技术领域Technical Field
本申请涉及物联网技术领域,尤其涉及一种熵服务的方法及相关产品。更具体地,本申请涉及用于车辆面向服务架构(SOA)的熵即服务(EAAS)。The present application relates to the field of Internet of Things technology, and more particularly to a method and related products for providing entropy services. More specifically, the present application relates to entropy as a service (EAAS) for vehicle service-oriented architecture (SOA).
背景技术Background technique
现代车辆由数百个电子控制单元(ECU)组成,具有车辆到设备、车辆到车辆、车辆到基础设施等多个外部通信接口。此外,ECU之间的车载网络诸如区域网络(CAN)、Lin、Flexray、以太网等使系统更加复杂。车辆与外部接口和车载组件之间的安全通信需要具备鲁棒性。通信必须使用适当的安全机制来提供实体之间交换的消息/数据的机密性、真实性和完整性。Modern vehicles consist of hundreds of electronic control units (ECUs) with multiple external communication interfaces such as vehicle-to-device, vehicle-to-vehicle, and vehicle-to-infrastructure. In addition, in-vehicle networks such as CAN, Lin, Flexray, Ethernet, etc. between ECUs make the system more complex. Secure communication between the vehicle and external interfaces and in-vehicle components needs to be robust. The communication must use appropriate security mechanisms to provide confidentiality, authenticity, and integrity of messages/data exchanged between entities.
每个密码函数/机制所提供的安全性都依赖于底层的基本功能——随机数生成。随机数用作nonces、初始化向量、会话标识符,也用作密钥生成的基本材料,例如传输层安全(TLS)/Diffie-Hellman(DH)/Rivest–Shamir–Adleman(RSA)等,以及身份验证。The security provided by every cryptographic function/mechanism relies on the underlying basic function - random number generation. Random numbers are used as nonces, initialization vectors, session identifiers, and are also used as the basic material for key generation, such as Transport Layer Security (TLS)/Diffie-Hellman (DH)/Rivest–Shamir–Adleman (RSA), etc., as well as authentication.
因此,符合美国国家标准与技术研究所(NIST)标准的加密安全随机数生成对于向车辆ECU和相关安全协议(车对万物(V2X)、车载等)提供鲁棒安全性非常重要。Therefore, cryptographically secure random number generation that complies with the National Institute of Standards and Technology (NIST) standards is very important to provide robust security to vehicle ECUs and related security protocols (Vehicle-to-Everything (V2X), on-board, etc.).
提供该背景信息是为了揭示申请人认为可能与本申请相关的信息,但并非必然意图,也不应理解为任何前述信息构成针对本公开的现有技术。This background information is provided to reveal information that the applicant believes may be relevant to the present application, but it is not necessarily intended, nor should it be construed, that any of the aforementioned information constitutes prior art against the present disclosure.
发明内容Summary of the invention
有鉴于此,为了解决上述问题,本申请提供一种信号处理记录方法及相关产品,以实现一种服务记录BLE物理层特征的架构框架。In view of this, in order to solve the above problems, the present application provides a signal processing recording method and related products to implement an architectural framework for serving and recording BLE physical layer characteristics.
前述和其他目的通过独立权利要求的主题实现。进一步的实施方式在从属权利要求、具体说明和附图中显而易见。The foregoing and other objects are achieved by the subject-matter of the independent claims. Further embodiments are evident from the dependent claims, the detailed description and the drawings.
本申请第一方面涉及一种熵服务的方法,包括:第一设备与第二设备建立第一通信通道;所述第一设备通过所述第一通信通道从所述第二设备接收用于请求加入所述第一设备提供的熵服务的事件组的订阅请求消息;所述第一设备校验所述第二设备的资格;如果所述校验通过,则所述第一设备通过所述第一通信信道向所述第二设备发送熵数据。The first aspect of the present application relates to a method for entropy service, including: a first device establishes a first communication channel with a second device; the first device receives a subscription request message for requesting to join an event group of an entropy service provided by the first device from the second device through the first communication channel; the first device verifies the qualifications of the second device; if the verification passes, the first device sends entropy data to the second device through the first communication channel.
在所述第一方面的一种可能的实现方式中,在所述第一设备与第二设备建立第一通信通道之前,所述方法还包括:所述第一设备与第三设备建立第二通信通道;所述第一设备通过所述第二通信信道向所述第三设备发送用于在所述第三设备上注册所述熵服务的注册消息;所述第一设备通过所述第二通信通道接收来自所述第三设备的第二确认消息,所述第二确认消息指示所述第一设备提供的熵服务在所述第三设备注册成功。In a possible implementation of the first aspect, before the first device establishes a first communication channel with the second device, the method also includes: the first device establishes a second communication channel with a third device; the first device sends a registration message for registering the entropy service on the third device to the third device through the second communication channel; the first device receives a second confirmation message from the third device through the second communication channel, and the second confirmation message indicates that the entropy service provided by the first device is successfully registered on the third device.
在所述第一方面的一种可能的实现方式中,所述注册消息携带所述熵服务的服务ID、所述熵服务的服务实例ID、所述熵服务的描述字符串、所述熵服务的服务事件组ID、所述熵服务的状态以及所述第一设备的公钥。In a possible implementation of the first aspect, the registration message carries the service ID of the entropy service, the service instance ID of the entropy service, the description string of the entropy service, the service event group ID of the entropy service, the status of the entropy service, and the public key of the first device.
在所述第一方面的一种可能的实现方式中,所述注册消息还携带服务主版本、服务次版本、服务器主机ID、所述第一设备的互联网协议IP地址、所述第一设备的端口号、服务应用ID,以及用于在所述第一设备和所述第三设备之间建立第二通信信道且从所述第三设备获取的的第二会话ID。In a possible implementation of the first aspect, the registration message also carries a service major version, a service minor version, a server host ID, an Internet Protocol IP address of the first device, a port number of the first device, a service application ID, and a second session ID used to establish a second communication channel between the first device and the third device and obtained from the third device.
在所述第一方面的一种可能的实现方式中,所述熵服务的服务ID、所述熵服务的服务实例ID、所述熵服务的描述字符串、所述熵服务的服务事件组ID、所述熵服务的状态,所述第一设备的公钥是所述第一设备从自身的非易失性存储器(NVM)中获取的。In a possible implementation of the first aspect, the service ID of the entropy service, the service instance ID of the entropy service, the description string of the entropy service, the service event group ID of the entropy service, the status of the entropy service, and the public key of the first device are obtained by the first device from its own non-volatile memory (NVM).
在所述第一方面的一种可能的实现方式中,所述服务主版本、所述服务次版本、所述服务器主机ID、所述第一设备的互联网协议IP地址、所述第一设备的端口号、所述服务应用ID以及用于在所述第一设备和所述第三设备之间建立第二通信信道且从所述第三设备获取的第二会话ID,是所述第一设备从自身的非易失性存储器(NVM)中获取的。In a possible implementation of the first aspect, the service major version, the service minor version, the server host ID, the Internet Protocol IP address of the first device, the port number of the first device, the service application ID, and a second session ID used to establish a second communication channel between the first device and the third device and obtained from the third device are obtained by the first device from its own non-volatile memory (NVM).
在所述第一方面的一种可能的实现方式中,所述第一设备和所述第二设备为同一车辆中的不同电子控制单元。由于所述第一设备(可以是服务器)和所述第二设备(可以是客户端)在同一车辆中,因此,作为熵源的所述第一设备总是可用的。In a possible implementation of the first aspect, the first device and the second device are different electronic control units in the same vehicle. Since the first device (which may be a server) and the second device (which may be a client) are in the same vehicle, the first device as an entropy source is always available.
在所述第一方面的一种可能的实现形式中,所述第一设备和所述第二设备均基于可扩展的面向服务的中间件IP协议标准实现。In a possible implementation form of the first aspect, both the first device and the second device are implemented based on an extensible service-oriented middleware IP protocol standard.
在所述第一方面的一种可能的实现方式中,所述熵服务用于随机数生成。In a possible implementation manner of the first aspect, the entropy service is used for random number generation.
在所述第一方面的一种可能的实现方式中,所述方法基于车载网络(车辆域)实现。In a possible implementation manner of the first aspect, the method is implemented based on a vehicle network (vehicle domain).
本申请第二方面涉及一种熵服务的方法,包括:A second aspect of the present application relates to a method for entropy service, comprising:
第二设备与第一设备建立第一通信通道;所述第二设备根据业务数据,通过所述第一通信通道发送请求加入所述第一设备提供的熵服务的事件组的订阅请求消息;所述第二设备通过所述第一通信信道从所述第一设备接收熵数据。The second device establishes a first communication channel with the first device; the second device sends a subscription request message through the first communication channel requesting to join the event group of the entropy service provided by the first device based on business data; the second device receives entropy data from the first device through the first communication channel.
在第二方面的一种可能的实现方式中,在所述第二设备根据业务数据通过所述第一通信通道发送请求加入所述第一设备提供的熵服务的事件组的订阅请求消息之前,所述方法还包括:所述第二设备从第三设备获取所述业务数据,所述业务数据包括所述熵服务的服务标识ID、所述熵服务的服务实例ID、所述熵服务的服务事件组ID、所述第一设备的公钥,以及用于建立所述第一通信通道的所述第一设备的IP地址和所述第一设备的端口号。In a possible implementation of the second aspect, before the second device sends a subscription request message requesting to join the event group of the entropy service provided by the first device through the first communication channel according to the business data, the method also includes: the second device obtains the business data from a third device, and the business data includes the service identification ID of the entropy service, the service instance ID of the entropy service, the service event group ID of the entropy service, the public key of the first device, and the IP address of the first device used to establish the first communication channel and the port number of the first device.
在第二方面的一种可能的实现方式中,所述第二设备从第三设备获取所述业务数据,包括:所述第二设备与所述第三设备建立第三通信通道;所述第二设备根据预定义的数据生成查询所述熵服务的查询消息;所述第二设备通过所述第三通信信道向所述第三设备发送所述查询消息;所述第二设备通过所述第三通信通道从所述第三设备接收所述业务数据。In a possible implementation of the second aspect, the second device obtains the business data from a third device, including: the second device establishes a third communication channel with the third device; the second device generates a query message for querying the entropy service according to predefined data; the second device sends the query message to the third device through the third communication channel; the second device receives the business data from the third device through the third communication channel.
在第二方面的一种可能的实现方式中,所述第二设备通过所述第三通信通道从所述第三设备接收所述业务数据,包括:所述第二设备通过所述第三通信通道接收携带来自所述第三设备的所述业务数据的第三确认消息,所述第三确认消息指示所述第三设备成功获取所述业务数据。In a possible implementation of the second aspect, the second device receives the business data from the third device through the third communication channel, including: the second device receives a third confirmation message carrying the business data from the third device through the third communication channel, and the third confirmation message indicates that the third device successfully obtains the business data.
在所述第二方面的一种可能的实现方式中,所述预定义数据包括从所述第三设备获取的所述第三通信信道的第三会话ID、所述熵服务的描述字符串、所述熵服务的服务事件组ID。In a possible implementation manner of the second aspect, the predefined data includes a third session ID of the third communication channel obtained from the third device, a description string of the entropy service, and a service event group ID of the entropy service.
在所述第二方面的一种可能的实现方式中,所述预定义数据包括所述熵服务的服务ID和所述熵服务的服务实例ID。In a possible implementation manner of the second aspect, the predefined data includes a service ID of the entropy service and a service instance ID of the entropy service.
在第二方面的一种可能的实现方式中,所述第二设备通过所述第一通信通道从所述第一设备接收熵数据之后,所述方法还包括:所述第二设备使用所述熵数据进行随机数生成。In a possible implementation manner of the second aspect, after the second device receives entropy data from the first device through the first communication channel, the method further includes: the second device generates a random number using the entropy data.
在第二方面的一种可能的实现形式中,所述方法基于车载网络(车辆域)实现。In a possible implementation form of the second aspect, the method is implemented based on an in-vehicle network (vehicle domain).
本申请第三方面涉及一种熵服务的方法,包括:A third aspect of the present application relates to a method for entropy service, comprising:
第三设备与第一设备建立第二通信通道;The third device establishes a second communication channel with the first device;
所述第三设备通过所述第二通信信道从所述第一设备接收用于在所述第三设备上注册所述熵服务的注册消息;The third device receives, from the first device through the second communication channel, a registration message for registering the entropy service on the third device;
所述第三设备校验所述第一设备的资格;The third device verifies the qualification of the first device;
若所述校验通过,则所述第三设备通过所述第二通信通道向所述第一设备发送第二确认消息,所述第二确认消息指示所述第一设备提供的熵服务在所述第三设备注册成功。If the verification passes, the third device sends a second confirmation message to the first device through the second communication channel, and the second confirmation message indicates that the entropy service provided by the first device is successfully registered in the third device.
在所述第三方面的一种可能的实现方式中,所述第三设备为不同于所述第一设备和所述第二设备的电子控制单元ECU。In a possible implementation manner of the third aspect, the third device is an electronic control unit ECU different from the first device and the second device.
在所述第三方面的一种可能的实现方式中,所述注册消息携带所述第一设备的公钥,所述第二确认消息包括服务注册中心信息和服务注册中心签名;所述若所述校验通过,所述第三设备通过所述第二通信通道向所述第一设备发送第二确认消息,包括:所述第三设备生成服务注册中心数据;所述第三设备根据所述服务注册数据和所述第一设备的公钥获取所述服务注册中心信息;所述第三设备根据所述服务注册中心信息和所述第三设备的私钥,获取所述服务注册中心签名;如果所述校验通过,则所述第三设备通过所述第二通信信道向所述第一设备发送所述第二确认消息。In a possible implementation manner of the third aspect, the registration message carries the public key of the first device, and the second confirmation message includes service registration center information and a service registration center signature; if the verification passes, the third device sends the second confirmation message to the first device through the second communication channel, including: the third device generates service registration center data; the third device obtains the service registration center information based on the service registration data and the public key of the first device; the third device obtains the service registration center signature based on the service registration center information and the private key of the third device; if the verification passes, the third device sends the second confirmation message to the first device through the second communication channel.
在第三方面的一种可能的实现方式中,所述第二确认消息携带所述熵服务的业务ID、所述熵服务的服务实例ID和所述熵服务的服务事件组ID。In a possible implementation manner of the third aspect, the second confirmation message carries the business ID of the entropy service, the service instance ID of the entropy service, and the service event group ID of the entropy service.
在第三方面的一种可能的实现方式中,所述第三设备通过所述第三通信通道向所述第二设备传输所述业务数据,包括:In a possible implementation manner of the third aspect, the third device transmitting the service data to the second device through the third communication channel includes:
所述第三设备通过所述第三通信通道向所述第二设备发送携带有所述业务数据的第三确认消息,所述第三确认消息指示所述第三设备成功获取所述业务数据。The third device sends a third confirmation message carrying the service data to the second device through the third communication channel, and the third confirmation message indicates that the third device successfully obtains the service data.
在所述第三方面的一种可能的实现方式中,所述业务数据包括所述熵服务的服务ID、所述熵服务的服务实例ID、所述熵服务的服务事件组ID、所述熵服务的描述字符串、所述熵服务的状态、所述第一设备的端口号,所述第一设备的公钥、所述第一设备的IP地址和所述第一设备的端口号,其中,所述熵服务的服务ID、所述熵服务的服务实例ID和所述熵服务的服务事件组ID用于所述第二设备生成订阅请求消息;所述第一设备的IP地址和所述第一设备的端口号用于建立所述第一通信通道。In a possible implementation of the third aspect, the business data includes a service ID of the entropy service, a service instance ID of the entropy service, a service event group ID of the entropy service, a description string of the entropy service, a status of the entropy service, a port number of the first device, a public key of the first device, an IP address of the first device, and a port number of the first device, wherein the service ID of the entropy service, the service instance ID of the entropy service, and the service event group ID of the entropy service are used for the second device to generate a subscription request message; the IP address of the first device and the port number of the first device are used to establish the first communication channel.
在第三方面的一种可能的实现方式中,所述方法基于车载网络(车辆域)实现。In a possible implementation manner of the third aspect, the method is implemented based on a vehicle network (vehicle domain).
第四方面,涉及一种第一设备,包括:建立模块,用于与第二设备建立第一通信通道;接收模块,用于通过所述第一通信通道从所述第二设备接收用于请求加入所述第一设备提供的熵服务的事件组的订阅请求消息;校验模块,用于校验所述第二设备的资格;传输模块,用于若所述校验通过,则通过所述第一通信通道向所述第二设备传输熵数据。A fourth aspect relates to a first device, comprising: an establishment module for establishing a first communication channel with a second device; a receiving module for receiving, from the second device through the first communication channel, a subscription request message for requesting to join an event group of an entropy service provided by the first device; a verification module for verifying the qualifications of the second device; and a transmission module for transmitting entropy data to the second device through the first communication channel if the verification passes.
第五方面,涉及一种第二设备,包括:建立模块,用于与第一设备建立第一通信通道;发送模块,用于根据业务数据,通过所述第一通信通道发送请求加入所述第一设备提供的熵服务的事件组的订阅请求消息;接收模块,用于通过所述第一通信通道从所述第一设备接收熵数据。The fifth aspect relates to a second device, including: an establishing module, used to establish a first communication channel with a first device; a sending module, used to send a subscription request message requesting to join an event group of an entropy service provided by the first device through the first communication channel according to business data; and a receiving module, used to receive entropy data from the first device through the first communication channel.
第六方面,涉及一种第三设备,包括:建立模块,用于与第一设备建立第二通信通道;接收模块,用于通过所述第二通信通道从所述第一设备接收用于在所述第三设备上注册所述熵服务的注册消息;校验模块,用于校验所述第一设备的资格;发送模块,用于若所述校验通过,则通过所述第二通信通道向所述第一设备发送第二确认消息,所述第二确认消息指示所述第一设备提供的熵服务在所述第三设备注册成功。The sixth aspect relates to a third device, comprising: an establishing module for establishing a second communication channel with a first device; a receiving module for receiving a registration message for registering the entropy service on the third device from the first device through the second communication channel; a verification module for verifying the qualifications of the first device; and a sending module for sending a second confirmation message to the first device through the second communication channel if the verification passes, wherein the second confirmation message indicates that the entropy service provided by the first device is successfully registered on the third device.
第七方面,涉及一种第一设备,包括存储器、处理器、输入接口和输出接口。存储器、处理器、输入接口和输出接口通过总线系统连接。该存储器用于存储指令,该处理器用于执行该存储器存储的执行第一方面或其任意可能的实现方式中的方法的指令。A seventh aspect relates to a first device, comprising a memory, a processor, an input interface, and an output interface. The memory, the processor, the input interface, and the output interface are connected via a bus system. The memory is used to store instructions, and the processor is used to execute instructions stored in the memory for executing the method in the first aspect or any possible implementation thereof.
第八方面,涉及一种第二设备,包括存储器、处理器、输入接口和输出接口。存储器、处理器、输入接口和输出接口通过总线系统连接。该存储器用于存储指令,该处理器用于执行该存储器存储的执行上述第二方面或其任一种可能的实现方式中的方法的指令。In an eighth aspect, a second device is provided, comprising a memory, a processor, an input interface, and an output interface. The memory, the processor, the input interface, and the output interface are connected via a bus system. The memory is used to store instructions, and the processor is used to execute instructions stored in the memory for executing the method in the second aspect or any possible implementation thereof.
第九方面,涉及一种第三设备,包括存储器、处理器、输入接口和输出接口。存储器、处理器、输入接口和输出接口通过总线系统相连。该存储器用于存储指令,该处理器用于执行该存储器存储的执行上述第三方面或其任一种可能的实现方式中的方法的指令。A ninth aspect relates to a third device, comprising a memory, a processor, an input interface, and an output interface. The memory, the processor, the input interface, and the output interface are connected via a bus system. The memory is used to store instructions, and the processor is used to execute instructions stored in the memory for executing the method in the third aspect or any possible implementation thereof.
第十方面,涉及一种计算机可读存储介质,用于储存一种计算机程序,使得计算机执行上述第一方面或第二方面或第三方面的任一种可能的实现方式中的方法。The tenth aspect relates to a computer-readable storage medium for storing a computer program so that a computer executes a method in any possible implementation of the first aspect, the second aspect, or the third aspect.
第十一方面涉及一种计算机程序产品,包括使计算机执行第一方面或第二方面或第三方面的任一种可能的实现方式中的方法的计算机程序指令。The eleventh aspect relates to a computer program product, comprising computer program instructions for causing a computer to execute the method in any possible implementation manner of the first aspect, the second aspect, or the third aspect.
第十二方面,涉及一种计算机程序,所述计算机程序使得计算机执行上述第一方面或第二方面或第三方面或其任一种可能的实现方式中的方法。The twelfth aspect relates to a computer program, which enables a computer to execute the method in the above-mentioned first aspect, second aspect, or third aspect or any possible implementation thereof.
根据本申请的实施例,第一设备与第二设备之间建立第一通信通道,然后第二设备通过建立的第一通信通道发送订阅请求消息,请求订阅第一设备提供的熵服务。当从第二设备接收到预订请求消息时,第一设备校验第二设备的资格,一旦校验通过,第一设备可以向第二设备发送熵数据,所述熵数据包含第二设备以后可以用于各种操作(例如,随机数生成)的熵。作为熵源,第一设备总是可用的,第二设备因此可以在需要时随时获得熵,这在第一设备和第二设备是同一车辆中不同ECU的情况下特别有用。此外,所提出的架构简单且易于扩展,以服务于任意数量的服务。另外,与NIST提出的架构相比,本申请实施例不需要时间同步。According to an embodiment of the present application, a first communication channel is established between a first device and a second device, and then the second device sends a subscription request message through the established first communication channel, requesting to subscribe to the entropy service provided by the first device. When receiving the subscription request message from the second device, the first device verifies the qualifications of the second device. Once the verification is passed, the first device can send entropy data to the second device, and the entropy data contains entropy that the second device can use for various operations (e.g., random number generation) later. As an entropy source, the first device is always available, and the second device can therefore obtain entropy at any time when needed, which is particularly useful when the first device and the second device are different ECUs in the same vehicle. In addition, the proposed architecture is simple and easy to expand to serve any number of services. In addition, compared with the architecture proposed by NIST, the embodiment of the present application does not require time synchronization.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
以下对本申请实施例用到的附图进行介绍。The following is an introduction to the drawings used in the embodiments of the present application.
图1是相关技术中NIST的熵即服务(EAAS)架构。FIG. 1 is the NIST Entropy as a Service (EAAS) architecture in the related art.
图2a为本申请实施例提供的一种示例性的集中式EAAS架构。FIG. 2 a is an exemplary centralized EAAS architecture provided in an embodiment of the present application.
图2b为本申请实施例提供的另一种示例性的分布式EAAS架构。FIG. 2 b is another exemplary distributed EAAS architecture provided in an embodiment of the present application.
图3a和图3b示出了本申请实施例提供的熵服务的方法中的注册过程的示意性流程图。Figures 3a and 3b show a schematic flow chart of the registration process in the entropy service method provided in an embodiment of the present application.
图4a和图4b示出了本申请实施例提供的熵服务的方法中的发现过程的示意性流程图。Figures 4a and 4b show a schematic flow chart of the discovery process in the method of entropy service provided in an embodiment of the present application.
图5a和图5b示出了本申请实施例提供的熵服务的方法中的订阅过程的示意性流程图。Figures 5a and 5b show schematic flow charts of the subscription process in the method of entropy service provided in an embodiment of the present application.
图6示出了本申请实施例提供的EAAS在ECU上的一种实现方式。FIG6 shows an implementation method of EAAS on an ECU according to an embodiment of the present application.
图7是根据本公开实施例的第一设备的示意性框图。FIG. 7 is a schematic block diagram of a first device according to an embodiment of the present disclosure.
图8是根据本公开实施例的第二设备的示意性框图。FIG. 8 is a schematic block diagram of a second device according to an embodiment of the present disclosure.
图9是根据本公开实施例的服务器的示意性框图。FIG. 9 is a schematic block diagram of a server according to an embodiment of the present disclosure.
图10是根据本公开实施例的第一设备的示意性框图。FIG. 10 is a schematic block diagram of a first device according to an embodiment of the present disclosure.
图11是根据本公开实施例的第二设备的示意性框图。FIG. 11 is a schematic block diagram of a second device according to an embodiment of the present disclosure.
图12是根据本公开实施例的服务器的示意性框图。FIG. 12 is a schematic block diagram of a server according to an embodiment of the present disclosure.
具体实施方式Detailed ways
在下面的描述中,参考附图,这些附图形成本申请的一部分,并且这些附图通过说明的方式示出了本申请的实施例的具体方面或可以使用本申请的实施例的具体方面。应当理解,本申请的实施例可以用于其他方面,并且包括未在附图中描绘的结构或逻辑改变。因此,以下详细描述不应被认为是限制性的,并且本申请的范围由所附权利要求限定。In the following description, reference is made to the accompanying drawings, which form a part of the present application, and which illustrate specific aspects of the embodiments of the present application or specific aspects of the embodiments of the present application by way of illustration. It should be understood that the embodiments of the present application may be used in other aspects and include structural or logical changes not depicted in the accompanying drawings. Therefore, the following detailed description should not be considered restrictive, and the scope of the present application is defined by the appended claims.
如背景技术中所描述的,随机数生成在车辆到外部接口和车载部件之间的安全通信方面是非常重要的。然而,大多数应用或系统,包括高端系统,在熵产生和消耗管理上都存在实际的漏洞。此外,由于资源限制,许多应用可能无法访问具有真正随机性的可靠源。针对这样的挑战,解决方案是使用由外部可靠熵源提供的随机性/熵来实现稳健的安全性。应当注意,术语“随机性”和“熵”在本申请全文中可互换使用。As described in the background, random number generation is very important in secure communication between the vehicle to external interfaces and on-board components. However, most applications or systems, including high-end systems, have real vulnerabilities in entropy generation and consumption management. In addition, due to resource constraints, many applications may not have access to a reliable source of true randomness. In response to such challenges, a solution is to use randomness/entropy provided by an external reliable entropy source to achieve robust security. It should be noted that the terms "randomness" and "entropy" are used interchangeably throughout this application.
现有的用于生成熵并将熵共享给其他实体的架构是“EAAS for Web Services/IoT Architecture by the NIST”,如图1所示。在该图中,计算机图标表示其中具有硬件信任根(HRT)设备的客户机。HRT设备可以是客户机处的特定存储器,其被假定为具有高安全性,因此,存储在其中的数据(例如客户机的私钥)也是安全的。该架构中涉及的实体可以进行如下工作。An existing architecture for generating entropy and sharing it with other entities is the "EAAS for Web Services/IoT Architecture by the NIST", as shown in Figure 1. In the figure, the computer icon represents a client with a hardware root of trust (HRT) device. The HRT device can be a specific memory at the client, which is assumed to have high security, so the data stored therein (such as the client's private key) is also safe. The entities involved in the architecture can work as follows.
1.客户端系统上的专用应用(在客户端处)发起用于通过首先转向HRT设备并获取其公钥来从EAAS服务器获得熵的过程。1. A dedicated application on the client system (at the client) initiates the process for obtaining entropy from the EAAS server by first going to the HRT device and obtaining its public key.
2.专用应用使用网络时间协议(NTP)向时间服务器请求时间戳。2. The dedicated application uses the Network Time Protocol (NTP) to request a timestamp from a time server.
3.然后,专用应用经由HTTP GET调用将HRT设备的公钥发送到EAAS服务器。3. The dedicated application then sends the public key of the HRT device to the EAAS server via an HTTP GET call.
4.EAAS服务器接收请求者的公钥(即HRT设备的公钥),读取下一个可用的随机值R(si),用EAAS服务器的私钥对其签名,用当前时间加戳,并将加密值发送回客户端。4. The EAAS server receives the requester's public key (i.e., the HRT device's public key), reads the next available random value R(si), signs it with the EAAS server's private key, stamps it with the current time, and sends the encrypted value back to the client.
5.客户端上的专用应用通过超文本传输协议(HTTP)接收结果并将其发送到HRT设备。5. A dedicated application on the client receives the results via Hypertext Transfer Protocol (HTTP) and sends them to the HRT device.
6.HRT设备使用EAAS公钥验证签名,校验数据时间戳的新鲜度,使用客户端的私钥解密结果。如果签名是正确的,则随机数据被接受,并且HRT设备发出票据以允许客户端系统在以后的时间证明其已经从EAAS获得了强熵数据。6. The HRT device verifies the signature using the EAAS public key, checks the freshness of the data timestamp, and decrypts the result using the client's private key. If the signature is correct, the random data is accepted, and the HRT device issues a ticket to allow the client system to prove at a later time that it has obtained strong entropy data from the EAAS.
上述新鲜度校验旨在验证消息是新消息还是来自潜在攻击者的重放消息,每个新的时间戳指示消息发送的时间,因此新鲜度校验可以基于时间戳来进行。根据上述过程,在步骤2中,客户端获得时间戳,并且在步骤4中,EAAS服务器用当前时间对报文进行打戳,因此,在步骤6中,在接收到报文时,HRT设备可以基于在步骤2中获得的时间戳和在步骤4中由EAAS服务器打戳的当前时间来执行新鲜度校验。The above freshness check is intended to verify whether the message is a new message or a replayed message from a potential attacker. Each new timestamp indicates the time when the message was sent, so the freshness check can be performed based on the timestamp. According to the above process, in step 2, the client obtains the timestamp, and in step 4, the EAAS server stamps the message with the current time. Therefore, in step 6, when the message is received, the HRT device can perform a freshness check based on the timestamp obtained in step 2 and the current time stamped by the EAAS server in step 4.
然而,申请人发现NIST在现有的EAAS架构中可能存在一些缺陷。如上所述,HTTP用于EAAS服务器与客户端之间的通信,因此EAAS服务器与客户端之间的通信是不安全的。此外,客户端需要使用NTP向时间服务器请求时间戳以进行时间同步,这意味着客户端和服务器之间的时间同步依赖于外部源。此外,从远程无线电主动衰减过程获得的随机性(熵)是量子过程,即复杂的专用系统。因此,需要提供一个复杂度更低、安全性更高的EAAS架构。However, the applicant found that there may be some defects in the existing EAAS architecture of NIST. As mentioned above, HTTP is used for communication between the EAAS server and the client, so the communication between the EAAS server and the client is not secure. In addition, the client needs to use NTP to request a timestamp from the time server for time synchronization, which means that the time synchronization between the client and the server depends on an external source. In addition, the randomness (entropy) obtained from the remote radio active attenuation process is a quantum process, that is, a complex dedicated system. Therefore, it is necessary to provide an EAAS architecture with lower complexity and higher security.
因此,本申请提出了一种用于基于可扩展的面向服务的IP上中间件(SOMEIP)协议的面向车辆服务的体系结构的EAAS体系结构。所提出的解决方案可以容易地在任何平台中实现,如支持SOMEIP协议和以太网通信的linux、车载ECU OS、AUTOSAR栈等。本申请的实施例提供了一种在(中央)车辆ECU上部署EAAS服务器服务的方法,其具有关于在同一车辆的其他ECU上部署EAAS客户端服务和服务注册中心/服务发现的细节。此外,本申请ASO的实施例提供了一种在车辆的多个ECU上部署熵提取器服务器服务的方法以及在中央ECU托管EAAS服务器上的熵提取器客户服务的细节,以从车辆的不同噪声源获取熵/随机性。此外,本申请的实施例还定义了端到端通信保护协议,以确保基于策略/规则对在同一车辆中运行的合法客户端-服务器服务的认证和授权,以及将高质量熵比特串分配给各种ECU、安全服务和应用。Therefore, the present application proposes an EAAS architecture for an architecture for vehicle services based on a scalable service-oriented middleware on IP (SOMEIP) protocol. The proposed solution can be easily implemented in any platform, such as linux, vehicle ECU OS, AUTOSAR stack, etc. that support SOMEIP protocol and Ethernet communication. An embodiment of the present application provides a method for deploying EAAS server services on a (central) vehicle ECU, which has details about deploying EAAS client services and service registration center/service discovery on other ECUs in the same vehicle. In addition, an embodiment of the present application ASO provides a method for deploying an entropy extractor server service on multiple ECUs of a vehicle and details of the entropy extractor client service on the central ECU-hosted EAAS server to obtain entropy/randomness from different noise sources of the vehicle. In addition, an embodiment of the present application also defines an end-to-end communication protection protocol to ensure authentication and authorization of legitimate client-server services running in the same vehicle based on policies/rules, and to distribute high-quality entropy bit strings to various ECUs, security services, and applications.
在阐述本申请的技术方案之前,首先将对本申请实施例的思想和相关架构进行简单介绍。Before explaining the technical solution of the present application, the idea and related architecture of the embodiments of the present application will be briefly introduced.
本申请提供了一种用于熵服务的方法,其中可以涉及三个实体来执行该方法。可能的实体可以是提供熵服务的服务器、请求熵服务的客户机以及被称为服务注册中心(SR或SR服务)的在系统中总是处于活动状态的另一实体服务。如图2a所示的本申请实施例提供的示例性集中式EAAS架构和作为本申请实施例提供的如图2b所示的另一示例性分布式EAAS架构,在车辆与万物(V2X)场景中,服务器和客户端可以是不同的ECU,SR实际上是记录服务相关数据的数据库,在如图2a所示的集中式架构中,SR可以被实现为不同于服务器和客户端的实体,并且在如图2b所示的分布式架构中,SR可以在服务器和客户端内实现。需要说明的是,这里示出的架构仅仅是示例,而不能理解为对本申请的限制。此外,充当服务器、客户端和SR的ECU可以不一定在同一车辆上,相反,根据具体设计和要求,它们可以位于同一车辆或不同车辆上。The present application provides a method for entropy service, in which three entities may be involved to perform the method. Possible entities may be a server providing entropy service, a client requesting entropy service, and another entity service that is always active in the system, called a service registration center (SR or SR service). The exemplary centralized EAAS architecture provided by the embodiment of the present application as shown in Figure 2a and another exemplary distributed EAAS architecture as shown in Figure 2b provided as an embodiment of the present application, in the vehicle and everything (V2X) scenario, the server and the client may be different ECUs, and SR is actually a database for recording service-related data. In the centralized architecture shown in Figure 2a, SR can be implemented as an entity different from the server and the client, and in the distributed architecture shown in Figure 2b, SR can be implemented in the server and the client. It should be noted that the architecture shown here is only an example and cannot be understood as a limitation of the present application. In addition, the ECUs acting as servers, clients, and SRs may not necessarily be on the same vehicle. On the contrary, they may be located on the same vehicle or on different vehicles depending on the specific design and requirements.
熵服务的方法可以应用于如图2a和图2b所示的不同平台架构中,即如图2a所示的具有行业标准SOMEIP和ECU之间的以太网连接的集中式服务注册中心(例如Linux平台+SOMEIP、华为AOS+SOMEIP),或者如图la所示的作为具有SOMEIP和ECU之间的以太网连接的服务发现的一部分的分布式服务注册中心。下面的图2b(例如,自适应AUTOSAR+SOMEIP、GENIVI+VSOMEIP)。The approach of entropy services can be applied in different platform architectures as shown in Figures 2a and 2b, i.e., a centralized service registry with an Ethernet connection between industry standard SOMEIP and ECU as shown in Figure 2a (e.g., Linux platform + SOMEIP, Huawei AOS + SOMEIP), or a distributed service registry as part of service discovery with an Ethernet connection between SOMEIP and ECU as shown in Figure 2a below (e.g., Adaptive AUTOSAR + SOMEIP, GENIVI + VSOMEIP).
根据本申请的实施例,熵服务的方法可以分为三个阶段,包括:According to an embodiment of the present application, the entropy service method can be divided into three stages, including:
阶段1:基于服务器与SR之间的交互,熵服务的注册。服务端在提供熵服务之前,需要先在服务端注册,以便服务端在其服务列表中添加熵服务,从而使得客户端后续能够找到熵服务;Phase 1: Registration of entropy service based on the interaction between the server and SR. Before providing entropy service, the server needs to register with the server first, so that the server can add the entropy service to its service list, so that the client can find the entropy service later;
阶段2:基于客户端与SR之间的交互,发现熵服务。在该阶段,客户端可以从SR中获取业务数据,从而进一步基于该业务数据向服务端获取熵;以及Phase 2: Discovering entropy services based on the interaction between the client and the SR. In this phase, the client can obtain service data from the SR, and then further obtain entropy from the server based on the service data; and
阶段3:基于客户端与服务端之间的交互进行熵服务的订阅。在该阶段中,服务器响应于来自客户端的订阅请求而向客户端提供熵。Phase 3: Subscription to entropy service based on interaction between client and server. In this phase, the server provides entropy to the client in response to the subscription request from the client.
下面,将结合附图对熵服务的方法进行详细描述。需要说明的是,以下实施例将以集中式架构(例如,图2a所示的架构)为重点,然而,在分布式架构(例如,图2b所示的架构)中,工作原理和技术效果将类似。事实上,在面向服务的架构中,ECU将不知道服务被托管在哪里,或者服务被托管在一个ECU中,或者类似分布式被托管到所有ECU中,它们都与SR服务进行通信。用于SR的数据库可以在一些特定的ECU处托管;分布式SR意味着,每个ECU将具有运行的SR服务,且它们在后台协调。实际上,在分布式架构中,服务器仍然需要将新服务(例如,熵服务)注册到SR,以服务级别进行通信。因此,由服务器和SR完成的操作类似于在集中式架构中完成的操作。Below, the method of entropy service will be described in detail with reference to the accompanying drawings. It should be noted that the following embodiments will focus on a centralized architecture (e.g., the architecture shown in FIG. 2a ), however, in a distributed architecture (e.g., the architecture shown in FIG. 2b ), the working principles and technical effects will be similar. In fact, in a service-oriented architecture, the ECU will not know where the service is hosted, or the service is hosted in one ECU, or similarly distributed to all ECUs, and they all communicate with the SR service. The database for SR can be hosted at some specific ECUs; distributed SR means that each ECU will have a running SR service, and they coordinate in the background. In fact, in a distributed architecture, the server still needs to register new services (e.g., entropy services) to the SR to communicate at the service level. Therefore, the operations performed by the server and the SR are similar to those performed in a centralized architecture.
图3-图5是本申请实施例提供的熵服务的方法的流程示意图。其中,图3a和图3b示出了本申请实施例提供的熵服务的方法中注册过程的流程示意图,图4a和图4b示出了本申请实施例提供的熵服务的方法中发现过程的流程示意图,图5a和图5b示出了本申请实施例提供的熵服务的方法中订阅过程的流程示意图。图3a和图3b对应于前述阶段1,图4a和图4b对应于前述阶段2并且图5a和图5b对应于前述阶段3。Figures 3-5 are schematic flow charts of the method for entropy service provided in the embodiment of the present application. Among them, Figures 3a and 3b show a schematic flow chart of the registration process in the method for entropy service provided in the embodiment of the present application, Figures 4a and 4b show a schematic flow chart of the discovery process in the method for entropy service provided in the embodiment of the present application, and Figures 5a and 5b show a schematic flow chart of the subscription process in the method for entropy service provided in the embodiment of the present application. Figures 3a and 3b correspond to the aforementioned stage 1, Figures 4a and 4b correspond to the aforementioned stage 2, and Figures 5a and 5b correspond to the aforementioned stage 3.
在对本申请实施例进行详细说明之前,为了便于阅读,将先对一些数学符号进行解释说明。E(k,m)表示使用密钥k对消息m进行加密。H(.)表示对(.)中的内容的加密哈希;S(k,m)表示使用密钥k对消息m的数字签名;符号||表示级联(附加)操作。Before describing the embodiments of the present application in detail, some mathematical symbols will be explained for ease of reading. E(k, m) means encrypting message m using key k. H(.) means the encrypted hash of the content in (.); S(k, m) means the digital signature of message m using key k; the symbol || means a cascade (addition) operation.
图3a示出了第一设备和第三设备之间的交互,以图2a为例,第一设备可以是服务器,例如,图2a所示的ECU 1,第三设备可以是实现有服务注册功能的设备,例如,图2a所示的ECU 3,除此之外,在以下描述中还可以涉及第二设备,该第二设备可以是客户端,例如,图2a所示的ECU 2。Figure 3a shows the interaction between the first device and the third device. Taking Figure 2a as an example, the first device may be a server, for example, ECU 1 shown in Figure 2a, and the third device may be a device implementing a service registration function, for example, ECU 3 shown in Figure 2a. In addition, a second device may also be involved in the following description, and the second device may be a client, for example, ECU 2 shown in Figure 2a.
所述熵服务的方法包括:The method of the entropy service includes:
S301:第一设备与第二设备建立第二通信通道。S301: The first device establishes a second communication channel with the second device.
如以上描述中所解释的,SR是服务,其可以在专用主机ECU上(在集中式架构中)或者其可以作为服务在所有ECU中运行(在分布式架构中)。在以下实施例中,以前一种情况为例,即SR在另一实体中。因此,需要首先建立通信信道或连接。As explained in the above description, SR is a service that can be on a dedicated host ECU (in a centralized architecture) or it can run as a service in all ECUs (in a distributed architecture). In the following embodiments, the former case is taken as an example, that is, SR is in another entity. Therefore, a communication channel or connection needs to be established first.
为了实现第一设备向第二设备提供新业务(即熵服务),第一设备需要先在第三设备注册新业务,以便第三设备在后期向请求新业务的第二设备提供与新业务相关的信息。In order for the first device to provide a new service (ie, entropy service) to the second device, the first device needs to first register the new service with the third device so that the third device can later provide information related to the new service to the second device requesting the new service.
因此,在集中式架构中,第一设备和第三设备之间需要建立通信通道,即前述的第二通信通道。为了安全起见,第二通信信道可以是经由数据报传输层安全DTLS建立的用户数据报协议(UDP)信道或经由传输层安全TLS建立的传输控制协议(TCP)信道。Therefore, in the centralized architecture, a communication channel, i.e., the aforementioned second communication channel, needs to be established between the first device and the third device. For security reasons, the second communication channel can be a User Datagram Protocol (UDP) channel established via Datagram Transport Layer Security (DTLS) or a Transmission Control Protocol (TCP) channel established via Transport Layer Security (TLS).
在一种实现方式中,可以基于第一设备的端口号(例如,图3b中的S_Port)、第一设备的互联网协议(IP)地址(例如,图3b中的S_IP)、第三设备的端口号(例如,图3b中的SR_Port)和第三设备的IP地址(例如,图3b中的SR_IP)来建立第二通信信道。本步骤中,第一设备与第三设备相互绑定。事实上,第一设备(例如,服务器)和第三设备(例如,服务注册中心)的IP和端口用于绑定,这意味着将服务器与服务注册中心相关联以用于稍后的数据交换。这里,双方需要预先知道对方的IP地址和端口号。In one implementation, a second communication channel can be established based on the port number of the first device (e.g., S_Port in FIG. 3b ), the Internet Protocol (IP) address of the first device (e.g., S_IP in FIG. 3b ), the port number of the third device (e.g., SR_Port in FIG. 3b ), and the IP address of the third device (e.g., SR_IP in FIG. 3b ). In this step, the first device and the third device are bound to each other. In fact, the IP and port of the first device (e.g., server) and the third device (e.g., service registration center) are used for binding, which means associating the server with the service registration center for later data exchange. Here, both parties need to know the IP address and port number of the other party in advance.
在一种实现方式中,当第一设备与第三设备建立第二通信通道后,第三设备还可以与第一设备分享详情,使得第一设备可以使用分享的详情与第三设备进行通信。例如,第三设备可以共享用于到第一设备的第二通信信道的第二会话标识符(ID)(例如,图3b中的会话ID)和第二连接计数器ID(例如,图3b中的计数器ID),这些与所建立的第二通信信道相关的细节对于第一设备向第三设备发送消息/从第三设备接收消息是有用的。会话是每次当第一设备经由第二通信信道连接到第三设备直到其断开时,会话ID只是生成的唯一随机ID,并且为了安全起见对于每个新会话都是需要的。计数器ID用于跟踪连接的数量。贯穿整个描述的所有会话ID和计数器ID共享与本文所述相同的含义。In one implementation, after the first device establishes a second communication channel with the third device, the third device may also share details with the first device so that the first device can communicate with the third device using the shared details. For example, the third device may share a second session identifier (ID) (e.g., the session ID in FIG. 3b ) and a second connection counter ID (e.g., the counter ID in FIG. 3b ) for the second communication channel to the first device, and these details related to the established second communication channel are useful for the first device to send messages to/receive messages from the third device. A session is a unique random ID generated each time the first device connects to the third device via the second communication channel until it disconnects, and is required for each new session for security reasons. The counter ID is used to track the number of connections. All session IDs and counter IDs throughout the entire description share the same meaning as described herein.
在一种实现方式中,所述细节可以由第三设备使用所建立的第二通信信道通知给第一设备。In one implementation, the details may be notified to the first device by the third device using the established second communication channel.
S302:所述第一设备向所述第三设备传输用于在所述第三设备处注册所述熵服务的注册消息并且所述第三设备从所述第一设备接收所述注册消息。S302: The first device transmits a registration message for registering the entropy service at the third device to the third device, and the third device receives the registration message from the first device.
在建立第二通信信道之后,第一设备可经由第二通信信道将注册消息发射到第三设备以用于在第三设备处注册熵服务。After establishing the second communication channel, the first device may transmit a registration message to the third device via the second communication channel for registering the entropy service at the third device.
在一种实现方式中,注册消息(例如,图3b中的OfferService消息)可以携带熵服务的服务ID(例如,S_ID)、熵服务的服务实例ID(例如,S_Inst_ID)、熵服务的描述字符串(例如,S_Details_Str)、熵服务的服务事件组ID(例如,S_Evt_grp_ID)、熵服务的状态(例如,S_Status)以及第一设备的公钥(例如,图3b中的Kpub_S),上述提到的项目是熵业务的基本信息,以便后续请求熵服务的第二设备可以找到该业务并进行订阅。In one implementation, a registration message (e.g., the OfferService message in FIG. 3b ) may carry a service ID of an entropy service (e.g., S_ID), a service instance ID of an entropy service (e.g., S_Inst_ID), a description string of an entropy service (e.g., S_Details_Str), a service event group ID of an entropy service (e.g., S_Evt_grp_ID), the status of an entropy service (e.g., S_Status), and a public key of a first device (e.g., Kpub_S in FIG. 3b ), wherein the above-mentioned items are basic information of the entropy service, so that a second device that subsequently requests the entropy service can find the service and subscribe to it.
在一种实现方式中,注册消息中还可以携带其他用于更详细注册的事项。例如,注册消息可以携带服务主版本(例如,S_Maj_ver)、服务次版本(例如,S_Min_Ver)、服务器主机ID(例如,S_host_ID)、第一设备的IP地址(例如,S_IP)、第一设备的端口号(例如,S_Port,其已经绑定到第三设备的端口并且可以是第三设备上的任何可用端口号)、服务应用ID(例如,S_App_ID),以及用于在第一设备和第三设备之间建立第二通信信道且从所述第三设备获取的的第二会话ID(图3b中的会话ID)。这些可选项目可以用于更好地描述熵服务。可选项目给出关于服务的附加细节。In one implementation, the registration message may also carry other items for more detailed registration. For example, the registration message may carry a service major version (e.g., S_Maj_ver), a service minor version (e.g., S_Min_Ver), a server host ID (e.g., S_host_ID), an IP address of the first device (e.g., S_IP), a port number of the first device (e.g., S_Port, which has been bound to a port of a third device and can be any available port number on the third device), a service application ID (e.g., S_App_ID), and a second session ID (session ID in FIG. 3b ) for establishing a second communication channel between the first device and the third device and obtained from the third device. These optional items may be used to better describe the entropy service. The optional items provide additional details about the service.
在一种实现方式中,生成注册消息所需的所有这些项目都是预先配置的数据,并且可以由第一设备从其非易失性存储器(NVM)获得。In one implementation, all of these items required to generate the registration message are pre-configured data and can be obtained by the first device from its non-volatile memory (NVM).
关于注册消息的具体形式,在一种实现方式中,注册消息(例如,图3b中的OfferService消息)可以包括注册信息(例如,图3b中的E(Kpub_SR,S_Data))和注册签名(例如,图3b中的S(Kpr_S,H(E(Kpub_SR,S_Data))))。Regarding the specific form of the registration message, in one implementation, the registration message (e.g., the OfferService message in FIG. 3b ) may include registration information (e.g., E(Kpub_SR, S_Data) in FIG. 3b ) and a registration signature (e.g., S(Kpr_S, H(E(Kpub_SR, S_Data))) in FIG. 3b ).
具体的,所述注册消息可以由所述第一设备按照如下方式获取:Specifically, the registration message may be obtained by the first device in the following manner:
1)第一设备生成注册数据(例如,如图3b中的E(Kpub_SR,S_Data)中的S_Data)。1) The first device generates registration data (eg, S_Data in E(Kpub_SR, S_Data) in FIG. 3 b ).
2)第一设备根据注册数据和第三设备的公钥获取注册信息(例如,图3b中的Kpub_SR)。这里,第一设备可以使用第三设备的公钥来加密注册数据。2) The first device obtains registration information (eg, Kpub_SR in FIG. 3b ) according to the registration data and the public key of the third device. Here, the first device may use the public key of the third device to encrypt the registration data.
3)第一设备根据注册信息和第一设备的私钥(例如,图3b中的Kpr_S)。这里,第一设备可以利用第一设备的私钥对注册信息进行签名。3) The first device signs the registration information based on the registration information and the private key of the first device (eg, Kpr_S in FIG. 3 b ). Here, the first device may use the private key of the first device to sign the registration information.
4)所述第一设备将所述注册信息和所述注册签名确定为所述注册消息。4) The first device determines the registration information and the registration signature as the registration message.
如上所述,包含基本信息的S_Data可以是:As mentioned above, S_Data containing basic information can be:
S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||Kpub_S||CMD_REGS_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||Kpub_S||CMD_REG
S_Data还可以包含可选项:S_Data can also contain optional items:
S_Data=S_Maj_ver||S_Min_Ver||S_host_ID||S_IP||S_Port||S_App_ID||Session_IDS_Data=S_Maj_ver||S_Min_Ver||S_host_ID||S_IP||S_Port||S_App_ID||Session_ID
需要说明的是,用于生成注册消息的数据,即S_Data中的项,是在第一设备处预先配置的。It should be noted that the data used to generate the registration message, ie, the items in S_Data, are pre-configured at the first device.
S303:第三设备校验第一设备的资格。S303: The third device verifies the qualification of the first device.
在从第一设备接收到注册消息时,第三设备可出于安全起见校验第一设备的资格。可以通过多种方式进行校验,本申请对此不做限制。例如,第三设备将基于某种白名单进行策略校验,以查看是否允许第一设备注册新服务。When receiving the registration message from the first device, the third device may verify the qualifications of the first device for security reasons. The verification may be performed in a variety of ways, which are not limited in this application. For example, the third device may perform a policy check based on a certain whitelist to see whether the first device is allowed to register a new service.
S304:若校验通过,则所述第三设备向所述第一设备发送第二确认消息,所述第一设备接收到所述第二确认消息。S304: If the verification passes, the third device sends a second confirmation message to the first device, and the first device receives the second confirmation message.
一旦验证第一设备的资格,第三设备就可发送第二确认消息(例如,图3b中的S(Kpr_SR,H(E(Kpub_S,m)))和E(Kpub_S,m))到第一设备。Once the qualifications of the first device are verified, the third device may send a second confirmation message (eg, S(Kpr_SR, H(E(Kpub_S, m))) and E(Kpub_S, m) in FIG. 3b ) to the first device.
此处,第二确认消息可指示由第一设备提供的熵服务在第三设备处成功注册。Here, the second confirmation message may indicate that the entropy service provided by the first device is successfully registered at the third device.
应当注意,在注册失败的情况下,第三设备还可以向第一设备发送否定确认消息(NACK),或者可能连同前一次注册失败的原因一起发送,使得第一设备将发起另一次注册。It should be noted that in case of a registration failure, the third device may also send a negative acknowledgement message (NACK) to the first device, or may send it together with the reason for the previous registration failure, so that the first device will initiate another registration.
在一种实现方式中,第二确认消息包括服务注册中心信息(例如,图3b中的E(Kpub_S,m))和服务注册中心签名(例如,图3b中的S(Kpr_SR,H(E(Kpub_S,m)))。In one implementation, the second confirmation message includes service registry information (eg, E(Kpub — S , m) in FIG. 3 b ) and a service registry signature (eg, S(Kpr_SR, H(E(Kpub — S , m)) in FIG. 3 b ).
具体的,所述第二确认消息可以由所述第三设备按照如下方式获取:Specifically, the second confirmation message may be obtained by the third device in the following manner:
1)第三设备生成服务注册中心数据(例如,图3b中的E(Kpub_S,m)中的m)所示。1) The third device generates service registration center data (eg, as shown in m in E(Kpub — S ,m) in FIG. 3 b ).
2)第三设备根据服务注册中心数据和第一设备的公钥获取服务注册中心信息(例如,图3b中Kpub_S)。这里,第三设备可以使用第一设备的公钥来加密服务注册中心数据。2) The third device obtains the service registry information (eg, Kpub_S in FIG. 3 b ) according to the service registry data and the public key of the first device. Here, the third device may use the public key of the first device to encrypt the service registry data.
3)第三设备根据服务注册中心信息和第三设备的私钥(例如,图3b中的Kpr_SR)。这里,第三设备可以用第三设备的私钥对服务注册中心信息进行签名。3) The third device signs the service registration center information based on the service registration center information and the private key of the third device (eg, Kpr_SR in FIG. 3 b ). Here, the third device may sign the service registration center information using the private key of the third device.
4)所述第三设备将所述服务注册中心信息和所述服务注册中心签名确定为所述第二确认消息。4) The third device determines the service registration center information and the service registration center signature as the second confirmation message.
第二确认消息,作为注册完成的简单确认,可以简单地携带S_ID、S_Inst_ID和S_Evt_grp_ID,也就是说,第二确认消息中的m可以是S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_REG_ACK。这里,第二确认消息中携带的项目是从来自第一设备的注册消息中获得的。由于第二确认消息是来自第三设备的简单确认,即,实现有SR功能的设备,因此,它可以携带比注册消息更少的项目。The second confirmation message, as a simple confirmation of registration completion, can simply carry S_ID, S_Inst_ID and S_Evt_grp_ID, that is, m in the second confirmation message can be S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_REG_ACK. Here, the items carried in the second confirmation message are obtained from the registration message from the first device. Since the second confirmation message is a simple confirmation from the third device, that is, a device that implements the SR function, it can carry fewer items than the registration message.
在一种实现方式中,第一设备和第三设备可以在它们之间交互的每个消息中附加命令ID,接收端可以使用命令ID来标识消息的类型。这可以在与图3b相关的示例中清楚地示出。命令ID有助于识别发送端正在发送哪种类型的消息/分组内容,即,用于什么目的。例如,在步骤S302中,因此,从第一设备到第三设备的注册消息中的S_Data还包括CMD_REG字段,表示第一设备想要注册,因此,从第三设备到第一设备的第二确认消息中的m还包括CMD_REG_ACK字段,表示第一设备的注册由第三设备确认。但是,需要说明的是,第一设备和第三设备识别接收到的报文的类型还可以有其他方式,本申请实施例对此不做限定。In one implementation, the first device and the third device may attach a command ID to each message exchanged between them, and the receiving end may use the command ID to identify the type of message. This can be clearly shown in the example associated with Figure 3b. The command ID helps to identify what type of message/packet content the sender is sending, that is, for what purpose. For example, in step S302, therefore, the S_Data in the registration message from the first device to the third device also includes a CMD_REG field, indicating that the first device wants to register, and therefore, the m in the second confirmation message from the third device to the first device also includes a CMD_REG_ACK field, indicating that the registration of the first device is confirmed by the third device. However, it should be noted that there may be other ways for the first device and the third device to identify the type of received message, and the embodiments of the present application are not limited to this.
在从第三设备接收到第二确认消息之后,第一设备可进入等待状态且等待来自第二设备(例如,客户端)的预订请求。After receiving the second confirmation message from the third device, the first device may enter a waiting state and wait for a subscription request from a second device (eg, a client).
因此,图3b示出了服务器和服务注册中心之间的示例性注册过程。Therefore, FIG. 3b shows an exemplary registration process between a server and a service registry.
如图3b所示,服务器启动被称为“熵服务”的新服务。为了初始化新服务所需的一些细节,服务器从其NVM中取出预先配置的数据(用于生成注册消息或OfferService消息的数据),如服务ID、事件组ID等,以及由程序员设置的任何其他信息。系统中还会有另一个始终处于活动状态的实体服务,称为Service Registry,它保存了有关现有服务的所有信息。服务注册所需的操作顺序如下所示。。As shown in Figure 3b, the server starts a new service called "Entropy Service". In order to initialize some details required for the new service, the server takes out the pre-configured data (data used to generate the Registration message or OfferService message) from its NVM, such as service ID, event group ID, etc., and any other information set by the programmer. There will also be another entity service that is always active in the system, called Service Registry, which saves all information about existing services. The order of operations required for service registration is shown below. .
首先,服务器通过DTLS与服务注册中心建立安全UDP通道。在建立安全UDP信道时,服务注册中心生成会话ID,增量连接计数器,并与服务器共享会话ID和计数器ID。这里S_IP表示服务器的IP地址,S_Port表示服务器的端口(服务器的端口号),SR_IP表示服务注册中心的IP地址,SR_Port表示服务注册中心的端口。本步骤可以与上述步骤S301相对应。First, the server establishes a secure UDP channel with the service registry through DTLS. When establishing a secure UDP channel, the service registry generates a session ID, increments the connection counter, and shares the session ID and counter ID with the server. Here, S_IP represents the IP address of the server, S_Port represents the port of the server (the port number of the server), SR_IP represents the IP address of the service registry, and SR_Port represents the port of the service registry. This step may correspond to step S301 above.
然后,服务器发送具有内容的OfferService消息(其是前述注册消息的一种可能实现方式)可以是:Then, the server sends an OfferService message with content (which is a possible implementation of the aforementioned registration message) which may be:
E(Kpub_SR,S_Data),S(Kpr_S,H(E(Kpub_SR,S_Data))),,其中E(Kpub_SR ,S_Data),S(Kpr_S ,H(E(Kpub_SR ,S_Data))), where
S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||Kpub_S||CMD_REGS_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||Kpub_S ||CMD_REG
S_ID表示熵服务的服务ID,S_Inst_ID表示熵服务的服务实例ID,S_Details_Str表示熵服务的描述字符串,S_Evt_grp_ID表示熵服务的服务事件组ID,S_Status表示熵服务的状态(如空闲、就绪、运行、停止),Kpub_S是服务器的公钥。对于特定的服务,上述S_Inst_ID是该服务的实例ID(号码)。例如,服务可以具有同时运行的许多实例以服务许多客户端。因此所有这些实例可以具有相同的S_ID但具有不同的实例ID。S_Etv_Grp_ID是该服务类型的事件组ID。客户端在订阅时,需要指出他们想要加入哪个事件组ID。S_ID represents the service ID of the entropy service, S_Inst_ID represents the service instance ID of the entropy service, S_Details_Str represents the description string of the entropy service, S_Evt_grp_ID represents the service event group ID of the entropy service, S_Status represents the status of the entropy service (such as idle, ready, running, stopped), and Kpub_S is the public key of the server. For a specific service, the above S_Inst_ID is the instance ID (number) of the service. For example, a service can have many instances running simultaneously to serve many clients. Therefore, all these instances can have the same S_ID but different instance IDs. S_Etv_Grp_ID is the event group ID of the service type. When subscribing, clients need to indicate which event group ID they want to join.
如步骤S302所述,注册消息中可以存在一些可选项。例如,基于上述项,S_Data=S_Maj_ver||S_Min_Ver||S_host_ID||S_IP||S_Port||S_App_ID||Session_ID||CMD_REG,其中S_Maj_ver表示服务主版本,S_Min_Ver表示服务次版本,S_host_ID表示服务器主机ID,S_App_ID表示服务应用程序ID(托管该服务的应用程序),CMD_REG表示用于服务注册的命令标识符。As described in step S302, some optional items may exist in the registration message. For example, based on the above items, S_Data = S_Maj_ver||S_Min_Ver||S_host_ID||S_IP||S_Port||S_App_ID||Session_ID||CMD_REG, where S_Maj_ver indicates the service major version, S_Min_Ver indicates the service minor version, S_host_ID indicates the server host ID, S_App_ID indicates the service application ID (the application hosting the service), and CMD_REG indicates the command identifier for service registration.
然后,服务注册中心将新的服务细节添加到其数据库中,并向服务器发送第二确认消息,该第二确认消息具有以下内容:The service registry then adds the new service details to its database and sends a second confirmation message to the server with the following content:
E(Kpub_S,m),S(Kpr_SR,H(E(Kpub_S,m))),其中E(Kpub_S , m), S(Kpr_SR , H(E(Kpub_S , m))), where
m=S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_REG_ACK,其中m=S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_REG_ACK, where
这里CMD_REG_ACK是用于服务注册确认的命令标识符。Here CMD_REG_ACK is a command identifier for service registration confirmation.
当注册完成时,服务器开始侦听来自客户端输入的订阅请求。服务器可以由应用或者系统中的服务功能的范围决定在任何时间停止工作。在停止工作之后,服务可以根据需要在任何时间重新启动。When registration is complete, the server starts listening for incoming subscription requests from clients. The server can be stopped at any time depending on the scope of the service function in the application or system. After stopping, the service can be restarted at any time as needed.
一旦服务器在SR处注册熵服务,客户端就可以在他们想要的任何时间请求服务。然而,为了确保这种新服务可以被成功地体验,客户端可能需要首先发现该服务。因此,在上述阶段2可以执行发现过程,如图4a和图4b中所示。Once the server registers the entropy service at the SR, clients can request the service at any time they want. However, to ensure that this new service can be successfully experienced, the client may need to discover the service first. Therefore, the discovery process can be performed in the above-mentioned stage 2, as shown in Figures 4a and 4b.
图4a示出了第二设备与第三设备之间的交互,以图2a为例,第一设备可以是客户端,例如图2a所示的ECU 2。第三设备可以是实现有服务注册功能的设备,例如,图2a所示的ECU 3。除此之外,在以下描述中可以涉及第一设备,该第一设备可以是服务器,例如,图2a所示的ECU 1。FIG4a shows the interaction between the second device and the third device. Taking FIG2a as an example, the first device may be a client, such as ECU 2 shown in FIG2a. The third device may be a device that implements a service registration function, such as ECU 3 shown in FIG2a. In addition, the following description may involve the first device, which may be a server, such as ECU 1 shown in FIG2a.
所述熵服务的方法包括:The method of the entropy service includes:
S401:第三设备与第二设备建立第三通信通道;S401: The third device establishes a third communication channel with the second device;
第二设备和第三设备可能需要在它们之间建立第三通信信道,以便于可能的信息或消息交换。为了安全起见,第三通信通道可以是通过DTLS建立的UDP通道,也可以是通过TLS建立的TCP通道。The second device and the third device may need to establish a third communication channel between them to facilitate possible information or message exchange. For security reasons, the third communication channel can be a UDP channel established through DTLS or a TCP channel established through TLS.
与步骤S301中建立的第二通信通道类似,在一种实现方式中,可以基于第二设备的端口号(例如,图4b中的C_Port)、第二设备的IP地址(例如,图3b中的C_IP)、第三设备的端口号(例如,图3b中的SR_Port)和第三设备的IP地址(例如,图4b中的SR_IP)建立第三通信通道。在本步骤中,第二设备与第三设备相互绑定。事实上,第二设备(例如,客户端)和第三设备(例如,服务注册中心)的IP和端口用于绑定,这意味着将服务器与服务注册中心相关联以用于稍后的数据交换。这里,双方需要预先知道对方的IP地址和端口号。Similar to the second communication channel established in step S301, in one implementation, a third communication channel can be established based on the port number of the second device (e.g., C_Port in FIG. 4b ), the IP address of the second device (e.g., C_IP in FIG. 3b ), the port number of the third device (e.g., SR_Port in FIG. 3b ), and the IP address of the third device (e.g., SR_IP in FIG. 4b ). In this step, the second device and the third device are bound to each other. In fact, the IP and port of the second device (e.g., client) and the third device (e.g., service registration center) are used for binding, which means associating the server with the service registration center for later data exchange. Here, both parties need to know the IP address and port number of the other party in advance.
在一种实现方式中,当第二设备与第三设备建立第三通信通道后,第三设备还可以向第二设备分享详情,使得第二设备可以使用分享的详情与第三设备进行通信。例如,第三设备可以将用于第三通信信道的第三会话ID(例如,图4b中的会话ID)和第三连接计数器ID(例如,图4b中的计数器ID)分享给第二设备,这些与所建立的第三通信信道有关的细节对于第二设备向第三设备发送消息或从第三设备接收消息可以是有用的。会话是每次第二设备经由第三通信信道连接到第三设备直到其断开,会话ID仅仅是生成的唯一随机ID。In one implementation, after the second device establishes a third communication channel with the third device, the third device may also share details with the second device so that the second device can use the shared details to communicate with the third device. For example, the third device may share a third session ID (e.g., the session ID in FIG. 4b ) and a third connection counter ID (e.g., the counter ID in FIG. 4b ) for the third communication channel with the second device, and these details related to the established third communication channel may be useful for the second device to send messages to or receive messages from the third device. A session is each time the second device connects to the third device via the third communication channel until it disconnects, and the session ID is simply a unique random ID generated.
在一种实现方式中,所述细节可以由第三设备使用建立的第三通信信道通知给第二设备。In one implementation, the details may be notified to the second device by the third device using the established third communication channel.
S402:第二设备根据预定义数据生成用于查询熵服务的查询消息。S402: The second device generates a query message for querying the entropy service according to predefined data.
基于所建立的第三通信信道,第二设备可将查询消息(或称为查询或查询请求)发送到第三设备。查询消息用于从第三设备获取业务数据,业务数据可以包括:熵服务的业务标识ID、熵服务的服务实例ID、熵服务的服务事件组ID、第一设备的公钥、第一设备的IP地址和第一设备的端口号。第二设备后续将使用业务数据的一部分生成向第一设备发送的订阅请求消息。Based on the established third communication channel, the second device may send a query message (or referred to as a query or query request) to the third device. The query message is used to obtain service data from the third device, and the service data may include: a service identification ID of the entropy service, a service instance ID of the entropy service, a service event group ID of the entropy service, a public key of the first device, an IP address of the first device, and a port number of the first device. The second device will subsequently use a portion of the service data to generate a subscription request message sent to the first device.
该查询实际上是由第二设备进行的搜索,以便获得其稍后订阅所需的数据(业务数据)。通常,查询消息的内容可以根据第二设备处已经可用的数据(也称为预定义数据)而变化。The query is actually a search performed by the second device in order to obtain the data (service data) required for its later subscription. Typically, the content of the query message may vary depending on the data already available at the second device (also referred to as predefined data).
在一种实现方式中,对于一般搜索,预定义数据可以包括从第三设备获取的用于第三通信信道的第三会话标识(例如,Session_ID)、熵服务的描述字符串(例如,S_Details_Str)、熵服务的服务事件组标识(例如,S_Evt_grp_ID)。这可以适用于第二设备不知道熵服务的服务ID的场景,相反,它可以仅仅知道熵服务的事件组标识ID,而不是要查询哪个特定服务。因此,在这种情况下,第二设备可以基于第三会话标识、熵服务的描述字符串、熵服务的服务事件组标识进行搜索。In one implementation, for a general search, the predefined data may include a third session identifier (e.g., Session_ID) for a third communication channel obtained from a third device, a description string (e.g., S_Details_Str) of an entropy service, and a service event group identifier (e.g., S_Evt_grp_ID) of an entropy service. This may be applicable to scenarios where the second device does not know the service ID of the entropy service, but instead may only know the event group identifier ID of the entropy service, rather than which specific service to query. Therefore, in this case, the second device may search based on the third session identifier, the description string of the entropy service, and the service event group identifier of the entropy service.
在一种实现方式中,对于具体的搜索,预定义数据可以包括熵服务的服务ID(例如,S_ID)和熵服务的服务实例ID(例如,S_Inst_ID)。与一般搜索相比,当第二设备知道熵服务的服务ID和熵服务的服务实例ID时,这意味着第二设备确切地知道要寻找哪个服务,则它可以利用其ID和其实例ID来执行特定搜索。In one implementation, for a specific search, the predefined data may include a service ID (e.g., S_ID) of the entropy service and a service instance ID (e.g., S_Inst_ID) of the entropy service. Compared to a general search, when the second device knows the service ID of the entropy service and the service instance ID of the entropy service, it means that the second device knows exactly which service to look for, and it can perform a specific search using its ID and its instance ID.
对于查询消息的具体形式,在一种实现方式中,查询消息包括查询信息(例如,图4b中的E(Kpub_SR,Q_data))和查询签名(例如,图4b中的S(Kpr_C,H(E(Kpub_SR,Q_Data))))。As for the specific form of the query message, in one implementation, the query message includes query information (eg, E(Kpub_SR ,Q_data) in FIG. 4 b ) and a query signature (eg, S(Kpr_C,H(E(Kpub_SR ,Q_Data))) in FIG. 4 b ).
具体的,所述查询报文可以由所述第二设备按照如下方式获取:Specifically, the query message may be obtained by the second device in the following manner:
1)第二设备生成查询数据(例如,如图4b中的E(Kpub_SR,Q_data)中的Q_data)所示。1) The second device generates query data (eg, as shown by Q_data in E(Kpub_SR , Q_data) in FIG. 4 b ).
2)第二设备根据查询数据和第三设备的公钥(例如,图4b中的Kpub_SR)获取查询信息。这里,第二设备可以使用第三设备的公钥对查询数据进行加密。2) The second device obtains the query information according to the query data and the public key of the third device (eg, Kpub_SR in FIG. 4b ). Here, the second device may encrypt the query data using the public key of the third device.
3)第二设备根据查询信息和第二设备的私钥(例如,图4b中的Kpr_C)获取查询签名。这里第二设备可以利用第二设备的私钥对查询信息进行签名。3) The second device obtains the query signature according to the query information and the private key of the second device (eg, Kpr_C in FIG. 4 b ). Here, the second device may sign the query information using the private key of the second device.
4)所述第二设备将所述查询信息和所述查询签名确定为所述查询报文。4) The second device determines the query information and the query signature as the query message.
如上所述,一般搜索的Q_Data可以是:As mentioned above, the Q_Data for general search can be:
Q_Data=S_Details_Str||S_Evt_grp_ID||Session_ID||CMD_QUERYQ_Data=S_Details_Str||S_Evt_grp_ID||Session_ID||CMD_QUERY
特定搜索的Q_Data可以是:The Q_Data for a specific search can be:
Q_Data=S_ID||S_Inst_ID||CMD_QUERYQ_Data=S_ID||S_Inst_ID||CMD_QUERY
在一种实现方式中,第二设备和第三设备可以在它们之间交互的每个消息中附加命令ID,接收端可以使用该命令ID来标识消息的类型。这可以在与图4b相关的示例中清楚地示出。命令ID有助于识别发送端正在发送哪种类型的消息/分组内容,即,用于什么目的。例如,在步骤S402中,从第一设备到第三设备的注册消息中的Q_Data还包括CMD_QUERY字段,该CMD_QUERY字段表示第二设备想要寻找服务。但是,需要说明的是,第一设备和第三设备识别接收到的报文的类型还可以有其他方式,本申请实施例对此不做限定。In one implementation, the second device and the third device may attach a command ID to each message exchanged between them, and the receiving end may use the command ID to identify the type of message. This can be clearly shown in the example associated with Figure 4b. The command ID helps to identify what type of message/packet content the sender is sending, that is, for what purpose. For example, in step S402, the Q_Data in the registration message from the first device to the third device also includes a CMD_QUERY field, which indicates that the second device wants to find a service. However, it should be noted that there may be other ways for the first device and the third device to identify the type of received message, which is not limited in the embodiments of the present application.
S403:第二设备向所述第三设备传输查询消息,第三设备从第二设备接收该查询消息。S403: The second device transmits a query message to the third device, and the third device receives the query message from the second device.
这里,可以经由建立的第三通信信道来传输查询消息。Here, the query message may be transmitted via the established third communication channel.
S404:第三设备根据查询报文调取业务数据。S404: The third device retrieves the service data according to the query message.
在从第二设备接收到查询消息时,第三设备可以获取第二设备的对应数据。在一种实现方式中,第三设备可以从其NVM中取出业务数据。When receiving the query message from the second device, the third device may obtain the corresponding data of the second device. In one implementation, the third device may retrieve the service data from its NVM.
这里,业务数据是将要返回到第二设备的数据,其内容取决于搜索的类型。Here, the service data is data to be returned to the second device, and its content depends on the type of search.
如上所述,对于一般搜索,业务数据可以包括所有匹配的服务,并且对于每个匹配的服务,熵服务的服务ID(例如,S_ID)、熵服务的服务实例ID(例如,S_Inst_ID)、熵服务的服务事件组ID(例如,S_Evt_grp_ID)和第一设备的公钥(例如,Kpub_S)可以被包括;对于特定搜索,业务数据可以包括该特定服务,并且在这种情况下业务数据中包括的项目与一般搜索中针对每个匹配服务的项目相同。As described above, for a general search, the business data may include all matching services, and for each matching service, the service ID of the entropy service (e.g., S_ID), the service instance ID of the entropy service (e.g., S_Inst_ID), the service event group ID of the entropy service (e.g., S_Evt_grp_ID), and the public key of the first device (e.g., Kpub_S ) may be included; for a specific search, the business data may include the specific service, and in this case the items included in the business data are the same as those for each matching service in the general search.
此外,业务数据还可以包括熵服务的描述字符串(例如S_Details_Str)、熵服务的状态(例如S_Status)、第一设备的端口号(例如S_Port)、第一设备的公钥(例如Kpub_S)和第一设备的IP地址(例如,S_IP)和第一设备的端口号(例如,S_Port)。In addition, the business data may also include a description string of the entropy service (e.g., S_Details_Str), the status of the entropy service (e.g., S_Status), the port number of the first device (e.g., S_Port), the public key of the first device (e.g., Kpub_S ), the IP address of the first device (e.g., S_IP), and the port number of the first device (e.g., S_Port).
这里,熵服务的服务ID(例如,S_ID)、熵服务的服务实例ID(例如,S_Inst_ID)、熵服务的服务事件组ID(例如,S_Evt_grp_ID)和第一设备的公钥(例如,Kpub_S)可以稍后用于生成订阅请求消息(这将在下面的步骤S502中详细阐述),而第一设备的IP地址和第一设备的端口可以用于建立与第一设备的第一通信信道(这将在下面的步骤S501中详细阐述)。对于业务数据中的剩余项,即熵服务的描述字符串和熵服务的状态,这两项不会通过订阅请求消息回传给第一设备(即服务器),但是,它们可以指示熵服务的详细信息,例如,熵服务的状态会让第二设备,即客户端知道该服务是否正在运行。Here, the service ID of the entropy service (e.g., S_ID), the service instance ID of the entropy service (e.g., S_Inst_ID), the service event group ID of the entropy service (e.g., S_Evt_grp_ID), and the public key of the first device (e.g., Kpub_S ) can be used later to generate a subscription request message (this will be described in detail in step S502 below), and the IP address of the first device and the port of the first device can be used to establish a first communication channel with the first device (this will be described in detail in step S501 below). For the remaining items in the business data, namely the description string of the entropy service and the status of the entropy service, these two items will not be returned to the first device (i.e., the server) through the subscription request message, but they can indicate detailed information of the entropy service, for example, the status of the entropy service will let the second device, i.e., the client, know whether the service is running.
S405:第三设备向第二设备发送第三确认消息。S405: The third device sends a third confirmation message to the second device.
一旦第三设备已成功地取得该业务数据,第三设备可以通过第三通信信道向第二设备发送第三确认消息,该第三确认信息指示该业务数据已由该第三设备成功获取。Once the third device has successfully acquired the service data, the third device may send a third confirmation message to the second device through the third communication channel, where the third confirmation message indicates that the service data has been successfully acquired by the third device.
在一种实现方式中,第三确认消息包括服务发现信息(例如,图4b中的E(Kpub_C,m))和服务发现签名(例如,图4b中的S(Kpr_SR,H(E(Kpub_C,m)))。In one implementation, the third confirmation message includes the service discovery information (eg, E(Kpub — C , m) in FIG. 4 b ) and the service discovery signature (eg, S(Kpr — SR , H(E(Kpub — C , m)) in FIG. 4 b ).
具体的,所述第三确认消息可以由所述第三设备按照如下方式获取:Specifically, the third confirmation message may be obtained by the third device in the following manner:
1)第三设备生成服务发现数据(例如,图4b中的E(Kpub_C,m)中的m)。1) The third device generates service discovery data (eg, m in E(Kpub — C ,m) in FIG. 4 b ).
2)第三设备根据服务发现数据和第二设备的公钥(例如,图4b中的Kpub_C)获得服务发现信息。这里,第三设备可以使用第二设备的公钥来加密服务发现数据。2) The third device obtains service discovery information according to the service discovery data and the public key of the second device (eg, Kpub_C in FIG. 4 b ). Here, the third device may use the public key of the second device to encrypt the service discovery data.
3)第三设备根据服务发现信息和第三设备的私钥(例如,图4b中的Kpr_SR)获得服务发现签名。这里,第三设备可以用第三设备的私钥对服务发现信息进行签名。3) The third device obtains a service discovery signature according to the service discovery information and the private key of the third device (eg, Kpr_SR in FIG. 4 b ). Here, the third device may sign the service discovery information with the private key of the third device.
4)第三设备将服务发现信息和所述服务发现签名确定为所述第三确认消息。4) The third device determines the service discovery information and the service discovery signature as the third confirmation message.
第三确认消息是一个简单的确认,表示完成了搜索并且携带了业务数据。如上所述,对于一般搜索,业务数据可以包括所有匹配的服务,并且对于每个匹配的服务,熵服务的服务ID(例如,S_ID)、熵服务的服务实例ID(例如,S_Inst_ID)、熵服务的服务事件组ID(例如,S_Evt_grp_ID)和第一设备的公钥(例如,Kpub_S)可以被包括;对于特定搜索,业务数据可以包括该特定服务,并且在这种情况下业务数据中包括的项目与一般搜索中针对每个匹配服务的项目相同。The third confirmation message is a simple confirmation indicating that the search is completed and carries business data. As described above, for general searches, the business data may include all matching services, and for each matching service, the service ID of the entropy service (e.g., S_ID), the service instance ID of the entropy service (e.g., S_Inst_ID), the service event group ID of the entropy service (e.g., S_Evt_grp_ID), and the public key of the first device (e.g., Kpub_S ) may be included; for specific searches, the business data may include the specific service, and in this case the items included in the business data are the same as those for each matching service in the general search.
此外,如上所述,业务数据还可以包括熵服务的描述字符串(例如S_Details_Str)、熵服务的状态(例如S_Status)、第一设备的端口号(例如S_Port)以及第一设备的IP地址(例如S_IP)。前两项将不携带在订阅请求消息中(这将在步骤S502中详细阐述),后两项用于建立与第一设备的第一通信信道。In addition, as described above, the service data may also include a description string of the entropy service (e.g., S_Details_Str), a status of the entropy service (e.g., S_Status), a port number of the first device (e.g., S_Port), and an IP address of the first device (e.g., S_IP). The first two items will not be carried in the subscription request message (which will be elaborated in detail in step S502), and the latter two items are used to establish a first communication channel with the first device.
因此,对于一般的搜索,所述第三确认消息中的m可以为:Therefore, for a general search, m in the third confirmation message may be:
m=S_Data1||S_Data2…||S_Datai||CMD_QUERY_ACK||Session_ID(所有匹配的服务);m=S_Data1||S_Data2...||S_Datai||CMD_QUERY_ACK||Session_ID(all matching services);
其中S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S。Wherein S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S .
对于具体的搜索,所述第三确认消息中的m可以为:For a specific search, m in the third confirmation message may be:
m=S_Data||CMD_QUERY_ACK||Session_ID;m=S_Data||CMD_QUERY_ACK||Session_ID;
其中S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S||CMD_QUERY_ACK。Wherein S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S ||CMD_QUERY_ACK.
在一种实现方式中,第二设备和第三设备可以在它们之间交互的每个消息中附加命令ID,接收端可以使用命令ID来标识消息的类型。这可以在与图4b相关的示例中清楚地示出。命令ID有助于识别发送端正在发送哪种类型的消息/分组内容,即,用于什么目的。例如,在步骤S402中,从第二设备到第三设备的查询消息中的Q_Data还包括CMD_QUERY字段,表示第二设备想要寻找一些东西,并且在步骤S405中从第三设备到第二设备的第三确认消息中的m因此还包括CMD_QUERY_ACK字段,表示搜索由第三设备完成。但是,需要说明的是,第二设备和第三设备识别接收到的报文的类型还可以有其他方式,本申请实施例对此不做限定。In one implementation, the second device and the third device may attach a command ID to each message exchanged between them, and the receiving end may use the command ID to identify the type of message. This can be clearly shown in the example associated with Figure 4b. The command ID helps to identify what type of message/packet content the sender is sending, that is, for what purpose. For example, in step S402, the Q_Data in the query message from the second device to the third device also includes a CMD_QUERY field, indicating that the second device wants to find something, and in step S405, the third confirmation message from the third device to the second device also includes a CMD_QUERY_ACK field, indicating that the search is completed by the third device. However, it should be noted that there may be other ways for the second device and the third device to identify the type of received message, which is not limited in the embodiments of the present application.
在一种实现方式中,第二设备和第三设备可以在它们之间交互的每个消息中附加命令ID,接收端可以使用命令ID来标识消息的类型。这可以在与图4b相关的示例中清楚地示出。命令ID有助于识别发送端正在发送哪种类型的消息/分组内容,即,用于什么目的。例如,在步骤S402中,从第一设备到第三设备的注册消息中的Q_Data因此还包括CMD_S_REG字段,表示第二设备想要寻找服务。但是,需要说明的是,第一设备和第三设备识别接收到的报文的类型还可以有其他方式,本申请实施例对此不做限定。In one implementation, the second device and the third device can attach a command ID to each message exchanged between them, and the receiving end can use the command ID to identify the type of message. This can be clearly shown in the example associated with Figure 4b. The command ID helps to identify what type of message/packet content the sender is sending, that is, for what purpose. For example, in step S402, the Q_Data in the registration message from the first device to the third device therefore also includes a CMD_S_REG field, indicating that the second device wants to find a service. However, it should be noted that there may be other ways for the first device and the third device to identify the type of received message, which is not limited in the embodiments of the present application.
在接收到第三确认消息后,第二设备可存储其中所携载的数据以供稍后预订。After receiving the third confirmation message, the second device may store the data carried therein for later subscription.
因此,图4b示出了客户端和服务注册中心之间的示例性发现过程。Thus, FIG. 4b illustrates an exemplary discovery process between a client and a service registry.
如图4b所示,客户端启动服务,经由安全UDP和DTLS绑定到服务注册中心。C_IP和C_Port表示客户机的IP和端口。SR_IP和SR_Port分别指示服务注册中心的IP和Port。As shown in Figure 4b, the client starts the service and binds to the service registry via secure UDP and DTLS. C_IP and C_Port represent the IP and port of the client. SR_IP and SR_Port indicate the IP and port of the service registry, respectively.
客户端然后发送查询消息findService(前述的查询消息),内容如下:The client then sends a query message findService (the query message mentioned above) with the following content:
E(Kpub_SR,Q_data),S(Kpr_C,H(E(Kpub_SR,Q_Data)))E(Kpub_SR , Q_data), S(Kpr_C , H(E(Kpub_SR , Q_Data)))
其中对于以下两个子情况,Q_data内容将是不同的:The Q_data content will be different for the following two sub-cases:
1)情况1(一般搜索):Q_Data=S_Details_Str||S_Evt_grp_ID||Sessin_ID(查询中的这些细节中的一个或多个)1) Case 1 (General Search): Q_Data = S_Details_Str||S_Evt_grp_ID||Sessin_ID (one or more of these details in the query)
2)情况2(特定搜索):Q_Data=S_ID||S_Inst_ID2) Case 2 (specific search): Q_Data = S_ID||S_Inst_ID
服务注册中心根据不同情况回复以下内容:The service registration center will respond to the following questions based on different situations:
情况1(一般搜索):m=S_Data1||S_Data2…||S_Datai||CMD_S_REQ_ACK||Session_ID(所有匹配服务,其中S_Data如下描述)Case 1 (general search): m = S_Data1 || S_Data2 ... || S_Datai || CMD_S_REQ_ACK || Session_ID (all matching services, where S_Data is described below)
S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_SS_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S
情况2(特定搜索):m=S_Data||CMD_S_REQ_ACK||Session_ID,其中Case 2 (specific search): m = S_Data||CMD_S_REQ_ACK||Session_ID, where
S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S.S_Data=S_ID||S_Inst_ID||S_Details_Str||S_Evt_grp_ID||S_Status||S_IP||S_Port||Kpub_S .
一般检索的所有项目都是基本的。SR具备所有服务的数据库,并且每个服务具有许多特征。其中一些是基本的,被用于识别特定的服务。用于一般搜索的Q_Data是当客户端不知道什么是服务的确切的S_ID和S_Inst_ID,但是知道服务的描述S_Details_Str和组ID等使用的。当客户端向SR发送查询时,SR使用客户端提交的项目在其数据库中进行搜索以寻找匹配的服务,并且稍后将细节返回给客户端。All items for general search are basic. SR has a database of all services and each service has many characteristics. Some of them are basic and are used to identify a particular service. Q_Data for general search is used when the client does not know what is the exact S_ID and S_Inst_ID of the service, but knows the description of the service S_Details_Str and Group ID etc. When a client sends a query to SR, SR searches in its database for matching services using the items submitted by the client and returns the details to the client later.
事实上,当客户端不知道它想要连接的服务ID是什么,但是知道在S_Details_Str文本串中解释的提供的服务是什么时,例如,“熵服务”,可以订阅。当新服务注册时,这些细节将被公开发布或由服务注册中心宣布/广播,因此感兴趣的客户端可以订阅事件组。相比之下,当客户端利用其ID和实例ID准确地知道要寻找哪个服务时,需要特定的搜索。In fact, a client can subscribe when it does not know what the service ID is to which it wants to connect, but knows what the provided service is as explained in the S_Details_Str text string, e.g., "entropy service". These details will be published publicly or announced/broadcasted by the service registry when a new service is registered, so interested clients can subscribe to the event group. In contrast, a specific search is required when the client knows exactly which service to look for using its ID and instance ID.
最后,客户端可以将接收到的数据存储在其NVM中。Finally, the client can store the received data in its NVM.
一旦客户端从SR获得与熵服务相关的业务数据,客户端可以在他们想要的任何时候请求服务。因此,该过程可以进行到上述阶段3,即订阅过程。这在图5a和图5b中示出。Once the client obtains the business data related to the entropy service from the SR, the client can request the service anytime they want. Therefore, the process can proceed to the above-mentioned stage 3, that is, the subscription process. This is shown in Figures 5a and 5b.
图5a示出了第一设备和第二设备之间的交互,以图2a为例,第一设备可以是服务器,例如,图2a所示的ECU 1,第二设备可以是客户端,例如,图2a所示的ECU 2。除此之外,在下面的描述中可以涉及第二设备,该第二设备可以是实现有服务注册功能的设备,例如,图2a所示的ECU 3。FIG5a shows the interaction between the first device and the second device. Taking FIG2a as an example, the first device may be a server, such as ECU 1 shown in FIG2a, and the second device may be a client, such as ECU 2 shown in FIG2a. In addition, the following description may involve a second device, which may be a device having a service registration function, such as ECU 3 shown in FIG2a.
所述熵服务的方法包括:The method of the entropy service includes:
S501:第二设备与第一设备建立第一通信通道。S501: The second device establishes a first communication channel with the first device.
在彼此通信之前,第二设备和第一设备可以首先在它们之间建立第一通信信道。Before communicating with each other, the second device and the first device may first establish a first communication channel between them.
在一种实现方式中,第一通信通道可以根据第一设备的端口号(例如,图5b中的S_Port)、第一设备的IP地址(例如,图5b中的S_IP)、第二设备的端口号(例如,图5b中的C_Port)和第二设备的IP地址(例如,图5b中的C_IP)建立。在该步骤中,第一设备和第二设备相互绑定。事实上,第一设备(例如,服务器)和第二设备(例如,客户端)的IP和端口用于绑定,这意味着将服务器与客户端相关联以用于稍后的数据交换。这里,双方需要预先知道对方的IP地址和端口号。如上所述,第二设备即客户端可以从第三设备获取的业务数据中获知第一设备的IP地址和端口号。In one implementation, the first communication channel can be established based on the port number of the first device (e.g., S_Port in FIG. 5b ), the IP address of the first device (e.g., S_IP in FIG. 5b ), the port number of the second device (e.g., C_Port in FIG. 5b ), and the IP address of the second device (e.g., C_IP in FIG. 5b ). In this step, the first device and the second device are bound to each other. In fact, the IP and port of the first device (e.g., server) and the second device (e.g., client) are used for binding, which means associating the server with the client for later data exchange. Here, both parties need to know the IP address and port number of the other party in advance. As described above, the second device, i.e., the client, can learn the IP address and port number of the first device from the business data obtained by the third device.
为了安全起见,第一通信通道可以是通过DTLS建立的UDP通道,也可以是通过TLS建立的TCP通道。For security reasons, the first communication channel may be a UDP channel established through DTLS or a TCP channel established through TLS.
在一种实现方式中,当第一设备与第二设备建立第一通信通道后,第一设备还可以向第二设备分享详情,使得第二设备可以使用分享的详情与第一设备进行通信。例如,第一设备可以向第二设备发送第一通信通道的第一会话ID(例如,图5b中的会话ID)和第一连接计数器ID(例如,图5b中的计数器ID),与第一通信信道建立相关的这些细节对于第二设备向第一设备发送消息/从第一设备接收消息可能是有用的。会话是每次当第二设备经由第一通信信道连接到第一设备直到其断开连接时,会话ID仅仅是生成的唯一随机ID。In one implementation, after the first device establishes a first communication channel with the second device, the first device may also share details with the second device so that the second device can use the shared details to communicate with the first device. For example, the first device may send the first session ID (e.g., the session ID in FIG. 5b ) and the first connection counter ID (e.g., the counter ID in FIG. 5b ) of the first communication channel to the second device, and these details related to the establishment of the first communication channel may be useful for the second device to send messages to/receive messages from the first device. A session is a unique random ID generated each time the second device connects to the first device via the first communication channel until it disconnects.
在一种实现方式中,所述细节可以由第一设备使用所建立的第一通信信道通知给第二设备。In one implementation, the details may be notified by the first device to the second device using the established first communication channel.
S502:所述第二设备根据业务数据传输用于请求加入所述第一设备提供的熵服务的事件组的订阅请求消息,所述第一设备接收所述订阅请求消息。S502: The second device transmits a subscription request message for requesting to join an event group of an entropy service provided by the first device according to the business data, and the first device receives the subscription request message.
在建立第一通信信道之后,第二设备可以经由第一通信信道向第三设备传输用于请求加入由第一设备提供的熵服务的事件组的订阅请求消息。After establishing the first communication channel, the second device may transmit, via the first communication channel, to the third device a subscription request message for requesting to join an event group of the entropy service provided by the first device.
在一种实现方式中,订阅请求消息中可以携带熵服务的业务标识(例如S_ID)、熵服务的服务实例标识(例如S_Inst_ID)和熵服务的服务事件组标识(例如S_Evt_grp_ID)。In one implementation, the subscription request message may carry the business identifier of the entropy service (eg, S_ID), the service instance identifier of the entropy service (eg, S_Inst_ID), and the service event group identifier of the entropy service (eg, S_Evt_grp_ID).
关于注册消息的具体形式,在一种实现方式中,订阅请求消息(图5b所示的“用于熵事件组的订阅”)可以包括事件信息(例如,图5b中的E(Kpub_S,Evt_Data))和事件签名(例如,图5b中的E(Kpub_S,Evt_Data))。Regarding the specific form of the registration message, in one implementation, the subscription request message (“Subscription for entropy event group” shown in FIG. 5 b ) may include event information (e.g., E(Kpub_S ,Evt_Data) in FIG. 5 b ) and an event signature (e.g., E(Kpub_S ,Evt_Data) in FIG. 5 b ).
具体地,订阅请求消息可以是第一设备按照如下方式获取的:Specifically, the subscription request message may be obtained by the first device in the following manner:
1)第二设备生成事件数据(例如,图5b中的E(Kpub_S,Evt_Data)中的Evt_Data)。1) The second device generates event data (eg, Evt_Data in E(Kpub — S , Evt_Data) in FIG. 5 b ).
2)第二设备根据事件数据和第一设备的公钥获得事件信息(例如,图5b中的Kpub_S)。这里,第二设备可以使用第一设备的公钥来加密事件数据。2) The second device obtains event information (eg, Kpub — S in FIG. 5 b ) according to the event data and the public key of the first device. Here, the second device may encrypt the event data using the public key of the first device.
3)第二设备根据事件信息和第二设备的私钥(例如,图5b的Kpr_C)中。这里第一设备可以用第二设备的私钥对事件信息进行签名。3) The second device signs the event information based on the event information and the private key of the second device (eg, Kpr_C in FIG. 5 b ). Here, the first device may sign the event information with the private key of the second device.
4)所述第二设备将所述事件信息和所述事件签名确定为所述预订请求消息。4) The second device determines the event information and the event signature as the subscription request message.
如上所述,包含基本信息的Evt_Data可以是:As mentioned above, Evt_Data containing basic information can be:
Evt_Data=Evt_Data=S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOINEvt_Data=Evt_Data=S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOIN
这里CMD_EVT_JOIN是用于加入事件组的命令标识符。Here CMD_EVT_JOIN is the command identifier used to join the event group.
S503:第一设备校验第二设备的资格。S503: The first device verifies the qualification of the second device.
在从第二设备接收预订请求消息时,第一设备可以出于安全性的目的校验第二设备的资格。可以通过多种方式进行校验,本申请对此不做限制。例如,第一设备将基于某种白名单进行策略校验,以查看是否允许第二设备订阅新服务。When receiving the subscription request message from the second device, the first device may verify the qualifications of the second device for security purposes. The verification may be performed in a variety of ways, which are not limited in this application. For example, the first device may perform a policy check based on a certain whitelist to see whether the second device is allowed to subscribe to a new service.
S504:第一设备若校验通过,则向第二设备发送第一确认消息,所述第二设备接收到该第一确认消息。S504: If the first device passes the verification, it sends a first confirmation message to the second device, and the second device receives the first confirmation message.
一旦校验第二设备的资格,第一设备就可经由第一通信信道将第一确认消息(例如,图5b中的E(Kpub_C,m),S(Kpr_S,H(E(Kpub_C,m))))发送到第二设备。Once the qualification of the second device is verified, the first device may send a first confirmation message (eg, E(Kpub — C , m), S(Kpr — S , H(E(Kpub — C , m)))) in FIG. 5 b ) to the second device via the first communication channel.
