CN110111459B - Virtual key management method and system - Google Patents
Virtual key management method and system Download PDFInfo
- Publication number
- CN110111459B CN110111459B CN201910307501.7A CN201910307501A CN110111459B CN 110111459 B CN110111459 B CN 110111459B CN 201910307501 A CN201910307501 A CN 201910307501A CN 110111459 B CN110111459 B CN 110111459B
- Authority
- CN
- China
- Prior art keywords
- key
- vehicle
- mobile terminal
- mounted terminal
- certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000007726 management method Methods 0.000 title claims abstract description 62
- 230000005540 biological transmission Effects 0.000 claims abstract description 23
- 238000004891 communication Methods 0.000 claims abstract description 19
- 230000003993 interaction Effects 0.000 claims abstract description 6
- 238000012795 verification Methods 0.000 claims description 67
- 238000001514 detection method Methods 0.000 claims description 3
- 239000000284 extract Substances 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 7
- 238000000034 method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000008569 process Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/067—Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00412—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal being encrypted
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Lock And Its Accessories (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a virtual key management method and a virtual key management system, which comprise a key management module, a server, a mobile terminal and a vehicle-mounted terminal; the key management module includes: a key package generation unit for generating a key package; a key pack storage unit for storing a key pack; a key package management unit for managing a corresponding key package; the server side comprises: a key package updating unit for controlling the key management module to update the key package; the first authentication unit is used for authenticating the mobile terminal and the vehicle-mounted terminal; the encryption unit is used for encrypting data of the key packet during transmission; the mobile terminal includes: the second authentication unit is used for carrying out identity authentication with the vehicle-mounted terminal; the remote control unit is used for controlling the vehicle to unlock; and the third communication unit is used for carrying out data interaction. The key is updated at high frequency, so that the use of the user is safer; the size of the certificate is reduced, the time for transmitting the digital certificate by the Bluetooth in identity authentication is shortened, and the user experience is increased.
Description
Technical Field
The invention relates to the technical field of automobiles, in particular to a virtual key management method and a virtual key management system.
Background
The virtual Bluetooth key is a technology for connecting the mobile equipment and the vehicle through a Bluetooth technology to realize virtual intelligent control of the vehicle.
Under the premise that society is developing increasingly and people's life is improved increasingly, people who do not want to take car keys when going out are more and more, this scene of virtual bluetooth key can replace original car key, accomplishes the control of opening the door, starting vehicles, loudspeaker, door window … … and so on vehicle.
In many current virtual bluetooth key schemes, there are problems of security or insufficient convenience, for example, in data transmission, a clear text or a simple symmetric encryption technology is adopted, so that there is a great security risk to data. The key is not updated for a long time, resulting in the risk of key leakage.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a virtual key management method and system, which are used to solve the problems in the prior art that a plaintext or a simple symmetric encryption technique is used in data transmission, which results in a very large security risk for data, and a key is not updated for a long time, which results in a risk of key leakage.
The invention provides a virtual key management system, which comprises a key management module, a server, a mobile terminal and a vehicle-mounted terminal, wherein the server is used for storing a key management program; the key management module includes: a key package generation unit for generating a key package; a key pack storage unit for storing a key pack; a key package management unit for managing a corresponding key package; the first communication unit is used for receiving a key packet generation instruction and transmitting the generated key packet; the server side comprises: a key package updating unit for controlling the key management module to update the key package; the first authentication unit is used for authenticating the mobile terminal and the vehicle-mounted terminal; the encryption unit is used for encrypting data of the key packet during transmission; the second communication unit is used for carrying out data transmission; the mobile terminal includes: the second authentication unit is used for carrying out identity authentication with the vehicle-mounted terminal; the remote control unit is used for controlling the vehicle to unlock; the third communication unit is used for carrying out data interaction; the vehicle-mounted terminal includes: a third authentication unit for performing identity authentication with the mobile terminal; the fourth communication unit is used for acquiring the data downloading key packet and transmitting the data; a vehicle control unit for unlocking the vehicle.
In an embodiment of the present invention, the key package of the mobile terminal includes a mobile private key, a mobile public key, a mobile terminal identity certificate, and a mobile terminal access party public key; the vehicle-mounted terminal comprises a vehicle-mounted private key, a vehicle-mounted public key, a vehicle-mounted end identity certificate and a vehicle-mounted end access party public key; the mobile public key corresponds to the public key of the vehicle-mounted terminal access party one by one; and the vehicle-mounted public key corresponds to the public key of the mobile terminal access party one by one.
In an embodiment of the present invention, the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate both adopt RSA asymmetric key algorithm signature data; the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate both contain company information, version information, validity period, public key and digital signature.
In an embodiment of the present invention, the second authentication unit includes a first validity verification subunit, a first integrity verification subunit, and a first validity period verification subunit; the first validity verification subunit is used for extracting a public key sent by the vehicle-mounted terminal to the mobile terminal certificate and comparing the public key with a local access public key, judging whether the public key and the local access public key are consistent, and if the public key and the local access public key are consistent, determining that the public key and the local access public key are legal, and if the public key and the local access public key are inconsistent, determining that the public key and the; the first integrity verification subunit is used for sending the data content A in the mobile terminal certificate to the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and completing integrity verification when the data digest B of the data content is the same as the data digest B1 of the digital signature; the first validity period verification subunit is used for determining whether the certificate of the vehicle-mounted terminal is expired according to whether a validity period field sent by the vehicle-mounted terminal to the mobile terminal certificate is expired; the third authentication unit comprises a second legality verifying subunit, a second integrity verifying subunit and a second validity period verifying subunit; the second legality verifying subunit is used for extracting a public key in the vehicle-mounted terminal certificate and sending the public key; the second integrity verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content; and the second validity period verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content.
In an embodiment of the present invention, the second authentication unit further includes a first random authentication subunit for generating a random number R; the third authentication unit further comprises a second random authentication subunit for generating a random number R'; the first random authentication subunit is further configured to sign a random number R 'using a mobile private key to obtain S (R'); the second random authentication subunit is further used for signing the random number R by using the vehicle-mounted private key to obtain S (R); the first random authentication subunit is further configured to use the public key of the vehicle-mounted terminal to sign a release s (R) to obtain a random number R1; comparing whether R is the same as R1, and finishing the random authentication of the mobile terminal when R is the same as R1; the second random authentication subunit is further configured to use the public key of the mobile terminal to sign off S (R ') to obtain a random number R1'; and comparing whether R 'is the same as R1' and finishing the random authentication of the vehicle-mounted terminal when the R 'is the same as the R1'.
The invention provides a virtual key management method, which is based on the virtual key management system and comprises the following steps: s1, generating corresponding key packages, and respectively issuing at least two pairs of key packages to the mobile terminal and the vehicle-mounted terminal; s2, performing identity authentication on the mobile terminal and the corresponding key packages in the vehicle-mounted terminal and then matching; s3, checking whether a pair of corresponding key packages in the mobile terminal and the vehicle-mounted terminal is used; if not, continuing checking; if yes, respectively updating a pair of key packages used in the mobile terminal and the vehicle-mounted terminal, and keeping the unused key packages for waiting for the next use; s4, detecting whether the vehicle is used again; if yes, repeating the steps S2 to S4, otherwise, continuing the detection.
In an embodiment of the present invention, the step S1 includes the steps of: s11, the mobile terminal and the vehicle-mounted terminal respectively send a key packet generation request to the server; s12, the server side requests the key management module to generate a key package; and S13, after the key management module generates a key package, the corresponding key package is respectively sent to the mobile terminal and the vehicle-mounted terminal through the server side.
In an embodiment of the present invention, the step S2 includes the steps of: s21, sending the certificate in the key packet required to be used in the mobile terminal to the vehicle-mounted terminal; s22, the vehicle-mounted terminal verifies the certificate provided by the mobile terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S23; s23, sending the corresponding certificate in the vehicle-mounted terminal to the mobile terminal; s24, the mobile terminal verifies the certificate of the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S25; s25, verifying private keys of the mobile terminal and the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; and if the verification is passed, the identity authentication is completed, and the vehicle-mounted terminal generates a symmetric encryption key to match and unlock the key packet.
In an embodiment of the present invention, the identity authentication includes validity verification, integrity verification, validity period verification and random verification; the validity verification comprises the following steps: the vehicle-mounted terminal sends a certificate to the mobile terminal, and the public key of the certificate extracted by the mobile terminal is compared with the local access public key; if the two are consistent, the validity is determined; if the two are not consistent, the two are determined to be illegal; the integrity verification comprises the steps of: after the validity is verified to be legal, the mobile terminal extracts the data content A of the certificate of the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and if so, finishing the integrity verification; the validity period verification comprises the steps of: determining whether the certificate of the vehicle-mounted terminal is expired by verifying whether a validity field in the certificate of the vehicle-mounted terminal is expired; the random authentication includes the steps of: after the integrity is verified to be legal, the mobile terminal and the vehicle-mounted terminal respectively generate random numbers R and R'; the vehicle-mounted terminal and the mobile terminal respectively use respective private key to sign corresponding random numbers R and R 'to respectively obtain S (R) and S (R'); the mobile terminal and the vehicle-mounted terminal respectively use public keys of the other party to correspondingly sign off S (R) and S (R ') to respectively obtain data R1 and R1'; and comparing whether the R is the same as the R1 and the R 'is the same as the R1', and if the R is the same as the R1, finishing the random authentication.
In an embodiment of the present invention, the step S4 includes the steps of: s41, the vehicle-mounted terminal requests the server side to update the used key package; s42, the server side judges whether the rest key packages of the vehicle-mounted terminal are matched with the rest key packages of the mobile terminal; if not, not updating the used key bag; if so, updating the key packet used by the vehicle-mounted terminal to generate an updated key packet; s43, the mobile terminal requests the server to update the used key package; s44, the server side judges whether the rest key packages of the mobile terminal are matched with the rest key packages of the vehicle-mounted terminal; if not, not updating the used key bag; if so, updating the key packet used by the mobile terminal to generate an updated key packet; and S45, the updated key package of the mobile terminal corresponds to the updated key package of the vehicle-mounted terminal.
As described above, the virtual key management method and system of the present invention have the following advantages:
the key package is required to be updated after being used, so that the key is updated at high frequency, and the use of a user is safer; according to the standard X905 digital certificate format, the digital certificate is adapted to a user-defined certificate, the size of the certificate is reduced, the time for transmitting the digital certificate by Bluetooth in identity authentication is shortened, and the user experience is improved.
Drawings
Fig. 1 is a block diagram showing the structure of a virtual key management system according to the present invention.
Fig. 2 is a schematic structural diagram of a key package in the virtual key management system according to the present invention.
Fig. 3 is a block diagram illustrating a flow of a virtual key management method according to the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
Referring to fig. 1 to 3, it should be understood that the structures, ratios, sizes, and the like shown in the drawings are only used for matching the disclosure of the present disclosure, and are not used to limit the conditions that the present disclosure can be implemented, so the present disclosure has no technical significance, and any structural modifications, ratio changes or size adjustments should still fall within the scope of the present disclosure without affecting the efficacy and the achievable purpose of the present disclosure. In addition, the terms "upper", "lower", "left", "right", "middle" and "one" used in the present specification are for clarity of description, and are not intended to limit the scope of the present invention, and the relative relationship between the terms and the terms is not to be construed as a scope of the present invention.
As shown in fig. 1 to 2, fig. 1 is a block diagram illustrating a virtual key management system according to the present invention. Fig. 2 is a schematic structural diagram of a key package in the virtual key management system according to the present invention. The invention provides a virtual key management system, which comprises a key management module, a server, a mobile terminal and a vehicle-mounted terminal, wherein the server is used for storing a key management program; the key management module includes: a key package generation unit for generating a key package; a key pack storage unit for storing a key pack; a key package management unit for managing a corresponding key package; the first communication unit is used for receiving a key packet generation instruction and transmitting the generated key packet; the server side comprises: a key package updating unit for controlling the key management module to update the key package; the first authentication unit is used for authenticating the mobile terminal and the vehicle-mounted terminal; the encryption unit is used for encrypting data of the key packet during transmission; the second communication unit is used for carrying out data transmission; the mobile terminal includes: the second authentication unit is used for carrying out identity authentication with the vehicle-mounted terminal; the remote control unit is used for controlling the vehicle to unlock; the third communication unit is used for carrying out data interaction; the vehicle-mounted terminal includes: a third authentication unit for performing identity authentication with the mobile terminal; the fourth communication unit is used for acquiring the data downloading key packet and transmitting the data; a vehicle control unit for unlocking the vehicle.
Generally, the key Management module adopts a kms (key Management service) key Management system; the Service end adopts TSP (telematics Service provider) remote communication Service; the vehicle-mounted terminal adopts a TCU (telecommunication Control Unit) remote communication controller;
taking an embodiment as an example, the KMS is responsible for generation and management of the key packages, and the KMS generates a corresponding owner key package and a borrower key package (the key packages include digital certificates) for each vehicle, and binds and manages the key packages with the corresponding vehicle. The TSP is responsible for issuing the key generated by the KMS to the server, when the server requests to activate the key package or update the key package, the TSP acquires the key of the corresponding vehicle from the KMS and issues the key to the mobile terminal and the vehicle-mounted terminal, and after the key is issued to the mobile terminal and the vehicle-mounted terminal, the virtual key can be normally used for controlling the vehicle without being on line. The mobile terminal, for example, cell-phone APP passes through bluetooth BLE4.0 technique, connects the TCU of vehicle, and after the bluetooth connection was successful, vehicle terminal bluetooth module stopped broadcasting bluetooth information, and other personnel do not allow the access this moment promptly, and cell-phone APP and TCU carry out two-way authentication immediately, send control command control vehicle after the authentication is successful. In this embodiment, when the mobile phone APP and the TCU perform identity authentication, a standard TLS authentication policy is adopted, the digital certificate is adapted by using a standard X509 format certificate, a standard asymmetric encryption technology (RSA) encryption technology is adopted for data encryption in data transmission during the identity authentication, a standard MD5 post-signing policy is also adopted for verifying data integrity, and a standard symmetric encryption key RC4 ensures data encryption transmission after the identity authentication is completed.
In an embodiment of the present invention, the key package of the mobile terminal includes a mobile private key, a mobile public key, a mobile terminal identity certificate, and a mobile terminal access party public key; the vehicle-mounted terminal comprises a vehicle-mounted private key, a vehicle-mounted public key, a vehicle-mounted end identity certificate and a vehicle-mounted end access party public key; the mobile public key corresponds to the public key of the vehicle-mounted terminal access party one by one; and the vehicle-mounted public key corresponds to the public key of the mobile terminal access party one by one. Furthermore, the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate adopt RSA asymmetric key algorithm to sign data; the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate both contain company information, version information, validity period, public key and digital signature. The identity authentication method and the identity authentication system can be more quickly transmitted when the mobile terminal and the vehicle-mounted terminal carry out identity authentication, reduce the identity authentication time and increase the user experience. The public key of the access party is designed to more conveniently verify the validity of the identity authentication, for example, the public key of the vehicle-mounted terminal key package 1 exists in the mobile terminal key package 1, the public key of the vehicle-mounted terminal key package 2 exists in the mobile terminal key package 2, the public key of the mobile terminal key package 1 exists in the vehicle-mounted terminal key package 1, and the public key of the mobile terminal key package 2 exists in the vehicle-mounted terminal key package 2. The purpose of the setting is that when the mobile terminal is connected with the vehicle-mounted terminal and transmits the identity certificate, whether the public key of the corresponding key access party of the vehicle-mounted terminal is consistent or not can be judged, and the legality of the mobile terminal can be effectively judged. For example, the access public key in the key package 1 in the owner APP is the access public key of the owner TCU key package 1 and vice versa. Therefore, the first step of verification process which is passed in identity authentication after the key correlation matching can be met. Each pair of one-to-one corresponding key packages has the same interrelationship. When the vehicle is sold and a user binds the vehicle by using the mobile phone APP, the TSP requests the KMS to generate a corresponding vehicle key (for example, two car owner keys and two car borrower keys are generated at the moment, the car owner keys are mainly used for car owners, and the car borrower keys are mainly used for sharing the keys to other people for use).
The key bag at the moment replaces the original vehicle key with the virtual Bluetooth key bag, namely, the vehicle is controlled through the key bag of the mobile terminal. When the key package of virtual bluetooth is used, the key package can be downloaded from TSP to corresponding mobile terminal, and mobile terminal can be connected to vehicle-mounted terminal through the bluetooth, carries out two-way authentication, can carry out vehicle control after authentication.
The vehicle-mounted terminal checks whether the key package of the corresponding vehicle exists or not every time the vehicle-mounted terminal logs in the server, and if the key package exists, the key package is downloaded to the corresponding vehicle-mounted terminal. In this embodiment, the TCU end downloads 4 keys corresponding to two car owners and two car borrowers, respectively, the two car owner keys at the TCU end correspond to two keys in the car owner mobile terminal, and the two car borrower keys at the TCU end correspond to two keys (existing after the car owners share the keys) in the car borrower mobile terminal, and correspond to each other during the authentication. When the TCU-side key is used, the TSP is requested to update the used key, and the TSP is requested to update the corresponding key packet by the KMS. Because the TCU end has two car owner key packages, so another key package is not influenced when upgrading a key package this moment, even if the APP end does not update to the newest to this key package, do not influence the authentication of another key package yet. Therefore, when the TCU updates the key package, the TSP needs to ensure that the APP end still has the key package matching with the TCU end after the key package is updated. When the mobile terminal operates, the TSP is checked whether an updated key exists, and the TSP checks that the TCU end has updated one key, namely, the corresponding key is updated to the mobile terminal.
In a preferred embodiment, the second authentication unit includes a first validity verification subunit, a first integrity verification subunit and a first validity period verification subunit; the first validity verification subunit is used for extracting a public key sent by the vehicle-mounted terminal to the mobile terminal certificate and comparing the public key with a local access public key, judging whether the public key and the local access public key are consistent, and if the public key and the local access public key are consistent, determining that the public key and the local access public key are legal, and if the public key and the local access public key are inconsistent, determining that the public key and the; the first integrity verification subunit is used for sending the data content A in the mobile terminal certificate to the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and completing integrity verification when the data digest B of the data content is the same as the data digest B1 of the digital signature; the first validity period verification subunit is used for determining whether the certificate of the vehicle-mounted terminal is expired according to whether a validity period field sent by the vehicle-mounted terminal to the mobile terminal certificate is expired; the third authentication unit comprises a second legality verifying subunit, a second integrity verifying subunit and a second validity period verifying subunit; the second legality verifying subunit is used for extracting a public key in the vehicle-mounted terminal certificate and sending the public key; the second integrity verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content; and the second validity period verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content.
Further, the second authentication unit further comprises a first random authentication subunit for generating a random number R; the third authentication unit further comprises a second random authentication subunit for generating a random number R'; the first random authentication subunit is further configured to sign a random number R 'using a mobile private key to obtain S (R'); the second random authentication subunit is further used for signing the random number R by using the vehicle-mounted private key to obtain S (R); the first random authentication subunit is further configured to use the public key of the vehicle-mounted terminal to sign a release s (R) to obtain a random number R1; comparing whether R is the same as R1, and finishing the random authentication of the mobile terminal when R is the same as R1; the second random authentication subunit is further configured to use the public key of the mobile terminal to sign off S (R ') to obtain a random number R1'; and comparing whether R 'is the same as R1' and finishing the random authentication of the vehicle-mounted terminal when the R 'is the same as the R1'. During specific work, the mobile terminal: the mobile terminal generates a random number R and sends the random number R to the vehicle-mounted terminal; after receiving the random number R, the vehicle-mounted terminal signs the random number R by using a private key of the vehicle-mounted terminal to obtain S (R); the vehicle-mounted terminal sends the S (R) to the mobile terminal; after the mobile terminal receives the S (R), the public key in the vehicle-mounted terminal certificate is used for signing the S (R) to obtain a random number R1; and comparing R with R1, and judging that the random authentication is successful. The vehicle-mounted terminal: (the vehicle-mounted terminal verifies the private key of the mobile terminal); generating a random number R ', and sending the random number R' to the mobile terminal; after receiving R ', the mobile terminal signs the random number R ' by using the private key of the mobile terminal to obtain S (R '); the mobile terminal sends S (R') to the vehicle-mounted terminal; after receiving the S (R '), the vehicle-mounted terminal uses the public key in the mobile terminal certificate to sign the S (R ') to obtain a random number R1 '; and comparing R 'with R1', and the random authentication is successful if the R 'and the R1' are equal. The digital certificate is adapted by referring to a standard X509 format digital certificate, the integrity of the digital certificate adopts a standard MD5 algorithm, and the digital signature also adopts a private key signature strategy. The key bag contains a digital certificate, the digital certificate is a mark for proving the identity of the user, the integrity of data is guaranteed by adopting an MD5 algorithm, and the data is signed by adopting an RSA asymmetric key algorithm. The right digital certificate is possessed, which means that the right identity is possessed, so that the validity of the mobile phone terminal and the vehicle-mounted terminal equipment is verified through the digital certificate. Because the virtual bluetooth key uses bluetooth transmission data when the mobile phone end and the vehicle-mounted terminal carry out identity authentication, because of the restriction of the size of the bluetooth transmission data, in order to shorten the time of identity authentication, a user-defined certificate is adopted in the scheme of the virtual bluetooth key. The data volume is small, the time of identity authentication is effectively shortened, and the user experience is greatly improved.
Take two key packages as an example, after the bluetooth connection succeeds, the APP submits two local keys to mark the TCU, and the TCU judges which key (the key matched with the TCU) to adopt for communication and returns to the APP. When the two ends match the key bag, the greeting is finished. The APP can send the certificate to the TCU side, the TCU can verify the legality, the integrity and the validity of the certificate of the APP, the TCU certificate is sent to the APP after the certificate passes the verification, and the APP can conduct the same verification. And after the certificate at the two ends passes the verification, the private keys at the two ends are verified, and whether the APP and the TCU have the private keys of the APP and the TCU is determined. And after the private key verification is finished, the identity authentication is finished. Secure interaction of data is ensured. Off-line use of the key is not affected.
Two key cases will be described below as an example. When the key bag is updated, the vehicle-mounted terminal comprises two key bags K1 and K2; the mobile terminal comprises two key bags K11 and K12; k1 for K11, K2 for K12; after the key package (K1) is used by the vehicle-mounted terminal 1, the vehicle-mounted terminal requests the server side to update the used key package (K1), the server side judges whether the other pair of key packages (K2 and K12) of the vehicle-mounted terminal and the mobile terminal are matched, if not, the other pair of key packages are not updated, if so, the other pair of key packages are updated, and if so, the vehicle-mounted terminal updates the key package K1 to be K3. After updating: the vehicle-mounted terminal comprises two keys K3 and K2; two keys K11 and K12 of the mobile terminal; k3 does not correspond to K11, K2 corresponds to K12; when the vehicle-mounted terminal requests to update the K2 again, the server judges that the two keys of the K11 and the K12 of the mobile terminal cannot be matched with the K3, so that the K2 is not updated; when the mobile terminal requests to update the used key K11, the server determines whether the vehicle-mounted terminals K3 and K2 match with K12, and finds that K2 matches with K12, so that the K11 key of the mobile terminal is updated to be K13. After the update: the vehicle-mounted terminal comprises two keys K3 and K2; two keys K13 and K12 of the mobile terminal; k3 for K13, K2 for K12;
when authenticating for identity. The first example is that the vehicle-mounted terminal has two key package IDs: ID1, ID 2; the mobile terminal comprises two key packages ID: ID11, ID 12; ID1 for ID11, ID2 for ID 12; the mobile terminal submits two locally stored key package identification IDs (ID11 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, two pairs of judgment results are matched, and one key package is randomly selected for identity authentication and data transmission; the second example is that the vehicle-mounted terminal has two key package IDs: ID3, ID 2; the mobile terminal comprises two key packages ID: ID11, ID 12; ID3 for ID11, ID2 for ID 12; the mobile terminal submits two locally stored key package identification IDs (ID11 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, the judgment result is only that the ID2 is matched with the ID12, and the ID2 and the ID12 key packages are selected for identity authentication and data transmission; the third example is that the vehicle-mounted terminal has two key package IDs: ID3, ID 2; the mobile terminal comprises two key packages ID: ID13, ID 12; ID1 for ID11, ID3 for ID 13; the mobile terminal submits two locally stored key package identification IDs (ID13 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, two pairs of judgment results are matched, and one key package is randomly selected for identity authentication and data transmission.
Additionally, as the owner of the car, a scene of using the car for other people exists, and the functions of car borrowing and time-sharing leasing can be completed according to the requirement. The owner sets corresponding authority and time in the mobile terminal, the owner appoints to share the authority and the time to a borrower, the borrower can download the key package of the corresponding borrower of the corresponding vehicle after logging in, and the vehicle can be controlled after the identity authentication of the key package is passed.
As shown in fig. 2 and fig. 3, fig. 3 is a block diagram illustrating a flow of a virtual key management method according to the present invention. The invention also provides a virtual key management method, based on the virtual key management system, comprising the following steps: s1, generating corresponding key packages, and respectively issuing at least two pairs of key packages to the mobile terminal and the vehicle-mounted terminal; s2, performing identity authentication on the mobile terminal and the corresponding key packages in the vehicle-mounted terminal and then matching; s3, checking whether a pair of corresponding key packages in the mobile terminal and the vehicle-mounted terminal is used; if not, continuing checking; if yes, respectively updating a pair of key packages used in the mobile terminal and the vehicle-mounted terminal, and keeping the unused key packages for waiting for the next use; s4, detecting whether the vehicle is used again; if yes, repeating the steps S2 to S4, otherwise, continuing the detection.
Generally, the key management module adopts a kms (key management service) key management system; the service end adopts TSP (telematics service provider) remote communication service; the vehicle-mounted terminal adopts a TCU (telecommunications control unit) remote communication controller;
taking an embodiment as an example, the KMS is responsible for generation and management of the key packages, and the KMS generates a corresponding owner key package and a borrower key package (the key packages include digital certificates) for each vehicle, and binds and manages the key packages with the corresponding vehicle. The TSP is responsible for issuing the key generated by the KMS to the server, when the server requests to activate the key package or update the key package, the TSP acquires the key of the corresponding vehicle from the KMS and issues the key to the mobile terminal and the vehicle-mounted terminal, and after the key is issued to the mobile terminal and the vehicle-mounted terminal, the virtual key can be normally used for controlling the vehicle without being on line. The mobile terminal, for example, cell-phone APP passes through bluetooth BLE4.0 technique, connects the TCU of vehicle, and after the bluetooth connection was successful, vehicle terminal bluetooth module stopped broadcasting bluetooth information, and other personnel do not allow the access this moment promptly, and cell-phone APP and TCU carry out two-way authentication immediately, send control command control vehicle after the authentication is successful. In this embodiment, when the mobile phone APP and the TCU perform identity authentication, a standard TLS authentication policy is adopted, the digital certificate is adapted by using a standard X509 format certificate, a standard asymmetric encryption technology (RSA) encryption technology is adopted for data encryption in data transmission during the identity authentication, a standard MD5 post-signing policy is also adopted for verifying data integrity, and a standard symmetric encryption key RC4 ensures data encryption transmission after the identity authentication is completed.
Further, the step S1 includes the steps of: s11, the mobile terminal and the vehicle-mounted terminal respectively send a key packet generation request to the server; s12, the server side requests the key management module to generate a key package; and S13, after the key management module generates a key package, the corresponding key package is respectively sent to the mobile terminal and the vehicle-mounted terminal through the server side. Preferably, the step S2 includes the steps of: s21, sending the certificate of the mobile terminal to the vehicle-mounted terminal; s22, the vehicle-mounted terminal verifies the certificate of the mobile terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S23; s23, sending the certificate of the vehicle-mounted terminal to the mobile terminal; s24, the mobile terminal verifies the certificate of the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S25; s25, verifying private keys of the mobile terminal and the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; and if the verification is passed, the identity authentication is completed, and the vehicle-mounted terminal generates a symmetric encryption key to match and unlock the key packet.
The identity authentication method and the identity authentication system can be more quickly transmitted when the mobile terminal and the vehicle-mounted terminal carry out identity authentication, reduce the identity authentication time and increase the user experience. The public key of the access party is designed to more conveniently verify the validity of the identity authentication, for example, the public key of the vehicle-mounted terminal key package 1 exists in the mobile terminal key package 1, the public key of the vehicle-mounted terminal key package 2 exists in the mobile terminal key package 2, the public key of the mobile terminal key package 1 exists in the vehicle-mounted terminal key package 1, and the public key of the mobile terminal key package 2 exists in the vehicle-mounted terminal key package 2. The purpose of the setting is that when the mobile terminal is connected with the vehicle-mounted terminal and transmits the identity certificate, whether the public key of the corresponding key access party of the vehicle-mounted terminal is consistent or not can be judged, and the legality of the mobile terminal can be effectively judged. For example, the access public key in the key package 1 in the owner APP is the access public key of the owner TCU key package 1 and vice versa. Therefore, the first step of verification process which is passed in identity authentication after the key correlation matching can be met. Each pair of one-to-one corresponding key packages has the same interrelationship. When the vehicle is sold and a user binds the vehicle by using the mobile phone APP, the TSP requests the KMS to generate a corresponding vehicle key (for example, two car owner keys and two car borrower keys are generated at the moment, the car owner keys are mainly used for car owners, and the car borrower keys are mainly used for sharing the keys to other people for use).
The key bag at the moment replaces the original vehicle key with the virtual Bluetooth key bag, namely, the vehicle is controlled through the key bag of the mobile terminal. When the key package of virtual bluetooth is used, the key package can be downloaded from TSP to corresponding mobile terminal, and mobile terminal can be connected to vehicle-mounted terminal through the bluetooth, carries out two-way authentication, can carry out vehicle control after authentication.
The vehicle-mounted terminal checks whether the key package of the corresponding vehicle exists or not every time the vehicle-mounted terminal logs in the server, and if the key package exists, the key package is downloaded to the corresponding vehicle-mounted terminal. In this embodiment, the TCU end downloads 4 keys corresponding to two car owners and two car borrowers, respectively, the two car owner keys at the TCU end correspond to two keys in the car owner mobile terminal, and the two car borrower keys at the TCU end correspond to two keys (existing after the car owners share the keys) in the car borrower mobile terminal, and correspond to each other during the authentication. When the TCU-side key is used, the TSP is requested to update the used key, and the TSP is requested to update the corresponding key packet by the KMS. Because the TCU end has two car owner key packages, so another key package is not influenced when upgrading a key package this moment, even if the APP end does not update to the newest to this key package, do not influence the authentication of another key package yet. Therefore, when the TCU updates the key package, the TSP needs to ensure that the APP end still has the key package matching with the TCU end after the key package is updated. When the mobile terminal operates, the TSP is checked whether an updated key exists, and the TSP checks that the TCU end has updated one key, namely, the corresponding key is updated to the mobile terminal.
In a preferred embodiment of the present invention, the identity authentication includes validity verification, integrity verification and validity period verification;
the validity verification comprises the following steps: the vehicle-mounted terminal sends a certificate to the mobile terminal, and the public key of the certificate extracted by the mobile terminal is compared with the local access public key; if the two are consistent, the validity is determined; if the two are not consistent, the two are determined to be illegal;
the integrity verification comprises the steps of: after the validity is verified to be legal, the mobile terminal extracts the data content A of the certificate of the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and if so, finishing the integrity verification;
the validity period verification comprises the steps of: and determining whether the certificate of the vehicle-mounted terminal is expired by verifying whether a validity field in the certificate of the vehicle-mounted terminal is expired.
Further, the identity authentication also comprises random authentication;
the random authentication includes the steps of: after the integrity is verified to be legal, the mobile terminal and the vehicle-mounted terminal respectively generate random numbers R and R'; the vehicle-mounted terminal and the mobile terminal respectively use respective private key to sign corresponding random numbers R and R 'to respectively obtain S (R) and S (R'); the mobile terminal and the vehicle-mounted terminal respectively use public keys of the other party to correspondingly sign off S (R) and S (R ') to respectively obtain data R1 and R1'; and comparing whether the R is the same as the R1 and the R 'is the same as the R1', and if the R is the same as the R1, finishing the random authentication. During specific work, the mobile terminal: the mobile terminal generates a random number R and sends the random number R to the vehicle-mounted terminal; after receiving the random number R, the vehicle-mounted terminal signs the random number R by using a private key of the vehicle-mounted terminal to obtain S (R); the vehicle-mounted terminal sends the S (R) to the mobile terminal; after the mobile terminal receives the S (R), the public key in the vehicle-mounted terminal certificate is used for signing the S (R) to obtain a random number R1; and comparing R with R1, and judging that the random authentication is successful. The vehicle-mounted terminal: (the vehicle-mounted terminal verifies the private key of the mobile terminal); generating a random number R ', and sending the random number R' to the mobile terminal; after receiving R ', the mobile terminal signs the random number R ' by using the private key of the mobile terminal to obtain S (R '); the mobile terminal sends S (R') to the vehicle-mounted terminal; after receiving the S (R '), the vehicle-mounted terminal uses the public key in the mobile terminal certificate to sign the S (R ') to obtain a random number R1 '; and comparing R 'with R1', and the random authentication is successful if the R 'and the R1' are equal. The digital certificate is adapted by referring to a standard X509 format digital certificate, the integrity of the digital certificate adopts a standard MD5 algorithm, and the digital signature also adopts a private key signature strategy. The key bag contains a digital certificate, the digital certificate is a mark for proving the identity of the user, the integrity of data is guaranteed by adopting an MD5 algorithm, and the data is signed by adopting an RSA asymmetric key algorithm. The right digital certificate is possessed, which means that the right identity is possessed, so that the validity of the mobile phone terminal and the vehicle-mounted terminal equipment is verified through the digital certificate. Because the virtual bluetooth key uses bluetooth transmission data when the mobile phone end and the vehicle-mounted terminal carry out identity authentication, because of the restriction of the size of the bluetooth transmission data, in order to shorten the time of identity authentication, a user-defined certificate is adopted in the scheme of the virtual bluetooth key. The data volume is small, the time of identity authentication is effectively shortened, and the user experience is greatly improved.
After the bluetooth connection succeeds, the APP submits two local keys to mark the TCU, and the TCU judges which key (the key matched with the TCU) is adopted for communication and returns the key to the APP. When the two ends match the key bag, the greeting is finished. The APP can send the certificate to the TCU side, the TCU can verify the legality, the integrity and the validity of the certificate of the APP, the TCU certificate is sent to the APP after the certificate passes the verification, and the APP can conduct the same verification. And after the certificate at the two ends passes the verification, the private keys at the two ends are verified, and whether the APP and the TCU have the private keys of the APP and the TCU is determined. And after the private key verification is finished, the identity authentication is finished. Secure interaction of data is ensured. Off-line use of the key is not affected.
The step S4 includes the steps of: s41, the vehicle-mounted terminal requests the server side to update the used key package; s42, the server side judges whether the rest key packages of the vehicle-mounted terminal are matched with the rest key packages of the mobile terminal; if not, not updating the used key bag; if so, updating the key packet used by the vehicle-mounted terminal to generate an updated key packet; s43, the mobile terminal requests the server to update the used key package; s44, the server side judges whether the rest key packages of the mobile terminal are matched with the rest key packages of the vehicle-mounted terminal; if not, not updating the used key bag; if so, updating the key packet used by the mobile terminal to generate an updated key packet; and S45, the updated key package of the mobile terminal corresponds to the updated key package of the vehicle-mounted terminal.
Two key cases will be described below as an example. When the key bag is updated, the vehicle-mounted terminal comprises two key bags K1 and K2; the mobile terminal comprises two key bags K11 and K12; k1 for K11, K2 for K12; after the key package (K1) is used by the vehicle-mounted terminal 1, the vehicle-mounted terminal requests the server side to update the used key package (K1), the server side judges whether the other pair of key packages (K2 and K12) of the vehicle-mounted terminal and the mobile terminal are matched, if not, the other pair of key packages are not updated, if so, the other pair of key packages are updated, and if so, the vehicle-mounted terminal updates the key package K1 to be K3. After updating: the vehicle-mounted terminal comprises two keys K3 and K2; two keys K11 and K12 of the mobile terminal; k3 does not correspond to K11, K2 corresponds to K12; when the vehicle-mounted terminal requests to update the K2 again, the server judges that the two keys of the K11 and the K12 of the mobile terminal cannot be matched with the K3, so that the K2 is not updated; when the mobile terminal requests to update the used key K11, the server determines whether the vehicle-mounted terminals K3 and K2 match with K12, and finds that K2 matches with K12, so that the K11 key of the mobile terminal is updated to be K13. After the update: the vehicle-mounted terminal comprises two keys K3 and K2; two keys K13 and K12 of the mobile terminal; k3 for K13, K2 for K12;
when authenticating for identity. The first example is that the vehicle-mounted terminal has two key package IDs: ID1, ID 2; the mobile terminal comprises two key packages ID: ID11, ID 12; ID1 for ID11, ID2 for ID 12; the mobile terminal submits two locally stored key package identification IDs (ID11 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, two pairs of judgment results are matched, and one key package is randomly selected for identity authentication and data transmission; the second example is that the vehicle-mounted terminal has two key package IDs: ID3, ID 2; the mobile terminal comprises two key packages ID: ID11, ID 12; ID3 for ID11, ID2 for ID 12; the mobile terminal submits two locally stored key package identification IDs (ID11 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, the judgment result is only that the ID2 is matched with the ID12, and the ID2 and the ID12 key packages are selected for identity authentication and data transmission; the third example is that the vehicle-mounted terminal has two key package IDs: ID3, ID 2; the mobile terminal comprises two key packages ID: ID13, ID 12; ID1 for ID11, ID3 for ID 13; the mobile terminal submits two locally stored key package identification IDs (ID13 and ID12) to the vehicle-mounted terminal, the vehicle-mounted terminal judges whether the two key IDs are matched with the local key ID, two pairs of judgment results are matched, and one key package is randomly selected for identity authentication and data transmission.
Additionally, as the owner of the car, a scene of using the car for other people exists, and the functions of car borrowing and time-sharing leasing can be completed according to the requirement. The owner sets corresponding authority and time in the mobile terminal, the owner appoints to share the authority and the time to a borrower, the borrower can download the key package of the corresponding borrower of the corresponding vehicle after logging in, and the vehicle can be controlled after the identity authentication of the key package is passed.
In summary, the virtual key management method and system of the present invention have a complete key update strategy, and the key package requires updating after being used, so that the key is updated with high frequency, and the user can use the key more safely; according to the standard X905 digital certificate format, the digital certificate is adapted to a user-defined certificate, the size of the certificate is reduced, the time for transmitting the digital certificate by Bluetooth in identity authentication is shortened, and the user experience is improved. Therefore, the invention effectively overcomes various defects in the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.
Claims (8)
1. A virtual key management method is realized based on a virtual key management system, wherein the virtual key management system comprises a key management module, a server, a mobile terminal and a vehicle-mounted terminal;
the key management module includes:
a key package generation unit for generating a key package;
a key pack storage unit for storing a key pack;
a key package management unit for managing a corresponding key package;
the first communication unit is used for receiving a key packet generation instruction and transmitting the generated key packet;
the server side comprises:
a key package updating unit for controlling the key management module to update the key package;
the first authentication unit is used for authenticating the mobile terminal and the vehicle-mounted terminal;
the encryption unit is used for encrypting data of the key packet during transmission;
the second communication unit is used for carrying out data transmission;
the mobile terminal includes:
the second authentication unit is used for carrying out identity authentication with the vehicle-mounted terminal;
the remote control unit is used for controlling the vehicle to unlock;
the third communication unit is used for carrying out data interaction;
the vehicle-mounted terminal includes:
a third authentication unit for performing identity authentication with the mobile terminal;
the fourth communication unit is used for acquiring the data downloading key packet and transmitting the data;
a vehicle control unit for unlocking the vehicle;
the virtual key management method is characterized by comprising the following steps:
s1, generating corresponding key packages, and respectively issuing at least two pairs of key packages to the mobile terminal and the vehicle-mounted terminal;
s2, performing identity authentication on the mobile terminal and the corresponding key packages in the vehicle-mounted terminal and then matching;
s3, checking whether a pair of corresponding key packages in the mobile terminal and the vehicle-mounted terminal is used; if not, continuing checking; if yes, respectively updating a pair of key packages used in the mobile terminal and the vehicle-mounted terminal, and keeping the unused key packages for waiting for the next use;
s4, detecting whether the vehicle is used again; if yes, repeating the steps S2 to S4, otherwise, continuing the detection.
