CN118487880B - Method and vehicle-mounted device for authenticating vehicle user identity

Publication number: CN118487880B
Authority: CN (China)
Prior art keywords: vehicle, public key, biometric, encrypted, authentication server
Legal status: Active
Application number: CN202410947488.2A
Other languages: Chinese (zh)
Other versions: CN118487880A (en
Inventors: 王萌, 童菲, 冯海涛, 华宇铖, 毕晓冬
Current Assignee: SAIC General Motors Corp Ltd; Pan Asia Technical Automotive Center Co Ltd
Original Assignee: SAIC General Motors Corp Ltd; Pan Asia Technical Automotive Center Co Ltd

Classifications

    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/40Network security protocols
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/84Vehicles

Abstract

The present application relates to Internet of Vehicles and authentication technology, and more particularly to a method and an in-vehicle device for authenticating the identity of a vehicle user. The method comprises the following steps: acquiring biological data of a user using a vehicle-mounted sensor; extracting biometric features from the biological data using an on-board processor; generating a first public key P 1 and a corresponding first private key S 1 using a vehicle-mounted security processing module; using the vehicle-mounted security processing module, encrypting the biometric features with the first private key S 1 and encrypting the user's account number, the vehicle identification and the first public key P 1 with a second public key P 2, the second public key P 2 and a corresponding second private key S 2 being stored at the vehicle-mounted security processing module and an identity authentication server, respectively; and sending a registration request message containing the encrypted biometric features, account number, vehicle identification and first public key P 1 to the identity authentication server using the vehicle-mounted communication module.

Description

Method for authenticating identity of vehicle user and vehicle-mounted device
Technical Field
The present application relates to internet of vehicles and authentication technology, and more particularly, to a method and an in-vehicle apparatus for authenticating the identity of a vehicle user.
Background
An Internet of Vehicles account generally refers to the account system used in an Internet of Vehicles system to identify and distinguish between different users. In such a system, each user may have an account through which the user can access and manage various services and functions associated with the vehicle. As the primary means of identifying the user, the Internet of Vehicles account is used to verify the user's identity, thereby enabling personalized services to be provided. Current verification schemes for Internet of Vehicles accounts include login based on an account and a password, and cooperative authentication between a mobile phone and the vehicle head unit. In order to effectively protect against the risk of the user identity being impersonated, it is desirable to provide a more secure and reliable authentication mechanism.
Disclosure of Invention
It is an object of the present application to provide a method and an in-vehicle device for authenticating the identity of a vehicle user, which provides a more secure and reliable authentication mechanism.
According to one aspect of the application, there is provided a method for authenticating the identity of a vehicle user, comprising:
A1, acquiring biological data of a user by using a vehicle-mounted sensor;
A2, extracting biological characteristics from the biological data by using an on-board processor;
A3, generating a first public key P 1 and a first private key S 1 corresponding to the first public key P 1 by utilizing a vehicle-mounted security processing module;
A4, encrypting the biometric feature with the first private key S 1 and encrypting the user's account number, vehicle identification and the first public key P 1 with a second public key P 2 using the vehicle-mounted secure processing module, wherein the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and an identity authentication server, respectively;
A5, a registration request message containing the encrypted biological characteristics, the encrypted account number, the encrypted vehicle identifier and the encrypted first public key P 1 is sent to the identity authentication server by utilizing the vehicle-mounted communication module.
Optionally, in the above method, the second private key S 2 is used by the identity authentication server to decrypt the account number, the vehicle identifier and the first public key P 1 in the registration request message, and the decrypted first public key P 1 is used by the identity authentication server to decrypt the biometric in the registration request message, so that a binding relationship between the account number, the vehicle identifier and the biometric of the user is established at the identity authentication server.
Optionally, in the above method, the biological data comprises at least two types, wherein step A2 comprises:
Extracting corresponding biometric vectors from various types of biometric data;
The biometric vector is provided as the biometric to the security processing module.
Further alternatively, in the above method, in step A4, the biometric feature is encrypted in the following manner:
constructing a combination of the biometric vectors with a predetermined algorithm;
The combination of biometric vectors is encrypted with the first private key S 1.
Still further alternatively, in the above method, the second public key P 2 and the predetermined algorithm are written to the secure processing module at the time of initialization.
Still further alternatively, in the above method, the predetermined algorithm is selected from one of a plurality of candidate algorithms stored in the secure processing module, step A4 further includes encrypting an identification of the predetermined algorithm with the first private key S 1 or with the second public key P 2, and the registration request message further includes the encrypted identification of the predetermined algorithm.
According to another aspect of the present application, there is provided an in-vehicle apparatus for authenticating an identity of a user of a vehicle, comprising:
a sensor configured to acquire biometric data of a user;
A processor coupled to the sensor and configured to extract a biometric feature from the biometric data;
a communication module configured to establish a communication connection with an authentication server;
and a security processing module connected to the processor and the communication module and configured to:
generate a first public key P 1 and a first private key S 1 corresponding to the first public key P 1;
encrypt the biometric with the first private key S 1 and encrypt the user's account number, vehicle identification and the first public key P 1 with a second public key P 2, wherein a second private key S 2 corresponding to the second public key P 2 is stored at the authentication server;
and send a registration request message containing the encrypted biological feature, the encrypted account number, the encrypted vehicle identifier and the encrypted first public key P 1 to the identity authentication server through the communication module.
According to yet another aspect of the present application, there is provided a method for authenticating the identity of a vehicle user, comprising:
B1, acquiring biological data of a user by using a vehicle-mounted sensor;
B2, extracting biological characteristics from the biological data by using an on-board processor;
B3, encrypting the biometric feature with a first private key S 1 and encrypting the account number and the vehicle identification of the user with a second public key P 2, wherein the first private key S 1 and a first public key P 1 corresponding to the first private key S 1 are generated by the vehicle-mounted secure processing module, the first public key P 1 is stored at the identity authentication server, and the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and the identity authentication server, respectively;
B4, transmitting a login request message or a logout request message containing the encrypted biological characteristics, the encrypted account number and the encrypted vehicle identifier to the identity authentication server by utilizing the vehicle-mounted communication module.
Optionally, in the above method, the second private key S 2 is used by the authentication server to decrypt the account number and the vehicle identification in the login request message or the logout request message, and the first public key P 1 is used by the authentication server to decrypt the biometric in the login request message or the logout request message, so that the authentication server can determine whether the account number, the vehicle identification and the biometric in the login request message or the logout request message match.
Optionally, in the above method, the biological data comprises at least two types, wherein step B2 comprises:
Extracting corresponding biometric vectors from various types of biometric data;
The biometric vector is provided as the biometric to the security processing module.
Further alternatively, in the above method, in step B3, the biometric feature is encrypted in the following manner:
constructing a combination of the biometric vectors with a predetermined algorithm;
The combination of biometric vectors is encrypted with the first private key S 1.
Still further alternatively, in the above method, the second public key P 2 and the predetermined algorithm are written to the secure processing module at the time of initialization.
Still further alternatively, in the above method, the predetermined algorithm is selected from one of a plurality of candidate algorithms stored in the secure processing module, step B3 further includes encrypting an identification of the predetermined algorithm with the first private key S 1 or the second public key P 2, and the login request message or the logoff request message further includes the encrypted identification of the predetermined algorithm.
According to still another aspect of the present application, there is provided an in-vehicle apparatus for authenticating an identity of a user of a vehicle, comprising:
a sensor configured to acquire biometric data of a user;
A processor coupled to the sensor and configured to extract a biometric feature from the biometric data;
a communication module configured to establish a communication connection with an authentication server;
a secure processing module coupled to the processor and the communication module and configured to:
encrypt the biometric feature with a first private key S 1 and encrypt the user's account number and vehicle identification with a second public key P 2, wherein the first private key S 1 and a first public key P 1 corresponding to the first private key S 1 are generated by the vehicle-mounted secure processing module, the first public key P 1 is stored at the identity authentication server, and the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and the identity authentication server, respectively;
and send a login request message or a logout request message containing the encrypted biological characteristics, the encrypted account number and the encrypted vehicle identifier to the identity authentication server by utilizing the vehicle-mounted communication module.
In some embodiments of the application, the first private key and the corresponding first public key are generated at the vehicle end and the first public key is transmitted to the authentication server in encrypted form, thereby enabling the authentication server to decrypt the biometric encrypted with the first private key. This approach solves the security problem in the course of key generation and distribution. In other embodiments, security may be further enhanced by constructing the combination of biometric vectors with a preset algorithm. In particular, even if the biometric vector is intercepted and the first private key is stolen or cracked, as long as the algorithm used to construct the combination is unknown to devices other than the on-board security processing module and the authentication server, the biometric vector transmitted by an illegitimate user to the authentication server will be incorrect, whereby the risk of the user's identity being forged can be effectively reduced.
Drawings
The foregoing and/or other aspects and advantages of the present application will become more apparent and more readily appreciated from the following description of the various aspects taken in conjunction with the accompanying drawings in which like or similar elements are designated with the same reference numerals. The drawings include:
Fig. 1 is a schematic block diagram of an in-vehicle device for authenticating a user identity of a vehicle in accordance with one embodiment of the present disclosure.
Fig. 2 shows a schematic block diagram of an in-vehicle security processing module.
Fig. 3 is a flow chart of a method for verifying a vehicle user identity according to another embodiment of the present disclosure.
Fig. 4 is a flow chart of a method for verifying a vehicle user identity according to another embodiment of the present disclosure.
Fig. 5 is a flow chart of a method for verifying a vehicle user identity according to another embodiment of the present disclosure.
Detailed Description
The present application will now be described more fully hereinafter with reference to the accompanying drawings, in which illustrative embodiments of the application are shown. This application may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. The embodiments given here are provided so that this disclosure is thorough and complete and fully conveys the scope of the application to those skilled in the art.
In this specification, terms such as "comprising" and "including" mean that, in addition to the elements and steps directly and explicitly recited in the description and claims, the solution of the application does not exclude the presence of other elements or steps that are not directly or explicitly recited.
Unless specifically stated otherwise, terms such as "first" and "second" do not denote a sequential order of elements in terms of time, space, size, etc., but rather are merely used to distinguish one element from another.
In this specification, "biological data" refers broadly to various kinds of data that can be used to describe the biological characteristics of an individual, and includes various types. These types include, for example, but are not limited to, fingerprints, irises, facial contours, voice, individual signature tracks, hand shapes, and gait. Accordingly, the biometric features described herein include, but are not limited to, fingerprint features, iris features, facial features such as the shape and location of facial organs, voice features such as frequency, pitch and cadence, signature behavior features such as stroke order, pressure and speed, hand shape features such as palm size, shape and vein distribution, and gait features such as step size, pace and cadence. In some examples, the biometric features extracted from the biometric data may be represented in the form of vectors, which will be referred to below as biometric feature vectors.
Fig. 1 is a schematic block diagram of an in-vehicle device for authenticating a user identity of a vehicle in accordance with one embodiment of the present disclosure. The in-vehicle apparatus 10 shown in fig. 1 includes one or more in-vehicle sensors 110, an in-vehicle processor 120, an in-vehicle communication module 130, and an in-vehicle security processing module 140. The sensors 110 are various sensors capable of acquiring biological data of a user, including, for example, but not limited to, a scanner (for acquiring fingerprint images), a camera (usable for acquiring iris images, facial images, gait, and the like), a microphone, an electronic signature pad, a 3D scanner (usable for acquiring hand shape data), and the like. The onboard processor 120 may be any of various processors on the vehicle that provide computing power, AI processing power, and multitasking power; it is coupled to the sensors 110 to extract biometric features from the biological data. For each type of biometric data, the biometric feature may be obtained by execution of a corresponding feature extraction algorithm by the processor 120. The in-vehicle communication module 130 is responsible for establishing a communication connection with the authentication server 20.
It should be noted that, in some examples, the sensor 110, the processor 120, and the in-vehicle communication module 130 are dedicated components of the in-vehicle device shown in fig. 1. In more examples, however, they are components of other systems on the vehicle, or components that the in-vehicle device shares with other systems. For example, the functions of the sensor 110 may be implemented with a camera in the context awareness unit; as another example, the functions of the processor 120 may be implemented with domain controllers within various vehicle domains; as a further example, the in-vehicle communication module 130 may be a module in a vehicle communication system, such as a Bluetooth communication module, a WiFi communication module, a 4G/5G communication module, and the like.
The in-vehicle security processing module 140 is connected to the in-vehicle processor 120 and the in-vehicle communication module 130, and is configured to perform security related tasks (e.g., key generation, encryption and decryption operations, etc.). Fig. 2 shows a schematic block diagram of an in-vehicle security processing module. The in-vehicle security processing module 140 shown in fig. 2 includes an encryption/decryption unit 141, a key management unit 142, a secure storage 143, a secure interface 144, and an access control mechanism 145. The encryption/decryption unit 141 is used to perform encryption and decryption operations, supporting various encryption algorithms, such as AES, RSA, ECC, etc. The key management unit 142 is responsible for generating, storing, and managing encryption keys, ensuring the security of the keys. Secure storage 143 provides secure storage space for storing sensitive data. The security interface 144 is used for performing secure communication with components external to the vehicle-mounted security processing module, and preventing data from being intercepted or tampered with during transmission. The access control mechanism 145 controls access to resources internal to the vehicle security module, ensuring that only authorized users or processes can access sensitive data.
It should be noted that the architecture shown in fig. 2 is merely exemplary. Those skilled in the art will recognize after reading this disclosure that other architecture-based secure processing modules or secure processors, so long as they are capable of performing the secure processing tasks described below, may be used as the in-vehicle secure processing module 140 in fig. 1 and 2.
Fig. 3 is a flow chart of a method for verifying a vehicle user's identity, which may be used to register an Internet of Vehicles account, in accordance with another embodiment of the present disclosure. Illustratively, in the following description, it is assumed that the respective steps of the method shown in fig. 3 are implemented using the in-vehicle apparatus shown in fig. 1.
As shown in FIG. 3, the method of the present embodiment includes steps 310-360 that are performed sequentially. The respective steps are described in detail below.
Step 310: acquisition of biological data
In step 310, biometric data of the user is acquired using the in-vehicle sensor 110. As described above, the biological data has various types. In some examples, the acquired biometric data includes two types of biometric data, such as a fingerprint acquired with a scanner and a facial profile acquired with a camera. The use of two or more types of biological data makes it harder to forge an identity and increases security.
Step 320: extraction of biological characteristics
In step 320, a biometric feature (hereinafter referred to as f) is extracted from the biometric data acquired in step 310 using the in-vehicle processor 120. In the case of using multiple types of biometric data for authentication, each type has a respective corresponding biometric feature f 1…fi …. As described above, the biometric feature may be represented in the form of a biometric feature vector. Taking the example given above where the data types include fingerprints and facial contours, the fingerprint data and facial contour data are denoted herein as D 1 and D 2, and the biometric vectors extracted from D 1 and D 2 are denoted herein asAndWherein m and n are eachAndIs a dimension of (c). The onboard processor 120 will extract corresponding biometric vectors from the fingerprint data D 1 and the facial contour data D 2, respectivelyAndAnd then outputs these biometric vectors to the in-vehicle security processing module 140.
A typical feature extraction process may include pre-processing (e.g., denoising, image enhancement, normalization, etc.) the biological or raw data acquired with the sensor, and then extracting feature information from the pre-processed data. For fingerprints, features may include the orientation and location of the ridge line, the bifurcation and termination points of the ridge line, and so on. The extracted features are then encoded (e.g., converted to numerical form) to generate a biometric vector.
Step 330: generation of keys
In the user authentication process of the present embodiment, two pairs of asymmetric keys are used to encrypt and decrypt data related to authentication. Illustratively, the two pairs of asymmetric keys are denoted below as (P 1, S 1) and (P 2, S 2), where P 1 and P 2 represent public keys and S 1 and S 2 represent the private keys corresponding to P 1 and P 2, respectively.
In step 330, the key management unit 142 of the in-vehicle security processing module 140 generates a first public key P 1 and a first private key S 1. Asymmetric encryption algorithms that may be used to generate the keys include, for example, but are not limited to, the RSA algorithm, the ECC algorithm, the SM2 algorithm, and the like.
In the present embodiment, the second public key P 2 and the second private key S 2 may be generated in advance. In some examples, a key pair consisting of a public key and a private key (e.g., (P 2, S 2)) may be generated by the authentication server, where the private key S 2 is kept at the authentication server and the public key P 2 is submitted to a Certificate Authority (CA). It should be noted that the key pair (P 2, S 2) may be shared by a plurality of users, or may be generated separately by the authentication server for each user. After the authentication server passes verification, the CA may generate a digital certificate and issue it to the authentication server. The digital certificate may contain the public key P 2 of the authentication server, identity information, and the digital signature of the CA. Accordingly, when the in-vehicle security processing module 140 is initialized, the public key P 2 may be extracted from the digital certificate issued by the CA and written into the key management unit 142.
Step 340: execution of encryption operations
In step 340, the in-vehicle security processing module 140 (e.g., the encryption/decryption unit 141 it contains) encrypts the biometric feature f extracted in step 320 using the first private key S 1 generated in step 330; on the other hand, it also encrypts the user's account ACC, the vehicle identification VIN (which is used to identify the vehicle associated with the user's account), and the first public key P 1 generated in step 330 with the second public key P 2 stored in the key management unit 142.
Where the biometric data comprises a plurality of types, the security of the authentication process may be further improved in the following way. Specifically, still taking the case in which the data types include fingerprints and facial contours as an example, the in-vehicle security processing module 140 first receives from the in-vehicle processor 120 the corresponding biometric vectors extracted from the fingerprint data D 1 and the facial contour data D 2, respectively. Subsequently, the in-vehicle security processing module 140 constructs a combination of these biometric vectors with a predetermined algorithm (hereinafter referred to as the combination). Next, the in-vehicle security processing module 140 encrypts the combination of biometric vectors using the first private key S 1. The above construction of the combination may be performed by the encryption/decryption unit 141 or the key management unit 142, for example.
Various algorithms may be employed to construct the above combinations including, for example, but not limited to, vector concatenation and vector component interleaving. Illustratively, the vector concatenation may include one of the following forms:
(1)
(1')
Vector component interleaving interleaves the components of two or more biometric vectors in a set pattern to form a new biometric vector. For the above example, the interleaving form may include one of the following:
(2)
(2')
(3)
(4)
(5)
……
It should be noted that, when the algorithm for constructing the combination is unknown to devices other than the in-vehicle security processing module 140 and the authentication server 20, even if the biometric vectors are intercepted and the first private key S 1 is stolen or hacked, an encrypted biometric vector of the correct form cannot be transmitted to the authentication server in the subsequent step 360.
In some examples, as with the second public key P 2, the algorithm used to construct the combination is also written to the in-vehicle security processing module 140 (e.g., in the key management unit 142) at the time of initialization thereof.
In a further example, a plurality of candidate algorithms that may be used to construct the combination may be stored in the on-board security processing module 140 (e.g., in the key management unit 142). In performing the operation of the combined construction, the encryption/decryption unit 141 or the key management unit 142 may select one of the candidate algorithms in a random manner or with a set rule (e.g., periodically). Accordingly, in these examples, the encryption/decryption unit 141 encrypts the identification alg_id of the selected candidate algorithm with the first private key S 1 or the second public key P 2 in addition to the biometric, the account ACC of the user, the vehicle identification VIN, and the first public key P 1.
Step 350: generation of registration request messages
In step 350, the in-vehicle security processing module 140 (e.g., the encryption/decryption unit 141) generates a registration request message M1. The message M1 contains the biometric f' encrypted with the first private key S 1, and the account ACC' of the user, the vehicle identification VIN' and the first public key P 1' encrypted with the second public key P 2. In some examples, message M1 also contains an identification alg_id' encrypted with either the first private key S 1 or the second public key P 2. The generated message M1 is sent to the in-vehicle communication module 130.
Step 360: transmission of registration request message
In step 360, the in-vehicle communication module 130 transmits the registration request message M1 generated in step 350 to the authentication server 20.
When the authentication server 20 receives the registration request message M1, it decrypts the account ACC ', the vehicle identification VIN' and the first public key P 1 'in the message using the second private key S 2, and then decrypts the biometric feature f' using the decrypted first public key P 1 in the message M1. The authentication server 20 may establish a binding relationship between the user's account ACC, the vehicle identification VIN, and the biometric feature f and store the binding relationship in the authentication server 20 or the database 30, thereby completing registration of the internet of vehicles account.
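The combination step and the registration exchange described above, as an added Python illustration that is not part of the patent. It assumes textbook RSA without padding, toy keys built from public Mersenne primes, a hypothetical alg_id numbering with three combination forms, equal-length vectors, a guard marker for detecting a wrong key, and constructed account, VIN and feature values.

```python
# Toy model of registration message M1 (textbook RSA, no padding).
# Keys are built from public Mersenne primes: constructed values, no security.
E = 65537
GUARD = b"\x01TOY"  # assumed marker so the server can detect a wrong key

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa(key, data):
    n, exp = key
    m = int.from_bytes(GUARD + data, "big")
    if m >= n:
        raise ValueError("field too long for this modulus")
    return pow(m, exp, n)

def rsa_inv(key, c):
    n, exp = key
    m = pow(c, exp, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not raw.startswith(GUARD):
        raise ValueError("wrong key or corrupted field")
    return raw[len(GUARD):]

# Candidate combination algorithms by alg_id (numbering and forms assumed).
COMBINE = {
    0: lambda f1, f2: f1 + f2,                                    # concatenation
    1: lambda f1, f2: f2 + f1,                                    # reversed order
    2: lambda f1, f2: [x for pair in zip(f1, f2) for x in pair],  # interleaving
}
# Server-side inverses; both vectors are assumed to have equal length.
SPLIT = {
    0: lambda f: (f[:len(f) // 2], f[len(f) // 2:]),
    1: lambda f: (f[len(f) // 2:], f[:len(f) // 2]),
    2: lambda f: (f[0::2], f[1::2]),
}

def build_m1(s1, p1, p2, acc, vin, f1, f2, alg_id):
    """Vehicle side, steps 340-350: f under S1, everything else under P2."""
    n1 = p1[0]
    return {
        "f": rsa(s1, bytes(COMBINE[alg_id](f1, f2))),
        "acc": rsa(p2, acc.encode()),
        "vin": rsa(p2, vin.encode()),
        "p1": rsa(p2, n1.to_bytes((n1.bit_length() + 7) // 8, "big")),
        "alg_id": rsa(p2, bytes([alg_id])),
    }

def register(s2, m1, db):
    """Server side: open ACC, VIN, P1 and alg_id with S2, then f with P1."""
    acc = rsa_inv(s2, m1["acc"]).decode()
    vin = rsa_inv(s2, m1["vin"]).decode()
    p1 = (int.from_bytes(rsa_inv(s2, m1["p1"]), "big"), E)
    alg_id = rsa_inv(s2, m1["alg_id"])[0]
    combined = list(rsa_inv(p1, m1["f"]))
    db[(acc, vin)] = SPLIT[alg_id](combined)  # binding ACC + VIN -> template
    return db[(acc, vin)]

def demo():
    p1, s1 = keypair(2**521 - 1, 2**607 - 1)      # vehicle pair (P1, S1)
    p2, s2 = keypair(2**1279 - 1, 2**2203 - 1)    # server pair (P2, S2)
    f1, f2 = [10, 20, 30, 40], [1, 2, 3, 4]       # constructed feature vectors
    acc, vin = "driver01", "TESTVIN0000000001"    # constructed identifiers
    db, templates = {}, []
    for alg_id in COMBINE:
        m1 = build_m1(s1, p1, p2, acc, vin, f1, f2, alg_id)
        templates.append(register(s2, m1, db))
    # A biometric field produced with a key other than S1 does not open under P1.
    bad = build_m1(s2, p1, p2, acc, vin, f1, f2, 0)
    try:
        register(s2, bad, db)
        rejected = False
    except ValueError:
        rejected = True
    return templates, rejected

if __name__ == "__main__":
    print(demo())
```

In this model the server undoes the combination before storing the template, so later comparisons do not depend on which candidate algorithm the vehicle selected for a given message.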
FIG. 4 is a flow chart of a method for verifying the identity of a vehicle user, which may be used to enable a user to log in to an Internet of vehicles account system, in accordance with another embodiment of the present disclosure. This embodiment may include one or more of the features described above with respect to the embodiment depicted in fig. 3. Aspects related to the login process and different from the embodiment shown in fig. 3 will be described below with emphasis.
As shown in FIG. 4, the method of the present embodiment includes steps 410-450, which are performed sequentially, as will be further described below.
Step 410: acquisition of biological data
In step 410, biometric data of the user is acquired using the in-vehicle sensor 110. In some examples, the acquired biometric data includes two or more types of biometric data to increase the difficulty of counterfeiting an identity.
Step 420: extraction of biological characteristics
In step 420, a biometric feature f is extracted from the biometric data acquired in step 410 using the in-vehicle processor 120.
Step 430: execution of encryption operations
In step 430, the onboard security processing module 140 (e.g., the encryption/decryption unit 141 it contains) encrypts the biometric feature f extracted in step 420 using the first private key S 1 generated locally during the registration described above; on the other hand, it also encrypts the account ACC of the user, the vehicle identification VIN, and the first public key P 1 generated in step 330 with the second public key P 2 stored in the key management unit 142. Optionally, the in-vehicle security processing module 140 also encrypts the identification alg_id of the selected algorithm for constructing the combination using the first private key S 1 or the second public key P 2.
Step 440: generation of login request message
In step 440, the in-vehicle security processing module 140 (e.g., the encryption/decryption unit 141) generates a login request message M2. The message M2 contains the biometric f' encrypted with the first private key S 1, and the account ACC' of the user, the vehicle identification VIN' and the first public key P 1' encrypted with the second public key P 2. In some examples, message M2 also contains an identification alg_id' encrypted with either the first private key S 1 or the second public key P 2. The generated message M2 is sent to the in-vehicle communication module 130.
Step 450: transmission of login request message
In step 450, the in-vehicle communication module 130 transmits the login request message M2 generated in step 440 to the authentication server 20.
When the authentication server 20 receives the login request message M2, it decrypts the account ACC ', the vehicle identification VIN' and the first public key P 1 'in the message using the second private key S 2, and then decrypts the biometric feature f' using the decrypted first public key P 1 in the message M2. The identity authentication server 20 looks up the corresponding biometric template locally or in the database 30 based on the user's account ACC and the vehicle identification VIN, and compares the found biometric template with the decrypted biometric f to determine whether to allow logging into the internet of vehicles account system 40.
It should be noted that the identity authentication server 20, database 30 and internet of vehicle account system 40 are shown in fig. 1 as separate units, but this is merely exemplary and these units may be integrated together in various combinations.
Fig. 5 is a flow chart of a method for verifying the identity of a vehicle user, which may be used to effect account de-registration of the user at a vehicle networking account system, in accordance with another embodiment of the present disclosure. This embodiment may include one or more of the features described above with respect to the embodiments described with reference to fig. 3 and 4. Aspects related to the logoff process and different from the embodiments shown in fig. 3 and 4 will be described with emphasis.
As shown in FIG. 5, the method of the present embodiment includes steps 510-550 that are performed sequentially, as will be further described below.
Step 510: acquisition of biological data
In step 510, biometric data of the user is acquired using the in-vehicle sensor 110.
Step 520: extraction of biological characteristics
In step 520, a biometric feature f is extracted from the biometric data acquired in step 510 using the in-vehicle processor 120.
Step 530: execution of encryption operations
In step 530, the onboard security processing module 140 (e.g., the encryption/decryption unit 141 it contains) encrypts the biometric feature f extracted in step 520 using the first private key S 1 generated locally during the registration described above; on the other hand, it also encrypts the account ACC of the user, the vehicle identification VIN, and the first public key P 1 generated in step 330 with the second public key P 2 stored in the key management unit 142. Optionally, the in-vehicle security processing module 140 also encrypts the identification alg_id of the selected algorithm for constructing the combination using the first private key S 1 or the second public key P 2.
Step 540: generation of logout request message
In step 540, the in-vehicle security processing module 140 (e.g., the encryption/decryption unit 141) generates a logout request message M3. The message M3 contains the biometric f' encrypted with the first private key S 1, and the account ACC' of the user, the vehicle identification VIN' and the first public key P 1' encrypted with the second public key P 2. In some examples, message M3 also contains an identification alg_id' encrypted with either the first private key S 1 or the second public key P 2. The generated message M3 is sent to the in-vehicle communication module 130.
Step 550: sending of logout request messages
In step 550, the in-vehicle communication module 130 transmits the logout request message M3 generated in step 540 to the authentication server 20.
When the authentication server 20 receives the logout request message M3, it decrypts the account ACC ', the vehicle identification VIN' and the first public key P 1 'in the message using the second private key S 2, and then decrypts the biometric feature f' using the decrypted first public key P 1 in the message M3. The identity authentication server 20 looks up the corresponding biometric template locally or in the database 30 based on the user's account ACC and the vehicle identification VIN, and compares the found biometric template with the decrypted biometric f to determine whether to allow the account to be logged off in the internet of vehicle account system 40.
Those of skill in the art would appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both.
To demonstrate interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Implementation of such functionality in hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Although only a few specific embodiments of the present application have been described, those skilled in the art will appreciate that the present application may be embodied in many other forms without departing from the spirit or scope thereof. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and the application is intended to cover various modifications and substitutions without departing from the spirit and scope of the application as defined by the appended claims.
The embodiments and examples set forth herein are presented to best explain the embodiments in accordance with the present technology and its particular application and to thereby enable those skilled in the art to make and use the application. Those skilled in the art will recognize that the foregoing description and examples have been presented for the purpose of illustration and example only. The description as set forth is not intended to cover every aspect of the application or to limit the application to the precise form disclosed.

Claims (14)

1. A method for authenticating a vehicle user identity, comprising:
A1, acquiring biological data of a user by using a vehicle-mounted sensor;
A2, extracting biological characteristics from the biological data by using an on-board processor;
A3, generating a first public key P 1 and a first private key S 1 corresponding to the first public key P 1 by utilizing a vehicle-mounted security processing module;
A4, encrypting the biometric feature with the first private key S 1 and encrypting the user's account number, vehicle identification and the first public key P 1 with a second public key P 2 using the vehicle-mounted secure processing module, wherein the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and an identity authentication server, respectively;
A5, sending a registration request message containing the encrypted biological characteristics, the encrypted account number, the encrypted vehicle identifier and the encrypted first public key P 1 to the identity authentication server by utilizing the vehicle-mounted communication module.
2. The method of claim 1, wherein the second private key S 2 is used by the authentication server to decrypt the account number, the vehicle identification, and the first public key P 1 in the registration request message, and the decrypted first public key P 1 is used by the authentication server to decrypt the biometric in the registration request message, thereby establishing a binding relationship between the account number, the vehicle identification, and the biometric of the user at the authentication server.
3. The method of claim 1 or 2, wherein the biological data comprises at least two types, wherein step A2 comprises:
extracting corresponding biometric vectors from various types of biometric data;
providing the biometric vector as the biometric to the security processing module.
4. A method according to claim 3, wherein in step A4, the biometric feature is encrypted in the following way:
constructing a combination of the biometric vectors with a predetermined algorithm;
the combination of biometric vectors is encrypted with the first private key S 1.
5. The method of claim 4, wherein the second public key P 2 and the predetermined algorithm are written to the secure processing module at initialization.
6. The method of claim 4, wherein the predetermined algorithm is selected from one of a plurality of candidate algorithms stored in the secure processing module, step A4 further comprises encrypting an identification of the predetermined algorithm with the first private key S 1 or with the second public key P 2, and the registration request message further comprises the encrypted identification of the predetermined algorithm.
7. A method for authenticating a vehicle user identity, comprising:
B1, acquiring biological data of a user by using a vehicle-mounted sensor;
B2, extracting biological characteristics from the biological data by using an on-board processor;
B3, encrypting the biometric feature with a first private key S 1 and encrypting the account number and the vehicle identification of the user with a second public key P 2, wherein the first private key S 1 and a first public key P 1 corresponding to the first private key S 1 are generated by the vehicle-mounted secure processing module, the first public key P 1 is stored at the identity authentication server, and the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and the identity authentication server, respectively;
B4, transmitting a login request message or a logout request message containing the encrypted biological characteristics, the encrypted account number and the encrypted vehicle identifier to the identity authentication server by utilizing the vehicle-mounted communication module.
8. The method of claim 7, wherein the second private key S 2 is used by the authentication server to decrypt an account number and a vehicle identification in the login request message or the logout request message, and the first public key P 1 is used by the authentication server to decrypt a biometric in the login request message or the logout request message, thereby enabling the authentication server to determine whether the account number, the vehicle identification, and the biometric in the login request message or the logout request message match.
9. The method of claim 7 or 8, wherein the biological data comprises at least two types, wherein step B2 comprises:
extracting corresponding biometric vectors from various types of biometric data;
providing the biometric vector as the biometric to the security processing module.
10. The method of claim 9, wherein in step B3, the biometric feature is encrypted in the following manner:
constructing a combination of the biometric vectors with a predetermined algorithm;
the combination of biometric vectors is encrypted with the first private key S 1.
11. The method of claim 10, wherein the second public key P 2 and the predetermined algorithm are written to the secure processing module at initialization.
12. The method of claim 10, wherein the predetermined algorithm is selected from one of a plurality of candidate algorithms stored in the secure processing module, step B3 further comprises encrypting an identification of the predetermined algorithm with the first private key S 1 or second public key P 2, and the login request message or the logout request message further comprises the encrypted identification of the predetermined algorithm.
13. An in-vehicle apparatus for authenticating a user identity of a vehicle, comprising:
a sensor configured to acquire biometric data of a user;
A processor coupled to the sensor and configured to extract a biometric feature from the biometric data;
a communication module configured to establish a communication connection with an authentication server;
and a security processing module connected to the processor and the communication module and configured to:
generating a first public key P 1 and a first private key S 1 corresponding to the first public key P 1;
encrypting the biometric with the first private key S 1 and encrypting the user's account number, vehicle identification and the first public key P 1 with a second public key P 2, wherein a second private key S 2 corresponding to the second public key P 2 is stored at the authentication server;
and sending a registration request message containing the encrypted biological feature, the encrypted account number, the encrypted vehicle identifier and the encrypted first public key P 1 to the identity authentication server through the communication module.
14. An in-vehicle apparatus for authenticating a user identity of a vehicle, comprising:
a sensor configured to acquire biometric data of a user;
A processor coupled to the sensor and configured to extract a biometric feature from the biometric data;
a communication module configured to establish a communication connection with an authentication server;
and the vehicle-mounted safety processing module is connected with the processor and the communication module and is configured to:
encrypting the biometric feature with a first private key S 1 and encrypting the user's account number and vehicle identification with a second public key P 2, wherein the first private key S 1 and a first public key P 1 corresponding to the first private key S 1 are generated by the vehicle-mounted secure processing module, the first public key P 1 is stored at the identity authentication server, and the second public key P 2 and a second private key S 2 corresponding to the second public key P 2 are stored at the vehicle-mounted secure processing module and the identity authentication server, respectively;
and sending a login request message or a logout request message containing the encrypted biological characteristics, the encrypted account number and the encrypted vehicle identifier to the identity authentication server by utilizing the vehicle-mounted communication module.
CN202410947488.2A 2024-07-16 2024-07-16 Method and vehicle-mounted device for authenticating vehicle user identity Active CN118487880B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410947488.2A CN118487880B (en) 2024-07-16 2024-07-16 Method and vehicle-mounted device for authenticating vehicle user identity


Publications (2)

Publication Number Publication Date
CN118487880A (en) 2024-08-13
CN118487880B (en) 2024-11-15

Family

ID=92191518


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112153638A (en) * 2019-08-20 2020-12-29 安波福电子(苏州)有限公司 Safety authentication method and equipment for vehicle-mounted mobile terminal
CN114915414A (en) * 2022-03-31 2022-08-16 郑州信大捷安信息技术股份有限公司 Method and system for authenticating and checking personnel in vehicle based on Internet of vehicles

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4621688A3 (en) * 2020-10-09 2025-12-03 Unho Choi Chain of authentication using public key infrastructure
CN112836238B (en) * 2021-02-18 2023-10-27 支付宝(杭州)信息技术有限公司 Verification methods, devices, equipment and systems based on privacy protection


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant