技术领域technical field
本发明涉及通信技术领域,特别涉及一种鉴权信息传输方法及装置。The present invention relates to the field of communication technology, in particular to an authentication information transmission method and device.
背景技术Background technique
借助DSRC(Dedicated Short Range Communications,专用短距通信技术),通过车与车、车与道路基础设施间的直接通信,实时感知车辆周边状况并提供及时道路安全预警的车联网技术是当前世界各国解决道路安全问题的一个研究热点。With the help of DSRC (Dedicated Short Range Communications, dedicated short-range communication technology), through direct communication between vehicles and vehicles, vehicles and road infrastructure, the Internet of Vehicles technology that can sense the surrounding conditions of vehicles in real time and provide timely road safety warnings is currently the solution in various countries in the world. A research hotspot of road safety.
基于车与车、车与道路基础设施间直接通信的车联网具有无中心、自组织等特点,传统基于中心控制的无线网络,例如GSM(Global System of Mobile communication,全球移动通讯系统)、3G(3rd-Generation Mobile communication,第三代移动通信技术)、LTE(Long Term Evolution,长期演进)网络中,成熟的信息安全保障机制无法在这样的网络中使用,使得基于车与车、车与路直接通信的车联网更容易受到来自恶意节点的安全威胁。The Internet of Vehicles based on direct communication between vehicles and between vehicles and road infrastructure has the characteristics of no center and self-organization. Traditional wireless networks based on central control, such as GSM (Global System of Mobile communication, Global System for Mobile Communications), 3G ( In 3rd-Generation Mobile communication, third-generation mobile communication technology) and LTE (Long Term Evolution, long-term evolution) networks, mature information security guarantee mechanisms cannot be used in such networks, making direct The communicating IoV is more vulnerable to security threats from malicious nodes.
IEEE WAVE车辆环境无线接入工作组制定的用于车与车、车与道路基础设施间直接通信的DSRC协议由底层协议(802.11p)和上层协议(1609协议簇)两部分组成,其中,1609.2协议簇中定义了车与车、车与基础设施间通信消息的鉴权和加密机制,来防止电子欺诈、窃听。加密机制在车与车、车与道路基础设施间进行点对点通信时才需要使用;车辆及基础设施发送的道路安全消息希望覆盖范围内所有的车辆及路侧基础设施都能够接收到,因此车辆和路侧基础设施发送的道路安全消息不需要加密,只需要接收端对消息的发送者进行鉴权,以确定消息的有效性。The DSRC protocol for direct communication between vehicles and vehicles, and between vehicles and road infrastructure developed by the IEEE WAVE Vehicle Environment Wireless Access Working Group consists of two parts: the bottom layer protocol (802.11p) and the upper layer protocol (1609 protocol cluster), of which 1609.2 The protocol cluster defines authentication and encryption mechanisms for communication messages between vehicles and between vehicles and infrastructure to prevent electronic fraud and eavesdropping. The encryption mechanism is only required for point-to-point communication between vehicles and between vehicles and road infrastructure; the road safety messages sent by vehicles and infrastructure are expected to be received by all vehicles and roadside infrastructure within the coverage area, so vehicles and Road safety messages sent by roadside infrastructure do not need to be encrypted, and only the receiver needs to authenticate the sender of the message to determine the validity of the message.
SAE J2735消息集库定义了多种用于支持道路安全应用的消息格式,其中最重要的是基本安全消息(BSM),该消息用来发送支持车与车间道路安全应用的车辆状态信息,如当前的时间、车辆位置、速度以及其他一些基本的车辆状态信息。车辆间通过频繁的BSM消息交互可以跟踪彼此的位置及移动,从而使驾驶员能够采取恰当的驾驶行为来避免可能的碰撞。接收节点必须保证所接收到的BSM消息有效且未被篡改,才能够利用所接收的BSM中的信息来实现道路安全应用。The SAE J2735 message set library defines a variety of message formats used to support road safety applications, the most important of which is Basic Safety Message (BSM), which is used to send vehicle status information supporting vehicle and workshop road safety applications, such as the current time, vehicle location, speed, and other basic vehicle status information. Vehicles can track each other's position and movement through frequent BSM message interaction, so that drivers can take appropriate driving behaviors to avoid possible collisions. The receiving node must ensure that the received BSM message is valid and has not been tampered with, so that the information in the received BSM can be used to implement road safety applications.
1609.2协议簇中对接收到的消息提供了如下鉴权方式:The 1609.2 protocol suite provides the following authentication methods for received messages:
消息的发送节点拥有一个私有签名密钥和一个包含了其私有签名密钥相关联的公共密钥的证书。发送节点使用私钥对发送的消息进行数字签名,数字签名信息携带在所发送的消息中;接收节点使用该接收消息对应的发送节点的公钥对消息中携带的数字签名信息进行验证,以判断消息的发送节点是否具有消息中所发送内容的发送权限以及判断消息的有效性。The sending node of the message has a private signing key and a certificate containing the public key associated with its private signing key. The sending node uses the private key to digitally sign the sent message, and the digital signature information is carried in the sent message; the receiving node uses the public key of the sending node corresponding to the received message to verify the digital signature information carried in the message to judge Whether the sending node of the message has the permission to send the content sent in the message and judge the validity of the message.
目前每个节点发送的每条消息中均携带节点对所发消息的数字签名信息,以及包含了与其私钥相关联的公钥的证书,该证书还包括利用CA(Certificate Authority,证书管理机构)发布公钥对证书的签名。当一个节点接收到其他节点发送的消息时,先根据CA发布的公钥对该消息中包含的证书进行验证,以确定证书的有效性;对证书验证通过后,使用证书中包含的与发送节点使用的私钥相关联的公钥对接收到的消息的有效性进行验证,验证通过后,将该消息中包含的道路安全信息发送给高层处理。At present, each message sent by each node carries the node's digital signature information on the message sent, as well as a certificate containing the public key associated with its private key. The certificate also includes the use of CA (Certificate Authority, certificate management agency) Publish the signature of the public key pair certificate. When a node receives a message sent by another node, it first verifies the certificate contained in the message according to the public key issued by the CA to determine the validity of the certificate; The public key associated with the private key used is used to verify the validity of the received message, and after the verification is passed, the road safety information contained in the message is sent to the upper layer for processing.
目前,证书的发送方法主要采用以下方式:通过车与车、车与基础设施间直接通信来提高行车安全的车联网系统中,为了保证车与车、车与基础设施间交互信息的安全性和可信性,当前要求发送端节点在每条发送的消息中都携带消息的签名信息以及对应的证书,接收端节点(车辆或基础设施)对每条接收到的其他车辆或路侧基础设施发送的道路安全消息都进行鉴权。At present, the method of sending certificates mainly adopts the following methods: In the Internet of Vehicles system that improves driving safety through direct communication between vehicles and between vehicles and infrastructure, in order to ensure the security and security of interactive information between vehicles and between vehicles and infrastructure, Credibility, the sending end node is currently required to carry the message signature information and the corresponding certificate in each sent message, and the receiving end node (vehicle or infrastructure) sends a message to each received other vehicle or roadside infrastructure All road safety messages are authenticated.
节点发送的消息中包含的证书主要用来对发送节点的身份进行验证,证书中除了包含上述发送节点公钥、CA的签名外,还包含发送节点的标识(ID)、证书的序列号、证书发放机构的名称、以及能够使接收者验证证书是否已被撤销等信息。The certificate contained in the message sent by the node is mainly used to verify the identity of the sending node. In addition to the above-mentioned public key of the sending node and the signature of the CA, the certificate also includes the identification (ID) of the sending node, the serial number of the certificate, and the certificate The name of the issuing authority, and information that enables the recipient to verify that the certificate has been revoked.
此外,证书中还包含关于时间、内容、位置的范围限制信息(对于基础设施来讲,关于位置的范围限制信息是非常重要的);出于保护隐私,车辆使用一个证书通常只在有限时间有效(如5-10分钟),从而使它的轨迹不能够通过广播的道路安全信息被方便的长时间跟踪。当车辆变换证书的时候,它也会改变其发送的道路安全消息中的其他标识,如BSM消息中的源MAC地址、临时ID、序列号等。In addition, the certificate also contains range restriction information about time, content, and location (for infrastructure, the range restriction information about location is very important); for privacy protection, a vehicle using a certificate is usually only valid for a limited time (such as 5-10 minutes), so that its trajectory cannot be conveniently tracked for a long time by broadcasting road safety information. When a vehicle changes its certificate, it will also change other identifiers in the road safety messages it sends, such as the source MAC address, temporary ID, serial number, etc. in the BSM message.
证书可以采用两种方式来提供上述发送者公钥和进行CA鉴权。在显示证书中它们分别由证书中独立的域指示,如一个224bit的发送者公钥域和256bit的CA签名;在隐式证书中,发送者公钥和进行CA鉴权通过重建域隐式地提供。接收节点可以使用CA公钥和重建域的值恢复出发送者公钥,在这个过程中可以对证书本身进行鉴定,但隐式证书要求发送者和CA使用相同长度的密钥,重建域的长度等于密钥的长度。由于隐式证书中使用重建域来代替发送者公钥和CA签名域使得隐式证书相对于显示证书能够节约50-60字节。由于可以实现明显节省,1609工作组正在考虑将隐式证书设置为可选的方式。处理的负荷一定程度上取决于实现方式,但通常认为显式证书与隐式证书的处理要求基本相当。The certificate can be provided in two ways to provide the sender's public key and perform CA authentication. In the displayed certificate, they are indicated by independent fields in the certificate, such as a 224bit sender public key field and a 256bit CA signature; in the implicit certificate, the sender public key and CA authentication are implicitly reconstructed by the field supply. The receiving node can use the CA public key and the value of the reconstruction field to recover the sender's public key. In this process, the certificate itself can be identified, but the implicit certificate requires the sender and the CA to use the same length of key, and the length of the reconstruction field equal to the length of the key. Since the reconstruction field is used in the implicit certificate to replace the sender's public key and the CA signature field, the implicit certificate can save 50-60 bytes compared to the explicit certificate. Because of the obvious savings that can be achieved, the 1609 working group is considering making implicit certificates optional. The processing load is somewhat implementation dependent, but it is generally considered that explicit and implicit certificates have roughly equivalent processing requirements.
显示证书的长度一般为一百多字节,即便是较小的隐式证书相对于BSM中指示车辆状态的信息(长度一般为50~150字节)的长度也是很大的。The length of the displayed certificate is generally more than 100 bytes, and even a small implicit certificate is relatively large in length compared to the information indicating the vehicle status in the BSM (the length is generally 50-150 bytes).
发明人在实现本发明的过程中,发现现有证书的发送方案至少存在以下缺陷:In the process of implementing the present invention, the inventor found that the existing certificate sending scheme has at least the following defects:
车辆及路侧基础设施发送的消息都需要进行数字签名以便让接收该消息的车辆确定该消息的有效性。现有技术中,在终端与对端通信时,根据对端发送消息中携带证书中的发送者公钥对对端身份进行验证,然而证书的发送占用了大量的传输资源,从而使发送消息占用了大量的传输信道资源,因此极大地降低了系统资源的利用率。Messages sent by vehicles and roadside infrastructure need to be digitally signed so that the vehicle receiving the message can determine the validity of the message. In the prior art, when the terminal communicates with the opposite end, the identity of the opposite end is verified according to the sender’s public key in the certificate carried in the message sent by the opposite end. A large number of transmission channel resources, thus greatly reducing the utilization of system resources.
发明内容Contents of the invention
本发明实施例提供了一种鉴权信息传输方法及装置,用以节约信道资源及提高系统的资源利用率。Embodiments of the present invention provide a method and device for transmitting authentication information, which are used to save channel resources and improve system resource utilization.
本发明实施例中提供了一种鉴权信息传输方法,包括:An embodiment of the present invention provides an authentication information transmission method, including:
中心节点接收其覆盖的终端发送的用于对终端进行身份验证的鉴权信息;The central node receives the authentication information sent by the terminal covered by it for authenticating the terminal;
所述中心节点将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。The central node forwards or processes the received authentication information of each terminal to all terminals covered by the central node.
较佳地,进一步包括:所述中心节点将接收的每个终端的鉴权信息转发给或处理后发送给与所述中心节点相邻的中心节点。Preferably, the method further includes: the central node forwarding or processing the received authentication information of each terminal to a central node adjacent to the central node.
较佳地,进一步包括:所述中心节点接收相邻中心节点发送的相邻中心节点覆盖的终端的鉴权信息;Preferably, it further includes: the central node receiving the authentication information of the terminal covered by the adjacent central node sent by the adjacent central node;
所述中心节点将接收的相邻中心节点覆盖的终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端,以防止小区边缘处出现盲区。The central node forwards or processes received authentication information of terminals covered by the adjacent central node to all terminals covered by the central node, so as to prevent blind spots at cell edges.
较佳地,所述鉴权信息包括发送者公钥,则终端接收到对端的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息中的发送者公钥对对端身份进行验证,从而保证接收到的对端的未携带鉴权信息的消息的安全性和可信性。Preferably, the authentication information includes the sender's public key, and when the terminal receives the peer's message that does not carry authentication information, it will use the sender's public key pair in the stored peer's authentication information received from the central node to Verify the identity of the peer to ensure the security and credibility of the received message without authentication information from the peer.
较佳地,所述鉴权信息还包括发送者的标识和/或证书管理机构CA的签名,则指示中心节点根据所述鉴权信息中的发送者的标识和/或CA的签名对该终端进行身份验证。Preferably, the authentication information also includes the identity of the sender and/or the signature of the certificate management authority CA, and then instructs the central node to send the terminal to the terminal according to the identity of the sender and/or the signature of the CA in the authentication information. Authenticate.
较佳地,所述鉴权信息包括发送者证书中的一项或多项内容。Preferably, the authentication information includes one or more contents in the sender's certificate.
较佳地,所述中心节点将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端之前,进一步包括:Preferably, before the central node forwards or processes the received authentication information of each terminal to all terminals covered by the central node, it further includes:
基于蜂窝网络的鉴权认证体系或接收的终端鉴权信息中CA的签名对接收的每个终端进行身份验证;Verify the identity of each received terminal based on the authentication system of the cellular network or the signature of the CA in the received terminal authentication information;
验证通过后将终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端,从而保证接收到的终端的鉴权信息的安全性和可信性。After passing the verification, the authentication information of the terminal is forwarded or processed and sent to all terminals covered by the central node, so as to ensure the security and credibility of the received authentication information of the terminal.
较佳地,所述鉴权信息为发送者证书,所述中心节点将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端,包括:Preferably, the authentication information is a sender certificate, and the central node forwards or processes the received authentication information of each terminal to all terminals covered by the central node, including:
将接收的每个终端的发送者证书或发送者证书中的部分内容发送给所述中心节点覆盖的所有终端。Send the received sender certificate or part of the sender certificate of each terminal to all terminals covered by the central node.
较佳地,所述发送者证书包括CA签名,将接收的每个终端的发送者证书中的部分内容发送给所述中心节点覆盖的所有终端,包括:Preferably, the sender certificate includes a CA signature, and part of the received sender certificate of each terminal is sent to all terminals covered by the central node, including:
将去掉CA签名的终端的发送者证书发送给所述中心节点覆盖的所有终端,以降低发送终端的鉴权信息所需的系统资源开销。The sender certificate of the terminal without the CA signature is sent to all terminals covered by the central node, so as to reduce the system resource overhead required for sending the authentication information of the terminal.
较佳地,所述中心节点将接收的每个终端的鉴权信息处理后发送给所述中心节点覆盖的终端,包括:Preferably, the central node processes the received authentication information of each terminal and sends it to the terminals covered by the central node, including:
在接收的每个终端的鉴权信息中加入利用中心节点的私有密钥所作的签名,或中心节点的公钥及利用中心节点的私有密钥所作的签名;Add the signature made by the private key of the central node, or the public key of the central node and the signature made by the private key of the central node to the authentication information of each terminal received;
将处理后的接收的每个终端的鉴权信息发送给所述中心节点覆盖的所有终端。Send the processed received authentication information of each terminal to all terminals covered by the central node.
较佳地,所述中心节点将所述终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端,包括:Preferably, the central node forwards or processes the authentication information of the terminal to all terminals covered by the central node, including:
所述中心节点按照设定时间间隔或事件触发方式,将接收的每个终端的鉴权信息发送给或处理后发送给所述中心节点覆盖的所有终端,将终端的鉴权信息按照设定时间间隔或事件触发方式统一下发给所述中心节点覆盖的所有终端,以提高网络资源利用率。The central node sends or processes the received authentication information of each terminal to all terminals covered by the central node according to the set time interval or event trigger mode, and sends the terminal's authentication information according to the set time The interval or event trigger mode is uniformly issued to all terminals covered by the central node, so as to improve the utilization rate of network resources.
较佳地,所述中心节点通过以下方式中的任一种,将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端:Preferably, the central node forwards or processes the received authentication information of each terminal to all terminals covered by the central node in any of the following ways:
广播方式;组播方式;多播方式;点对点方式。Broadcast mode; multicast mode; multicast mode; point-to-point mode.
本发明的上述实施例中,可以达到合理利用信道资源,提高系统资源利用率的目的。In the above embodiments of the present invention, the purpose of rationally utilizing channel resources and improving the utilization rate of system resources can be achieved.
本发明实施例中提供了一种鉴权信息传输方法,包括:An embodiment of the present invention provides an authentication information transmission method, including:
终端将用于对所述终端进行身份验证的鉴权信息发送给覆盖所述终端的中心节点;The terminal sends authentication information for authenticating the terminal to a central node covering the terminal;
终端接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储。The terminal receives and stores the authentication information of all terminals covered by the central node sent by the central node.
较佳地,进一步包括:Preferably, it further includes:
终端接收所述中心节点发送的相邻中心节点覆盖的所有终端的鉴权信息并进行存储。The terminal receives and stores the authentication information of all terminals covered by the adjacent central nodes sent by the central node.
较佳地,所述终端发送的鉴权信息包括发送者的公钥。Preferably, the authentication information sent by the terminal includes the sender's public key.
较佳地,所述终端发送的鉴权信息还包括发送者标识和/或证书管理机构CA的签名。Preferably, the authentication information sent by the terminal further includes the sender's identification and/or the signature of the certificate management authority CA.
较佳地,所述终端发送的鉴权信息包括发送者证书中的一项或多项内容。Preferably, the authentication information sent by the terminal includes one or more contents in the sender's certificate.
较佳地,终端将鉴权信息发送给覆盖所述终端的中心节点,包括:Preferably, the terminal sends authentication information to the central node covering the terminal, including:
终端按照设定时间间隔或事件触发方式将鉴权信息发送给覆盖所述终端的中心节点。The terminal sends the authentication information to the central node covering the terminal according to a set time interval or event-triggered manner.
终端使用的鉴权信息中的发送者证书通常只在有效时间有效,采用此方式可以向中心节点发送随时间更新的发送者证书,保证了发送者证书的有效性。The sender's certificate in the authentication information used by the terminal is usually valid only during the validity period. In this way, the sender's certificate updated with time can be sent to the central node, ensuring the validity of the sender's certificate.
较佳地,所述中心节点发送的终端的鉴权信息还包括所述中心节点的签名,或包括所述中心节点的公钥及签名。Preferably, the authentication information of the terminal sent by the central node also includes the signature of the central node, or includes the public key and the signature of the central node.
本发明实施例中提供了一种终端进行身份验证的方法,包括:An embodiment of the present invention provides a method for terminal identity verification, including:
接收对端发送的未携带鉴权信息的消息;Receive the message without authentication information sent by the peer;
根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。The identity of the peer is verified according to the stored authentication information of the peer received from the central node.
本发明的上述实施例中,可以降低将鉴权信息携带在终端与终端通信时发送的消息中所需的系统资源开销,从而提高了系统的资源利用率。In the above embodiments of the present invention, the system resource overhead required for carrying the authentication information in the message sent when the terminal communicates with the terminal can be reduced, thereby improving the resource utilization rate of the system.
较佳地,所述对端的鉴权信息包括对端的发送者的公钥,根据对端的鉴权信息对对端身份进行验证,包括:Preferably, the authentication information of the opposite end includes the public key of the sender of the opposite end, and the identity of the opposite end is verified according to the authentication information of the opposite end, including:
根据对端的鉴权信息中的发送者公钥对对端身份进行验证,用以保证对端发送的消息的安全性和可信性。Verify the identity of the peer according to the sender's public key in the authentication information of the peer to ensure the security and credibility of the message sent by the peer.
较佳地,所述中心节点发送的终端的鉴权信息还包括中心节点的签名,或包括中心节点的公钥及签名,所述终端接收所述中心节点发送的终端的鉴权信息之后,进一步包括:Preferably, the authentication information of the terminal sent by the central node also includes the signature of the central node, or includes the public key and the signature of the central node, and after receiving the authentication information of the terminal sent by the central node, the terminal further include:
基于所述鉴权信息中的中心节点的签名或中心节点的公钥和签名,对所述中心节点进行身份验证,从而保证中心节点发送的终端的鉴权信息的安全性和可信性;Perform identity verification on the central node based on the signature of the central node or the public key and signature of the central node in the authentication information, thereby ensuring the security and credibility of the authentication information of the terminal sent by the central node;
验证通过后,在接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。After passing the verification, when receiving a message without authentication information sent by the peer end, verify the identity of the peer end according to the stored authentication information of the peer end received from the central node.
根据上述方法,本发明实施例中提供了一种中心节点,包括:According to the above method, an embodiment of the present invention provides a central node, including:
接收模块,用于接收其覆盖的终端发送的用于对终端进行身份验证的鉴权信息;A receiving module, configured to receive authentication information sent by a terminal covered by it for authenticating the terminal;
发送模块,用于将接收到每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。A sending module, configured to forward or process the received authentication information of each terminal to all terminals covered by the central node.
较佳地,所述发送模块进一步用于将接收的每个终端的鉴权信息转发给或处理后发送给与所述中心节点相邻的中心节点。Preferably, the sending module is further configured to forward or process the received authentication information of each terminal to a central node adjacent to the central node.
较佳地,所述接收模块进一步用于接收相邻中心节点发送的相邻中心节点覆盖的终端的鉴权信息;Preferably, the receiving module is further configured to receive the authentication information of the terminal covered by the adjacent central node sent by the adjacent central node;
所述发送模块进一步用于将接收的相邻中心节点覆盖的终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。The sending module is further configured to forward or process the received authentication information of the terminal covered by the adjacent central node to all terminals covered by the central node.
较佳地,所述鉴权信息包括发送者公钥。Preferably, the authentication information includes the sender's public key.
较佳地,所述鉴权信息还包括发送者的标识和/或证书管理机构CA的签名。Preferably, the authentication information further includes the identifier of the sender and/or the signature of the certificate authority CA.
较佳地,所述鉴权信息包括发送者证书中的一项或多项内容。Preferably, the authentication information includes one or more contents in the sender's certificate.
较佳地,进一步包括:Preferably, it further includes:
验证模块,用于基于蜂窝网络的鉴权认证体系或接收的终端鉴权信息中CA的签名对接收的每个终端进行身份验证;The verification module is used to verify the identity of each terminal received based on the authentication system of the cellular network or the signature of the CA in the received terminal authentication information;
所述发送模块进一步用于在验证通过后,将所述终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。The sending module is further configured to forward or process the authentication information of the terminal to all terminals covered by the central node after the verification is passed.
较佳地,所述鉴权信息为发送者证书,所述发送模块具体用于将接收的每个终端的发送者证书或发送者证书中的部分内容发送给所述中心节点覆盖的所有终端。Preferably, the authentication information is a sender's certificate, and the sending module is specifically configured to send the received sender's certificate or part of the sender's certificate of each terminal to all terminals covered by the central node.
较佳地,所述发送者证书包括CA签名,所述发送模块具体用于将去掉CA签名的终端的发送者证书发送给所述中心节点覆盖的所有终端。Preferably, the sender certificate includes a CA signature, and the sending module is specifically configured to send the sender certificate of the terminal without the CA signature to all terminals covered by the central node.
较佳地,进一步包括:Preferably, it further includes:
处理模块,用于在接收的每个终端的鉴权信息中加入利用中心节点的私有密钥所作的签名,或中心节点的公钥及利用中心节点的私有密钥所作的签名;A processing module, configured to add a signature made using the private key of the central node, or a public key of the central node and a signature made using the private key of the central node, to the received authentication information of each terminal;
所述发送模块具体用于将处理模块处理后的接收的每个终端的鉴权信息发送给所述中心节点覆盖的所有终端。The sending module is specifically configured to send the received authentication information of each terminal processed by the processing module to all terminals covered by the central node.
较佳地,所述发送模块具体用于:Preferably, the sending module is specifically used for:
按照设定时间间隔或事件触发方式,将接收的每个终端的鉴权信息发送给或处理后发送给所述中心节点覆盖的所有终端。The received authentication information of each terminal is sent or processed and sent to all terminals covered by the central node according to a set time interval or an event triggering manner.
较佳地,所述发送模块通过以下方式中的任一种,将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端:Preferably, the sending module forwards or processes the received authentication information of each terminal to all terminals covered by the central node in any of the following ways:
广播方式;组播方式;多播方式;点对点方式。Broadcast mode; multicast mode; multicast mode; point-to-point mode.
本发明实施例还提供了一种中心节点,包括处理器和数据收发接口,其中:The embodiment of the present invention also provides a central node, including a processor and a data sending and receiving interface, wherein:
所述处理器被配置为用于:接收其覆盖的终端发送的用于对终端进行身份验证的鉴权信息,将接收到每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端;The processor is configured to: receive the authentication information sent by the covered terminal for authenticating the terminal, and forward or process the received authentication information of each terminal to the central node all terminals covered;
所述数据收发接口用于实现所述处理器与终端之间的数据通信。The data transceiving interface is used to implement data communication between the processor and the terminal.
根据上述方法,本发明实施例中提供了一种终端,包括:According to the above method, an embodiment of the present invention provides a terminal, including:
发送模块,用于将对所述终端进行身份验证的鉴权信息发送给覆盖所述终端的中心节点;a sending module, configured to send authentication information for authenticating the terminal to a central node covering the terminal;
接收模块,用于接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储。The receiving module is configured to receive and store the authentication information of all terminals covered by the central node sent by the central node.
较佳地,所述接收模块进一步用于接收所述中心节点发送的相邻中心节点覆盖的所有终端的鉴权信息并进行存储。Preferably, the receiving module is further configured to receive and store authentication information of all terminals covered by adjacent central nodes sent by the central node.
较佳地,所述发送模块发送的鉴权信息包括发送者的公钥。Preferably, the authentication information sent by the sending module includes the sender's public key.
较佳地,所述发送模块发送的鉴权信息还包括发送者标识和/或证书管理机构CA的签名。Preferably, the authentication information sent by the sending module further includes the sender's identification and/or the signature of the certificate management authority CA.
较佳地,所述发送模块发送的鉴权信息包括发送者证书中的一项或多项内容。Preferably, the authentication information sent by the sending module includes one or more contents in the sender's certificate.
较佳地,所述发送模块具体用于:Preferably, the sending module is specifically used for:
按照设定时间间隔或事件触发方式将鉴权信息发送给覆盖所述终端的中心节点。The authentication information is sent to the central node covering the terminal according to a set time interval or an event triggering manner.
较佳地,所述接收模块接收的鉴权信息还包括所述中心节点的签名,或包括所述中心节点的公钥及签名。Preferably, the authentication information received by the receiving module also includes the signature of the central node, or includes the public key and signature of the central node.
较佳地,所述接收模块进一步用于接收对端发送的未携带鉴权信息的消息;Preferably, the receiving module is further configured to receive a message without authentication information sent by the opposite end;
所述终端进一步包括:The terminal further includes:
验证模块,用于在接收模块接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。The verification module is configured to verify the identity of the peer according to the stored authentication information of the peer received from the central node when the receiving module receives a message without authentication information sent by the peer.
较佳地,所述对端的鉴权信息包括对端的发送者的公钥,验证模块具体用于在接收模块接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息中的发送者公钥对对端身份进行验证。Preferably, the authentication information of the opposite end includes the public key of the sender of the opposite end, and the verification module is specifically configured to, when the receiving module receives a message without authentication information sent by the opposite end, according to the stored information received from the central node The sender's public key in the peer's authentication information verifies the identity of the peer.
较佳地,所述接收模块接收所述中心节点发送的终端的鉴权信息还包括中心节点的签名,或包括中心节点的公钥及签名,所述验证模块具体用于:Preferably, the terminal authentication information received by the receiving module from the central node also includes the signature of the central node, or includes the public key and signature of the central node, and the verification module is specifically used for:
基于所述鉴权信息中的中心节点的签名或中心节点的公钥和签名,对所述中心节点进行身份验证;Perform identity verification on the central node based on the signature of the central node or the public key and signature of the central node in the authentication information;
验证通过后,在接收模块接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。After the verification is passed, when the receiving module receives the message without authentication information sent by the peer, it verifies the identity of the peer according to the stored authentication information of the peer received from the central node.
本发明还提供一种终端,包括处理器和数据收发接口,其中:The present invention also provides a terminal, including a processor and a data sending and receiving interface, wherein:
所述处理器被配置为用于将对所述终端进行身份验证的鉴权信息发送给覆盖所述终端的中心节点,接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储;The processor is configured to send authentication information for identity verification of the terminal to a central node covering the terminal, and receive authentication information sent by the central node for all terminals covered by the central node and store it;
所述数据收发接口用于实现所述处理器与其它终端及中心节点间的数据通信。The data transceiving interface is used to implement data communication between the processor and other terminals and central nodes.
本发明实施例提供的鉴权信息传输方法及装置,利用中心节点对终端与终端通信时需要交互的鉴权信息进行转发的方式,极大地降低了将鉴权信息携带在终端与终端通信时发送的消息中所需的系统资源开销,从而提高了系统的资源利用率。The authentication information transmission method and device provided by the embodiments of the present invention use the way that the central node forwards the authentication information that needs to be interacted when the terminal communicates with the terminal, which greatly reduces the need to carry the authentication information when the terminal communicates with the terminal. The system resource overhead required in the message, thereby improving the resource utilization of the system.
附图说明Description of drawings
图1为本发明实施例提供的鉴权信息传输方法流程示意图;FIG. 1 is a schematic flowchart of a method for transmitting authentication information provided by an embodiment of the present invention;
图2为本发明实施例提供的终端鉴权信息传输方法流程示意图;FIG. 2 is a schematic flowchart of a method for transmitting terminal authentication information provided by an embodiment of the present invention;
图3为本发明实施例提供的终端进行身份验证的方法流程示意图;FIG. 3 is a schematic flowchart of a method for performing identity verification by a terminal provided by an embodiment of the present invention;
图4a为本发明提供的实施例一中的网络架构示意图;FIG. 4a is a schematic diagram of the network architecture in Embodiment 1 provided by the present invention;
图4b为本发明提供的实施例一的流程图;Figure 4b is a flowchart of Embodiment 1 provided by the present invention;
图4c为本发明提供的实施例二中的网络架构示意图;FIG. 4c is a schematic diagram of the network architecture in Embodiment 2 provided by the present invention;
图4d为本发明提供的实施例二的流程图;Figure 4d is a flowchart of Embodiment 2 provided by the present invention;
图4e为本发明提供的实施例三中的网络架构示意图;FIG. 4e is a schematic diagram of the network architecture in Embodiment 3 provided by the present invention;
图4f为本发明提供的实施例三的流程图;Fig. 4f is a flowchart of Embodiment 3 provided by the present invention;
图4g为本发明提供的实施例四中的网络架构示意图;FIG. 4g is a schematic diagram of the network architecture in Embodiment 4 provided by the present invention;
图4h为本发明提供的实施例四的流程图;Fig. 4h is a flowchart of Embodiment 4 provided by the present invention;
图5为本发明实施例提供的中心节点结构示意图;FIG. 5 is a schematic structural diagram of a central node provided by an embodiment of the present invention;
图6为本发明实施例提供的终端结构示意图。FIG. 6 is a schematic diagram of a terminal structure provided by an embodiment of the present invention.
具体实施方式Detailed ways
本发明实施例应用于通信系统,该系统中与本发明实施例相关的设备主要包括:中心节点、终端。利用中心节点对终端与终端通信时需要交互的鉴权信息进行转发的方式,极大地降低了将鉴权信息携带在终端与终端通信时发送的消息中所需的系统资源开销,从而提高了系统的资源利用率。The embodiment of the present invention is applied to a communication system, and the equipment related to the embodiment of the present invention in the system mainly includes: a central node and a terminal. Utilizing the way that the central node forwards the authentication information that needs to be interacted when the terminal communicates with the terminal greatly reduces the system resource overhead required to carry the authentication information in the message sent when the terminal communicates with the terminal, thus improving the system resource utilization.
下面结合附图对本发明的具体实施方式进行详细说明。Specific embodiments of the present invention will be described in detail below in conjunction with the accompanying drawings.
参见图1,本发明实施例提供的鉴权信息传输方法的流程,具体实现步骤包括:Referring to Fig. 1, the process flow of the authentication information transmission method provided by the embodiment of the present invention, the specific implementation steps include:
步骤101、中心节点接收其覆盖的终端发送的用于对终端身份进行验证的鉴权信息。Step 101, the central node receives authentication information for verifying the identity of the terminal sent by the terminal covered by it.
鉴权信息可以是任何形式的用于对终端进行身份认证的信息。The authentication information may be any form of information used to authenticate the identity of the terminal.
优选地,鉴权信息至少包括发送者公钥。进一步优选地,鉴权信息还包括发送者的标识和/或证书管理机构CA的签名。Preferably, the authentication information includes at least the sender's public key. Further preferably, the authentication information also includes the identifier of the sender and/or the signature of the certificate authority CA.
目前发送者证书具有用于对终端身份验证的信息,除了包含上述发送者公钥、CA的签名和/或发送者的标识(ID)外、还包含证书的序列号、证书发放机构的名称、以及能够使接收者验证证书是否已被撤销等信息。优选地,鉴权信息包括发送者证书中的一项或多项内容,发送者公钥为必须包括的内容。At present, the sender's certificate has information for authenticating the terminal. In addition to the above-mentioned sender's public key, CA's signature and/or sender's identification (ID), it also includes the serial number of the certificate, the name of the certificate issuing authority, And information that enables the recipient to verify whether the certificate has been revoked. Preferably, the authentication information includes one or more items in the sender's certificate, and the sender's public key must be included.
此外,证书中还包含关于时间、内容、位置的范围限制等信息,可以根据需要确定是否将其加入鉴权信息。当然,鉴权信息可以包括证书的全部内容。In addition, the certificate also contains information such as time, content, and location restrictions, and it can be determined whether to add it to the authentication information as required. Certainly, the authentication information may include all contents of the certificate.
步骤102、所述中心节点将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。Step 102, the central node forwards or processes the received authentication information of each terminal to all terminals covered by the central node.
中心节点对终端的鉴权信息进行处理时,可以是根据需要在鉴权信息中加入一些信息,或删除终端的鉴权信息中不必要的冗余信息,当然,还可以是其它处理方式。When the central node processes the authentication information of the terminal, it may add some information to the authentication information as required, or delete unnecessary redundant information in the authentication information of the terminal, and of course, other processing methods may also be used.
本发明实施例利用中心节点对终端与终端通信时需要交互的鉴权信息进行转发的方式,极大地降低了将鉴权信息携带在终端与终端通信时发送的消息中所需的系统资源开销,从而提高了系统的资源利用率。In the embodiment of the present invention, the central node forwards the authentication information that needs to be interacted when the terminal communicates with the terminal, which greatly reduces the system resource overhead required to carry the authentication information in the message sent when the terminal communicates with the terminal. Thus, the resource utilization rate of the system is improved.
实施中,中心节点可以采用如下方式将接收的每个终端的鉴权信息转发给或处理后发送给该中心节点覆盖的所有终端:During implementation, the central node may forward or process the received authentication information of each terminal to all terminals covered by the central node in the following manner:
1)按照设定时间间隔方式发送1) Send according to the set time interval
在设定时间间隔内中心节点接收终端的鉴权信息,当到达设定时间时,中心节点将此时间间隔内接收的每个终端的鉴权信息发送给或处理后发送给该中心节点覆盖的所有终端。The central node receives the authentication information of the terminal within the set time interval. When the set time is reached, the central node sends or processes the authentication information of each terminal received within this time interval to the network covered by the central node. all terminals.
采用此方式可以实现将多个终端的鉴权信息按照设定时间间隔统一下发,以提高网络资源利用率。In this manner, the authentication information of multiple terminals can be issued uniformly at a set time interval, so as to improve the utilization rate of network resources.
2)按照事件触发方式发送2) Send according to the event trigger mode
具体的触发方式可以是,当新接入该中心节点的终端数目达到一定数值时,将当前接收到的所有终端的鉴权信息统一下发,可以提高网络资源利用率。A specific triggering method may be that when the number of terminals newly connected to the central node reaches a certain value, the currently received authentication information of all terminals is issued in a unified manner, which can improve the utilization rate of network resources.
3)立即发送方式3) Send immediately
中心节点只要接收到终端发送的鉴权信息,则将接收的该终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。As long as the central node receives the authentication information sent by the terminal, it forwards or processes the received authentication information of the terminal to all terminals covered by the central node.
实施中,该中心节点通过以下方式中的任一种,将接收的每个终端的鉴权信息发送给或处理后发送给所述中心节点覆盖的所有终端:In implementation, the central node sends or processes the received authentication information of each terminal to all terminals covered by the central node in any of the following ways:
广播方式;组播方式;多播方式;点对点方式。其中,广播可以为MBMS广播、车联网专用广播、系统广播等,以达到合理利用信道资源,提高系统资源利用率的目的。Broadcast mode; multicast mode; multicast mode; point-to-point mode. Among them, broadcasting can be MBMS broadcasting, dedicated broadcasting for Internet of Vehicles, system broadcasting, etc., so as to achieve the purpose of rationally using channel resources and improving the utilization rate of system resources.
依照本发明另一优选实施方式,该中心节点将接收的每个终端的鉴权信息转发给或处理后发送给与该中心节点相邻的中心节点,以防止小区边缘处出现盲区。According to another preferred embodiment of the present invention, the central node forwards or processes received authentication information of each terminal to a central node adjacent to the central node, so as to prevent blind spots at cell edges.
优选的,该方法还包括:该中心节点接收相邻中心节点发送的相邻中心节点覆盖的终端的鉴权信息;将接收的相邻中心节点覆盖的终端的鉴权信息转发给或处理后发送给该中心节点覆盖的所有终端。Preferably, the method further includes: the central node receiving the authentication information of the terminal covered by the adjacent central node sent by the adjacent central node; forwarding or processing the received authentication information of the terminal covered by the adjacent central node to to all terminals covered by the central node.
对于不管是从中心节点覆盖的终端接收的鉴权信息,还是从相邻中心节点接收的终端的鉴权信息,将终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端之前,还包括:Whether it is the authentication information received from the terminal covered by the central node or the authentication information of the terminal received from the adjacent central node, forward or process the authentication information of the terminal to all terminals covered by the central node Previously, also included:
基于蜂窝网络的鉴权认证体系或接收的终端鉴权信息中CA的签名对该终端进行身份验证;验证通过后再发送。Based on the authentication and authentication system of the cellular network or the signature of the CA in the received terminal authentication information, the identity of the terminal is verified; the verification is passed before sending.
通常,中心节点基于CA的签名对对应终端进行身份验证。中心节点对终端的身份验证方式也可以采用其他方式,如借助于现有蜂窝网络的鉴权认证体系,一旦确定终端是蜂窝网络的合法接入终端,那么认为该终端发送的鉴权信息就是可信的。Usually, the central node authenticates the corresponding terminal based on the signature of the CA. The central node can also use other methods to verify the identity of the terminal. For example, with the help of the authentication system of the existing cellular network, once the terminal is determined to be a legal access terminal of the cellular network, the authentication information sent by the terminal is considered to be valid. Faithful.
中心节点发送给所述中心节点覆盖的所有终端的鉴权信息是相同的。The authentication information sent by the central node to all terminals covered by the central node is the same.
该鉴权信息为发送者证书或发送者证书部分内容,该中心节点将接收的每个终端的发送者证书或发送者证书中的部分内容发送给所述中心节点覆盖的所有终端。The authentication information is the sender's certificate or part of the content of the sender's certificate, and the central node sends the received sender's certificate or part of the content of the sender's certificate to all terminals covered by the central node.
在鉴权信息为发送者证书部分内容时,该中心节点将去掉CA签名的终端的发送者证书发送给该中心节点覆盖的所有终端。When the authentication information is part of the content of the sender's certificate, the central node sends the sender's certificate of the terminal without the CA signature to all terminals covered by the central node.
在中心节点对终端的鉴权信息进行处理时,采用如下任一方式:When the central node processes the authentication information of the terminal, any of the following methods is adopted:
1)在终端的鉴权信息中加入利用中心节点的私有密钥所作的签名;1) Add the signature made by the private key of the central node to the authentication information of the terminal;
需要说明的是,若中心节点的公钥是公知信息时,则在规范或协议中规定或在中心节点的系统广播中通知,那么中心节点在向该中心节点覆盖的所有终端发送鉴权信息时不需要添加该中心节点的公钥。It should be noted that if the public key of the central node is publicly known information, it is stipulated in the specification or protocol or notified in the system broadcast of the central node, then when the central node sends authentication information to all terminals covered by the central node There is no need to add the public key of the central node.
2)在终端的鉴权信息中加入中心节点的公钥及利用中心节点的私有密钥所作的签名。2) Add the public key of the central node and the signature made with the private key of the central node to the authentication information of the terminal.
需要说明的是,此时中心节点的公钥是非公知信息,因此中心节点在向该中心节点覆盖的所有终端发送鉴权信息时,需要添加该中心节点的公钥。It should be noted that the public key of the central node is unknown information at this time, so when the central node sends authentication information to all terminals covered by the central node, it needs to add the public key of the central node.
基于加入的利用中心节点的私有密钥所作的签名,或中心节点的公钥及中心节点的私有密钥所作的签名,终端可以对该中心节点进行身份验证,从而保证中心节点发送的终端的鉴权信息的安全性和可信性。Based on the signature made using the private key of the central node, or the signature made by the public key of the central node and the private key of the central node, the terminal can authenticate the central node, thereby ensuring the authentication of the terminal sent by the central node. security and credibility of information.
本发明实施例对于上述鉴权信息的发送方式不做具体限制。The embodiment of the present invention does not specifically limit the sending manner of the above authentication information.
参见图2,本发明实施例提供的终端侧的鉴权信息传输方法的流程,具体实现步骤包括:Referring to FIG. 2 , the flow of the terminal-side authentication information transmission method provided by the embodiment of the present invention, the specific implementation steps include:
步骤201、将用于对该终端进行身份验证的鉴权信息发送给覆盖该终端的中心节点。Step 201. Send the authentication information for authenticating the terminal to the central node covering the terminal.
鉴权信息可以是任何形式的用于对终端进行身份认证的信息。The authentication information may be any form of information used to authenticate the identity of the terminal.
优选地,鉴权信息至少包括发送者公钥。进一步优选地,鉴权信息还包括发送者的标识和/或证书管理机构CA的签名。Preferably, the authentication information includes at least the sender's public key. Further preferably, the authentication information also includes the identifier of the sender and/or the signature of the certificate authority CA.
目前发送者证书具有用于对终端身份验证的信息,除了包含上述发送者公钥、CA的签名和/或发送者的标识(ID)外、还包含证书的序列号、证书发放机构的名称、以及能够使接收者验证证书是否已被撤销等信息。优选地,鉴权信息包括发送者证书中的一项或多项内容,若包括发送者证书一项内容,则该项内容为发送者公钥。At present, the sender's certificate has information for authenticating the terminal. In addition to the above-mentioned sender's public key, CA's signature and/or sender's identification (ID), it also includes the serial number of the certificate, the name of the certificate issuing authority, And information that enables the recipient to verify whether the certificate has been revoked. Preferably, the authentication information includes one or more items in the sender's certificate, and if one item of the sender's certificate is included, then the item is the sender's public key.
此外,证书中还包含关于时间、内容、位置的范围限制等信息,可以根据需要确定是否将其加入鉴权信息。当然,鉴权信息可以包括证书的全部内容。In addition, the certificate also contains information such as time, content, and location restrictions, and it can be determined whether to add it to the authentication information as required. Certainly, the authentication information may include all contents of the certificate.
具体的,该终端按照设定时间间隔或事件触发方式将鉴权信息发送给覆盖该终端的中心节点。Specifically, the terminal sends the authentication information to the central node covering the terminal according to a set time interval or an event triggering manner.
通常,若终端前后发送的鉴权信息中的证书的有效时间有30秒的重叠时间,那么终端可以在每两个证书的重叠时间范围内按照设定时间间隔向中心节点发送携带各自公钥的下一个将要使用的证书。Usually, if the valid time of the certificates in the authentication information sent by the terminal overlaps by 30 seconds, then the terminal can send certificates carrying their respective public keys to the central node according to the set time interval within the overlapping time range of each two certificates. The next certificate to be used.
出于保护隐私,终端使用一个证书通常只在有限时间内有效;1609.2协议中规定每个终端的证书集中任意一个时刻只有一个证书是有效的。这个原则可以放松为相邻两个证书的有效时间段可以允许一个短时间的重叠,使得证书可以在重叠的时间段内随机转换从而更好地保护隐私,另外也可以使得当一个严重的事件发生时让终端拥有一定的延迟变换证书的灵活度。To protect privacy, a certificate used by a terminal is usually only valid for a limited time; the 1609.2 protocol stipulates that only one certificate is valid at any time in the certificate set of each terminal. This principle can be relaxed to allow a short period of overlap between the validity periods of two adjacent certificates, so that the certificates can be randomly switched within the overlapping period of time to better protect privacy, and it can also be used when a serious event occurs This allows the terminal to have a certain degree of flexibility in delaying and changing certificates.
步骤202、接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储。Step 202: Receive and store the authentication information of all terminals covered by the central node sent by the central node.
优选的,该方法还包括:该终端接收该中心节点发送的相邻中心节点覆盖的所有终端的鉴权信息并进行存储。Preferably, the method further includes: the terminal receives and stores the authentication information of all terminals covered by adjacent central nodes sent by the central node.
该步骤中,基于加入的利用中心节点的私有密钥所作的签名,或中心节点的公钥及中心节点的私有密钥所作的签名,终端可以对该中心节点进行身份验证,从而保证中心节点发送的终端的鉴权信息的安全性和可信性。In this step, based on the signature made by the private key of the central node, or the signature made by the public key of the central node and the private key of the central node, the terminal can authenticate the central node to ensure that the central node sends The security and credibility of the authentication information of the terminal.
需要说明的是,若中心节点的公钥是公知信息时,则在规范或协议中规定或在中心节点的系统广播中通知,那么中心节点在向该中心节点覆盖的所有终端发送鉴权信息时不需要添加该中心节点的公钥。It should be noted that if the public key of the central node is publicly known information, it is stipulated in the specification or protocol or notified in the system broadcast of the central node, then when the central node sends authentication information to all terminals covered by the central node There is no need to add the public key of the central node.
参见图3,本发明实施例提供的终端进行身份验证的方法流程,具体实现步骤包括:Referring to FIG. 3 , the flow of the method for terminal identity verification provided by the embodiment of the present invention, the specific implementation steps include:
步骤301、接收对端发送的未携带鉴权信息的消息。Step 301. Receive a message without authentication information sent by the peer end.
步骤302、根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。Step 302: Verify the identity of the peer according to the stored authentication information of the peer received from the central node.
该步骤中,所述对端的鉴权信息包括对端的发送者的公钥,根据对端的鉴权信息中的发送者公钥对对端身份进行验证。In this step, the authentication information of the opposite end includes the public key of the sender of the opposite end, and the identity of the opposite end is verified according to the sender's public key in the authentication information of the opposite end.
上述实施例中,在终端接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证,以使终端利用存储的从中心节点接收的对端的鉴权信息对对端进行身份验证,这样终端与终端发送的消息中不需要携带鉴权信息,从而极大地降低了在终端与终端之间发送消息时携带鉴权信息造成的网络资源开销,显著地提高了终端与终端之间通信的效率。In the above embodiment, when the terminal receives a message without authentication information sent by the peer, it verifies the identity of the peer according to the stored authentication information of the peer received from the central node, so that the terminal uses the stored The peer authentication information received from the central node verifies the identity of the peer, so that the message sent between the terminal and the terminal does not need to carry authentication information, which greatly reduces the need to carry authentication information when sending messages between terminals The resulting network resource overhead significantly improves the efficiency of communication between terminals.
步骤303、若根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证,若验证通过,则转入步骤304;若验证未通过,则转入步骤305。Step 303. If the identity of the peer is verified according to the stored authentication information of the peer received from the central node, if the verification is passed, then go to step 304; if the verification is not passed, then go to step 305.
步骤304、该终端将通过身份验证的所述对端发送的未携带鉴权信息的消息递交给高层进行处理。Step 304, the terminal submits the message without authentication information sent by the peer terminal that has passed the identity verification to the upper layer for processing.
步骤305、该终端将未通过身份验证的所述对端发送的未携带鉴权信息的消息丢弃。Step 305, the terminal discards the message without authentication information sent by the peer that has not passed the authentication.
进一步地,在接收到对端发送的未携带鉴权信息的消息时,若还未存储该对端的鉴权信息,则将对端发送的消息直接丢弃。Further, when receiving a message without authentication information sent by the peer end, if the authentication information of the peer end has not been stored, the message sent by the peer end is directly discarded.
通过以上流程可以看出,本发明的上述实施例中,中心节点接收其覆盖的所有终端发送的用于对终端进行身份验证的鉴权信息;该中心节点将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。本发明实施例中利用中心节点对终端与终端通信时需要交互的鉴权信息进行转发的方式,极大地降低了将鉴权信息携带在终端与终端通信时发送的消息中所需的系统资源开销,从而提高了系统的资源利用率。It can be seen from the above process that in the above-mentioned embodiments of the present invention, the central node receives the authentication information sent by all terminals covered by it for authenticating the terminal; the central node will receive the authentication information of each terminal forwarded to or processed and sent to all terminals covered by the central node. In the embodiment of the present invention, the central node forwards the authentication information that needs to be interacted when the terminal communicates with the terminal, which greatly reduces the system resource overhead required to carry the authentication information in the message sent when the terminal communicates with the terminal. , thereby improving the resource utilization of the system.
本发明实施例中,中心节点可以是具备基站功能的设备或是具有鉴权信息转发功能的管理设备,例如,中心节点可以为:宏(Macro)基站或微(Pico)基站或家庭(femto)基站;终端设备为至少具备物理层传输功能的设备,例如车辆节点或路侧基础设施节点。In the embodiment of the present invention, the central node can be a device with base station function or a management device with authentication information forwarding function, for example, the central node can be: macro (Macro) base station or micro (Pico) base station or home (femto) A base station; a terminal device is a device that has at least a physical layer transmission function, such as a vehicle node or a roadside infrastructure node.
下面以基站与车辆节点构成的通信系统为例,并结合具体实施例对本发明进行详细说明:The communication system composed of the base station and the vehicle node is taken as an example below, and the present invention is described in detail in combination with specific embodiments:
实施例一:基站接收其覆盖的车辆节点发送的用于对车辆节点进行身份验证的鉴权信息,该基站将接收的每个车辆节点的鉴权信息转发给或处理后发送给该基站覆盖的所有车辆节点,其中,基站基于蜂窝网络的鉴权认证体系对车辆节点进行身份验证。Embodiment 1: The base station receives the authentication information sent by the covered vehicle node for identity verification of the vehicle node, and the base station forwards or processes the received authentication information of each vehicle node to the covered vehicle node of the base station. For all vehicle nodes, the base station authenticates the vehicle nodes based on the authentication system of the cellular network.
图4a为本发明提供的实施例一中的网络架构示意图,设基站A下包含3个车辆节点a、b、c。实施例一的流程如图4b所示,步骤如下:Fig. 4a is a schematic diagram of the network architecture in Embodiment 1 provided by the present invention, assuming that base station A includes three vehicle nodes a, b, and c. The process of Embodiment 1 is shown in Figure 4b, and the steps are as follows:
步骤一、车辆节点a、b、c接入基站A后,车辆节点a、b、c将用于对车辆节点a、b、c进行身份验证的鉴权信息发送给覆盖车辆节点a、b、c的基站A。Step 1: After the vehicle nodes a, b, c access the base station A, the vehicle nodes a, b, c send the authentication information used to verify the identity of the vehicle nodes a, b, c to the covering vehicle nodes a, b, base station A of c.
该步骤中,车辆节点a、b、c按照设定时间间隔或事件触发方式将鉴权信息发送给覆盖车辆节点a、b、c的基站A。In this step, the vehicle nodes a, b, and c send authentication information to the base station A covering the vehicle nodes a, b, and c according to a set time interval or an event-triggered manner.
通常,若车辆节点a、b、c前后发送的两个发送者证书的有效时间有30秒的重叠时间,那么车辆节点a、b、c可以在每两个证书的重叠时间范围内向基站A发送携带各自公钥的下一个将要使用的证书。Usually, if the valid time of the two sender certificates sent by vehicle nodes a, b, and c has an overlapping time of 30 seconds, then vehicle nodes a, b, and c can send to base station A within the overlapping time range of each two certificates The next certificate to be used carries the respective public key.
步骤二、基站A接收其覆盖的车辆节点a、b、c发送的用于对车辆节点a、b、c进行身份验证的鉴权信息后,基于蜂窝网络的鉴权认证体系对车辆节点进行身份验证。Step 2: After the base station A receives the authentication information sent by the vehicle nodes a, b, and c covered by it for identity verification of the vehicle nodes a, b, and c, the identity of the vehicle nodes is verified based on the authentication system of the cellular network. verify.
该步骤中、基站A基于蜂窝网络的鉴权认证体系对车辆节点进行身份验证,如基站A基于车辆节点的标识对车辆节点的身份进行验证,验证通过后转入步骤三,验证未通过则将未通过身份验证的鉴权信息丢弃。In this step, base station A verifies the identity of the vehicle node based on the authentication system of the cellular network. For example, base station A verifies the identity of the vehicle node based on the identity of the vehicle node. Authentication information that has not passed authentication is discarded.
步骤三、基站A将车辆节点a、b、c的鉴权信息(发送者证书)转发给或处理后发送给其覆盖的车辆节点a、b、c。Step 3. The base station A forwards or processes the authentication information (sender certificate) of the vehicle nodes a, b, and c to the vehicle nodes a, b, and c covered by it.
需要说明的是,基站A发送给各车辆节点a、b、c的是相同的鉴权信息。具体可以为将车辆节点a、b、c的鉴权信息放在一个数据包中进行发送。It should be noted that the base station A sends the same authentication information to the vehicle nodes a, b, and c. Specifically, the authentication information of the vehicle nodes a, b, and c may be sent in one data packet.
优选的,在车辆节点的鉴权信息中加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名;将加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用该基站A的私有密钥所作的签名的车辆节点的鉴权信息发送给该基站A覆盖的车辆节点a、b、c。Preferably, a signature made using the private key of base station A is added to the authentication information of the vehicle node, or a public key of base station A and a signature made using the private key of base station A; The signature, or the public key of base station A and the authentication information of the vehicle node signed by the private key of base station A are sent to the vehicle nodes a, b, and c covered by base station A.
需要说明的是,如果基站A的公钥是公知信息时,如在规范或协议中规定或在基站A的系统广播中通知,那么基站A在向其覆盖的车辆节点a、b、c发送鉴权信息时不需要添加基站A的公钥。It should be noted that if the public key of base station A is public information, as stipulated in the specification or protocol or notified in the system broadcast of base station A, then base station A sends the authentication key to the vehicle nodes a, b, and c covered by it. It is not necessary to add the public key of base station A when accessing the authorization information.
具体实施中,设车辆节点a、b通过了身份验证,车辆节点c没有通过身份验证,那么基站A将包含车辆节点a、b的车辆节点的鉴权信息按照设定时间间隔并通过系统广播方式发送给该基站A覆盖的所有车辆节点a、b、c。In the specific implementation, assuming that vehicle nodes a and b have passed the identity verification, and vehicle node c has not passed the identity verification, then base station A will broadcast the authentication information of the vehicle nodes including vehicle nodes a and b according to the set time interval and through the system broadcast Send to all vehicle nodes a, b, c covered by the base station A.
在上述优选的实施方式中,在车辆节点a、b的鉴权信息中加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名;将加入加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名的车辆节点的鉴权信息按照设定时间间隔并通过系统广播方式发送给该基站A覆盖的所有车辆节点a、b、c。In the preferred embodiment above, the authentication information of the vehicle nodes a and b is added with the signature made using the private key of base station A, or the public key of base station A and the signature made with the private key of base station A; Adding the signature made with the private key of base station A, or the public key of base station A and the signature made with the private key of base station A, the authentication information of the vehicle node is sent to the vehicle node through the system broadcast at the set time interval All vehicle nodes a, b, c covered by base station A.
步骤四、车辆节点a、b、c接收基站A发送的该基站覆盖的车辆节点的鉴权信息并进行存储。Step 4: The vehicle nodes a, b, and c receive the authentication information of the vehicle nodes covered by the base station sent by the base station A and store it.
步骤五、车辆节点a、b、c接收到对端发送的未携带鉴权信息的消息时,根据存储的从覆盖车辆节点a、b、c的基站A接收的对端的鉴权信息对对端身份进行验证。Step 5. When the vehicle nodes a, b, and c receive the message without authentication information sent by the peer, they send the authentication information of the peer to the peer according to the stored authentication information received from the base station A covering the vehicle nodes a, b, and c. Identity is verified.
该步骤中,车辆节点a、b、c根据对端的鉴权信息中的发送者公钥对对端身份进行验证。具体可以为,比较根据对端的发送者公钥和发送消息生成签名信息与对端发送消息中携带的采用对端私钥所作的签名信息是否一致,如果两个签名信息一致,则认为对端是可信终端,否则认为对端是不可信终端。In this step, the vehicle nodes a, b, and c verify the identity of the peer according to the sender's public key in the authentication information of the peer. Specifically, it can be compared whether the signature information generated according to the public key of the sender of the peer and the sent message is consistent with the signature information carried in the message sent by the peer using the private key of the peer. If the two signature information are consistent, the peer is considered to be trusted terminal, otherwise the peer is considered an untrusted terminal.
优选的,基站A发送的车辆节点的鉴权信息还包括基站A的签名,或基站A的公钥及签名,车辆节点a、b、c接收该基站发送的车辆节点的鉴权信息之后,还包括:Preferably, the authentication information of the vehicle node sent by the base station A also includes the signature of the base station A, or the public key and the signature of the base station A, after the vehicle nodes a, b, c receive the authentication information of the vehicle node sent by the base station, they also include:
基于该基站A的签名,或基站A的公钥及签名对该基站A进行身份验证;Based on the signature of the base station A, or the public key and signature of the base station A, the identity verification of the base station A is performed;
验证通过后,在接收到对端发送的未携带鉴权信息的消息时,根据存储的从该基站A接收的对端的鉴权信息对对端身份进行验证。After passing the verification, when receiving a message without authentication information sent by the peer end, verify the identity of the peer end according to the stored authentication information of the peer end received from the base station A.
具体实施中,车辆节点c接收到覆盖该车辆节点的基站A发送的包含车辆节点a、b的证书的鉴权信息并进行存储后,先采用该鉴权信息中携带的基站A的签名,或基站A的公钥及签名对该基站A进行身份验证,验证通过后,车辆节点c在接收到对端车辆节点a、b发送的未携带鉴权信息的消息时,根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证。In the specific implementation, after the vehicle node c receives and stores the authentication information including the certificates of the vehicle nodes a and b sent by the base station A covering the vehicle node, it first adopts the signature of the base station A carried in the authentication information, or The public key and signature of the base station A verify the identity of the base station A. After the verification is passed, when the vehicle node c receives the message without authentication information sent by the peer vehicle nodes a and b, it The received authentication information of peer vehicle nodes a and b respectively verifies the identity of the peers.
步骤六、若车辆节点a、b、c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则转入步骤七;若车辆节点a、b、c根据从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则转入步骤八。Step 6. If the vehicle nodes a, b, and c pass the verification of the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then go to step seven; if the vehicle node a , b, and c respectively verify the identity of the opposite end according to the authentication information of the opposite end vehicle nodes a and b received from the base station A, and then go to step eight.
步骤七、车辆节点a、b、c将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理。Step 7: Vehicle nodes a, b, and c submit the message without authentication information sent by the authenticated peer to the upper layer for processing.
步骤八、车辆节点a、b、c将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃。Step 8: Vehicle nodes a, b, and c discard messages without authentication information sent by peers that have not passed identity verification.
进一步地,车辆节点a、b、c对未接收到的对端的鉴权信息的对端发送的未携带鉴权信息的消息直接丢弃。Further, the vehicle nodes a, b, c directly discard the messages without authentication information sent by the peers that have not received the authentication information of the peers.
具体实施中,若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理;若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则将未通过身份验证的对端车辆节点a、b发送的未携带鉴权信息的消息丢弃;车辆节点a、b的操作与车辆节点c的操作类似,但由于基站A按照设定时间间隔通过系统广播形式发送的鉴权信息中没有车辆节点c的鉴权信息,因此车辆节点a、b、只能根据存储的从该基站A接收的车辆节点a、b的鉴权信息中彼此的鉴权信息对对端发送的未携带鉴权信息的消息进行验证,将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理,将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃,而车辆节点a、b在接收到对端发送的未携带鉴权信息的消息时,若还未存储对端的鉴权信息,则将对端发送的消息直接丢弃,如对于接收到的车辆节点c发送的未携带鉴权信息的消息时,直接将车辆节点c发送的未携带鉴权信息的消息丢弃。In the specific implementation, if the vehicle node c has verified the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then the authentication information sent by the opposite end that has passed the identity verification does not carry the authentication information. The message of authorization information is submitted to the upper layer for processing; if the vehicle node c fails to verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, it will fail the identity verification The messages without authentication information sent by peer vehicle nodes a and b are discarded; the operation of vehicle nodes a and b is similar to that of vehicle node c, but since the authentication information sent by base station A through the system broadcast at the set time There is no authentication information of vehicle node c in the authorization information, so vehicle nodes a and b can only send to the other end according to the authentication information of each other in the stored authentication information of vehicle nodes a and b received from the base station A Verify the message without authentication information, submit the message without authentication information sent by the authenticated peer to the upper layer for processing, and discard the message without authentication information sent by the unauthenticated peer , and when vehicle nodes a and b receive a message that does not carry authentication information sent by the peer, if the authentication information of the peer has not been stored, they will directly discard the message sent by the peer, such as for the received vehicle node When c sends a message without authentication information, directly discard the message without authentication information sent by vehicle node c.
实施例二:基站接收其覆盖的车辆节点发送的用于对车辆节点身份进行验证的鉴权信息,该基站将接收的每个车辆节点的鉴权信息转发给或处理后发送给该基站覆盖的所有车辆节点,其中,基站基于接收的车辆节点的鉴权信息中CA的签名对车辆节点进行身份验证。Embodiment 2: The base station receives the authentication information sent by the covered vehicle node for verifying the identity of the vehicle node, and the base station forwards or processes the received authentication information of each vehicle node to the covered vehicle node of the base station. For all vehicle nodes, the base station performs identity verification on the vehicle node based on the signature of the CA in the received authentication information of the vehicle node.
图4c为本发明提供的实施例二中的网络架构示意图,设基站A下包含3个车辆节点a、b、c,实施例二的流程如图4d所示,步骤如下:Figure 4c is a schematic diagram of the network architecture in Embodiment 2 provided by the present invention. It is assumed that base station A contains 3 vehicle nodes a, b, and c. The process of Embodiment 2 is shown in Figure 4d, and the steps are as follows:
步骤一、车辆节点a、b、c接入基站A后,车辆节点a、b、c将用于对车辆节点a、b、c进行身份验证的鉴权信息发送给覆盖车辆节点a、b、c的基站A。Step 1: After the vehicle nodes a, b, c access the base station A, the vehicle nodes a, b, c send the authentication information used to verify the identity of the vehicle nodes a, b, c to the covering vehicle nodes a, b, base station A of c.
该步骤的具体实施方式如实施例一中步骤一中所述。The specific implementation of this step is as described in Step 1 in Example 1.
步骤二、基站A接收其覆盖的车辆节点a、b、c发送的用于对车辆节点a、b、c进行身份验证的鉴权信息后,基于鉴权信息中CA的签名对车辆节点的身份进行验证。Step 2: After base station A receives the authentication information sent by the vehicle nodes a, b, and c covered by it for identity verification of vehicle nodes a, b, and c, it verifies the identity of the vehicle node based on the signature of CA in the authentication information. authenticating.
该步骤中、基站A基于接收的车辆节点的鉴权信息中CA的签名对车辆节点的身份进行验证,验证通过后转入步骤三,验证未通过则将未通过身份验证的鉴权信息丢弃。In this step, the base station A verifies the identity of the vehicle node based on the signature of the CA in the received authentication information of the vehicle node. After the verification is passed, go to step 3. If the verification fails, the authentication information that fails the identity verification is discarded.
步骤三、基站A将车辆节点a、b、c的鉴权信息(发送者证书)转发给或处理后发送给其覆盖的车辆节点a、b、c。Step 3. The base station A forwards or processes the authentication information (sender certificate) of the vehicle nodes a, b, and c to the vehicle nodes a, b, and c covered by it.
需要说明的是,基站A发送给各车辆节点a、b、c的是相同的鉴权信息。It should be noted that the base station A sends the same authentication information to the vehicle nodes a, b, and c.
优选的,在车辆节点a、b的鉴权信息中加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名;将加入加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名的车辆节点的鉴权信息按照设定时间间隔并通过系统广播方式发送给该基站A覆盖的所有车辆节点a、b、c。Preferably, a signature made using the private key of base station A, or a public key of base station A and a signature made using the private key of base station A are added to the authentication information of vehicle nodes a and b; The signature made by the private key of the base station A, or the public key of the base station A and the authentication information of the vehicle node signed by the private key of the base station A are sent to all the nodes covered by the base station A through the system broadcast at the set time interval Vehicle nodes a, b, c.
需要说明的是,如果基站A的公钥是公知信息时,如在规范或协议中规定或在基站A的系统广播中通知,那么基站A在向其覆盖的车辆节点a、b、c发送鉴权信息时不需要添加基站A的公钥。It should be noted that if the public key of base station A is public information, as stipulated in the specification or protocol or notified in the system broadcast of base station A, then base station A sends the authentication key to the vehicle nodes a, b, and c covered by it. It is not necessary to add the public key of base station A when accessing the authorization information.
具体实施中,设车辆节点a、b通过了身份验证,车辆节点c没有通过身份验证,那么基站A将车辆节点a、b的鉴权信息按照设定时间间隔并通过MBMS广播形式发送给该基站A覆盖的车辆节点a、b、c。In the specific implementation, assuming that vehicle nodes a and b have passed the identity verification, and vehicle node c has not passed the identity verification, then base station A sends the authentication information of vehicle nodes a and b to the base station in the form of MBMS broadcast at a set time interval Vehicle nodes a, b, c covered by A.
在上述优选的实施方式中,在车辆节点a、b的鉴权信息中加入利用该基站A的私有密钥所作的签名,或该基站A的公钥及利用该基站A的私有密钥所作的签名;将加入利用该基站A的私有密钥所作的签名,或该基站A的公钥及利用该基站A的私有密钥所作的签名的车辆节点a、b的鉴权信息按照设定时间间隔并通过MBMS广播形式发送给该基站A覆盖的车辆节点a、b、c。In the preferred embodiment above, the authentication information of the vehicle nodes a and b is added with the signature made using the private key of the base station A, or the public key of the base station A and the signature made with the private key of the base station A. Signature; the authentication information of vehicle nodes a and b will be added with the signature made by the private key of the base station A, or the public key of the base station A and the signature made with the private key of the base station A according to the set time interval And send it to the vehicle nodes a, b, c covered by the base station A in the form of MBMS broadcast.
步骤四、车辆节点a、b、c接收该基站A发送的该基站A覆盖的车辆节点的鉴权信息并进行存储。Step 4: The vehicle nodes a, b, and c receive and store the authentication information of the vehicle nodes covered by the base station A sent by the base station A.
步骤五、车辆节点a、b、c接收到对端发送的未携带鉴权信息的消息时,根据存储的从覆盖车辆节点a、b、c的基站A接收的对端的鉴权信息对对端身份进行验证。Step 5. When the vehicle nodes a, b, and c receive the message without authentication information sent by the peer, they send the authentication information of the peer to the peer according to the stored authentication information received from the base station A covering the vehicle nodes a, b, and c. Identity is verified.
该步骤中,车辆节点a、b、c根据对端的鉴权信息中的发送者公钥对对端身份进行验证。In this step, the vehicle nodes a, b, and c verify the identity of the peer according to the sender's public key in the authentication information of the peer.
优选的,该基站A发送的车辆节点的鉴权信息还包括该基站A的签名,或基站A的公钥及签名(当基站的公钥为公知信息时,基站A在向该基站覆盖的所有车辆节点发送鉴权信息时不需要添加该基站的公钥,即该鉴权信息中仅携带利用该基站的私有密钥所作的签名),车辆节点a、b、c接收该基站A发送的车辆节点的鉴权信息之后,还包括:Preferably, the authentication information of the vehicle node sent by the base station A also includes the signature of the base station A, or the public key and the signature of the base station A (when the public key of the base station is public When the vehicle node sends the authentication information, it is not necessary to add the public key of the base station, that is, the authentication information only carries the signature made by the private key of the base station), and the vehicle nodes a, b, and c receive the vehicle information sent by the base station A. After the authentication information of the node, it also includes:
基于该基站A的签名,或基站A的公钥及签名对该基站A进行身份验证;Based on the signature of the base station A, or the public key and signature of the base station A, the identity verification of the base station A is performed;
验证通过后,在接收到对端发送的未携带鉴权信息的消息时,根据存储的从该基站A接收的对端的鉴权信息对对端身份进行验证。After passing the verification, when receiving a message without authentication information sent by the peer end, verify the identity of the peer end according to the stored authentication information of the peer end received from the base station A.
具体实施中,车辆节点c接收到覆盖该车辆节点的基站A发送的包含车辆节点a、b的证书的鉴权信息后,先采用该鉴权信息中携带的基站A的签名,或基站A的公钥及签名对该基站A进行身份验证,验证通过后,车辆节点c在接收到对端车辆节点a、b发送的未携带鉴权信息的消息时,根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证。In the specific implementation, after the vehicle node c receives the authentication information including the certificates of the vehicle nodes a and b sent by the base station A covering the vehicle node, it first adopts the signature of the base station A carried in the authentication information, or the signature of the base station A The public key and signature are used to verify the identity of the base station A. After the verification is passed, when the vehicle node c receives the message without authentication information sent by the peer vehicle nodes a and b, it will The authentication information of the end vehicle nodes a and b respectively verify the identity of the end.
步骤六、若车辆节点a、b、c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则转入步骤七;若车辆节点a、b、c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则转入步骤八。Step 6. If the vehicle nodes a, b, and c pass the verification of the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then go to step seven; if the vehicle node a , b, and c respectively verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, and then go to step eight.
步骤七、车辆节点a、b、c将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理。Step 7: Vehicle nodes a, b, and c submit the message without authentication information sent by the authenticated peer to the upper layer for processing.
步骤八、车辆节点a、b、c将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃。Step 8: Vehicle nodes a, b, and c discard messages without authentication information sent by peers that have not passed identity verification.
进一步地,车辆节点a、b、c对未接收到的对端的鉴权信息的对端发送的未携带鉴权信息的消息直接丢弃。Further, the vehicle nodes a, b, c directly discard the messages without authentication information sent by the peers that have not received the authentication information of the peers.
具体实施中,若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理;若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则将未通过身份验证的对端车辆节点a、b发送的未携带鉴权信息的消息丢弃;车辆节点a、b的操作与车辆节点c的操作类似,但由于基站A发送的鉴权信息中没有车辆节点c的鉴权信息,因此车辆节点a、b、只能根据存储的从基站A接收的车辆节点a、b的鉴权信息中彼此的鉴权信息对对端发送的未携带鉴权信息的消息进行验证,将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理,将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃,而车辆节点a、b在接收到对端发送的未携带鉴权信息的消息时,若还未存储对端的鉴权信息,则将对端发送的消息直接丢弃,如对于接收到的车辆节点c发送的未携带鉴权信息的消息时,直接将车辆节点c发送的未携带鉴权信息的消息丢弃。In the specific implementation, if the vehicle node c has verified the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then the authentication information sent by the opposite end that has passed the identity verification does not carry the authentication information. The message of authorization information is submitted to the upper layer for processing; if the vehicle node c fails to verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, it will fail the identity verification The messages without authentication information sent by peer vehicle nodes a and b are discarded; the operation of vehicle nodes a and b is similar to that of vehicle node c, but since the authentication information sent by base station A does not include the authentication information of vehicle node c Therefore, vehicle nodes a and b can only verify the message without authentication information sent by the other end according to the authentication information of each other in the authentication information of vehicle nodes a and b received from base station A. Submit the message without authentication information sent by the peer that has passed the identity verification to the upper layer for processing, and discard the message without the authentication information sent by the peer that has not passed the identity verification, and the vehicle nodes a and b receive When the peer sends a message that does not carry authentication information, if the authentication information of the peer has not been stored, the message sent by the peer is directly discarded, such as the received message that does not carry authentication information sent by vehicle node c , the message without authentication information sent by vehicle node c is directly discarded.
实施例三:基站接收其覆盖的车辆节点发送的用于对车辆节点身份进行验证的鉴权信息,该基站将接收的每个车辆节点的鉴权信息发送给或处理后发送给该基站覆盖的所有车辆节点,其中,基站将去掉CA签名的车辆节点的发送者证书发送给该基站覆盖的所有车辆节点;基站基于蜂窝网络的鉴权认证体系或鉴权信息中CA的签名对车辆节点的身份进行验证。Embodiment 3: The base station receives the authentication information for verifying the identity of the vehicle node sent by the vehicle node covered by it, and the base station sends or processes the received authentication information of each vehicle node to the vehicle node covered by the base station For all vehicle nodes, the base station sends the sender certificate of the vehicle node without the CA signature to all vehicle nodes covered by the base station; the base station is based on the authentication system of the cellular network or the signature of the CA in the authentication information to the identity of the vehicle node authenticating.
图4e为本发明提供的实施例三中的网络架构示意图,设基站A下包含3个车辆节点a、b、c,实施例三的流程如图4f所示,步骤如下:Fig. 4e is a schematic diagram of the network architecture in Embodiment 3 provided by the present invention. It is assumed that base station A contains 3 vehicle nodes a, b, and c. The process of Embodiment 3 is shown in Fig. 4f, and the steps are as follows:
步骤一、车辆节点a、b、c接入基站A后,车辆节点a、b、c将用于对车辆节点a、b、c身份进行验证的鉴权信息发送给覆盖车辆节点a、b、c的基站A。Step 1: After the vehicle nodes a, b, c access the base station A, the vehicle nodes a, b, c send the authentication information used to verify the identity of the vehicle nodes a, b, c to the covering vehicle nodes a, b, base station A of c.
该步骤的具体实施方式如实施例一中步骤一中所述。The specific implementation of this step is as described in Step 1 in Example 1.
步骤二、基站A接收其覆盖的车辆节点a、b、c发送的用于对车辆节点a、b、c身份进行验证的鉴权信息后,基于蜂窝网络的鉴权认证体系或鉴权信息中CA的签名对车辆节点的身份进行验证。Step 2: After the base station A receives the authentication information sent by the vehicle nodes a, b, and c covered by it for verifying the identities of the vehicle nodes a, b, and c, the authentication system based on the cellular network or the authentication information in the authentication information The CA's signature verifies the identity of the vehicle node.
该步骤中、基站A基于蜂窝网络的鉴权认证体系或CA的签名对车辆节点的身份进行验证,验证通过后转入步骤三,验证未通过则将未通过身份验证的鉴权信息丢弃。In this step, the base station A verifies the identity of the vehicle node based on the authentication system of the cellular network or the signature of the CA. After the verification is passed, go to step 3. If the verification fails, the authentication information that does not pass the identity verification is discarded.
步骤三、基站A将车辆节点a、b、c的鉴权信息(去掉CA签名的发送者证书)发送给其覆盖的所有车辆节点a、b、c。Step 3: The base station A sends the authentication information of the vehicle nodes a, b, and c (the sender certificate without the CA signature) to all the vehicle nodes a, b, and c covered by it.
需要说明的是,基站A发送给各车辆节点a、b、c的是相同的鉴权信息。It should be noted that the base station A sends the same authentication information to the vehicle nodes a, b, and c.
该步骤中,基站A去掉车辆节点a、b、c的发送者证书的CA的签名,将去掉CA的签名的车辆节点a、b、c的发送者证书(这里为去掉车辆节点a、b、c发送者证书中CA签名后的其他信息)发送给该基站A覆盖的车辆节点a、b、c。In this step, the base station A removes the CA signature of the sender certificate of the vehicle nodes a, b, c, and removes the sender certificate of the vehicle node a, b, c signed by the CA (here, removes the vehicle node a, b, c Other information signed by CA in the sender’s certificate) is sent to the vehicle nodes a, b, and c covered by the base station A.
优选的,在车辆节点a、b的鉴权信息中加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名;将加入加入利用基站A的私有密钥所作的签名,或基站A的公钥及利用基站A的私有密钥所作的签名的车辆节点的鉴权信息按照设定时间间隔并通过系统广播方式发送给该基站A覆盖的所有车辆节点a、b、c。Preferably, a signature made using the private key of base station A, or a public key of base station A and a signature made using the private key of base station A are added to the authentication information of vehicle nodes a and b; The signature made by the private key of the base station A, or the public key of the base station A and the authentication information of the vehicle node signed by the private key of the base station A are sent to all the nodes covered by the base station A through the system broadcast at the set time interval Vehicle nodes a, b, c.
具体实施中,设车辆节点a、b通过了身份验证,车辆节点c没有通过身份验证,那么基站A将包含车辆节点a、b的车辆节点的鉴权信息按照设定时间间隔并通过车联网专用广播形式发送给该基站覆盖的车辆节点a、b、c。In the specific implementation, assuming that vehicle nodes a and b have passed the identity verification, and vehicle node c has not passed the identity verification, then base station A will pass the authentication information of the vehicle nodes including vehicle nodes a and b according to the set time interval and through the Internet of Vehicles dedicated The broadcast form is sent to the vehicle nodes a, b, and c covered by the base station.
在上述优选的实施方式中,在车辆节点a、b的鉴权信息中加入基站A的签名,或该基站A的公钥及利用该基站A的私有密钥所作的签名;将加入基站A的签名,或该基站A的公钥及利用该基站A的私有密钥所作的签名的车辆节点的鉴权信息按照设定时间间隔并通过车联网专用广播形式发送给该基站A覆盖的车辆节点a、b、c。In the above-mentioned preferred embodiment, the signature of base station A is added to the authentication information of vehicle nodes a and b, or the public key of the base station A and the signature made by the private key of the base station A; the signature of the base station A will be added Signature, or the public key of the base station A and the authentication information of the vehicle node signed by the private key of the base station A according to the set time interval and sent to the vehicle node a covered by the base station A in the form of a special broadcast for the Internet of Vehicles , b, c.
步骤四、车辆节点a、b、c接收该基站A发送的该基站A覆盖的车辆节点的鉴权信息并进行存储。Step 4: The vehicle nodes a, b, and c receive and store the authentication information of the vehicle nodes covered by the base station A sent by the base station A.
步骤五、车辆节点a、b、c接收到对端发送的未携带鉴权信息的消息时,根据存储的从覆盖车辆节点a、b、c的基站A接收的对端的鉴权信息对对端身份进行验证。Step 5. When the vehicle nodes a, b, and c receive the message without authentication information sent by the peer, they send the authentication information of the peer to the peer according to the stored authentication information received from the base station A covering the vehicle nodes a, b, and c. Identity is verified.
该步骤中,车辆节点a、b、c根据存储的对端的鉴权信息中的发送者公钥对对端身份进行验证。In this step, vehicle nodes a, b, and c verify the identity of the peer according to the sender's public key in the stored authentication information of the peer.
优选的,该基站A发送的车辆节点的鉴权信息还包括基站A的签名,或基站A的公钥及签名,车辆节点a、b、c接收基站A发送的车辆节点的鉴权信息之后,还包括:Preferably, the authentication information of the vehicle node sent by the base station A also includes the signature of the base station A, or the public key and the signature of the base station A, after the vehicle nodes a, b, and c receive the authentication information of the vehicle node sent by the base station A, Also includes:
基于接收到的基站A的签名,或基站A的公钥及签名对该基站进行身份验证;Verify the identity of the base station based on the received signature of base station A, or the public key and signature of base station A;
验证通过后,在接收到对端发送的未携带鉴权信息的消息时,根据存储的从基站A接收的对端的鉴权信息对对端身份进行验证。After passing the verification, when receiving a message without authentication information sent by the peer end, verify the identity of the peer end according to the stored authentication information of the peer end received from base station A.
具体实施中,车辆节点c接收到覆盖该车辆节点的基站A发送的包含车辆节点a、b的证书的鉴权信息后,先采用该鉴权信息中携带的基站A的签名,或基站A的公钥及签名对该基站A进行身份验证,验证通过后,车辆节点c在接收到对端车辆节点a、b发送的未携带鉴权信息的消息时,根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证。In the specific implementation, after the vehicle node c receives the authentication information including the certificates of the vehicle nodes a and b sent by the base station A covering the vehicle node, it first adopts the signature of the base station A carried in the authentication information, or the signature of the base station A The public key and signature are used to verify the identity of the base station A. After the verification is passed, when the vehicle node c receives the message without authentication information sent by the peer vehicle nodes a and b, it will The authentication information of the end vehicle nodes a and b respectively verify the identity of the end.
步骤六、若车辆节点a、b、c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则转入步骤七;若车辆节点a、b、c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则转入步骤八。Step 6. If the vehicle nodes a, b, and c pass the verification of the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then go to step seven; if the vehicle node a , b, and c respectively verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, and then go to step eight.
步骤七、车辆节点a、b、c将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理。Step 7: Vehicle nodes a, b, and c submit the message without authentication information sent by the authenticated peer to the upper layer for processing.
步骤八、车辆节点a、b、c将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃。Step 8: Vehicle nodes a, b, and c discard messages without authentication information sent by peers that have not passed identity verification.
进一步地,车辆节点a、b、c对未接收到的对端的鉴权信息的对端发送的未携带鉴权信息的消息直接丢弃。Further, the vehicle nodes a, b, c directly discard the messages without authentication information sent by the peers that have not received the authentication information of the peers.
具体实施中,若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证通过,则将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理;若车辆节点c根据存储的从该基站A接收的对端车辆节点a、b的鉴权信息分别对对端身份进行验证未通过,则将未通过身份验证的对端车辆节点a、b发送的未携带鉴权信息的消息丢弃;车辆节点a、b的操作与车辆节点c的操作类似,但由于基站A按照设定时间间隔通过车联网专用广播形式发送的鉴权信息中没有车辆节点c的鉴权信息,因此车辆节点a、b、只能根据存储的从基站A接收到的车辆节点a、b的鉴权信息中彼此的鉴权信息对对端发送的未携带鉴权信息的消息进行验证,将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理,将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃,而车辆节点a、b在接收到对端发送的未携带鉴权信息的消息时,若还未存储对端的鉴权信息,则将对端发送的消息直接丢弃,如对于接收到的车辆节点c发送的未携带鉴权信息的消息时,直接将车辆节点c发送的未携带鉴权信息的消息丢弃。In the specific implementation, if the vehicle node c has verified the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, then the authentication information sent by the opposite end that has passed the identity verification does not carry the authentication information. The message of authorization information is submitted to the upper layer for processing; if the vehicle node c fails to verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a and b received from the base station A, it will fail the identity verification Messages without authentication information sent by peer vehicle nodes a and b are discarded; the operation of vehicle nodes a and b is similar to that of vehicle node c, but since base station A sends There is no authentication information of vehicle node c in the authentication information of vehicle node c, so vehicle nodes a and b can only communicate with each other according to the authentication information of each other in the authentication information of vehicle nodes a and b received from base station A Verify the message without authentication information sent by the peer end that has passed the identity verification, submit the message without authentication information sent by the peer that has passed the identity verification to the upper layer for processing, and pass the The message is discarded, and when the vehicle nodes a and b receive the message without authentication information sent by the other end, if the authentication information of the other end has not been stored, the message sent by the other end will be discarded directly, such as for the received When the message not carrying the authentication information sent by the vehicle node c, the message not carrying the authentication information sent by the vehicle node c is directly discarded.
实施例四:基站将相邻基站发送的通过身份验证的车辆节点的鉴权信息转发给或处理后发送给该基站覆盖的所有车辆节点,其中,基站将去掉CA的签名的车辆节点的发送者证书发送给该基站覆盖的所有车辆节点,基站基于蜂窝网络的鉴权认证体系或CA的签名对车辆节点的身份进行验证。Embodiment 4: The base station forwards or processes the authentication information of the vehicle node that has passed the identity verification sent by the adjacent base station to all vehicle nodes covered by the base station, wherein the base station removes the sender of the vehicle node with the CA signature The certificate is sent to all vehicle nodes covered by the base station, and the base station verifies the identity of the vehicle node based on the authentication system of the cellular network or the signature of the CA.
图4g为本发明提供的实施例四中的网络架构示意图,设基站A下包含3个车辆节点a、b、c,基站B下包含2个车辆节点d、e,实施例四的流程如图4h所示,步骤如下:Figure 4g is a schematic diagram of the network architecture in Embodiment 4 provided by the present invention. It is assumed that base station A contains 3 vehicle nodes a, b, and c, and base station B contains 2 vehicle nodes d, e. The flow chart of Embodiment 4 is shown in the figure As shown in 4h, the steps are as follows:
步骤一、车辆节点a、b、c、d、e接入基站后,车辆节点a、b、c、d、e将用于对车辆节点a、b、c、d、e进行身份验证的鉴权信息发送给覆盖车辆节点a、b、c、d、e的基站A或B。Step 1: After the vehicle nodes a, b, c, d, and e access the base station, the vehicle nodes a, b, c, d, and e will be used to authenticate the identity of the vehicle nodes a, b, c, d, and e. The right information is sent to the base station A or B covering the vehicle nodes a, b, c, d, e.
该步骤中,车辆节点a、b、c、d、e按照设定时间间隔将鉴权信息发送给覆盖车辆节点a、b、c、d、e的基站A或B。In this step, vehicle nodes a, b, c, d, and e send authentication information to base stations A or B covering vehicle nodes a, b, c, d, and e at set time intervals.
通常,若车辆节点a、b、c、d、e前后发送的两个证书的有效时间有30秒的重叠时间,那么车辆节点a、b、c、d、e可以在每两个证书的重叠时间范围内向基站A或B发送携带各自公钥的下一个将要使用的证书。Usually, if the valid time of the two certificates sent by vehicle nodes a, b, c, d, and e has an overlapping time of 30 seconds, then vehicle nodes a, b, c, d, and e can Send the next certificate to be used carrying the respective public key to base station A or B within the time range.
步骤二、基站A或B接收其覆盖的车辆节点a、b、c、d、e发送的用于对车辆节点a、b、c、d、e身份进行验证的鉴权信息,并接收相邻基站发送的相邻基站覆盖的车辆节点的鉴权信息,然后基站A或B基于蜂窝网络的鉴权认证体系或鉴权信息中CA的签名对车辆节点的身份进行验证。Step 2. The base station A or B receives the authentication information sent by the vehicle nodes a, b, c, d, and e that it covers to verify the identities of the vehicle nodes a, b, c, d, and e, and receives the adjacent The base station sends the authentication information of the vehicle node covered by the adjacent base station, and then the base station A or B verifies the identity of the vehicle node based on the authentication system of the cellular network or the CA signature in the authentication information.
该步骤中、基站A或B基于蜂窝网络的鉴权认证体系或鉴权信息中CA的签名对车辆节点的身份进行验证,验证通过后转入步骤三,验证未通过则将未通过身份验证的鉴权信息丢弃。In this step, base station A or B verifies the identity of the vehicle node based on the authentication system of the cellular network or the signature of CA in the authentication information. Authentication information is discarded.
步骤三、基站A或B将接收的每个车辆节点的鉴权信息(去掉CA签名的发送者证书)转发给或处理后发送给其覆盖的车辆节点a、b、c、d、e。Step 3. Base station A or B forwards or processes the received authentication information of each vehicle node (sender certificate without CA signature) to the covered vehicle nodes a, b, c, d, e after processing.
该步骤中,基站A或B将接收的相邻基站覆盖的车辆节点的鉴权信息与其接收的其覆盖的车辆节点a、b、c、d、e发送的用于对车辆节点a、b、c、d、e身份进行验证的鉴权信息发送给或处理后发送给基站A或B覆盖的所有车辆节点。In this step, the base station A or B sends the received authentication information of the vehicle nodes covered by the adjacent base station and the received vehicle nodes a, b, c, d, e to the vehicle nodes a, b, c, d, e identities are verified and sent to all vehicle nodes covered by base station A or B after processing.
需要说明的是,每个基站发送给其覆盖各车辆节点的是相同的鉴权信息,但不同的基站间发送鉴权信息可以不同,如一个基站收集到了5个车辆节点的鉴权信息,那么其向其覆盖各车辆节点发送的鉴权信息最多只有收集到的5个车辆节点的鉴权信息;而另一个基站收集到了10个车辆节点的鉴权信息,那么该基站向其覆盖各车辆节点发送的鉴权信息最多可以包含收集到的10个车辆节点的鉴权信息。It should be noted that each base station sends the same authentication information to each vehicle node it covers, but the authentication information sent by different base stations can be different. For example, if a base station collects the authentication information of five vehicle nodes, then The authentication information sent to each vehicle node covered by it is only the authentication information of 5 vehicle nodes collected; and another base station has collected the authentication information of 10 vehicle nodes, then the base station will cover each vehicle node The authentication information sent may contain the collected authentication information of 10 vehicle nodes at most.
该步骤中,基站A或B去掉车辆节点a、b、c、d、e的发送者证书的CA的签名,将去掉CA签名的车辆节点a、b、c、d、e的发送者证书(这里为去掉车辆节点a、b、c、d、e发送者证书中CA签名后的其他信息)发送给基站A或B覆盖的车辆节点a、b、c、d、e。In this step, the base station A or B removes the signature of the CA of the sender certificate of the vehicle node a, b, c, d, e, and will remove the sender certificate of the vehicle node a, b, c, d, e signed by the CA ( Here, other information after removing the CA signature in the sender certificate of vehicle nodes a, b, c, d, e) is sent to vehicle nodes a, b, c, d, e covered by base station A or B.
优选的,在车辆节点的鉴权信息中加入基站的签名,或基站的公钥及签名;将加入基站的签名,或基站的公钥及签名的车辆节点的鉴权信息发送给基站A或B覆盖的车辆节点a、b、c、d、e。Preferably, the signature of the base station, or the public key and the signature of the base station are added to the authentication information of the vehicle node; Covered vehicle nodes a, b, c, d, e.
具体实施中,基站A、B采用CA签名分别对其覆盖的并且接收到鉴权信息的车辆节点进行身份验证。设车辆节点a、b通过了基站A的验证,车辆节点c没有通过基站A的验证,车辆节点d、e都通过了基站B的验证,那么基站A和基站B将通过接口将各自通过验证的鉴权信息按照设定时间间隔通过MBMS广播形式转发给或处理后发送给相邻基站与其覆盖的车辆节点。即:基站A通过接口将通过验证的车辆节点a、b的鉴权信息按照设定时间间隔通过MBMS广播形式转发给或处理后发送给相邻基站B与其覆盖的车辆节点a、b、c;基站B通过接口将通过验证的车辆节点d、e的鉴权信息按照设定时间间隔通过MBMS广播形式转发给或处理后发送给相邻基站A与其覆盖的车辆节点d、e。In a specific implementation, the base stations A and B use the CA signature to verify the identity of the vehicle nodes covered by them and receiving the authentication information. Assuming that vehicle nodes a and b have passed the verification of base station A, vehicle node c has not passed the verification of base station A, and vehicle nodes d and e have passed the verification of base station B, then base station A and base station B will pass the verification through the interface The authentication information is forwarded or processed to the adjacent base station and the vehicle nodes covered by it through MBMS broadcast at the set time interval. That is: the base station A forwards or processes the authentication information of the verified vehicle nodes a and b to the adjacent base station B and the vehicle nodes a, b and c covered by it through the MBMS broadcast at a set time interval through the interface; The base station B forwards or processes the authentication information of the verified vehicle nodes d and e to the adjacent base station A and its covered vehicle nodes d and e through the MBMS broadcast form at a set time interval through the interface.
步骤四、车辆节点a、b、c、d、e接收覆盖该车辆节点的基站A或B发送的车辆节点的鉴权信息并进行存储。Step 4: The vehicle nodes a, b, c, d, e receive and store the authentication information of the vehicle node sent by the base station A or B covering the vehicle node.
步骤五、车辆节点a、b、c、d、e接收到对端发送的未携带鉴权信息的消息时,根据存储的从覆盖该车辆节点的基站A或B接收的对端的鉴权信息对对端身份进行验证。Step 5. When the vehicle nodes a, b, c, d, and e receive the message without authentication information sent by the opposite end, according to the stored authentication information of the opposite end received from the base station A or B covering the vehicle node, the Verify the identity of the peer.
该步骤中,车辆节点a、b、c、d、e根据存储的对端的鉴权信息中的发送者公钥对对端身份进行验证。In this step, the vehicle nodes a, b, c, d, and e verify the identity of the peer according to the sender's public key in the stored authentication information of the peer.
优选的,基站发送的车辆节点的鉴权信息还包括基站的签名,或基站的公钥及签名,车辆节点a、b、c、d、e接收覆盖该车辆节点的基站A或B发送的车辆节点的鉴权信息之后,还包括:Preferably, the authentication information of the vehicle node sent by the base station also includes the signature of the base station, or the public key and signature of the base station, and the vehicle nodes a, b, c, d, e receive the vehicle node sent by the base station A or B covering the vehicle node. After the authentication information of the node, it also includes:
基于覆盖该车辆节点的基站A或B的签名或基站A或B的公钥及签名对覆盖该车辆节点的基站A或B进行身份验证;Verify the identity of the base station A or B covering the vehicle node based on the signature of the base station A or B covering the vehicle node or the public key and signature of the base station A or B;
验证通过后,在接收到对端发送的未携带鉴权信息的消息时,根据存储的从覆盖该车辆节点的基站A或B接收的对端的鉴权信息对对端身份进行验证。After the verification is passed, when receiving the message without authentication information sent by the opposite end, verify the identity of the opposite end according to the stored authentication information of the opposite end received from the base station A or B covering the vehicle node.
具体实施中,车辆节点c接收到覆盖该车辆节点的基站A发送的包含车辆节点a、b、d、e证书的鉴权消息并进行存储后,先采用该鉴权消息中携带的基站A的签名,或基站A的公钥及签名对基站A进行身份验证,验证通过后,车辆节点c在接收到对端车辆节点a、b、d、e发送的未携带鉴权信息的消息时,根据存储的从基站A接收的对端车辆节点a、b、d、e的鉴权信息分别对对端身份进行验证。In the specific implementation, after the vehicle node c receives and stores the authentication message containing the certificates of the vehicle nodes a, b, d, and e sent by the base station A covering the vehicle node, it first adopts the authentication information of the base station A carried in the authentication message. Signature, or the public key and signature of base station A to verify the identity of base station A. After the verification is passed, when vehicle node c receives the message without authentication information sent by peer vehicle node a, b, d, e, according to The stored authentication information of the peer vehicle nodes a, b, d, and e received from the base station A respectively verifies the identity of the peer.
步骤六、若车辆节点a、b、c、d、e根据存储的从覆盖该车辆节点的基站A或B接收的对端车辆节点的鉴权信息分别对对端身份进行验证通过,则转入步骤七;若车辆节点a、b、c、d、e根据存储的从覆盖该车辆节点的基站A或B接收的对端车辆节点的鉴权信息分别对对端身份进行验证未通过,则转入步骤八。Step 6. If the vehicle nodes a, b, c, d, and e pass the identity verification of the peer vehicle node according to the stored authentication information of the peer vehicle node received from the base station A or B covering the vehicle node, then transfer to Step 7: If vehicle nodes a, b, c, d, e fail to verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle node received from the base station A or B covering the vehicle node, then go to Go to step eight.
步骤七、车辆节点a、b、c、d、e将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理。Step 7: Vehicle nodes a, b, c, d, and e submit messages without authentication information sent by peers that have passed identity verification to the upper layer for processing.
步骤八、车辆节点a、b、c、d、e将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃。Step 8: Vehicle nodes a, b, c, d, e discard the messages without authentication information sent by peers that have not passed identity verification.
进一步地,车辆节点a、b、c、d、e对未接收到对端的鉴权信息的对端发送的未携带鉴权信息的消息直接丢弃。Further, the vehicle nodes a, b, c, d, and e directly discard the messages without authentication information sent by the peers that have not received the authentication information of the peers.
具体实施中,若车辆节点c根据存储的从基站A接收的对端车辆节点a、b、d、e的鉴权信息分别对对端身份进行验证通过,则将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理;若车辆节点c根据存储的从基站A接收的对端车辆节点a、b、d、e的鉴权信息分别对对端身份进行验证未通过,则将未通过身份验证的对端车辆节点a、b、d、e发送的未携带鉴权信息的消息丢弃;车辆节点a、b、d、e的操作与车辆节点c的操作类似,但由于基站A或B发送的鉴权信息中没有车辆节点c的鉴权信息,因此车辆节点a、b、d、e只能根据存储的车辆节点a、b、d、e的鉴权信息对对端发送的未携带鉴权信息的消息进行验证,将通过身份验证的对端发送的未携带鉴权信息的消息递交给高层进行处理,将未通过身份验证的对端发送的未携带鉴权信息的消息丢弃,而车辆节点a、b在接收到对端发送的未携带鉴权信息的消息时,若还未存储对端的鉴权信息,则将对端发送的消息直接丢弃,如对于接收到的车辆节点c发送的未携带鉴权信息的消息时,直接将车辆节点c发送的未携带鉴权信息的消息丢弃。In the specific implementation, if the vehicle node c passes the authentication of the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a, b, d, and e received from the base station A, the identity verification will be sent by the opposite end The message without authentication information is submitted to the upper layer for processing; if the vehicle node c fails to verify the identity of the opposite end according to the stored authentication information of the opposite end vehicle nodes a, b, d, and e received from the base station A, Then discard the messages without authentication information sent by peer vehicle nodes a, b, d, e that have not passed identity verification; the operation of vehicle nodes a, b, d, e is similar to that of vehicle node c, but due to The authentication information sent by base station A or B does not include the authentication information of vehicle node c, so vehicle nodes a, b, d, and e can only authenticate the peers based on the stored authentication information of vehicle nodes a, b, d, and e. Verify the message without authentication information sent by the peer end that has passed the identity verification, submit the message without authentication information sent by the peer that has passed the identity verification to the upper layer for processing, and pass the The message is discarded, and when the vehicle nodes a and b receive the message without authentication information sent by the other end, if the authentication information of the other end has not been stored, the message sent by the other end will be discarded directly, such as for the received When the message not carrying the authentication information sent by the vehicle node c, the message not carrying the authentication information sent by the vehicle node c is directly discarded.
基于相同的技术构思,本发明实施例还提供了一种中心节点、一种终端,由于该中心节点、终端设备解决问题的原理与方法相似,因此设备的实施可以参见方法的实施,重复之处不再赘述。Based on the same technical concept, the embodiment of the present invention also provides a central node and a terminal. Since the principle and method of solving the problem of the central node and terminal equipment are similar, the implementation of the equipment can refer to the implementation of the method. No longer.
如图5所示,本发明实施例提供的中心节点,可包括:As shown in Figure 5, the central node provided by the embodiment of the present invention may include:
接收模块501,用于接收其覆盖的终端发送的用于对终端进行身份验证的鉴权信息;The receiving module 501 is configured to receive authentication information for authenticating the terminal sent by the covered terminal;
发送模块502,用于将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。The sending module 502 is configured to forward or process the received authentication information of each terminal to all terminals covered by the central node.
以上功能模块的划分方式仅为本发明实施例给出的一种优选实现方式,功能模块的划分方式不构成对本发明的限制。The above division manner of the functional modules is only a preferred implementation manner given by the embodiment of the present invention, and the division manner of the functional modules does not constitute a limitation of the present invention.
实施中,所述发送模块502进一步用于将接收的每个终端的鉴权信息转发给或处理后发送给与所述中心节点相邻的中心节点,并将接收的相邻中心节点覆盖的终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。In implementation, the sending module 502 is further configured to forward or process the received authentication information of each terminal to a central node adjacent to the central node, and transmit the received terminal covered by the adjacent central node The authentication information is forwarded to or processed and sent to all terminals covered by the central node.
实施中,所述接收模块501进一步用于接收相邻中心节点发送的相邻中心节点覆盖的终端的鉴权信息。In implementation, the receiving module 501 is further configured to receive the authentication information of the terminal covered by the adjacent central node sent by the adjacent central node.
具体实施中,中心节点对终端的鉴权信息进行处理时,可以是根据需要在鉴权信息中加入一些信息,或删除终端的鉴权信息中不必要的冗余信息,当然,还可以是其它处理方式。In the specific implementation, when the central node processes the authentication information of the terminal, it can add some information to the authentication information as needed, or delete unnecessary redundant information in the authentication information of the terminal. Of course, it can also be other processing method.
具体实施中,鉴权信息可以是任何形式的用于对终端进行身份认证的信息。In a specific implementation, the authentication information may be any form of information used to authenticate the identity of the terminal.
优选地,鉴权信息至少包括发送者公钥。进一步优选地,鉴权信息还包括发送者的标识和/或证书管理机构CA的签名。Preferably, the authentication information includes at least the sender's public key. Further preferably, the authentication information also includes the identifier of the sender and/or the signature of the certificate authority CA.
目前发送者证书具有用于对终端身份验证的信息,除了包含上述发送者公钥、CA的签名和/或发送者的标识(ID)外、还包含证书的序列号、证书发放机构的名称、以及能够使接收者验证证书是否已被撤销等信息。优选地,鉴权信息包括发送者证书中的一项或多项内容,若包括发送者证书一项内容,则该项内容为发送者公钥。At present, the sender's certificate has information for authenticating the terminal. In addition to the above-mentioned sender's public key, CA's signature and/or sender's identification (ID), it also includes the serial number of the certificate, the name of the certificate issuing authority, And information that enables the recipient to verify whether the certificate has been revoked. Preferably, the authentication information includes one or more items in the sender's certificate, and if one item of the sender's certificate is included, then the item is the sender's public key.
此外,证书中还包含关于时间、内容、位置的范围限制等信息,可以根据需要确定是否将其加入鉴权信息。当然,鉴权信息可以包括证书的全部内容。In addition, the certificate also contains information such as time, content, and location restrictions, and it can be determined whether to add it to the authentication information as required. Certainly, the authentication information may include all contents of the certificate.
实施中,中心节点中还可以进一步包括:During implementation, the central node may further include:
验证模块503,用于基于蜂窝网络的鉴权认证体系或接收的终端鉴权信息中CA的签名对接收的每个终端进行身份验证;The verification module 503 is configured to verify the identity of each received terminal based on the authentication system of the cellular network or the signature of the CA in the received terminal authentication information;
所述发送模块502还可以进一步用于在验证通过后,将终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。The sending module 502 may be further configured to forward or process the authentication information of the terminal to all terminals covered by the central node after the verification is passed.
对于不管是从中心节点覆盖的终端接收的鉴权信息,还是从相邻中心节点接收的终端的鉴权信息,将终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端之前,还包括:Whether it is the authentication information received from the terminal covered by the central node or the authentication information of the terminal received from the adjacent central node, forward or process the authentication information of the terminal to all terminals covered by the central node Previously, also included:
基于蜂窝网络的鉴权认证体系或接收的终端鉴权信息中CA的签名对该终端进行身份验证;验证通过后再发送。Based on the authentication and authentication system of the cellular network or the signature of the CA in the received terminal authentication information, the identity of the terminal is verified; the verification is passed before sending.
通常,中心节点基于CA的签名对对应终端进行身份验证。中心节点对终端的身份验证方式也可以采用其他方式,如借助于现有蜂窝网络的鉴权认证体系,一旦确定终端是蜂窝网络的合法接入终端,那么认为该终端发送的鉴权信息就是可信的。Usually, the central node authenticates the corresponding terminal based on the signature of the CA. The central node can also use other methods to verify the identity of the terminal. For example, with the help of the authentication system of the existing cellular network, once the terminal is determined to be a legal access terminal of the cellular network, the authentication information sent by the terminal is considered to be valid. Faithful.
实施中,所述鉴权信息为发送者证书,所述发送模块502具体用于将接收的每个终端的发送者证书或发送者证书中的部分内容发送给所述中心节点覆盖的所有终端。In implementation, the authentication information is the sender's certificate, and the sending module 502 is specifically configured to send the received sender's certificate or part of the sender's certificate of each terminal to all terminals covered by the central node.
实施中,所述发送者证书包括CA签名,所述发送模块502具体用于将去掉CA签名的终端的发送者证书发送给所述中心节点覆盖的所有终端。In implementation, the sender certificate includes a CA signature, and the sending module 502 is specifically configured to send the sender certificate of the terminal without the CA signature to all terminals covered by the central node.
需要说明的是,中心节点发送给所述中心节点覆盖的所有终端的鉴权信息是相同的。It should be noted that the authentication information sent by the central node to all terminals covered by the central node is the same.
具体实施中,该鉴权信息为发送者证书或发送者证书部分内容,该中心节点将接收的每个终端的发送者证书或发送者证书中的部分内容发送给所述中心节点覆盖的所有终端;在鉴权信息为发送者证书部分内容时,该中心节点将去掉CA签名的终端的发送者证书发送给该中心节点覆盖的所有终端。In a specific implementation, the authentication information is the sender's certificate or part of the content of the sender's certificate, and the central node sends the received sender's certificate or part of the content of the sender's certificate to all terminals covered by the central node ; When the authentication information is part of the content of the sender's certificate, the central node sends the sender's certificate of the terminal without the CA signature to all terminals covered by the central node.
实施中,中心节点中还可以进一步包括:During implementation, the central node may further include:
处理模块504,用于在接收的每个终端的鉴权信息中加入利用中心节点的私有密钥所作的签名,或中心节点的公钥及利用中心节点的私有密钥所作的签名;A processing module 504, configured to add a signature made using the private key of the central node, or a public key of the central node and a signature made using the private key of the central node, to the received authentication information of each terminal;
所述发送模块502具体用于将处理模块处理后的接收的每个终端的鉴权信息发送给所述中心节点覆盖的所有终端。The sending module 502 is specifically configured to send the received authentication information of each terminal processed by the processing module to all terminals covered by the central node.
具体实施中,在中心节点对终端的鉴权信息进行处理时,采用如下任一方式:In a specific implementation, when the central node processes the authentication information of the terminal, any of the following methods is adopted:
1)在终端的鉴权信息中加入利用中心节点的私有密钥所作的签名;1) Add the signature made by the private key of the central node to the authentication information of the terminal;
需要说明的是,若中心节点的公钥是公知信息时,则在规范或协议中规定或在中心节点的系统广播中通知,那么中心节点在向该中心节点覆盖的所有终端发送鉴权信息时不需要添加该中心节点的公钥。It should be noted that if the public key of the central node is publicly known information, it is stipulated in the specification or protocol or notified in the system broadcast of the central node, then when the central node sends authentication information to all terminals covered by the central node There is no need to add the public key of the central node.
2)在终端的鉴权信息中加入中心节点的公钥及利用中心节点的私有密钥所作的签名。2) Add the public key of the central node and the signature made with the private key of the central node to the authentication information of the terminal.
基于加入的利用中心节点的私有密钥所作的签名,或中心节点的公钥及中心节点的私有密钥所作的签名,终端可以对该中心节点进行身份验证,从而保证中心节点发送的终端的鉴权信息的安全性和可信性。Based on the signature made using the private key of the central node, or the signature made by the public key of the central node and the private key of the central node, the terminal can authenticate the central node, thereby ensuring the authentication of the terminal sent by the central node. security and credibility of information.
实施中,所述发送模块502具体用于:In implementation, the sending module 502 is specifically used for:
按照设定时间间隔或事件触发方式,将接收的每个终端的鉴权信息发送给或处理后发送给所述中心节点覆盖的所有终端。The received authentication information of each terminal is sent or processed and sent to all terminals covered by the central node according to a set time interval or an event triggering manner.