2. The virtual key management method according to claim 1, wherein the key package of the mobile terminal includes a mobile private key, a mobile public key, a mobile terminal identity certificate, and a mobile terminal access party public key; the key packet of the vehicle-mounted terminal comprises a vehicle-mounted private key, a vehicle-mounted public key, a vehicle-mounted terminal identity certificate and a vehicle-mounted terminal access party public key; the mobile public key corresponds to the public key of the vehicle-mounted terminal access party one by one; and the vehicle-mounted public key corresponds to the public key of the mobile terminal access party one by one.
3. The virtual key management method according to claim 2, wherein the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate both employ RSA asymmetric key algorithm signature data; the mobile terminal identity certificate and the vehicle-mounted terminal identity certificate both contain company information, version information, validity period, public key and digital signature.
4. The virtual key management method according to claim 3, wherein the second authentication unit includes a first validity verifying subunit, a first integrity verifying subunit, and a first validity period verifying subunit; the first validity verification subunit is used for extracting a public key sent by the vehicle-mounted terminal to the mobile terminal certificate and comparing the public key with a local access public key, judging whether the public key and the local access public key are consistent, and if the public key and the local access public key are consistent, determining that the public key and the local access public key are legal, and if the public key and the local access public key are inconsistent, determining that the public key and the; the first integrity verification subunit is used for sending the data content A in the mobile terminal certificate to the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and completing integrity verification when the data digest B of the data content is the same as the data digest B1 of the digital signature; the first validity period verification subunit is used for determining whether the certificate of the vehicle-mounted terminal is expired according to whether a validity period field sent by the vehicle-mounted terminal to the mobile terminal certificate is expired;
the third authentication unit comprises a second legality verifying subunit, a second integrity verifying subunit and a second validity period verifying subunit; the second legality verifying subunit is used for extracting a public key in the vehicle-mounted terminal certificate and sending the public key; the second integrity verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content; and the second validity period verification subunit is used for extracting the data content in the vehicle-mounted terminal certificate and sending the data content.
5. The virtual key management method according to claim 4, wherein the second authentication unit further includes a first random authentication subunit for generating a random number R; the third authentication unit further comprises a second random authentication subunit for generating a random number R';
the first random authentication subunit is further configured to sign a random number R 'using a mobile private key to obtain S (R'); the second random authentication subunit is further used for signing the random number R by using the vehicle-mounted private key to obtain S (R);
the first random authentication subunit is further configured to use the public key of the vehicle-mounted terminal to sign a release s (R) to obtain a random number R1; comparing whether R is the same as R1, and finishing the random authentication of the mobile terminal when R is the same as R1; the second random authentication subunit is further configured to use the public key of the mobile terminal to sign off S (R ') to obtain a random number R1'; and comparing whether R 'is the same as R1' and finishing the random authentication of the vehicle-mounted terminal when the R 'is the same as the R1'.
6. The virtual key management method according to claim 1, wherein said step S1 includes the steps of:
s11, the mobile terminal and the vehicle-mounted terminal respectively send a key packet generation request to the server;
s12, the server side requests the key management module to generate a key package;
and S13, after the key management module generates a key package, the corresponding key package is respectively sent to the mobile terminal and the vehicle-mounted terminal through the server side.
7. The virtual key management method according to claim 1, wherein said step S2 includes the steps of:
s21, sending the certificate in the key packet required to be used in the mobile terminal to the vehicle-mounted terminal;
s22, the vehicle-mounted terminal verifies the certificate provided by the mobile terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S23;
s23, sending the corresponding certificate in the vehicle-mounted terminal to the mobile terminal;
s24, the mobile terminal verifies the certificate of the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; if the verification is passed, the flow proceeds to step S25;
s25, verifying private keys of the mobile terminal and the vehicle-mounted terminal; if the vehicle does not pass through the device, the vehicle cannot be started; and if the verification is passed, the identity authentication is completed, and the vehicle-mounted terminal generates a symmetric encryption key to match and unlock the key packet.
8. The virtual key management method of claim 7, wherein the identity authentication includes validity verification, integrity verification, validity period verification, and random verification;
the validity verification comprises the following steps: the vehicle-mounted terminal sends a certificate to the mobile terminal, and the public key of the certificate extracted by the mobile terminal is compared with the local access public key; if the two are consistent, the validity is determined; if the two are not consistent, the two are determined to be illegal;
the integrity verification comprises the steps of: after the validity is verified to be legal, the mobile terminal extracts the data content A of the certificate of the vehicle-mounted terminal; acquiring a data abstract B ═ Hash (A) of data content; decrypting the digital signature by using a legal public key to obtain a data digest B1 of the digital signature; comparing whether the data digest B of the data content is the same as the data digest B1 of the digital signature, and if so, finishing the integrity verification;
the validity period verification comprises the steps of: determining whether the certificate of the vehicle-mounted terminal is expired by verifying whether a validity field in the certificate of the vehicle-mounted terminal is expired;
the random authentication includes the steps of: after the integrity is verified to be legal, the mobile terminal and the vehicle-mounted terminal respectively generate random numbers R and R'; the vehicle-mounted terminal and the mobile terminal respectively use respective private key to sign corresponding random numbers R and R 'to respectively obtain S (R) and S (R'); the mobile terminal and the vehicle-mounted terminal respectively use public keys of the other party to correspondingly sign off S (R) and S (R ') to respectively obtain data R1 and R1'; and comparing whether R is identical to R1 or R 'is identical to R1', and if the R is identical to the R 'is identical to the R1', finishing the random verification.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910307501.7A CN110111459B (en) | 2019-04-16 | 2019-04-16 | Virtual key management method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910307501.7A CN110111459B (en) | 2019-04-16 | 2019-04-16 | Virtual key management method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110111459A CN110111459A (en) | 2019-08-09 |
| CN110111459B true CN110111459B (en) | 2021-07-09 |
Family
ID=67485678
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910307501.7A Active CN110111459B (en) | 2019-04-16 | 2019-04-16 | Virtual key management method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110111459B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111572493B (en) * | 2020-05-08 | 2021-04-13 | 郑州信大捷安信息技术股份有限公司 | Vehicle keyless entry and starting system and method based on Internet of vehicles |
| WO2022016409A1 (en) * | 2020-07-22 | 2022-01-27 | 宁波吉利汽车研究开发有限公司 | Virtual vehicle key management method and system based on internet of vehicles |
| CN111935302B (en) * | 2020-08-20 | 2023-01-31 | 捷德(中国)科技有限公司 | Key management device, method and equipment |
| CN112102529B (en) * | 2020-09-25 | 2022-05-20 | 无锡职业技术学院 | A power facility protection system based on passive intelligent lock and its execution process |
| CN112669104B (en) * | 2020-12-08 | 2023-07-28 | 上海钧正网络科技有限公司 | Data processing method of leasing equipment |
| CN113301167B (en) * | 2021-06-30 | 2023-01-13 | 深圳市雪球科技有限公司 | Cross-specification sharing method, device and equipment for digital key |
| CN113965328B (en) * | 2021-10-21 | 2023-05-26 | 上海交通大学 | Authority transfer method and system for digital key offline condition of trusted execution environment |
| CN114845286A (en) * | 2022-04-21 | 2022-08-02 | 重庆长安汽车股份有限公司 | Noninductive Bluetooth short-range vehicle control method and system based on micro-positioning technology and vehicle |
| CN115396893B (en) * | 2022-08-26 | 2025-04-01 | 江苏先安科技有限公司 | A digital key issuance and verification method and system |
| CN115675361B (en) * | 2022-11-30 | 2025-01-28 | 成都赛力斯科技有限公司 | A method and system for adjusting cabin status |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005318572A (en) * | 2004-03-31 | 2005-11-10 | Ricoh Co Ltd | Communication device, digital certificate transfer device, authentication data transfer device, digital certificate setting system, authentication data setting system, communication device control method, digital certificate setting method, authentication data setting method, program, and recording medium |
| CN102571349A (en) * | 2011-12-29 | 2012-07-11 | 北京握奇数据系统有限公司 | Information updating method for smart key, smart key and system |
| CN106408700A (en) * | 2016-08-31 | 2017-02-15 | 长城汽车股份有限公司 | Mobile terminal, server, vehicle and control system |
| WO2017147207A1 (en) * | 2016-02-22 | 2017-08-31 | Continental Automotive Systems, Inc. | Method to establish and update keys for secure in-vehicle network communication |
| CN107426178A (en) * | 2017-06-13 | 2017-12-01 | 上海奥宜电子科技有限公司 | A kind of data managing method and system of virtual key |
| CN107516365A (en) * | 2017-09-28 | 2017-12-26 | 北京新能源汽车股份有限公司 | Virtual key management method, device and system |
| CN108055236A (en) * | 2017-11-03 | 2018-05-18 | 深圳市轱辘车联数据技术有限公司 | A kind of data processing method, mobile unit and electronic equipment |
| CN108206996A (en) * | 2017-12-08 | 2018-06-26 | 中兴通讯股份有限公司 | Auth method and device |
| CN108599961A (en) * | 2018-05-08 | 2018-09-28 | 济南浪潮高新科技投资发展有限公司 | A kind of communication means, car-mounted terminal, automobile services platform and system |
| CN109412816A (en) * | 2018-12-20 | 2019-03-01 | 东北大学 | An anonymous communication system and method for in-vehicle network based on ring signature |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105487869A (en) * | 2015-11-30 | 2016-04-13 | 深圳联友科技有限公司 | Vehicular double-system device and starting method thereof |
| CN107968774B (en) * | 2016-10-20 | 2020-10-09 | 深圳联友科技有限公司 | Information safety protection method for terminal equipment of Internet of vehicles |
-
2019
- 2019-04-16 CN CN201910307501.7A patent/CN110111459B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005318572A (en) * | 2004-03-31 | 2005-11-10 | Ricoh Co Ltd | Communication device, digital certificate transfer device, authentication data transfer device, digital certificate setting system, authentication data setting system, communication device control method, digital certificate setting method, authentication data setting method, program, and recording medium |
| CN102571349A (en) * | 2011-12-29 | 2012-07-11 | 北京握奇数据系统有限公司 | Information updating method for smart key, smart key and system |
| WO2017147207A1 (en) * | 2016-02-22 | 2017-08-31 | Continental Automotive Systems, Inc. | Method to establish and update keys for secure in-vehicle network communication |
| CN106408700A (en) * | 2016-08-31 | 2017-02-15 | 长城汽车股份有限公司 | Mobile terminal, server, vehicle and control system |
| CN107426178A (en) * | 2017-06-13 | 2017-12-01 | 上海奥宜电子科技有限公司 | A kind of data managing method and system of virtual key |
| CN107516365A (en) * | 2017-09-28 | 2017-12-26 | 北京新能源汽车股份有限公司 | Virtual key management method, device and system |
| CN108055236A (en) * | 2017-11-03 | 2018-05-18 | 深圳市轱辘车联数据技术有限公司 | A kind of data processing method, mobile unit and electronic equipment |
| CN108206996A (en) * | 2017-12-08 | 2018-06-26 | 中兴通讯股份有限公司 | Auth method and device |
| CN108599961A (en) * | 2018-05-08 | 2018-09-28 | 济南浪潮高新科技投资发展有限公司 | A kind of communication means, car-mounted terminal, automobile services platform and system |
| CN109412816A (en) * | 2018-12-20 | 2019-03-01 | 东北大学 | An anonymous communication system and method for in-vehicle network based on ring signature |
Non-Patent Citations (2)
| Title |
|---|
| Chan-Kuk Jang,JaeHoon Lee,JaeHoon Lee.Encryption scheme In Portable Electric Vehicle Charging Infrastructure.《2017 4th International Conference on Computer Applications and Information Processing Technology (CAIPT)》.2018, * |
| 周会.基于蓝牙的智能车虚拟钥匙共享方法研究与应用.《中国优秀硕士学位论文全文数据库信息科技辑》.《中国学术期刊(光盘版)》电子杂志社有限公司编辑出版,2017,(第11期), * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110111459A (en) | 2019-08-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110111459B (en) | Virtual key management method and system | |
| TWI779139B (en) | Vehicle virtual key generation and use method, system and user terminal | |
| CN110769393B (en) | Identity authentication system and method for vehicle-road cooperation | |
| CN107085870B (en) | Regulating vehicle access using encryption methods | |
| KR102426930B1 (en) | Method for managing digital key of mobile device for vehicle-sharing and key server using the same | |
| US20030147534A1 (en) | Method and apparatus for in-vehicle device authentication and secure data delivery in a distributed vehicle network | |
| CN111865919B (en) | Digital certificate application method and system based on V2X | |
| CN109842862A (en) | Secure short range wireless communication connection is established in the car | |
| CN107040368A (en) | Method for the guarded communication of vehicle | |
| CN111275857A (en) | Control method of intelligent lock and intelligent lock | |
| CN110572418A (en) | Vehicle identity authentication method and device, computer equipment and storage medium | |
| CN111083696B (en) | Communication verification method and system, mobile terminal and vehicle machine side | |
| CN112565294B (en) | Identity authentication method based on block chain electronic signature | |
| CN110288729A (en) | A kind of vehicle starting method and system based on wireless near field communication | |
| JP2022101819A (en) | Electronic key system | |
| CN112533211A (en) | Certificate updating method and system for eSIM card and storage medium | |
| CN115119208A (en) | An upgrade package encryption and decryption method and device | |
| JP7143744B2 (en) | Equipment integration system and update management system | |
| CN116368771A (en) | System for authenticating a user at a charging device and reporting usage regarding the charging device | |
| CN109472890A (en) | intelligent lock and intelligent lock control method | |
| CN109005537A (en) | A kind of cloud security quickly matches network method and distribution network systems | |
| CN112423298B (en) | Identity authentication system and method for road traffic signal management and control facility | |
| CN118200885A (en) | Bluetooth-based information interaction method and device | |
| CN111127715A (en) | Bluetooth key replacement method and device | |
| KR102049262B1 (en) | Telematics system with security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |