Search

CN-121984696-A - Vehicle PKI authentication method, system and readable storage medium

CN121984696ACN 121984696 ACN121984696 ACN 121984696ACN-121984696-A

Abstract

The invention discloses a vehicle PKI authentication method, a system and a readable storage medium, which ensure that an authentication APP is activated through communication between a diagnostic instrument and the authentication APP, so that PKI authentication has an accurate authentication premise, a CA certificate is stored through the authentication APP, the diagnostic instrument can acquire the CA certificate only through the authentication APP, and the risk of tampering and leakage of the CA certificate is reduced. And establishing communication between the diagnostic instrument and the authentication APP and the vehicle end, and completing signing releasing of the CA certificate and signing releasing of the random number signature sent by the diagnostic instrument by the vehicle end, so that relay risk in the PKI authentication process is further reduced through twice information authentication of the vehicle end. The communication between the vehicle-mounted terminal and the authorized diagnostic instrument can be ensured, and the safety, the effectiveness and the high efficiency of the PKI authentication process are improved.

Inventors

  • SU DEXIU
  • Cui Jiatong
  • WANG FEI
  • CHEN XIAODONG
  • ZHAO JINGYI
  • ZHANG YUQIANG
  • ZHAO KE
  • WU MINGHUI
  • HU ZHIDONG

Assignees

  • 郑州日产汽车有限公司

Dates

Publication Date
20260505
Application Date
20251211

Claims (10)

  1. 1. A vehicle PKI authentication method, comprising the steps of: The method comprises the steps that S1, a diagnostic instrument sends a VCI identifier to an authentication APP, the authentication APP judges whether the authentication APP is activated or not, if yes, the authentication APP reads CA certificate data stored by the authentication APP and sends a CA certificate to the diagnostic instrument, if not, the authentication APP sends an unactivated result to the diagnostic instrument, and after the diagnostic instrument activates the authentication APP through a cloud by using an activation code provided by a manufacturer, the authentication APP reads the CA certificate data stored by the authentication APP and sends the CA certificate to the diagnostic instrument; s2, the diagnostic instrument sends a CA certificate to the vehicle end for diagnosis request, the vehicle end signs the CA certificate through a self-filled CA public key, obtains a VCI identifier and the public key and sends a VCI verification request to the diagnostic instrument; S3, after receiving the verification request, the diagnostic instrument sends the current VCI identification to the vehicle end, the vehicle end judges whether the VCI identification which is checked out is consistent with the current VCI identification of the diagnostic instrument, if so, random number information is generated, the random number information is sent to the diagnostic instrument, and a CA private key verification request is initiated, and step S4 is executed; s4, the diagnostic instrument sends random number information and a signature request to the authentication APP, the authentication APP uses a private key to sign the random number, a diagnostic certificate is generated and sent to the diagnostic instrument, and the diagnostic instrument sends the diagnostic certificate to the vehicle end; and S5, the vehicle end signs the diagnosis certificate through a public key obtained from the CA certificate, checks the time stamp, judges whether the timeliness of the time stamp is within a set range, if so, sends a check passing result to the diagnosis instrument end, starts conventional diagnosis between the diagnosis instrument and the vehicle end, and if not, carries out alarm reminding.
  2. 2. The vehicle PKI authentication method according to claim 1, wherein the specific steps of the diagnostic apparatus in step S1 activating the authentication APP by the cloud using the activation code provided by the manufacturer are as follows: The diagnostic instrument sends the activation code and the VCI identifier to the authentication APP, and the authentication APP obtains the diagnostic instrument identifier, generates a public and private key pair and CSR, and sends the activation code, the VCI identifier, the diagnostic instrument identifier, the public key and the CSR to the cloud for authentication APP activation request; and D2, checking the activation code by the cloud, binding the activation code and the VCI, sending the CA certificate and the CA private key to the authentication APP, storing the CA certificate and the CA private key by the authentication APP, and sending the CA certificate to the diagnostic instrument.
  3. 3. The PKI authentication method for a vehicle according to claim 1, wherein the judgment criterion for whether the authentication APP is activated in the step S1 is whether the CA certificate stored in the authentication APP is within a valid period, and if so, the authentication APP is considered to be activated, and if not, the authentication APP is considered to be not activated.
  4. 4. The method for authenticating a vehicle PKI in accordance with claim 3, wherein the expiration date is assigned by the cloud according to different vehicle conditions.
  5. 5. The method according to claim 1, wherein the random number information in step S3 includes a random number, a time stamp, and a VCI identification.
  6. 6. The method for vehicle PKI authentication according to claim 1, wherein the timeliness setting range of the time stamp in step S5 is not more than 1S.
  7. 7. A PKI authentication system employing the vehicle PKI authentication method of any one of claims 1-6, comprising: The diagnostic instrument is used for sending a VCI identifier, an activation code, random number information and a signature request provided by a manufacturer to the authentication APP, receiving an unactivated result and a CA certificate sent by the authentication APP, sending the CA certificate to the vehicle end to carry out a diagnosis request, receiving a VCI verification request sent by the vehicle end, and sending the current VCI identifier to the vehicle end; The authentication APP is integrated on the diagnostic instrument and stores a CA certificate, and is used for reading CA certificate data stored by the APP and sending the CA certificate to the diagnostic instrument, and sending an unactivated result to the diagnostic instrument; The cloud end is used for activating the authentication APP; The vehicle end is used for signing the CA certificate through the self-filled CA public key, acquiring a VCI identifier and a public key, sending a VCI verification request to the diagnostic instrument, judging whether the VCI identifier obtained through signing is consistent with the current VCI identifier of the diagnostic instrument, generating random number information, sending the random number information to the diagnostic instrument and initiating a CA private key verification request, alarming, prompting, signing the diagnostic certificate through the public key acquired from the CA certificate, verifying the timestamp, judging whether the timeliness of the timestamp is in a set range, and sending a verification passing result to the diagnostic instrument end.
  8. 8. The PKI authentication system employing the vehicle PKI authentication method according to claim 7, wherein the authentication APP is further used for acquiring the diagnostic instrument identifier, generating a public-private key pair and CSR, sending an activation code, a VCI identifier, the diagnostic instrument identifier, a public key and CSR to the cloud for authentication APP activation request, and storing the CA private key.
  9. 9. The PKI authentication system according to claim 8, wherein the cloud end is further configured to verify the activation code, bind the activation code and the VCI identifier, and send the CA certificate and the CA private key to the authentication APP.
  10. 10. A computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, causes a device in which the computer readable storage medium resides to perform the method of any one of claims 1-6.

Description

Vehicle PKI authentication method, system and readable storage medium Technical Field The invention belongs to the technical field of vehicle PKI authentication, and particularly relates to a vehicle PKI authentication method, a vehicle PKI authentication system and a readable storage medium. Background In the prior art, according to the requirements of GB44495 standard, an external interface (such as an OBD-II interface and a diagnosis port) of a vehicle is required to be provided with access control protection to prevent unauthorized access, authentication based on PKI (public key infrastructure) is required to be realized between a diagnosis instrument and a vehicle body domain controller (Body Domain Controller, BDC) through 0x29 service, the diagnosis operation can be carried out only after the authentication is passed, the specific authentication process is that 1, the certificate is filled in, in the production process, the OEM (original equipment manufacturer) directly burns the certificate and a private key into the storage of the diagnosis instrument, the diagnosis instrument downloads and installs the certificate from the OEM platform through an OTA (Over-the-Air) update mechanism after the certificate is expired, the vehicle body domain controller also acquires a new public key certificate from the OEM platform and stores the new public key certificate in a local certificate storage library, 2, the diagnosis instrument firstly sends a connection request through Bluetooth, the vehicle body domain controller receives the request of the diagnosis instrument, the public key stored in the vehicle body domain is verified, the public key stored in the public domain is verified, the public key is not signed by the public key of the vehicle body domain, and the public key is not signed by the public key of the public domain, and the public key is not signed by the public domain after the public key is used for verification. 3. And the authentication is completed, namely the diagnostic instrument and the vehicle body domain controller establish secure connection through CA certificates. At this time, the diagnostic apparatus may continue to request the diagnostic status certificate, and perform operations such as vehicle diagnosis and trouble reading. Although the authentication mechanism enhances the security, the method still has the defects that ① diagnostic instruments directly store CA certificates and private keys in practical application, so that the CA certificates are in risk of being revealed or tampered, ② attackers can disguise as legal equipment to carry out unauthorized access, the relay risk of PKI authentication process is improved, ② because the CA certificates are issued in advance, the diagnostic instruments are sold to the market, and the life cycle management, updating and revocation of the later CA certificates are very difficult. A new vehicle PKI authentication method is needed to solve the above-mentioned technical problems. Disclosure of Invention The invention aims to provide a vehicle PKI authentication method which is used for solving the technical problems of high risk of CA certificate tampering and leakage and high relay risk in the PKI authentication process in the prior art. The invention also aims to provide a PKI authentication system adopting the vehicle PKI authentication method. It is also an object of the present invention to provide a computer readable storage medium. The technical scheme for solving the technical problems is as follows: a vehicle PKI authentication method, comprising the steps of: The method comprises the steps that S1, a diagnostic instrument sends a VCI identifier to an authentication APP, the authentication APP judges whether the authentication APP is activated or not, if yes, the authentication APP reads CA certificate data stored by the authentication APP and sends a CA certificate to the diagnostic instrument, if not, the authentication APP sends an unactivated result to the diagnostic instrument, and after the diagnostic instrument activates the authentication APP through a cloud by using an activation code provided by a manufacturer, the authentication APP reads the CA certificate data stored by the authentication APP and sends the CA certificate to the diagnostic instrument; s2, the diagnostic instrument sends a CA certificate to the vehicle end for diagnosis request, the vehicle end signs the CA certificate through a self-filled CA public key, obtains a VCI identifier and the public key and sends a VCI verification request to the diagnostic instrument; S3, after receiving the verification request, the diagnostic instrument sends the current VCI identification to the vehicle end, the vehicle end judges whether the VCI identification which is checked out is consistent with the current VCI identification of the diagnostic instrument, if so, random number information is generated, the random number information is sent to the diagnostic instr