
CN120124041A - Safety authentication method, device, vehicle and storage medium for on-board diagnostic service - Google Patents


Info

Publication number
CN120124041A
Authority
CN
China
Prior art keywords
data
target
authenticated
authentication
target byte
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510134141.0A
Other languages
Chinese (zh)
Inventor
刘真谛
秦志东
闫康康
于雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Caven New Energy Vehicle Co ltd
Original Assignee
Beijing Caven New Energy Vehicle Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Caven New Energy Vehicle Co ltd
Priority to CN202510134141.0A
Publication of CN120124041A
Legal status: Pending


Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Bioethics (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The present application relates to the technical field of on-board diagnostic services, and in particular to a security authentication method, device, vehicle and storage medium for an on-board diagnostic service. The method comprises: upon receiving a diagnostic authentication request instruction, generating initial data of a first target byte and performing data processing on the initial data to obtain data to be authenticated of a second target byte; at the same time, receiving data to be authenticated of a third target byte that has been processed by the target cloud; and, if the data to be authenticated of the second target byte and of the third target byte satisfy a preset matching condition, determining that the on-board diagnostic service has passed authentication and unlocking the on-board diagnostic service, so that the on-board diagnostic service is controlled to perform diagnosis on the basis of the diagnostic authentication request instruction. This solves the problems of the related art, in which the security algorithm is simple, the mask is short, and both the algorithm and the mask are transmitted in plaintext, so that the algorithm is easy to crack and the possibility of leakage is increased.

Description

Safety authentication method and device for vehicle-mounted diagnosis service, vehicle and storage medium
Technical Field
The present application relates to the field of vehicle-mounted diagnostic services, and in particular to a security authentication method and apparatus for a vehicle-mounted diagnostic service, a vehicle, and a storage medium.
Background
As vehicle electronics develop, more and more electronic control units are integrated into vehicles. These units are interconnected and communicate over a complex network to implement a variety of functions and services, so it is important to secure this communication when the units perform critical operations such as fault diagnosis and software updates.
In the related art, the vehicle-mounted diagnostic service generally performs security authentication with a custom XOR-style security algorithm combined with a short mask.
However, this security algorithm requires the mask to be prepared in advance and then released, together with the algorithm, to the parties that use the diagnostic service, which carries a risk of the algorithm being cracked; and because the algorithm and the mask are released and transmitted directly in plaintext, the possibility of leakage is further increased. This needs to be solved.
Disclosure of Invention
The application provides a security authentication method, a security authentication device, a vehicle and a storage medium for a vehicle-mounted diagnostic service, which are used to solve the problems of the related art that the security algorithm is simple, the mask is short, and both the algorithm and the mask are transmitted in plaintext, so that the algorithm is easy to crack and the possibility of leakage is increased.
An embodiment of a first aspect of the present application provides a security authentication method for a vehicle-mounted diagnostic service, including the steps of:
determining whether a diagnostic authentication request instruction has been received;
if the diagnostic authentication request instruction has been received, generating initial data of a first target byte, and performing data processing on the initial data to obtain data to be authenticated of a second target byte; and
receiving data to be authenticated of a third target byte that has been processed by the target cloud, and, if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte satisfy a preset matching condition, determining that the vehicle-mounted diagnostic service has passed authentication and unlocking the vehicle-mounted diagnostic service, so that the vehicle-mounted diagnostic service is controlled to perform diagnosis on the basis of the diagnostic authentication request instruction.
According to an embodiment of the present application, performing data processing on the initial data to obtain the data to be authenticated of the second target byte includes:
arranging and combining the initial data to generate data to be encrypted of a fourth target byte; and
invoking a pre-stored target symmetric key and encrypting the data to be encrypted with a preset encryption algorithm under that key to obtain encrypted data of the fourth target byte, then cutting the encrypted data of the fourth target byte to obtain the data to be authenticated of the second target byte.
According to one embodiment of the present application, before the data processing is performed on the initial data, the method further includes:
constructing a mapping relation table between each electronic component to be diagnosed and its corresponding target symmetric key, and storing the mapping relation table in a target cloud; and
updating the mapping relation table at a preset update period according to a preset security update policy, and sending the updated mapping relation table to the target cloud over a preset secure communication protocol so that it is replaced synchronously.
According to one embodiment of the present application, after receiving the data to be authenticated of the third target byte processed by the target cloud, the method further includes:
if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte do not satisfy the preset matching condition, determining that the vehicle-mounted diagnostic service has failed authentication, not unlocking the vehicle-mounted diagnostic service, and at the same time sending a notification that the vehicle-mounted diagnostic service failed authentication to preset diagnostic equipment.
According to one embodiment of the present application, after determining that authentication of the on-board diagnostic service has failed, the method further includes:
recording and analyzing the failure information of each authentication failure, and storing the failure information and the analysis result in a preset information database, so that the data processing can be optimized on the basis of the analysis result; and
determining whether the number of authentication attempts exceeds a preset threshold and, if so, generating a security alarm notification, adjusting the preset threshold, and locking the data address of the failure information, which is unlocked again only after the vehicle-mounted diagnostic service passes authentication.
With the security authentication method of the vehicle-mounted diagnostic service according to the embodiment, when a diagnostic authentication request instruction is received, initial data of a first target byte is generated and processed to obtain data to be authenticated of a second target byte; at the same time, data to be authenticated of a third target byte processed by the target cloud is received; and if the data to be authenticated of the second and third target bytes satisfy the preset matching condition, the vehicle-mounted diagnostic service is judged to have passed authentication and is unlocked, so that diagnosis is performed by the vehicle-mounted diagnostic service on the basis of the diagnostic authentication request instruction. This solves the problems of the related art that the security algorithm is simple, the mask is short, and both are transmitted in plaintext, so that the algorithm is easy to crack and leakage is likely: the key is generated and stored by the cloud key management system using a cryptographic symmetric algorithm, and keys are injected into and updated in each controller in the form of a diagnostic service, which ensures secure storage and transmission of the keys and reduces the risk of key leakage.
An embodiment of a second aspect of the present application provides a security authentication device for a vehicle-mounted diagnostic service, including:
a judging module, configured to determine whether a diagnostic authentication request instruction has been received;
a data processing module, configured to generate initial data of a first target byte if the diagnostic authentication request instruction has been received, and to perform data processing on the initial data to obtain data to be authenticated of a second target byte; and
an authentication module, configured to receive data to be authenticated of a third target byte processed by the target cloud, to determine that the vehicle-mounted diagnostic service has passed authentication if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte satisfy a preset matching condition, and to unlock the vehicle-mounted diagnostic service so that it is controlled to perform diagnosis on the basis of the diagnostic authentication request instruction.
According to one embodiment of the application, the data processing module comprises:
a generating unit, configured to arrange and combine the initial data to generate data to be encrypted of a fourth target byte; and
an encryption unit, configured to call a pre-stored target symmetric key, to encrypt the data to be encrypted with a preset encryption algorithm under that key to obtain encrypted data of the fourth target byte, and to cut the encrypted data of the fourth target byte to obtain the data to be authenticated of the second target byte.
According to one embodiment of the present application, the data processing module further includes, for use before data processing is performed on the initial data:
a construction unit, configured to construct a mapping relation table between each electronic component to be diagnosed and its corresponding target symmetric key, and to store the mapping relation table in the target cloud; and
an updating unit, configured to update the mapping relation table at a preset update period according to a preset security update policy, and to send the updated mapping relation table to the target cloud over a preset secure communication protocol so that it is replaced synchronously.
According to one embodiment of the present application, the authentication module further includes, for use after the data to be authenticated of the third target byte processed by the target cloud has been received:
a judging unit, configured to determine that the vehicle-mounted diagnostic service has failed authentication and not to unlock it if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte do not satisfy the preset matching condition, and at the same time to send a notification that the vehicle-mounted diagnostic service failed authentication to preset diagnostic equipment.
According to an embodiment of the present application, the judging unit further includes, for use after the in-vehicle diagnostic service has been determined to have failed authentication:
an optimizing subunit, configured to record and analyze the failure information of each authentication failure, and to store the failure information and the analysis result in a preset information database, so that the data processing can be optimized on the basis of the analysis result; and
a generation subunit, configured to determine whether the number of authentication attempts exceeds a preset threshold and, if so, to generate a security alarm notification, adjust the preset threshold, and lock the data address of the failure information, which is unlocked again only after the vehicle-mounted diagnostic service passes authentication.
With the security authentication device of the vehicle-mounted diagnostic service according to the embodiment, when a diagnostic authentication request instruction is received, initial data of a first target byte is generated and processed to obtain data to be authenticated of a second target byte; at the same time, data to be authenticated of a third target byte processed by the target cloud is received; and if the data to be authenticated of the second and third target bytes satisfy the preset matching condition, the vehicle-mounted diagnostic service is judged to have passed authentication and is unlocked, so that it is controlled to perform diagnosis on the basis of the diagnostic authentication request instruction. This solves the problems of the related art that the security algorithm is simple, the mask is short, and both are transmitted in plaintext, so that the algorithm is easy to crack and leakage is likely: the key is generated and stored by the cloud key management system using a cryptographic symmetric algorithm, and keys are injected into and updated in each controller in the form of a diagnostic service, which ensures secure storage and transmission of the keys and reduces the risk of key leakage.
An embodiment of a third aspect of the present application provides a vehicle, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the program to implement the security authentication method of the on-board diagnostic service described in the above embodiment.
An embodiment of a fourth aspect of the present application provides a computer-readable storage medium storing computer instructions that cause a computer to execute the security authentication method of the on-board diagnostic service described in the above embodiment.
An embodiment of a fifth aspect of the present application provides a computer program product including a computer program which, when executed, implements the security authentication method of the on-board diagnostic service described in the above embodiment.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a security authentication method for a vehicle-mounted diagnostic service according to an embodiment of the present application;
FIG. 2 is a security authentication flow diagram for on-board diagnostic UDS (Unified Diagnostic Services) service 27 according to one embodiment of the application;
FIG. 3 is an exemplary diagram of a security authentication device for an in-vehicle diagnostic service according to an embodiment of the present application;
fig. 4 is a schematic structural view of a vehicle according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present application and should not be construed as limiting the application.
A security authentication method, apparatus, vehicle and storage medium for an in-vehicle diagnostic service according to an embodiment of the present application are described below with reference to the accompanying drawings. To address the problems of the related art, in which the security algorithm is simple, the mask is short, and both are transmitted in plaintext, so that the algorithm is easy to crack and leakage is likely, the application provides a security authentication method for a vehicle-mounted diagnostic service. The method comprises: when a diagnostic authentication request instruction is received, generating initial data of a first target byte and processing it to obtain data to be authenticated of a second target byte; receiving data to be authenticated of a third target byte processed by the target cloud; and, if the data to be authenticated of the second and third target bytes satisfy a preset matching condition, judging that the vehicle-mounted diagnostic service has passed authentication and unlocking it, so that the vehicle-mounted diagnostic service is controlled to perform diagnosis on the basis of the diagnostic authentication request instruction. In this way the problems above are solved: the key is generated and stored by the cloud key management system using a cryptographic symmetric algorithm, and keys are injected into and updated in each controller in the form of a diagnostic service, which ensures secure storage and transmission of the keys and reduces the risk of key leakage.
Before the embodiments of the present application are described, the problems of the related art are set out. In the related art, security authentication of the vehicle-mounted diagnostic system is generally implemented by defining a security algorithm for the unlocking process of UDS service 27. The security algorithm generally takes the form of an XOR-style combination with a mask that is prepared in advance, and the algorithm and the mask are released to the parties involved in the diagnostic service (such as spare-part suppliers, test departments, after-sales departments, and so on). Because the algorithm is self-defined and simple and the mask is short, it is easy to crack; and because the algorithm and the mask are both released and transmitted directly in plaintext, the risk of leakage is increased. The embodiments of the present application therefore replace the self-defined XOR-style algorithm with a cryptographic symmetric algorithm such as AES (Advanced Encryption Standard) 128 or SM4, whose security, in present-day cryptography, derives mainly from the complexity of the encryption mechanism and the greater key length. A key management system is used to generate, store and update the keys and to distribute them to the controllers, so that the keys no longer need to be managed or transmitted by personnel, which reduces the risk of key leakage.
Specifically, fig. 1 is a flow chart of a security authentication method for a vehicle-mounted diagnostic service according to an embodiment of the present application.
As shown in fig. 1, the security authentication method of the vehicle-mounted diagnosis service includes the steps of:
in step S101, it is determined whether a diagnostic authentication request instruction is received.
Specifically, the application involves information exchange among three parties: the KMS (Key Management System) of the target cloud, the diagnostic equipment (such as a diagnostic tester), and the ECU (Electronic Control Unit). The KMS of the target cloud provides services such as symmetric key generation, secure storage, and symmetric encryption and decryption, so that keys never have to be handed directly to technicians, and it establishes secure communication with the diagnostic equipment. The diagnostic equipment sends a UDS 27 diagnostic authentication request instruction to the ECU, and the ECU performs the data encryption and data truncation operations in response to that instruction.
In step S102, if a diagnostic authentication request instruction is received, initial data of a first target byte is generated, and data processing is performed on the initial data to obtain data to be authenticated of a second target byte.
According to one embodiment of the application, before the initial data is processed, the method further comprises constructing a mapping relation table between each electronic component to be diagnosed and its corresponding target symmetric key, storing the mapping relation table in a target cloud, updating the mapping relation table at a preset update period according to a preset security update policy, and sending the updated mapping relation table to the target cloud over a preset secure communication protocol so that it is replaced synchronously.
The first target byte is the data generated randomly in the ECU; for example, the first target byte may be 4 bytes. The second target byte is the data after encryption and cutting; for example, the second target byte may be 16 bytes. The electronic components to be diagnosed may be a plurality of vehicle-mounted ECUs. The preset security update policy, preset update period and preset secure communication protocol may be set by those skilled in the art according to actual diagnostic authentication requirements and are not limited here.
Specifically, each electronic component to be diagnosed needs its own unique target symmetric key for encryption and decryption, so that even if the target symmetric key of one component is leaked, the security of the other components is not affected. In the embodiment of the application, therefore, a mapping relation table between each electronic component to be diagnosed and its corresponding target symmetric key is first constructed during system initialization or configuration, that is, a table mapping each vehicle-mounted ECU to its symmetric key. The mapping relation table may include, but is not limited to, a unique identifier of each electronic component to be diagnosed (such as a serial number), the corresponding target symmetric key, and other related information (such as the type of the component). The table is stored in the key management system of the target cloud to ensure the security and manageability of the keys.
To further improve the security of the target symmetric keys, the target symmetric key of each electronic component to be diagnosed may be replaced at a preset update period (such as monthly or quarterly) according to a preset security update policy, with the mapping relation table updated accordingly. A reliable backup mechanism for the mapping relation table ensures that it can be restored quickly if a fault occurs. The updated mapping relation table is sent to the target cloud over a preset secure communication protocol so that it is replaced synchronously, which avoids the security risk of using the same target symmetric key for a long time.
It should be noted that if a potential security threat is detected, the system is attacked, or the target symmetric key is found to have possibly been disclosed, the target symmetric key must be updated promptly to prevent further disclosure and improve overall security.
Finally, after the electronic component to be diagnosed receives the diagnostic authentication request instruction sent by the diagnostic equipment, it calls a random generator to generate the initial data of the first target byte at random, for example 4 bytes of random data (such as 67 01 xx xx xx xx xx), and performs data processing on the initial data of the first target byte to obtain the data to be authenticated of the second target byte.
According to one embodiment of the application, the method comprises the steps of carrying out data processing on initial data to obtain data to be authenticated of a second target byte, wherein the steps of carrying out permutation and combination on the initial data to generate data to be encrypted of a fourth target byte, calling a pre-stored target symmetric key to encrypt the data to be encrypted by utilizing a preset encryption algorithm based on the target symmetric key to obtain the encrypted data of the fourth target byte, and simultaneously cutting the encrypted data of the fourth target byte to obtain the data to be authenticated of the second target byte.
The fourth target byte is the target byte data obtained by arranging and combining the initial data of the first target byte.
Specifically, as shown in fig. 2, after the random generator is invoked inside the electronic component to be diagnosed to randomly generate the initial data of the first target byte, firstly, the initial data of the first target byte is arranged and combined inside the electronic component to be diagnosed to obtain the data to be encrypted of the fourth target byte, for example, to adapt to the data length of an encryption algorithm, after the random data of 4 bytes are arranged and combined, the data to be encrypted of 16 bytes is obtained, secondly, the key management system of the target cloud is used for storing the target symmetric key inside the electronic component to be diagnosed in advance, and the preset encryption algorithm (for example, the AES128 algorithm) is used for carrying out encryption calculation on the data to be encrypted of the fourth target byte, for example, to obtain the encrypted data of 16 bytes, finally, the encrypted data of the fourth target byte is cut to obtain the data to be authenticated of the second target byte calculated inside the electronic component to be diagnosed, that is to improve the safety of the data, the data to be authenticated of the fourth target byte can be cut, for example, the data to be cut off the data of 16 bytes can be cut off, the data to be cut off the data is based on the 16 bytes can be easily, the traditional scheme is changed, the data is cut off, the data is completely, and the system is changed, the system is easy to be changed, and the system is easy to be changed to obtain, and the data is easy to be completely based on the system to be changed, and the system is easy to be more completely, and the system is easy to be changed.
The method addresses two aspects of the target symmetric key inside the electronic component to be diagnosed. On the one hand, the target symmetric key is injected and updated on the production line of the host manufacturer by means of a diagnostic service, so that the key is never handed over to the technicians involved and does not need to be handled or transferred by any engineer, which greatly reduces the risk of leakage, including deliberate leakage. On the other hand, the secure storage of the target symmetric key in the electronic component to be diagnosed falls into two cases: where the electronic component has a hardware security module, such as an HSM (Hardware Security Module) or SHE (Secure Hardware Extension), the target symmetric key is stored in that hardware security module; otherwise the target symmetric key is stored in the form of a software white-box cryptographic module, which likewise reduces the risk of key leakage.
In step S103, receiving the data to be authenticated of the third target byte after the target cloud data processing, if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte meet a preset matching condition, determining that the vehicle-mounted diagnosis service passes the authentication, and unlocking the vehicle-mounted diagnosis service to control the vehicle-mounted diagnosis service to perform diagnosis based on the diagnosis authentication request instruction.
The third target byte is target byte data obtained after data encryption is performed on the target cloud, and preset matching conditions can be set by a person skilled in the art according to actual security authentication requirements, and are not limited in detail herein.
Specifically, as shown in fig. 2, after the random generator inside the electronic component to be diagnosed is called to randomly generate the initial data of the first target byte, the initial data must at the same time be sent to the diagnostic device, and the diagnostic device then forwards the received initial data of the first target byte to the target cloud. The key management system of the target cloud first permutes and combines the received initial data of the first target byte to obtain the data to be encrypted of a fifth target byte, for example 16 bytes of data to be encrypted; secondly, the key management system of the target cloud encrypts the data to be encrypted of the fifth target byte with the preset encryption algorithm to obtain the encrypted data of the fifth target byte, for example 16 bytes of encrypted data; finally, the encrypted data of the fifth target byte is cut to obtain the data to be authenticated of the third target byte as calculated by the key management system of the target cloud, for example 4 bytes of data to be authenticated cut from the 16 bytes of encrypted data (for example, 02xxxxxxxx xx), and the calculated data to be authenticated of the third target byte is sent via the diagnostic device to the electronic component to be diagnosed.
Further, after the electronic component to be diagnosed receives the data to be authenticated of the third target byte sent by the diagnostic device, it must compare the data to be authenticated of the second target byte calculated inside the electronic component to be diagnosed with the received data to be authenticated of the third target byte from the key management system of the target cloud, and determine whether the two match, that is, whether the preset matching condition is met. If the data to be authenticated of the second target byte and the data to be authenticated of the third target byte meet the preset matching condition, that is, they match each other (are identical), it can be determined that the vehicle-mounted diagnostic service authentication passes and a positive response is returned, whereby the unlocking of the vehicle-mounted diagnostic service is completed and diagnosis can be controlled based on the diagnostic authentication request instruction.
According to one embodiment of the application, after receiving the data to be authenticated of the third target byte processed by the target cloud, if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte do not meet the preset matching condition, it is judged that the authentication of the vehicle-mounted diagnostic service has failed, the vehicle-mounted diagnostic service is not unlocked, and at the same time information that the authentication of the vehicle-mounted diagnostic service has failed is sent to the preset diagnostic device.
Specifically, if, after comparing the data to be authenticated of the second target byte with the data to be authenticated of the third target byte, it is determined that they do not meet the preset matching condition, that is, they do not match (are not identical), it is determined that the vehicle-mounted diagnostic service authentication fails, the vehicle-mounted diagnostic service is not unlocked, and at the same time information that the vehicle-mounted diagnostic service authentication failed is sent to the preset diagnostic device, thereby preventing malicious use by others and improving the security of the key.
It should be noted that, the communication between the diagnostic device and the target cloud needs to ensure two-way authentication between the diagnostic device and the key management system of the target cloud, that is, the diagnostic device authenticates the identity validity of the key management system of the target cloud, and the key management system also needs to authenticate the identity validity of the diagnostic device, so as to ensure the transmission security of the channel.
According to one embodiment of the application, after judging that the vehicle-mounted diagnosis service fails to authenticate, the vehicle-mounted diagnosis service authentication method further comprises the steps of recording and analyzing failure information of each authentication failure, storing the failure information and analysis results into a preset information database to optimize data processing based on the analysis results, judging whether the authentication times are larger than a preset threshold value, generating a safety alarm notice and adjusting the preset threshold value if the authentication times are larger than the preset threshold value, locking a data address of the failure information, and unlocking after the vehicle-mounted diagnosis service authentication is passed.
The preset information database and the preset threshold value can be set by a person skilled in the art based on the actual diagnostic authentication requirement, and are not particularly limited herein.
Specifically, in order to optimize the security authentication method of the vehicle-mounted diagnostic service, after the authentication failure of the vehicle-mounted diagnostic service is determined, failure information of each authentication failure can be further recorded and analyzed, potential security threats or abnormal behaviors are identified, the failure information and analysis results are stored in a preset information database, and when the potential security threats or abnormal behaviors are identified later, related information in the preset information database is called, and data processing is optimized based on the analysis results.
Further, in order to guard against malicious tampering with, or repeated attacks on, the target symmetric key by other personnel, the application further checks the number of authentication attempts and determines whether it exceeds a preset threshold (for example, 5 attempts). If the number of attempts exceeds the preset threshold, this indicates that the target symmetric key may have been tampered with or is under repeated attack and is at risk of leakage, so the preset threshold can be adjusted (for example, reduced to 3 attempts) and the data address of the failure information is locked, so that any further security authentication instruction sent from that data address is refused directly, and a safety alarm notification is generated; the address is unlocked only after the vehicle-mounted diagnostic service has been re-authenticated successfully. This effectively improves the security of the vehicle-mounted diagnostic service and allows potential security threats to be found and handled in time.
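The ECU-side derivation, the cloud-side derivation and the matching check described above, together with the failure-count lockout of the preceding paragraphs, as an added reference model in Go written for this edit; it is not code from the patent or the applicant. It assumes the 4 random bytes are expanded to the AES block by repeating them four times, that the cut keeps the leading 4 ciphertext bytes, and that the cloud's mapping table is keyed by a constructed component identifier; all key values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// encryptBlock is one AES-128 block encryption with the 16-byte target symmetric
// key; a single block is all the scheme needs, so no mode or IV is involved.
func encryptBlock(key []byte, block [16]byte) ([16]byte, error) {
	var out [16]byte
	c, err := aes.NewCipher(key)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], block[:])
	return out, nil
}

// authData derives the 4-byte data to be authenticated from the 4 random bytes:
// arrange into 16 bytes -> AES-128 -> cut to 4. The patent fixes neither the
// arrangement nor the cut; repeating the seed four times and keeping the leading
// ciphertext bytes are assumptions, and ECU and cloud must use the same choice.
// The response space is 2^32, which is why Verify counts failures and locks.
func authData(key []byte, seed [4]byte) ([4]byte, error) {
	var block [16]byte
	for i := range block {
		block[i] = seed[i%4]
	}
	var tag [4]byte
	ct, err := encryptBlock(key, block)
	if err != nil {
		return tag, err
	}
	copy(tag[:], ct[:4])
	return tag, nil
}

// CloudKMS holds the mapping table "electronic component -> target symmetric key"
// that the patent keeps in the target cloud; the identifiers are constructed.
type CloudKMS struct {
	keys map[string][]byte
}

// Respond computes the data to be authenticated of the third target byte.
func (k *CloudKMS) Respond(id string, seed [4]byte) ([4]byte, error) {
	key, ok := k.keys[id]
	if !ok {
		return [4]byte{}, errors.New("no target symmetric key for " + id)
	}
	return authData(key, seed)
}

// ECU models the electronic component to be diagnosed.
type ECU struct {
	ID        string
	key       []byte   // target symmetric key injected on the production line
	expected  *[4]byte // value of the open challenge; nil when none is open
	failures  int      // consecutive failed authentications
	threshold int      // lockout threshold: patent example 5, tightened to 3
	locked    bool     // safety alarm raised; cleared only by a successful re-auth
}

// Challenge draws fresh initial data for every request and precomputes the
// ECU-side value, so a captured response cannot be replayed against a later one.
func (e *ECU) Challenge() ([4]byte, error) {
	var seed [4]byte
	if _, err := rand.Read(seed[:]); err != nil {
		return seed, err
	}
	exp, err := authData(e.key, seed)
	if err != nil {
		return seed, err
	}
	e.expected = &exp
	return seed, nil
}

// Verify is the matching check that unlocks the service on success: constant-time
// comparison of the cloud's value with the ECU's own, single use of the open
// challenge, and the failure-count policy (alarm, tightened threshold, lock).
func (e *ECU) Verify(resp [4]byte) bool {
	if e.expected == nil {
		return false // no open challenge: a replayed or unsolicited response
	}
	exp := *e.expected
	e.expected = nil
	if subtle.ConstantTimeCompare(exp[:], resp[:]) == 1 {
		e.failures, e.locked = 0, false
		return true
	}
	e.failures++
	if e.failures > e.threshold {
		e.locked, e.threshold = true, 3 // raise the alarm, adjust the threshold
	}
	return false
}
```

The cloud side is modelled in the same process; in the real scheme the seed and the response travel through the diagnostic device over the mutually authenticated channel described above.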
Thus, based on the description of the above specific embodiments, the following advantageous effects can be achieved:
(1) Based on a multi-layer authentication mechanism, multi-layer security protection is provided by combining random data generation, a symmetric encryption algorithm (such as AES128 or SM4) and data processing and matching verification based on a target cloud, so that unauthorized access is effectively prevented; at the same time, periodic updating of the target symmetric key is supported, which reduces the risks caused by long-term use of the same target symmetric key, and the target symmetric key can be securely managed and distributed through the cloud, so that authentication security is improved.
(2) The data integrity protection ensures that the data is not tampered in the transmission process by encrypting and verifying the initial data, ensures the integrity and consistency of the data, and simultaneously enhances the fault tolerance and recovery capability of the system by constructing a mapping relation table of each electronic element to be diagnosed and a corresponding target symmetric key and periodically updating and backing up the mapping relation table, thereby improving the reliability of safety authentication.
According to the security authentication method of the vehicle-mounted diagnostic service, when a diagnostic authentication request instruction is received, initial data of a first target byte is generated and processed to obtain data to be authenticated of a second target byte; at the same time, data to be authenticated of a third target byte that has undergone target cloud data processing is received, and if the data to be authenticated of the second target byte and of the third target byte meet the preset matching condition, the vehicle-mounted diagnostic service is judged to have passed authentication and is unlocked, so that the vehicle-mounted diagnostic service performs diagnosis based on the diagnostic authentication request instruction. This solves the problems of the related art, in which the security algorithm is simple, the mask is short, and both the algorithm and the mask are transmitted in plaintext, so that the algorithm is easily broken and the likelihood of leakage is increased: the key is generated and stored by the cloud key management system using a symmetric cryptographic algorithm, and keys are injected and updated into each controller in the form of a diagnostic service, which ensures the secure storage and transmission of the keys and reduces the risk of key leakage.
Next, a security authentication device for an in-vehicle diagnostic service according to an embodiment of the present application will be described with reference to the accompanying drawings.
Fig. 3 is a block diagram schematically illustrating a security authentication device for an in-vehicle diagnostic service according to an embodiment of the present application.
As shown in fig. 3, the security authentication device 10 of the vehicle-mounted diagnosis service includes a judgment module 100, a data processing module 200, and an authentication module 300.
The judging module 100 is configured to judge whether a diagnostic authentication request instruction is received;
The data processing module 200 is configured to generate initial data of a first target byte if a diagnostic authentication request instruction is received, and perform data processing on the initial data to obtain data to be authenticated of a second target byte;
the authentication module 300 is configured to receive the data to be authenticated of the third target byte after the target cloud data processing, determine that the vehicle-mounted diagnostic service passes the authentication if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte meet a preset matching condition, and unlock the vehicle-mounted diagnostic service to control the vehicle-mounted diagnostic service to perform diagnosis based on the diagnostic authentication request instruction.
According to one embodiment of the application, the data processing module 200 comprises:
the generating unit is used for arranging and combining the initial data to generate data to be encrypted of a fourth target byte;
The encryption unit is used for calling a pre-stored target symmetric key to encrypt the data to be encrypted by utilizing a preset encryption algorithm based on the target symmetric key to obtain encrypted data of a fourth target byte, and simultaneously, cutting the encrypted data of the fourth target byte to obtain data to be authenticated of a second target byte.
According to one embodiment of the present application, the data processing module 200 further includes, before performing data processing on the initial data:
the construction unit is used for constructing a mapping relation table of each electronic element to be diagnosed and the corresponding target symmetric key and storing the mapping relation table to the target cloud;
The updating unit is used for updating the mapping relation table with a preset updating period by utilizing a preset safety updating strategy, and sending the updated mapping relation table to the target cloud for synchronous replacement through a preset safety communication protocol.
According to an embodiment of the present application, after receiving the data to be authenticated of the third target byte after the target cloud data processing, the authentication module 300 further includes:
The judging unit is used for judging that the vehicle-mounted diagnostic service authentication fails if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte do not meet the preset matching condition, not unlocking the vehicle-mounted diagnostic service, and sending information that the vehicle-mounted diagnostic service authentication has failed to the preset diagnostic device.
According to one embodiment of the present application, after determining that the authentication of the in-vehicle diagnostic service fails, the determination unit further includes:
The optimizing subunit is used for recording and analyzing the failure information of each authentication failure, and storing the failure information and the analysis result into a preset information database so as to optimize data processing based on the analysis result;
The generation subunit is used for judging whether the authentication times are greater than a preset threshold value, if the authentication times are greater than the preset threshold value, generating a safety alarm notification, adjusting the preset threshold value, locking the data address of failure information, and unlocking after the vehicle-mounted diagnosis service passes the authentication.
According to the security authentication device of the vehicle-mounted diagnostic service, when a diagnostic authentication request instruction is received, initial data of a first target byte is generated and processed to obtain data to be authenticated of a second target byte; at the same time, data to be authenticated of a third target byte that has undergone target cloud data processing is received, and if the data to be authenticated of the second target byte and of the third target byte meet the preset matching condition, the vehicle-mounted diagnostic service is judged to have passed authentication and is unlocked, so that the vehicle-mounted diagnostic service is controlled to perform diagnosis based on the diagnostic authentication request instruction. This solves the problems of the related art, in which the security algorithm is simple, the mask is short, and both the algorithm and the mask are transmitted in plaintext, so that the algorithm is easily broken and the likelihood of leakage is increased: the key is generated and stored by the cloud key management system using a symmetric cryptographic algorithm, and keys are injected and updated into each controller in the form of a diagnostic service, which ensures the secure storage and transmission of the keys and reduces the risk of key leakage.
Fig. 4 is a schematic structural diagram of a vehicle according to an embodiment of the present application. The vehicle may include:
Memory 401, processor 402, and a computer program stored on memory 401 and executable on processor 402.
The processor 402 implements the security authentication method of the in-vehicle diagnostic service provided in the above-described embodiment when executing the program.
Further, the vehicle further includes:
a communication interface 403 for communication between the memory 401 and the processor 402.
A memory 401 for storing a computer program executable on the processor 402.
Memory 401 may comprise high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
If the memory 401, the processor 402, and the communication interface 403 are implemented independently, the communication interface 403, the memory 401, and the processor 402 may be connected to each other by a bus and communicate with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 4, but this does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 401, the processor 402, and the communication interface 403 are integrated on a chip, the memory 401, the processor 402, and the communication interface 403 may perform communication with each other through internal interfaces.
Processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the application.
The present embodiment also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security authentication method of the on-vehicle diagnostic service as above.
The present embodiment also provides a computer program product including a computer program executed for implementing the security authentication method of the vehicle-mounted diagnostic service of the above embodiment.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or N embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, "N" means at least two, for example, two, three, etc., unless specifically defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more N executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium may even be paper or other suitable medium upon which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the N steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of techniques known in the art: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with appropriate combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
Those of ordinary skill in the art will appreciate that all or part of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, and the program may be stored in a computer readable storage medium, where the program when executed includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented as software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (10)

1.一种车载诊断服务的安全认证方法,其特征在于,包括以下步骤:1. A security authentication method for an on-board diagnostic service, comprising the following steps: 判断是否接收到诊断认证请求指令;Determining whether a diagnostic authentication request instruction is received; 若接收到所述诊断认证请求指令,则生成第一目标字节的初始数据,并对所述初始数据进行数据处理,得到第二目标字节的待认证数据;If the diagnostic authentication request instruction is received, initial data of the first target byte is generated, and data processing is performed on the initial data to obtain data to be authenticated of the second target byte; 接收经目标云端数据处理后的第三目标字节的待认证数据,若所述第二目标字节的待认证数据和所述第三目标字节的待认证数据满足预设的匹配条件,则判定所述车载诊断服务认证通过,并对所述车载诊断服务进行解锁,以基于所述诊断认证请求指令,控制车载诊断服务进行诊断。Receive the data to be authenticated of the third target byte after target cloud data processing; if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte meet a preset matching condition, determine that the on-board diagnostic service authentication is successful, and unlock the on-board diagnostic service to control the on-board diagnostic service to perform diagnosis based on the diagnostic authentication request instruction. 2.根据权利要求1所述的方法,其特征在于,所述对所述初始数据进行数据处理,得到所述第二目标字节的待认证数据,包括:2. The method according to claim 1, characterized in that the step of processing the initial data to obtain the second target byte of data to be authenticated comprises: 对所述初始数据进行排列组合,生成第四目标字节的待加密数据;Arrange and combine the initial data to generate data to be encrypted of a fourth target byte; 调用预先存储的目标对称密钥,以基于所述目标对称密钥,利用预设的加密算法对所述待加密数据进行加密,得到所述第四目标字节的加密数据,同时,对所述第四目标字节的加密数据进行裁剪,得到所述第二目标字节的待认证数据。The pre-stored target symmetric key is called to encrypt the data to be encrypted based on the target symmetric key using a preset encryption algorithm to obtain the encrypted data of the fourth target byte. At the same time, the encrypted data of the fourth target byte is trimmed to obtain the data to be authenticated of the second target byte. 3.根据权利要求1所述的方法,其特征在于,在对所述初始数据进行数据处理之前,还包括:3. 
The method according to claim 1, characterized in that before processing the initial data, it also includes: 构建每个待诊断电子元件与对应的目标对称密钥的映射关系表,并将所述映射关系表存储至目标云端;Constructing a mapping relationship table between each electronic component to be diagnosed and the corresponding target symmetric key, and storing the mapping relationship table in the target cloud; 利用预设的安全更新策略,以预设的更新周期对所述映射关系表进行更新,并通过预设的安全通信协议将更新后的映射关系表发送至所述目标云端进行同步替换。The mapping relationship table is updated with a preset update cycle using a preset security update strategy, and the updated mapping relationship table is sent to the target cloud for synchronous replacement via a preset security communication protocol. 4.根据权利要求1所述的方法,其特征在于,在接收经目标云端数据处理后的第三目标字节的待认证数据之后,还包括:4. The method according to claim 1, characterized in that after receiving the third target byte of data to be authenticated after being processed by the target cloud data, it further comprises: 若所述第二目标字节的待认证数据和所述第三目标字节的待认证数据不满足所述预设的匹配条件,则判定所述车载诊断服务认证失败,并不对所述车载诊断服务进行解锁,同时,向预设的诊断设备发送所述车载诊断服务认证未通过的信息。If the data to be authenticated of the second target byte and the data to be authenticated of the third target byte do not satisfy the preset matching condition, the on-board diagnostic service authentication is determined to have failed, and the on-board diagnostic service is not unlocked. At the same time, information indicating that the on-board diagnostic service authentication has failed is sent to the preset diagnostic device. 5.根据权利要求4所述的方法,其特征在于,在判定所述车载诊断服务认证失败之后,还包括:5. 
The method according to claim 4, characterized in that after determining that the on-board diagnostic service authentication fails, it further includes:

recording and analyzing the failure information of each authentication failure, and storing the failure information and the analysis results in a preset information database, so as to optimize the data processing based on the analysis results;

determining whether the number of authentication attempts is greater than a preset threshold; if the number of authentication attempts is greater than the preset threshold, generating a security alarm notification, adjusting the preset threshold, locking the data address of the failure information, and unlocking it after the on-board diagnostic service authentication is passed.

6. A safety authentication device for an on-board diagnostic service, characterized in that it comprises:

a determination module, used to determine whether a diagnostic authentication request instruction is received;

a data processing module, used to generate, upon receiving the diagnostic authentication request instruction, initial data of a first target byte, and to perform data processing on the initial data to obtain data to be authenticated of a second target byte;

an authentication module, used to receive data to be authenticated of a third target byte after data processing by a target cloud, and, if the data to be authenticated of the second target byte and the data to be authenticated of the third target byte satisfy a preset matching condition, to determine that the on-board diagnostic service authentication is passed and to unlock the on-board diagnostic service, so as to control the on-board diagnostic service to perform diagnosis based on the diagnostic authentication request instruction.

7. The device according to claim 6, characterized in that the data processing module comprises:

a generating unit, used to arrange and combine the initial data to generate data to be encrypted of a fourth target byte;

an encryption unit, used to call a pre-stored target symmetric key and, based on the target symmetric key, to encrypt the data to be encrypted with a preset encryption algorithm to obtain encrypted data of the fourth target byte, and at the same time to trim the encrypted data of the fourth target byte to obtain the data to be authenticated of the second target byte.

8. The device according to claim 6, characterized in that, before the data processing is performed on the initial data, the data processing module further comprises:

a construction unit, used to construct a mapping relationship table between each electronic component to be diagnosed and its corresponding target symmetric key, and to store the mapping relationship table in the target cloud;

an updating unit, used to update the mapping relationship table at a preset update cycle using a preset security update strategy, and to send the updated mapping relationship table to the target cloud for synchronous replacement through a preset secure communication protocol.

9. A vehicle, characterized in that it comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the safety authentication method for an on-board diagnostic service according to any one of claims 1 to 5.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that the program is executed by a processor to implement the safety authentication method for an on-board diagnostic service according to any one of claims 1 to 5.
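A runnable sketch of the challenge-response described in claims 5 to 8, added here as an illustration and not part of the patent: the vehicle side generates initial data, arranges it, applies a keyed transform, trims the result, and compares it in constant time with the reply the cloud computes from its component-to-key mapping table; repeated failures are recorded and, once the count exceeds the threshold, raise an alarm, tighten the threshold and lock the failure records. The byte lengths, the arrangement scheme, the threshold value, the use of HMAC-SHA256 in place of the unnamed preset encryption algorithm, and the in-memory tables are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed lengths for the claims' first/fourth/second "target byte" data.
FIRST_BYTES, FOURTH_BYTES, SECOND_BYTES = 8, 16, 8
INITIAL_THRESHOLD = 3  # assumed preset threshold from claim 5


def arrange(initial: bytes) -> bytes:
    """Claim 7 'arrange and combine': nonce followed by its reverse (assumed scheme)."""
    return initial + initial[::-1]


def derive_response(key: bytes, initial: bytes) -> bytes:
    """Keyed transform then trim (claim 7). HMAC-SHA256 stands in for the
    unspecified preset encryption algorithm; only the leading bytes are kept."""
    to_encrypt = arrange(initial)
    assert len(to_encrypt) == FOURTH_BYTES
    return hmac.new(key, to_encrypt, hashlib.sha256).digest()[:SECOND_BYTES]


class Cloud:
    """Claim 8 mapping table (component id -> symmetric key) held by the target cloud."""
    def __init__(self, table):
        self.table = dict(table)

    def respond(self, component: str, initial: bytes) -> bytes:
        return derive_response(self.table[component], initial)


class DiagnosticAuthenticator:
    """Vehicle side of claims 5 to 7; failure database and lock set are in memory."""
    def __init__(self, component: str, key: bytes, cloud: Cloud):
        self.component, self.key, self.cloud = component, key, cloud
        self.threshold = INITIAL_THRESHOLD
        self.failures, self.locked = [], set()
        self.unlocked = self.alarm = False

    def authenticate(self) -> bool:
        initial = os.urandom(FIRST_BYTES)                       # first target byte data
        expected = derive_response(self.key, initial)           # second target byte data
        received = self.cloud.respond(self.component, initial)  # third target byte data
        if hmac.compare_digest(expected, received):             # constant-time match check
            self.unlocked, self.locked = True, set()            # unlock service and records
            return True
        self.failures.append({"component": self.component, "received": received.hex()})
        if len(self.failures) > self.threshold:
            self.alarm = True                                   # security alarm notification
            self.threshold = max(1, self.threshold - 1)         # adjust the preset threshold
            self.locked.add(len(self.failures) - 1)             # lock this failure record
        return False
```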
CN202510134141.0A 2025-02-06 2025-02-06 Safety authentication method, device, vehicle and storage medium for on-board diagnostic service Pending CN120124041A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510134141.0A CN120124041A (en) 2025-02-06 2025-02-06 Safety authentication method, device, vehicle and storage medium for on-board diagnostic service

Publications (1)

Publication Number Publication Date
CN120124041A true CN120124041A (en) 2025-06-10

Family

ID=95919633

Country Status (1)

Country Link
CN (1) CN120124041A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination