Search

CN-121984673-A - Software upgrading implementation method, vehicle, server and system

CN121984673ACN 121984673 ACN121984673 ACN 121984673ACN-121984673-A

Abstract

The invention provides a software upgrading realization method, a vehicle, a server and a system, which belong to the technical field of remote upgrading of automobiles, wherein the method comprises the steps of generating a signature key pair through a hardware security module, wherein the key pair comprises a private key and a public key, and configuring the private key to be forbidden to be exported from the hardware security module; the method comprises the steps of generating a key identifier uniquely bound with a key pair through a hardware security module, generating a target upgrade package through a server, dividing the target upgrade package into a plurality of data blocks, calling the hardware security module to carry out digital signature on each data block based on a private key and the key identifier to generate corresponding signature data, and issuing each data block and the corresponding signature data to a vehicle through the server so that a security chip of the vehicle can sequentially carry out signature verification on each data block based on a public key, and merging and installing the data blocks after all data blocks pass verification. The invention improves the upgrade safety and stability.

Inventors

  • GAO LANG
  • WANG SHUPING

Assignees

  • 武汉江夏楚能汽车技术研发有限公司

Dates

Publication Date
20260505
Application Date
20260202

Claims (10)

  1. 1. The method for realizing the software upgrading is characterized by being executed by a server, wherein the server comprises a hardware security module and a server side, and the method comprises the following steps: Generating, by the hardware security module, a signing key pair comprising a private key and a public key, and configuring the private key to prohibit derivation from the hardware security module; generating, by the hardware security module, a key identifier uniquely bound to the key pair; generating a target upgrade package through the server side, and dividing the target upgrade package into a plurality of data blocks; invoking the hardware security module to digitally sign each data block based on the private key and the key identifier to generate corresponding signature data; And issuing each data block and the signature data corresponding to the data block to a vehicle through the server side so that a security chip of the vehicle can sequentially perform signature verification on each data block based on the public key, and combining and installing the data blocks after all the data blocks pass verification.
  2. 2. The method according to claim 1, wherein said invoking the hardware security module to digitally sign each of the data blocks based on the private key and the key identifier to generate corresponding signature data comprises: The server side calls the hardware security module to calculate the encryption hash value of each data block; Transmitting the encrypted hash value and the key identifier of each data block to the hardware security module through the server; Based on the hardware security module, acquiring the corresponding private key according to the key identifier, and executing signature operation according to the private key and the encryption hash value to generate a signature result corresponding to each data block; And generating the corresponding signature data based on the hardware security module according to the signature result of each data block, the key identifier, the time stamp, the random number and the signature hash value, wherein the signature hash value is the hash value of the signature result.
  3. 3. The software upgrade implementation method of claim 1, further comprising: The public key is derived from the hardware security module, and a public key certificate is generated through the server according to the public key and the key identifier; Carrying out integrity check and validity check on the public key certificate based on the server side; If the public key certificate passes the integrity check and the validity check, distributing the public key certificate to the vehicle and a protected storage area of the server through the server; if the verification fails, destroying the corresponding key pair in the hardware security module.
  4. 4. The software upgrade implementation method of claim 1, further comprising: In response to a backup request, encrypting a first private key of an original hardware security module by using a public key of an authorized target hardware security module by the original hardware security module to generate an encrypted backup package; In response to a recovery request, the target hardware security module uses a second private key of the target hardware security module to decrypt the encrypted backup packet, and the first private key obtained by decryption is recovered into a protected storage area of the target hardware security module; And responding to a destroying instruction, and performing erasing operation on a storage medium storing the first private key by the original hardware security module.
  5. 5. A software upgrade implementation method, characterized by being performed by a vehicle comprising a security chip, a client and an electronic control unit, the method comprising: The method comprises the steps of receiving a plurality of data blocks and signature data corresponding to the data blocks issued by a server, wherein the plurality of data blocks are generated by the server and are segmented, the signature data are generated by a hardware security module of the server on the basis of a private key and a key identifier, the private key is generated by the hardware security module, and the private key is configured to be forbidden to be derived from the hardware security module; for each received data block, performing signature verification by the security chip based on the signature data corresponding to the data block; And merging all the stored data blocks passing the signature verification to obtain the target upgrade package, so that the electronic control unit installs the target data package.
  6. 6. The software upgrade implementation method of claim 5, wherein the performing, by the security chip, signature verification based on the signature data corresponding to the data blocks for each received data block comprises: Analyzing the signature data corresponding to the current data block through the client, and extracting the key identifier, the signature result and the signature hash value; Transmitting the current data block, the key identifier, the signature result and the signature hash value to the security chip through the client; reading a corresponding public key from a protected storage area through the security chip according to the key identifier, wherein the public key is generated by the hardware security module; Calculating a first hash value of the current data block in the security chip; calculating the signature result by using the public key based on the security chip to obtain a second hash value; and comparing the first hash value with the second hash value based on the security chip, if the first hash value and the second hash value are consistent, determining that the signature verification of the current data block is passed, and if the first hash value and the second hash value are inconsistent, determining that the signature verification of the current data block is not passed.
  7. 7. The software upgrade implementation method according to claim 5 or 6, wherein, before signature verification by the security chip based on the signature data corresponding to the data block for each received data block, the method comprises: the client performs pre-verification on the current data block, wherein the pre-verification comprises a time stamp validity verification, a random number uniqueness verification and a signature data integrity verification; If any one of the pre-verification is not passed, refusing signature verification on the current data block by the client; And if the front verification is completely passed, the client side allows signature verification to be carried out on the current data block.
  8. 8. A server, characterized in that the server comprises a hardware security module and a server, wherein the hardware security module and the server are used for implementing the steps in the software upgrade implementation method according to any one of the preceding claims 1 to 4.
  9. 9. A vehicle, characterized in that the vehicle comprises a client, a security chip and an electronic control unit, wherein the client, the security chip and the electronic control unit are adapted to implement the steps of the software upgrade implementation method according to any of the preceding claims 5 to 7.
  10. 10. A software upgrade implementing system, comprising the server of claim 8 and the vehicle of claim 9.

Description

Software upgrading implementation method, vehicle, server and system Technical Field The invention relates to the technical field of remote upgrade of automobiles, in particular to a software upgrade realization method, a vehicle, a server and a system. Background Under The background of rapid development of intelligent and networking of automobiles, an OTA (Over-The-Air) technology has become a core means of vehicle software updating and function iteration. To ensure the reliability and security of the upgrade process, digital signature mechanisms are widely used to verify the source authenticity and content integrity of the upgrade package, which is inherently dependent on the non-counterfeitability of the private key signature in public key cryptography. Currently mainstream OTA signature schemes commonly employ a software-based Public Key Infrastructure (PKI) architecture. In the system, a signature private key is usually stored in a server file system or a key library in a software encryption mode, a signed upgrade package is distributed to a vehicle through a network, and the vehicle performs signature verification by using a preset public key, so that validity verification is completed. However, the above prior art solutions centered on software have fundamental security drawbacks in that, on the one hand, the private key is usually stored in the form of an encrypted file in the server hard disk or in the software keystore, and its decryption key is still exposed in some form to the memory or configuration file, creating an infinite recursion problem of the key protection key. The attacker can finally extract the plaintext of the private key by utilizing system loopholes (such as memory leakage), physical contact storage media or a permeation supply chain, on the other hand, the private key needs to be decrypted and loaded into the memory and the CPU of the general server for execution during signature operation. The private key plaintext is temporarily appeared in the memory, and is a target which can be stolen by memory dump, CPU side channel attack (such as by using fusing loopholes) or by a malicious virtual machine monitoring program. The general purpose computing environment cannot provide physical level protection against such attacks. The defects make the signature private key the weakest link in the whole OTA safety chain, once the private key is revealed, an attacker can issue any malicious upgrade package, and serious threat is formed to the safety of vehicle functions. The existing scheme is difficult to provide eradication protection thoroughly isolating software and hardware attacks in the whole life cycle of the key. Disclosure of Invention In view of the foregoing, it is necessary to provide a software upgrade implementation method, a vehicle, a server and a system for solving the technical problem that in the prior art, an OTA signature scheme has a risk that a private key is extracted or stolen in the whole life cycle of the key. In order to solve the above technical problems, in a first aspect, the present invention provides a software upgrade implementation method, which is executed by a server, where the server includes a hardware security module and a server, and the method includes: Generating, by the hardware security module, a signing key pair comprising a private key and a public key, and configuring the private key to prohibit derivation from the hardware security module; generating, by the hardware security module, a key identifier uniquely bound to the key pair; generating a target upgrade package through the server side, and dividing the target upgrade package into a plurality of data blocks; invoking the hardware security module to digitally sign each data block based on the private key and the key identifier to generate corresponding signature data; And issuing each data block and the signature data corresponding to the data block to a vehicle through the server side so that a security chip of the vehicle can sequentially perform signature verification on each data block based on the public key, and combining and installing the data blocks after all the data blocks pass verification. In one possible implementation manner, the invoking the hardware security module to digitally sign each data block based on the private key and the key identifier to generate corresponding signature data includes: The server side calls the hardware security module to calculate the encryption hash value of each data block; Transmitting the encrypted hash value and the key identifier of each data block to the hardware security module through the server; Based on the hardware security module, acquiring the corresponding private key according to the key identifier, and executing signature operation according to the private key and the encryption hash value to generate a signature result corresponding to each data block; And generating the corresponding signature data based on the hardware secu