provided in the embodiment shown in fig. 5 may be used to implement the technical solution of the method embodiment of the present application, and the principle and technical effects thereof may be further described with reference to the related description of the method embodiment.
It should be understood that the division of the modules of the communication security protection apparatus 50 shown in fig. 5 is merely a division of logic functions, and may be fully or partially integrated into a physical entity or may be physically separated. And these modules may all be implemented in software in the form of calls by the processing element; or can be realized in hardware; it is also possible that part of the modules are implemented in the form of software called by the processing element and part of the modules are implemented in the form of hardware. For example, the verification module may be a separately established processing element or may be implemented integrated in a certain chip of the electronic device. The implementation of the other modules is similar. In addition, all or part of the modules can be integrated together or can be independently implemented. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in a software form.
For example, the modules above may be one or more integrated circuits configured to implement the methods above, such as: one or more Application Specific Integrated Circuits (ASIC), one or more microprocessors (Digital Signal Processor, DSP), one or more Field Programmable Gate Arrays (FPGA), etc. For another example, the modules may be integrated together and implemented in the form of a System-On-a-Chip (SOC).
In the above embodiments, the processor may include, for example, a CPU, a DSP, a microcontroller, or a digital signal processor, and may further include a GPU, an embedded neural network processor (Neural-network Processing Unit; hereinafter referred to as NPU), and an image signal processor (Image Signal Processing; hereinafter referred to as ISP), where the processor may further include a necessary hardware accelerator or logic processing hardware circuit, such as an ASIC, or one or more integrated circuits for controlling the execution of the program according to the technical solution of the present application. Further, the processor may have a function of running one or more software programs, which may be stored in a storage medium.
The embodiments of the present application also provide a computer-readable storage medium having a computer program stored therein, which when run on a computer causes the computer to perform the method provided by the illustrated embodiments of the present application.
Embodiments of the present application also provide a computer program product comprising a computer program which, when run on a computer, causes the computer to perform the method provided by the illustrated embodiments of the present application.
An exemplary electronic device provided in an embodiment of the application is further described below in conjunction with fig. 6. Fig. 6 shows a schematic structural diagram of an electronic device 6000.
The electronic device 6000 may include: at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor is capable of executing the program instructions so as to perform the method provided by the embodiments of the present application.
Fig. 6 shows a block diagram of an exemplary electronic device 6000 suitable for implementing embodiments of the application. The electronic device 6000 shown in fig. 6 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present application.
As shown in fig. 6, the electronic device 6000 is in the form of a general purpose computing device. Components of electronic device 6000 may include, but are not limited to: one or more processors 6010, a memory 6020, a communication bus 6040 that connects the various system components (including the memory 6020 and the processor 6010), and a communication interface 6030.
Communication bus 6040 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (hereinafter ISA) bus, Micro Channel Architecture (hereinafter MCA) bus, enhanced ISA bus, Video Electronics Standards Association (hereinafter VESA) local bus, and Peripheral Component Interconnect (hereinafter PCI) bus.
Electronic device 6000 typically includes a variety of computer system readable media. Such media can be any available media that can be accessed by the electronic device and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 6020 may include computer system-readable media in the form of volatile memory, such as random access memory (Random Access Memory; hereinafter: RAM) and/or cache memory. The electronic device may further include other removable/non-removable, volatile/nonvolatile computer system storage media. Although not shown in fig. 6, a disk drive for reading from and writing to a removable nonvolatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable nonvolatile optical disk (e.g., a compact disk read only memory (Compact Disc Read Only Memory; hereinafter CD-ROM), digital versatile read only optical disk (Digital Video Disc Read Only Memory; hereinafter DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to communication bus 6040 by one or more data medium interfaces. Memory 6020 may comprise at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the embodiments of the application.
A program/utility having a set (at least one) of program modules can be stored in the memory 6020, including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules typically carry out the functions and/or methods of the embodiments described herein.
The electronic device 6000 may also communicate with one or more external devices (e.g., keyboard, pointing device, display, etc.), with one or more devices which enable a user to interact with the electronic device, and/or with any devices which enable the electronic device to communicate with one or more other computing devices (e.g., network card, modem, etc.). Such communication can occur through a communication interface 6030. Also, the electronic device 6000 may communicate with one or more networks, such as a Local Area Network (hereinafter LAN), a Wide Area Network (hereinafter WAN) and/or a public network, such as the Internet, through a network adapter (not shown in fig. 6), which may communicate with other modules of the electronic device through the communication bus 6040. It should be appreciated that although not shown in fig. 6, other hardware and/or software modules may be used in connection with electronic device 6000, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, Redundant Arrays of Independent Disks (hereinafter RAID) systems, tape drives, data backup storage systems, and the like.
The processor 6010 executes various functional applications and data processing by running programs stored in the memory 6020, for example, implements the method provided by the embodiment of the application.
It should be understood that the connection relationship between the modules illustrated in the embodiment of the present application is only illustrative, and does not limit the structure of the electronic device 6000. In other embodiments of the present application, the electronic device 6000 may also adopt different interfacing manners or a combination of multiple interfacing manners in the above embodiments.
Those of ordinary skill in the art will appreciate that the various elements and algorithm steps described in the embodiments disclosed herein can be implemented as a combination of electronic hardware, computer software, and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In several embodiments provided by the present application, any of the functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (hereinafter referred to as ROM), a Random Access Memory (hereinafter referred to as RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The foregoing is merely exemplary embodiments of the present application, and any person skilled in the art may easily conceive of changes or substitutions within the technical scope of the present application, which should be covered by the present application. The protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. The communication security protection method based on the Internet of vehicles is applied to a server and is characterized by comprising the following steps:
verifying identity information provided by a TBOX to establish a connection with the TBOX, the identity information comprising a first connection credential;
generating a session flag based on the first connection credential, the session flag being an interaction credential of the server with the TBOX;
wherein the first connection credential is generated when the TBOX is loaded, and the generating process of the first connection credential includes:
generating a unique random number before the TBOX is loaded, responding to a connection request of the TBOX, and storing the unique random number;
and encrypting based on the equipment information of the TBOX and the unique random number stored in the server to generate the first connection certificate.
2. The method of claim 1, wherein after generating the first connection credential, the method further comprises:
the first connection credential is sent to the TBOX.
3. The method of claim 2, wherein the establishing a connection with the TBOX comprises:
receiving identity information of the TBOX, wherein the identity information also comprises equipment information of the TBOX;
encrypting based on the unique random number and the equipment information uploaded by the TBOX to obtain a second connection certificate;
and comparing the first connection certificate with the second connection certificate, and if the first connection certificate and the second connection certificate are the same, establishing connection with the TBOX.
4. The method of claim 1, wherein the generating a session flag based on the first connection credential comprises:
signing the identity information of the TBOX, and generating the session mark by taking the first connection certificate as a secret key.
5. The method of claim 1, wherein after the generating a session flag, the method further comprises:
and sending the session flag to the TBOX.
6. The method of claim 1, wherein after the generating a session flag, the method further comprises:
receiving a subscription message of the TBOX, wherein the subscription message comprises equipment information of the TBOX and the session flag;
decrypting the session mark by using the first connection certificate as a key to obtain the equipment information of the TBOX in the session mark;
judging whether the equipment information of the TBOX in the subscription message is consistent with the equipment information of the TBOX in the session mark, and if not, sending alarm information.
7. A TBOX, comprising: a processor and a memory for storing a computer program; the processor is configured to run the computer program to implement the communication security protection method based on internet of vehicles according to any one of claims 1 to 6.
8. A communication safety protection system based on the Internet of vehicles, characterized in that it comprises a TBOX as claimed in claim 7 and a server.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when run on a computer, implements the internet of vehicles-based communication security protection method according to any of claims 1-6.
CN202310102885.5A 2023-02-01 2023-02-01 Communication security protection method, system, electronic equipment and storage medium Active CN116094825B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310102885.5A CN116094825B (en) 2023-02-01 2023-02-01 Communication security protection method, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116094825A CN116094825A (en) 2023-05-09
CN116094825B true CN116094825B (en) 2024-08-20

Family

ID=86208116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310102885.5A Active CN116094825B (en) 2023-02-01 2023-02-01 Communication security protection method, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116094825B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105243542A (en) * 2015-11-13 2016-01-13 广西米付网络技术有限公司 System and method of dynamic electronic certificate authentication
CN109413032A (en) * 2018-09-03 2019-03-01 中国平安人寿保险股份有限公司 A kind of single-point logging method, computer readable storage medium and gateway

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8635373B1 (en) * 2012-09-22 2014-01-21 Nest Labs, Inc. Subscription-Notification mechanisms for synchronization of distributed states
CN103685323B (en) * 2014-01-02 2016-08-17 中国科学院信息工程研究所 A kind of Smart Home safe network implementation method based on intelligent cloud television gateway
CN104780141B (en) * 2014-01-10 2018-07-03 电信科学技术研究院 Message Authentication acquisition methods and equipment in a kind of car networking system
US9491161B2 (en) * 2014-09-30 2016-11-08 Citrix Systems, Inc. Systems and methods for performing single sign-on by an intermediary device for a remote desktop session of a client
CN111917685B (en) * 2019-05-07 2022-05-31 华为云计算技术有限公司 Method for applying for digital certificate
CN113243097B (en) * 2019-06-28 2023-06-13 Oppo广东移动通信有限公司 A device binding method, a cloud server, and a first device
US10805083B1 (en) * 2019-09-04 2020-10-13 Capital One Services, Llc Systems and methods for authenticated communication sessions
CN112910826B (en) * 2019-12-03 2022-08-23 中国移动通信有限公司研究院 Initial configuration method and terminal equipment
CN111131313B (en) * 2019-12-31 2021-05-11 北京邮电大学 Safety assurance method and system for replacing ECU in intelligent networked vehicles
CN111818483B (en) * 2020-06-29 2022-02-11 郑州信大捷安信息技术股份有限公司 V2V vehicle networking communication system and method based on 5G
CN111770091A (en) * 2020-06-29 2020-10-13 王志辉 Equipment identity authentication and dynamic secret negotiation method and device for hospital Internet of things health monitoring system
CN115550067B (en) * 2022-11-28 2023-03-31 北京泰尔英福科技有限公司 Industrial Internet interoperation method, system and equipment based on distributed identification

Also Published As

Publication number Publication date
CN116094825A (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240122

Address after: No. 13 Xingxiang Road, Zengjia Town, High tech Zone, Shapingba District, Chongqing, 400039

Applicant after: Chongqing Selis Phoenix Intelligent Innovation Technology Co.,Ltd.

Country or region after: China

Address before: Room 2901, Floor 29, Unit 1, Building 1, No. 151, Tianfu Second Street, Chengdu Hi tech Zone, Chengdu Free Trade Pilot Zone, 610,000, Sichuan

Applicant before: Chengdu Thalys Technology Co.,Ltd.

Country or region before: China

GR01 Patent grant