Summary of the invention
The object of the present invention is to provide a kind of safety that can be improved communication authentication between client terminal and charging unit,Avoid loss using the client terminal of security mechanism and the communication authentication method of charging unit.
In order to achieve the above objectives, the technical solution adopted by the present invention is that:
It is a kind of using the client terminal of security mechanism and the communication authentication method of charging unit, this method are as follows: client terminalThe final ciphertext at least partly by the unique corresponding public key encryption of the client terminal is sent to charging unit by Internet of Things net mode,The client terminal information whether legal by request content that Internet of Things net mode receives charging unit forwarding, thus completeAt communication authentication process;
Wherein, the final ciphertext includes the unique SID of the client terminal and the request content;The charging unitThe final ciphertext is transmitted to the server of its connection, the server by the SID uniquely decrypt by corresponding private keyThe final ciphertext simultaneously judges whether the request content is legal, and the whether legal information of request content is sent to described fillElectric installation;When the client terminal is to the server registration, by the corresponding SID for generating the client terminal of the server,The public key, the private key, the SID of the client terminal, the public key are sent to the client terminal, institute by the serverIt states private key to be stored in the server, for communication authentication process use.
In above scheme, the unique SID of client terminal and request time stamp, charge request content use the public keyEncryption forms level-one ciphertext, and the level-one ciphertext is spliced to form the final ciphertext with the unique SID of the client terminal again;
The server splits out the SID spliced in the final ciphertext and finds the unique corresponding private of the SIDKey decrypts the level-one ciphertext by the private key and obtains the request time and stabs, and the server is by the timestamp of its ownIt is compared with request time stamp and judges whether the request content is legal.
Preferably, allow when the phase difference of request time stamp and the timestamp of the server itself in threshold value δIn range, then judge that the request content is legal.
Preferably, the client terminal will be in the SID of plaintext character, request time stamp, the charge requestAfter appearance is converted to plaintext byte stream, level-one ciphertext is formed using the public key encryption;
After the plaintext byte circulation that the server will decrypt the level-one ciphertext acquisition is changed to plaintext character, described in acquisitionSID, request time stamp, the charge request content.
The Internet of Things net mode is the communication mode using any one communication protocol in NFC, bluetooth, zigbee, 433M.
It is a kind of using the client terminal of security mechanism and the communication authentication method of charging unit, this method are as follows: charging unitBy Internet of Things net mode receive that client terminal sends at least partly by the final of the unique corresponding public key encryption of the client terminalAfter ciphertext, it is transmitted to server, the charging unit is forwarded to the client terminal by the server by Internet of Things net modeThe whether legal information of the request content obtained, to complete communication authentication process;
Wherein, the final ciphertext includes the unique SID of the client terminal and the request content;The server is logicalCrossing the SID, uniquely corresponding private key decrypts the final ciphertext and judges whether the request content is legal, and will requestThe whether legal information of content is sent to the charging unit;When the client terminal is to the server registration, by the clothesBe engaged in corresponding SID, the public key, the private key for generating the client terminal of device, the SID of the client terminal, the public key byThe server is sent to the client terminal, and the private key is stored in the server, for the communication authentication processIt uses.
In above scheme, the unique SID of client terminal and request time stamp, charge request content use the public keyEncryption forms level-one ciphertext, and the level-one ciphertext is spliced to form the final ciphertext with the unique SID of the client terminal again;
The server splits out the SID spliced in the final ciphertext and finds the unique corresponding private of the SIDKey decrypts the level-one ciphertext by the private key and obtains the request time and stabs, and the server is by the timestamp of its ownIt is compared with request time stamp and judges whether the request content is legal.
Preferably, allow when the phase difference of request time stamp and the timestamp of the server itself in threshold value δIn range, then judge that the request content is legal.
Preferably, the client terminal will be in the SID of plaintext character, request time stamp, the charge requestAfter appearance is converted to plaintext byte stream, level-one ciphertext is formed using the public key encryption;
After the plaintext byte circulation that the server will decrypt the level-one ciphertext acquisition is changed to plaintext character, described in acquisitionSID, request time stamp, the charge request content.
The Internet of Things net mode is the communication mode using any one communication protocol in NFC, bluetooth, zigbee, 433M.
Due to the above technical solutions, the present invention has the following advantages over the prior art: the present invention utilizes clientThe unique SID of terminal, public key, key realize the communication authentication between client terminal and charging unit, solve server withAnd charging unit to client terminal authentication the problem of, the safety problem of transmission and legacy protocol process it is cumbersome, speedThe slower problem of rate, safety with higher are more advantageous to user and obtain good experience.
Embodiment one: as shown in Fig. 1 by user terminal (usually mobile phone), charging unit (charging pile) and serverThe electrically-charging equipment of composition needs user to pass through client before user is connect by client terminal with charging unit and to be chargedTerminal is registered.Register flow path is as shown in Fig. 2, since client terminal often uses mobile phone, register flow path are as follows:
1) user inputs telephone number in client terminal, and is sent to server;
2) server requests to send identifying code to Short Message Service Gateway;
3) identifying code is sent to client terminal by Short Message Service Gateway;
4) after client terminal receives the short message containing identifying code, identifying code is sent to server;
5) identifying code that server is sent according to client terminal completes verifying, and it is unique corresponding for new user to create itSID(Secure ID) and public private key pair (Kpub(Public Key) and Kpri(Private Key)), and by SID and public key KpubIt is sent to client terminal, and private key KpriIt then saves in the server.
In the above process, in order to guarantee the safety of Internet of Things Network Communication, with user orientation server submit application for registration stage,Design a unique user identification code SID for identification for different user, and be different from normal registration process itIt is in server is the RSA public private key pair that each user generates a 2048 new bit, is used for subsequent user identityThe encryption and decryption of certification and Content of Communication.
In order to guarantee the confidentiality of user information, server can carry out SHA-1 encryption according to the cell-phone number of user, generate 20The SID of a byte, the convenient phone number for not obtained user easily by malicious attacker in message transmitting procedure.SHA-1 addsClose process is as shown in Fig. 3, and SHA-1 one cycle iterative process is illustrated in diagram: A, B, C, D and E are the blocks of 32bit;F isNon-linear variable;N=5 in < < < n(figure, 30) show the digit of ring shift left, iterative process n is different each time;WtIt is thisTake turns the extension information word of t;KtIt is the circulation constant of epicycle t;Right side field word frame indicates to increase by 32 powers of mould 2 in figure.It is inputtingEnd input user mobile phone number, encrypts by SHA-1 after carrying out cover, piecemeal, generates the SID of 20 bytes.SHA-1 Encryption AlgorithmIt is irreversible, anti-collision, and there is good avalanche effect, so by the SID of the encrypted generation of SHA-1 as userTransmission of the information between client terminal and server has good confidentiality.Calculate user's using SHA-1 in the present inventionSummary info not only can guarantee that the SID that different user information generates was different, but also can guarantee in the case where SID leakage, Yong HuxinBreath will not be compromised, so that user be allowed to enjoy higher safety guarantee.
RSA is current most influential public key encryption algorithm, it can resist up to the present known mostCryptographic attack is recommended as public key data encryption standard by ISO.Server firstly generates a pair of 2048 RSA according to SIDKey, one of them is privacy key, also referred to as private key, is saved by server;Another is public-key cryptography, can external disclosure,Also referred to as public key sends jointly to user's client terminal together with SID by server and saves.RSA Algorithm is a kind of asymmetricCryptographic algorithm, it is so-called asymmetric, just refer to that the algorithm needs a pair of secret keys, using one of encryption, then needs to use anotherIt could decrypt.In server end, RSA public private key pair is produced using OPENSSL:
L generates private key: openssl genrsa-out privatekey.key 2048
L corresponds to public key: openssl rsa-in privatekey.key-pubout-out pubkey.key
Use RSA(asymmetric encryption), rather than AES(symmetric cryptography), it is to be obtained since symmetric cryptography decruption key is identicalTake one kind of wherein encryption key or decruption key that can crack and forge all data, very not for data transmission securityBenefit.So choosing RSA as the encryption method in data transmission, and set private key and be merely stored on server, can preventExisting identity forgery problem (being more common in man-in-the-middle attack) after the leakage of one side's key.
After completing above-mentioned register flow path, it can be communicated by client terminal with charging unit, it is between the two when completingCommunication authentication after, i.e., implementable specific charging instruction.
It is a kind of using the client terminal of security mechanism and the communication authentication method of charging unit, for client terminal,This method are as follows: client terminal is sent at least partly to charging unit by the unique corresponding public affairs of the client terminal by Internet of Things net modeThe final ciphertext of key encryption, the client terminal letter whether legal by the request content of Internet of Things net mode reception charging unit forwardingBreath, to complete communication authentication process.And for charging unit, this method are as follows: a kind of client using security mechanism is wholeThe communication authentication method at end and charging unit, this method are as follows: charging unit receives what client terminal was sent by Internet of Things net modeAt least partly by the client terminal uniquely final ciphertext of corresponding public key encryption after, be transmitted to server, charging unit passes throughThe whether legal information of the request content that Internet of Things net mode is obtained to client terminal forwarding by server, to complete communication authenticationProcess.In the above method, final ciphertext includes the unique SID of client terminal and request content;Charging unit turns final ciphertextThe server of its connection is issued, uniquely corresponding private key to decrypt final ciphertext and judges that request content is to server by SIDIt is no legal, and the whether legal information of request content is sent to charging unit;When client terminal is to server registration, by servicingCorresponding SID, public key, the private key for generating client terminal of device, the SID of client terminal, public key are sent to client terminal by server, privateKey saves in the server, for the use of communication authentication process.Here Internet of Things net mode be using NFC, bluetooth, zigbee,The communication mode of any one communication protocol in 433M.
The detailed process of this method is as shown in Fig. 4, comprising the following steps:
1) client terminal is established Internet of Things with charging unit and is connect;
2) after connection is established, charging unit sends OK instruction, and notice client terminal can send order;
3) client terminal uses public key, and SID, current request time are stabbed TS(Time Stamp) and charge request contentCT(Content splice after) encrypting with SID, obtained data are passed through to the connection of Internet of Things communication module, be sent to charging dressIt sets;
4) user data is transmitted to server judgement (passing through HTTPS) by network connection by charging unit;
5) server finds respective private keys according to SID, to data deciphering, stabs TS according to request time and judges having for data packetEffect property/legitimacy (preventing Replay Attack);
6) if request of data is invalid/and it is illegal, server, which is sent, requests invalid response;If request is effective/legal,Server returns to the effective response of request;
7) charging unit executes corresponding operating, and returns result to client terminal.
In the step 3) of the above process, the unique SID of client terminal is adopted with request time stamp TS, charge request content CTWith public key KpubEncryption forms level-one ciphertext Kpub(SID, TS, CT), level-one ciphertext Kpub(SID, TS, CT) is whole with client againUnique SID is held to be spliced to form final ciphertext SID | Kpub(SID, TS, CT).Wherein, client terminal is by plaintext characterAfter SID, request time stamp TS, charge request content CT are converted to plaintext byte stream, using public key KpubEncryption forms level-one ciphertextKpub(SID, TS, CT), as shown in Fig. 5.And in step 5), server splits out final ciphertext SID | Kpub(SID, TS,CT the SID that is spliced in) simultaneously finds the SID uniquely corresponding private key Kpri, pass through private key KpriDecrypt level-one ciphertext Kpub(SID,TS, CT) obtain request time stamp TS.Wherein, server will decrypt level-one ciphertext KpubThe plaintext word that (SID, TS, CT) is obtainedAfter throttling is converted to plaintext character, SID, request time stamp TS, charge request content CT are obtained, as shown in Fig. 5.Server willThe timestamp of its own and request time stamp TS are compared and are judged whether request content legal, upon request between stab and serverThe phase difference of the timestamp of itself then judges that request content is legal in the range of threshold value δ allows.
User is securely communicated by the Internet of Things communication module in client terminal with charging unit, can ensure that user believesThe safety of breath, it is ensured that the confidentiality and integrity of entire communication process.Firstly, user opens the Internet of Things Network Communication mould of client terminalBlock (the Internet of Things communication module of client terminal is managed at which to work under the control of device), searches neighbouring charging unit, carries out(the Internet of Things communication module of charging unit works under the control of its CPU, and CPU can also connect Wi-Fi mould for Internet of Things connectionBlock, charging unit and server are connected by HTTPS mode), if successful connection, client terminal, which can obtain, to be filledThe title of electric installation equipment and address can be communicated, as shown in Fig. 6.
In terms of above-mentioned communication authentication method essentially consists in the advantage of safety following four:
1, subscriber authentication
The SID decrypted is compared server with the SID splitted out before, if it does, showing to be transmitted acrossCheng Anquan, ciphertext are not held as a hostage, and are believable.
2, Brute Force is prevented
2048bit RSA is the one kind for the safest cipher mode being currently known, if using the calculating being currently knownMode, it is impossible to the communication key of client and server is obtained by the way of Brute Force, 2048bit RSA is also armyWith a kind of cipher mode common in communication.
3, Replay Attack is prevented
It include current time stamp TS in encrypted fields during link transmission, data are passed by Internet of Things communication moduleIt is defeated to arrive charging unit, then server is issued after server decryption by charging unit and obtains the timestamp in field, and with itselfTimestamp compares, if the two difference is no more than threshold values δ (δ is determined by network delay and Internet of Things transmission rate), judgesFor valid data;It otherwise, is invalid data (attack data).
4, man-in-the-middle attack is prevented
The core of man-in-the-middle attack is to need to establish connection respectively with client and charging unit, and can decrypt after connectingThe communication key of both sides has used RSA public key encryption for such attack, and go-between can not decrypt, altered data, can notForged identity, so attack is invalid.
The communication authentication method is that each user generates different public private key pairs in registration phase, even if because poleSituation is held, the leakage of single user's public key will not influence the communication security of other users.Even if client public key leaks, go-betweenPrivate key (be stored in server-side, and be not handed down to user) can not be obtained, so the server-side that can not also disguise oneself as, steals user's letterBreath.
In general, in order to guarantee the communication security in charging process, charging unit carry out charging operations when needed forCommunication authentication step are as follows: click client terminal open Internet of Things communication module --- being attached with charging unit --- connectCharge request --- charging unit is uploaded to user identity and charge request data by network for client terminal initiation after success--- server carries out authentication --- sending instructions under after success to charging unit ---, and user opens charging operations to server.From above step as can be seen that can also pass through Internet of Things when user cannot pass through network and communicate with charging unitCommunication module carries out communication and subsequent operation, and process is not only simple, speed is fast, but also safety is stronger, is more advantageous to userObtain good experience.The communication authentication method can be successfully applied on the electrically-charging equipment based on cloud platform, can allow new energySource user vehicle is securely communicated by Internet of Things communication module and charging unit, charge confirmation and charging operations.
The above embodiments merely illustrate the technical concept and features of the present invention, and its object is to allow person skilled in the artScholar cans understand the content of the present invention and implement it accordingly, and it is not intended to limit the scope of the present invention.It is all according to the present inventionEquivalent change or modification made by Spirit Essence, should be covered by the protection scope of the present invention.