具体实施中,中心节点可以采用如下方式将接收的每个终端的鉴权信息转发给或处理后发送给该中心节点覆盖的所有终端:In a specific implementation, the central node may forward or process the received authentication information of each terminal to all terminals covered by the central node in the following manner:
1)按照设定时间间隔方式发送1) Send according to the set time interval
在设定时间间隔内中心节点接收终端的鉴权信息,当到达设定时间时,中心节点将此时间间隔内接收的每个终端的鉴权信息发送给或处理后发送给该中心节点覆盖的所有终端。The central node receives the authentication information of the terminal within the set time interval. When the set time is reached, the central node sends or processes the authentication information of each terminal received within this time interval to the network covered by the central node. all terminals.
采用此方式可以实现将多个终端的鉴权信息按照设定时间间隔统一下发,以提高网络资源利用率。In this manner, the authentication information of multiple terminals can be issued uniformly at a set time interval, so as to improve the utilization rate of network resources.
2)按照事件触发方式发送2) Send according to the event trigger mode
具体的触发方式可以是,当新接入该中心节点的终端数目达到数值时,将当前接收到的所有终端的鉴权信息统一下发,可以提高网络资源利用率。A specific triggering method may be that when the number of terminals newly connected to the central node reaches a certain value, the currently received authentication information of all terminals is uniformly issued, which can improve the utilization rate of network resources.
3)立即发送方式3) Send immediately
中心节点只要接收到终端发送的鉴权信息,则将接收的该终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端。As long as the central node receives the authentication information sent by the terminal, it forwards or processes the received authentication information of the terminal to all terminals covered by the central node.
实施中,所述发送模块502通过以下方式中的任一种,将接收的每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端:In implementation, the sending module 502 forwards or processes the received authentication information of each terminal to all terminals covered by the central node in any of the following ways:
广播方式;组播方式;多播方式;点对点方式。Broadcast mode; multicast mode; multicast mode; point-to-point mode.
其中,广播可以为MBMS广播、车联网专用广播、系统广播等,以达到合理利用信道资源,提高系统资源利用率的目的。Among them, broadcasting can be MBMS broadcasting, dedicated broadcasting for Internet of Vehicles, system broadcasting, etc., so as to achieve the purpose of rationally using channel resources and improving the utilization rate of system resources.
如图6所示,本发明实施例提供的终端,可包括:As shown in Figure 6, the terminal provided by the embodiment of the present invention may include:
发送模块601,用于将对所述终端进行身份验证的鉴权信息发送给覆盖所述终端的中心节点;A sending module 601, configured to send authentication information for identity verification of the terminal to a central node covering the terminal;
接收模块602,用于接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储。The receiving module 602 is configured to receive and store authentication information of all terminals covered by the central node sent by the central node.
以上功能模块的划分方式仅为本发明实施例给出的一种优选实现方式,功能模块的划分方式不构成对本发明的限制。The above division manner of the functional modules is only a preferred implementation manner given by the embodiment of the present invention, and the division manner of the functional modules does not constitute a limitation of the present invention.
实施中,所述接收模块602进一步用于接收所述中心节点发送的相邻中心节点覆盖的所有终端的鉴权信息。In implementation, the receiving module 602 is further configured to receive authentication information of all terminals covered by adjacent central nodes sent by the central node.
实施中,所述发送模块601发送的鉴权信息包括发送者的公钥。In implementation, the authentication information sent by the sending module 601 includes the sender's public key.
实施中,所述发送模块601发送的鉴权信息还包括发送者标识和/或证书管理机构CA的签名。In implementation, the authentication information sent by the sending module 601 also includes the sender's identification and/or the signature of the certificate management authority CA.
实施中,所述发送模块601发送的鉴权信息包括发送者证书中的一项或多项内容。In implementation, the authentication information sent by the sending module 601 includes one or more contents in the sender's certificate.
实施中,所述发送模块601具体用于:In implementation, the sending module 601 is specifically used for:
按照设定时间间隔或事件触发方式将鉴权信息发送给覆盖所述终端的中心节点。The authentication information is sent to the central node covering the terminal according to a set time interval or an event triggering manner.
通常,若终端前后发送的鉴权信息中的证书的有效时间有30秒的重叠时间,那么终端可以在每两个证书的重叠时间范围内按照设定时间间隔向中心节点发送携带各自公钥的下一个将要使用的证书。Usually, if the valid time of the certificates in the authentication information sent by the terminal overlaps by 30 seconds, then the terminal can send certificates carrying their respective public keys to the central node according to the set time interval within the overlapping time range of each two certificates. The next certificate to be used.
出于保护隐私,终端使用一个证书通常只在有限时间内有效;1609.2协议中规定每个终端的证书集中任意一个时刻只有一个证书是有效的。这个原则可以放松为相邻两个证书的有效时间段可以允许一个短时间的重叠,使得证书可以在重叠的时间段内随机转换从而更好地保护隐私,另外也可以使得当一个严重的事件发生时让终端拥有一定的延迟变换证书的灵活度。To protect privacy, a certificate used by a terminal is usually only valid for a limited time; the 1609.2 protocol stipulates that only one certificate is valid at any time in the certificate set of each terminal. This principle can be relaxed to allow a short period of overlap between the validity periods of two adjacent certificates, so that the certificates can be randomly switched within the overlapping period of time to better protect privacy, and it can also be used when a serious event occurs This allows the terminal to have a certain degree of flexibility in delaying and changing certificates.
实施中,所述接收模块602接收的鉴权信息还包括所述中心节点的签名,或包括所述中心节点的公钥及签名。In implementation, the authentication information received by the receiving module 602 also includes the signature of the central node, or includes the public key and signature of the central node.
实施中,所述接收模块602还可以进一步用于接收对端发送的未携带鉴权信息的消息;In implementation, the receiving module 602 may be further configured to receive a message sent by the opposite end without authentication information;
实施中,终端中还可以进一步包括:During implementation, the terminal may further include:
验证模块603,用于在接收模块接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。The verification module 603 is configured to verify the identity of the peer according to the stored authentication information of the peer received from the central node when the receiving module receives a message without authentication information sent by the peer.
实施中,所述对端的鉴权信息包括对端的发送者的公钥,验证模块603具体用于在接收模块602接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息中的发送者公钥对对端身份进行验证。In implementation, the authentication information of the opposite end includes the public key of the sender of the opposite end, and the verification module 603 is specifically configured to, when the receiving module 602 receives a message that does not carry authentication information sent by the opposite end, according to the stored information from the central node The sender's public key in the received authentication information of the peer verifies the identity of the peer.
实施中,所述接收模块602接收所述中心节点发送的终端的鉴权信息还包括中心节点的签名,或包括中心节点的公钥及签名,所述验证模块603具体用于:In implementation, the terminal authentication information received by the receiving module 602 from the central node also includes the signature of the central node, or includes the public key and signature of the central node, and the verification module 603 is specifically used for:
基于所述鉴权信息中的中心节点的签名或中心节点的公钥和签名,对所述中心节点进行身份验证;Perform identity verification on the central node based on the signature of the central node or the public key and signature of the central node in the authentication information;
验证通过后,在接收模块602接收到对端发送的未携带鉴权信息的消息时,根据存储的从中心节点接收的对端的鉴权信息对所述对端身份进行验证。After the verification is passed, when the receiving module 602 receives the message without authentication information sent by the peer, it verifies the identity of the peer according to the stored authentication information of the peer received from the central node.
本发明实施例还提供了一种中心节点,包括处理器和数据收发接口,其中:The embodiment of the present invention also provides a central node, including a processor and a data sending and receiving interface, wherein:
所述处理器被配置为用于:接收其覆盖的终端发送的用于对终端进行身份验证的鉴权信息,将接收到每个终端的鉴权信息转发给或处理后发送给所述中心节点覆盖的所有终端;The processor is configured to: receive the authentication information sent by the covered terminal for authenticating the terminal, and forward or process the received authentication information of each terminal to the central node all terminals covered;
所述数据收发接口用于实现所述处理器与终端之间的数据通信。The data transceiving interface is used to implement data communication between the processor and the terminal.
本发明还提供一种终端,包括处理器和数据收发接口,其中:The present invention also provides a terminal, including a processor and a data sending and receiving interface, wherein:
所述处理器被配置为用于将对所述终端进行身份验证的鉴权信息发送给覆盖所述终端的中心节点,接收所述中心节点发送的所述中心节点覆盖的所有终端的鉴权信息并进行存储;The processor is configured to send authentication information for identity verification of the terminal to a central node covering the terminal, and receive authentication information sent by the central node for all terminals covered by the central node and store it;
所述数据收发接口用于实现所述处理器与其它终端及中心节点间的数据通信。The data transceiving interface is used to implement data communication between the processor and other terminals and central nodes.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a Means for realizing the functions specified in one or more steps of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart flow or flows and/or block diagram block or blocks.
尽管已描述了本发明的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本发明范围的所有变更和修改。While preferred embodiments of the invention have been described, additional changes and modifications to these embodiments can be made by those skilled in the art once the basic inventive concept is appreciated. Therefore, it is intended that the appended claims be construed to cover the preferred embodiment as well as all changes and modifications which fall within the scope of the invention.
显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and equivalent technologies thereof, the present invention also intends to include these modifications and variations.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310418682.3ACN104469763B (en) | 2013-09-13 | 2013-09-13 | A kind of authentication information transmission method and device |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310418682.3ACN104469763B (en) | 2013-09-13 | 2013-09-13 | A kind of authentication information transmission method and device |
| Publication Number | Publication Date |
|---|---|
| CN104469763A CN104469763A (en) | 2015-03-25 |
| CN104469763Btrue CN104469763B (en) | 2018-07-17 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310418682.3AActiveCN104469763B (en) | 2013-09-13 | 2013-09-13 | A kind of authentication information transmission method and device |
| Country | Link |
|---|---|
| CN (1) | CN104469763B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11546176B2 (en)* | 2020-08-26 | 2023-01-03 | Rockwell Collins, Inc. | System and method for authentication and cryptographic ignition of remote devices |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10080124B2 (en)* | 2015-06-29 | 2018-09-18 | Qualcomm Incorporated | Methods and apparatus for cluster management in DSRC cooperative safety systems |
| CN105280003A (en)* | 2015-09-29 | 2016-01-27 | 北京航空航天大学 | Method for transmitting intersection signal lamp information to vehicle from road side |
| CN107040995A (en)* | 2016-02-04 | 2017-08-11 | 中兴通讯股份有限公司 | Broadcasting method and device, the method for building up of MBMS carryings of car networking communication V2X message |
| CN108604988B (en)* | 2016-05-03 | 2021-01-05 | 华为技术有限公司 | Certificate notification method and device |
| CN115967919A (en)* | 2021-10-13 | 2023-04-14 | 中国电信股份有限公司 | Vehicle-road collaborative safety communication method, roadside unit, and vehicle-mounted unit |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101465725A (en)* | 2007-12-18 | 2009-06-24 | 中国电子科技集团公司第五十研究所 | Key distribution method for public key system based on identification |
| CN101834834A (en)* | 2009-03-09 | 2010-09-15 | 华为软件技术有限公司 | An authentication method, device and authentication system |
| CN101981892A (en)* | 2008-03-25 | 2011-02-23 | 高通股份有限公司 | Systems and methods for group key distribution and management for wireless communication systems |
| CN102291796A (en)* | 2011-09-02 | 2011-12-21 | 中国联合网络通信集团有限公司 | Service data transmission method, system and management control center |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101465725A (en)* | 2007-12-18 | 2009-06-24 | 中国电子科技集团公司第五十研究所 | Key distribution method for public key system based on identification |
| CN101981892A (en)* | 2008-03-25 | 2011-02-23 | 高通股份有限公司 | Systems and methods for group key distribution and management for wireless communication systems |
| CN101834834A (en)* | 2009-03-09 | 2010-09-15 | 华为软件技术有限公司 | An authentication method, device and authentication system |
| CN102291796A (en)* | 2011-09-02 | 2011-12-21 | 中国联合网络通信集团有限公司 | Service data transmission method, system and management control center |
| Title |
|---|
| BAP:Broadcast Authentication Using Cryptographic Puzzles;Patrick Schaller等;《ACNS 2007》;20071231;全文* |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11546176B2 (en)* | 2020-08-26 | 2023-01-03 | Rockwell Collins, Inc. | System and method for authentication and cryptographic ignition of remote devices |
| Publication number | Publication date |
|---|---|
| CN104469763A (en) | 2015-03-25 |
| Publication | Publication Date | Title |
|---|---|---|
| Muhammad et al. | Survey on existing authentication issues for cellular-assisted V2X communication | |
| Alnasser et al. | Cyber security challenges and solutions for V2X communications: A survey | |
| CN103281191B (en) | The method and system communicated is carried out based on car networking | |
| Al-Kahtani | Survey on security attacks in vehicular ad hoc networks (VANETs) | |
| CN111919421B (en) | Method, network element and medium for reduced V2X receiver processing load | |
| Raw et al. | Security challenges, issues and their solutions for VANET | |
| CN108702786B (en) | Communication method, device and system | |
| Liu et al. | Securing vehicular ad hoc networks | |
| CN104469763B (en) | A kind of authentication information transmission method and device | |
| Nyangaresi et al. | Efficient group authentication protocol for secure 5G enabled vehicular communications | |
| Muhammad et al. | 5G-based V2V broadcast communications: A security perspective | |
| Zhang et al. | Group-signature and group session key combined safety message authentication protocol for VANETs | |
| EP3637672A1 (en) | V2x communication device and secured communication method thereof | |
| Bao et al. | A lightweight authentication and privacy-preserving scheme for VANETs using TESLA and Bloom Filters | |
| CN112752236B (en) | A blockchain-based networked vehicle authentication method, device and storage medium | |
| CN109362062B (en) | Anonymous authentication system and method for VANETs based on ID-based group signature | |
| CN103051726A (en) | System and method for transmitting VANET (vehicle ad hoc network) safety information aggregate based on RSU (Remote Subscriber Unit) | |
| CN110677256B (en) | VPKI-based VANETs pseudonym revocation system and method | |
| US20200336908A1 (en) | V2x communication device and secured communication method therefor | |
| Tangade et al. | Scalable and privacy-preserving authentication protocol for secure vehicular communications | |
| Houmer et al. | Secure authentication scheme for 5g-based v2x communications | |
| WO2021196043A1 (en) | Secure communication method and apparatus | |
| CN105978883A (en) | Large-scale IoV security data acquisition method | |
| Chavhan et al. | Edge-enabled blockchain-based V2X scheme for secure communication within the smart city development | |
| Xu et al. | A secure and efficient message authentication scheme for vehicular networks based on LTE-V |
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder | Address after:100191 No. 40, Haidian District, Beijing, Xueyuan Road Patentee after:CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY Patentee after:BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd. Address before:100191 No. 40, Haidian District, Beijing, Xueyuan Road Patentee before:CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY Patentee before:BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd. | |
| CP01 | Change in the name or title of a patent holder | ||
| TR01 | Transfer of patent right | Effective date of registration:20211227 Address after:400040 No. 35, Jinghe Road, Huxi street, high tech Zone, Shapingba District, Chongqing Patentee after:Datang Gaohong Zhilian Technology (Chongqing) Co.,Ltd. Address before:100191 No. 40, Haidian District, Beijing, Xueyuan Road Patentee before:CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY Patentee before:BEIJING GOHIGH DATA NETWORKS TECHNOLOGY Co.,Ltd. | |
| TR01 | Transfer of patent right | ||
| CP03 | Change of name, title or address | Address after:Room 505, 5th Floor, Building 2, No. 299 Kexue Avenue, Zengjia Town, High tech Zone, Jiulongpo District, Chongqing, China 400040 Patentee after:CITIC Technology Zhilian Technology Co.,Ltd. Country or region after:China Address before:400040 No. 35, Jinghe Road, Huxi street, high tech Zone, Shapingba District, Chongqing Patentee before:Datang Gaohong Zhilian Technology (Chongqing) Co.,Ltd. Country or region before:China | |
| CP03 | Change of name, title or address |