这里,第一确认消息指示第二设备成功订阅了第一设备提供的熵服务。Here, the first confirmation message indicates that the second device has successfully subscribed to the entropy service provided by the first device.
应当注意,在预订失败的情况下,第一设备还可以向第二设备发送否定确认消息(NACK),或者可能连同前一次预订失败的原因一起,使得第二设备可以发起另一次预订。It should be noted that in case of a reservation failure, the first device may also send a negative acknowledgement message (NACK) to the second device, possibly together with the reason why the previous reservation failed, so that the second device may initiate another reservation.
在一种实现方式中,第一确认消息包括事件组信息(例如,E(Kpub_C,m)在图5b中)和事件组签名(例如,S(Kpr_S,H(E(Kpub_C,图5b)中的m)))。In one implementation, the first confirmation message includes event group information (eg, E(Kpub_C, m) in FIG. 5b ) and an event group signature (eg, S(Kpr_S, H(E(Kpub_C, m) in FIG. 5b ))).
具体的,第一确认消息可以由第一设备按照如下方式获取:Specifically, the first confirmation message may be obtained by the first device in the following manner:
1)第一设备生成事件组数据(例如,图5b中的E(Kpub_C,m)中的m)所示。1) The first device generates event group data (eg, as shown by m in E(Kpub — C ,m) in FIG. 5 b ).
2)第一设备根据事件组数据和第二设备的公钥(例如,图5b中的Kpub_C)获得事件组信息。这里,第一设备可以使用第二设备的公钥来加密事件组数据。2) The first device obtains the event group information according to the event group data and the public key of the second device (eg, Kpub — C in FIG. 5 b ). Here, the first device may use the public key of the second device to encrypt the event group data.
3)第一设备根据事件组信息和第一设备的私钥(例如,图5b中的Kpr_S)获得事件组签中。这里第一设备可以用第一设备的私钥对事件组信息进行签名。3) The first device obtains the event group signature according to the event group information and the private key of the first device (eg, Kpr_S in FIG. 5 b ). Here, the first device may sign the event group information with the private key of the first device.
4)第一设备将事件组信息和事件组签名确定为第一确认消息。4) The first device determines the event group information and the event group signature as a first confirmation message.
第一确认消息,用于表征完成了预订的一个简单的确认,可以简单地携带S_Evt_grp_ID,也就是说,第一确认消息中的m可以是S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOIN_ACK。The first confirmation message is a simple confirmation indicating that the reservation has been completed and may simply carry S_Evt_grp_ID. That is, m in the first confirmation message may be S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOIN_ACK.
在一种实现方式中,第一设备和第二设备可以在它们之间交换的每个消息中附加命令ID,接收端可以使用命令ID来标识消息的类型。这可以在与图5b相关的示例中清楚地示出。命令ID有助于识别发送端正在发送哪种类型的消息/分组内容,即,用于什么目的。例如,在步骤S502中,从第二设备到第一设备的预订请求消息中的Evt_Data因此还包括CMD_EVT_JOIN字段,表示第二设备想要预订熵服务,从第一设备到第一设备的第一确认消息中的m因此还包括CMD_EVT_JOIN_ACK字段,表示第二设备的预订由第一设备确认。但是,需要说明的是,第一设备和第二设备识别接收到的报文的类型还可以有其他方式,本申请实施例对此不做限定。In one implementation, the first device and the second device can attach a command ID to each message exchanged between them, and the receiving end can use the command ID to identify the type of message. This can be clearly shown in the example associated with Figure 5b. The command ID helps to identify what type of message/packet content the sender is sending, that is, for what purpose. For example, in step S502, the Evt_Data in the reservation request message from the second device to the first device therefore also includes a CMD_EVT_JOIN field, indicating that the second device wants to reserve an entropy service, and the m in the first confirmation message from the first device to the first device therefore also includes a CMD_EVT_JOIN_ACK field, indicating that the reservation of the second device is confirmed by the first device. However, it should be noted that there may be other ways for the first device and the second device to identify the type of the received message, and the embodiments of the present application are not limited to this.
S505:第一设备向第二设备发送熵数据,第二设备接收熵数据。S505: The first device sends entropy data to the second device, and the second device receives the entropy data.
在确认第二装置的订阅之后,第一设备可经由第一通信信道将熵数据发射到第二设备。在一种实现方式中,所述第一设备可以发送发布消息,所述发布消息中携带所述熵数据。After confirming the subscription of the second device, the first device may transmit the entropy data to the second device via the first communication channel. In one implementation, the first device may send a publish message, wherein the publish message carries the entropy data.
在一种实现方式中,发布消息(例如,图5b所示的“发布熵事件”)包括发布信息(例如,图5b中的E(Kpub_C,Ent))和公开签名(例如,图5b中的S(Kpr_S,H(E(Kpub_C,Ent))))。In one implementation, a publication message (eg, “Publish Entropy Event” shown in FIG. 5 b ) includes publication information (eg, E(Kpub_C, Ent) in FIG. 5 b ) and a public signature (eg, S(Kpr_S , H(E(Kpub_C , Ent))) in FIG. 5 b ).
具体的,所述发布消息可以由所述第一设备按照如下方式获取:Specifically, the publishing message may be obtained by the first device in the following manner:
1)第一设备生成发布数据(例如,图5b中的E(Kpub_C,Ent)中的Ent)所示。1) The first device generates publishing data (eg, as shown in Ent in E(Kpub_C ,Ent) in FIG5 b ).
2)第一设备根据该发布数据和第二设备的公钥(例如,图5b中的Kpub_C)获取发布信息。这里,第一设备可以使用第二设备的公钥对发布数据进行加密。2) The first device obtains the publishing information according to the publishing data and the public key of the second device (eg, Kpub_C in FIG. 5 b ). Here, the first device may encrypt the publishing data using the public key of the second device.
3)第一设备根据发布信息和第一设备的私钥(例如,图5b中的Kpr_S)获得发布签名。这里第一设备可以利用第一设备的私钥对发布信息进行签名。3) The first device obtains a publishing signature according to the publishing information and the private key of the first device (eg, Kpr_S in FIG. 5 b ). Here, the first device may use the private key of the first device to sign the publishing information.
4)第一设备将发布信息和发布签名确定为发布消息。4) The first device determines the publishing information and the publishing signature as a publishing message.
发布消息中可以携带由发布消息中的"Ent"表示的熵数据,发布消息中的Ent可以是CMD_DATA||ENTROPY,其中CMD_DATA指示该消息为发布类型,且该消息用于向第二设备通知熵,ENTROPY表示该特定熵值。The publish message may carry entropy data represented by "Ent" in the publish message, where Ent in the publish message may be CMD_DATA||ENTROPY, where CMD_DATA indicates that the message is of a publish type and is used to notify the second device of entropy, and ENTROPY represents the specific entropy value.
在一种实现方式中,发布消息可以是周期性发送的。In one implementation, the publication message may be sent periodically.
因此,图5b示出了服务器和客户端之间的示例性订阅过程。Therefore, FIG. 5b shows an exemplary subscription process between a server and a client.
如图5b所示,服务器启动EAAS服务(熵服务),向服务注册中心注册,并等待传入的客户端请求订阅。As shown in Figure 5b, the server starts the EAAS service (entropy service), registers with the service registration center, and waits for incoming client requests to subscribe.
首先,客户端和服务器通过DTL在服务器的IP地址(S_IP)和端口号(S_Port)以及客户端的IP地址(C_IP)和端口号(C_Port)上建立安全UDP信道。然后,服务器创建会话ID、连接计数器ID,将其递增,并与客户端共享它们。First, the client and server establish a secure UDP channel over the server's IP address (S_IP) and port number (S_Port) and the client's IP address (C_IP) and port number (C_Port) through DTLS. The server then creates a session ID, a connection counter ID, increments it, and shares them with the client.
然后,客户端从其NVM中取出服务数据(阶段2)。The client then fetches the service data from its NVM (Phase 2).
客户端向服务器发送订阅事件组消息(前述订阅请求消息),内容如下:The client sends a subscription event group message to the server (the aforementioned subscription request message), the content of which is as follows:
E(Kpub_S,Evt_Data),S(K)pr_C,H(E(Kpub_S,Evt_Data)))E(Kpub_S, Evt_Data), S(K)pr_C, H(E(Kpub_S, Evt_Data)))
其中Evt_Data=S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOINWhere Evt_Data = S_ID||S_Inst_ID||S_Evt_grp_ID||CMD_EVT_JOIN
服务器进行策略校验并完成认证和授权步骤,以查看是否允许客户端订阅其事件组。如果发现客户端有资格,则服务器接受订阅请求并将客户端的数据保存在其NVM中。值得说明的是,服务器可以采用多种方式对客户端进行资格校验,本申请实施例对此不做限定。The server performs a policy check and completes the authentication and authorization steps to see whether the client is allowed to subscribe to its event group. If the client is found to be eligible, the server accepts the subscription request and saves the client's data in its NVM. It is worth noting that the server can use a variety of methods to verify the eligibility of the client, which is not limited in the embodiments of the present application.
服务器然后发送确认消息(上述第一确认消息),其内容如下:The server then sends a confirmation message (the first confirmation message mentioned above) with the following content:
E(Kpub_C,m),S(Kpr_S,H(E(Kpub_C,m)))E(Kpub_C , m), S(Kpr_S , H(E(Kpub_C , m)))
其中m=S_Evt_grp_ID||CMD_EVT_JOIN_ACKWhere m = S_Evt_grp_ID||CMD_EVT_JOIN_ACK
在此之后,以发布消息类型发送周期性消息,该消息具有如下内容:After this, a periodic message is sent with the publish message type, which has the following content:
E(Kpub_C,Ent),S(Kpr_S,H(E(Kpub_C,Ent))),其中Ent=CMD_DATA||ENTROPYE(Kpub_C , Ent), S(Kpr_S , H(E(Kpub_C, Ent))), where Ent=CMD_DATA||ENTROPY
其中ENTROPY可为具有全熵(最高随机性)的256位二进制串。ENTROPY can be a 256-bit binary string with full entropy (highest randomness).
根据本申请的实施例,在第一设备和第二设备之间建立第一通信信道,然后第二设备经由所建立的第一通信信道发送订阅请求消息,请求订阅由第一设备提供的熵服务。在从所述第二设备接收到所述订购请求消息时,第一设备检查第二设备的资格,一旦校验通过,第一设备就可将熵数据发送到第二设备,所述熵数据包含稍后可由第二设备用于各种操作(例如,随机数生成)的熵。作为熵源,第一设备总是可用的,因为如果需要的话,第二设备可以在任何时间获得熵,这对于第一设备和第二设备是同一车辆中的不同ECU的情况下尤其有用。此外,所提出的体系结构是简单的,并且易于扩展以服务于任何数量的服务。此外,与NIST提出的架构相比,根据本申请的实施例,不需要时间同步。According to an embodiment of the present application, a first communication channel is established between a first device and a second device, and then the second device sends a subscription request message via the established first communication channel, requesting to subscribe to the entropy service provided by the first device. Upon receiving the subscription request message from the second device, the first device checks the qualifications of the second device, and once the verification is passed, the first device can send entropy data to the second device, and the entropy data contains entropy that can be used later by the second device for various operations (e.g., random number generation). As an entropy source, the first device is always available because the second device can obtain entropy at any time if necessary, which is particularly useful when the first device and the second device are different ECUs in the same vehicle. In addition, the proposed architecture is simple and easily expandable to serve any number of services. In addition, compared with the architecture proposed by NIST, according to an embodiment of the present application, time synchronization is not required.
图6示出了用于托管熵服务的ECU的实现细节,其示出了在车辆ECU上实现EAAS的细节。虚线表示使用SomeIP的连接,并且实线表示使用Publish(Pub)/Subscribe(Sub)的连接。虚线仅用于指示实体之间的交互。特点如下:Figure 6 shows the implementation details of an ECU for hosting an entropy service, which shows the details of implementing EAAS on a vehicle ECU. The dashed lines represent connections using SomeIP, and the solid lines represent connections using Publish (Pub)/Subscribe (Sub). The dashed lines are only used to indicate the interaction between entities. The features are as follows:
1)具有EAAS的ECU从不同的ECU收集随机性,作为NIST批准的真随机数发生器(TRNG)的输入。1) An ECU with EAAS collects randomness from different ECUs as input to a NIST-approved True Random Number Generator (TRNG).
2)它具有至少一个具有最高随机性(例如1)的熵源输入,也称为全熵,例如,电网频率(ENF)、基于光电二极管/专用电路的熵源等(将来它也可以是任何其它这样的源)。事实上,图6中所示的车内熵源(IVES,Source of Randomness)可以是任何随机性源,例如,CAN信号频率、从电动车辆(EV)充电提取的ENF、无线信号等。2) It has at least one entropy source input with the highest randomness (e.g. 1), also called total entropy, such as the grid frequency (ENF), a photodiode/dedicated circuit based entropy source, etc. (in the future it can also be any other such source). In fact, the in-vehicle entropy source (IVES) shown in Figure 6 can be any source of randomness, such as CAN signal frequency, ENF extracted from electric vehicle (EV) charging, wireless signals, etc.
3)其它ECU上的接收器应用程序使用熵,以及其它可选的输入参数如ECU_ID、Time_Stamp、密码、随机现时值等作为用于初始化其NIST批准的确定性随机比特发生器(DRBG)的种子。3) The receiver application on the other ECU uses the entropy, along with other optional input parameters such as ECU_ID, Time_Stamp, Password, Random Nonce, etc. as a seed for initializing its NIST-approved Deterministic Random Bit Generator (DRBG).
如图6所示,车辆中的其他ECU可以具有服务器服务以从外部信号/噪声等收集随机性/熵,只要可能的话。例如,具有V2X的ECU可以从外部无线连接接口提取熵/随机性信号。这被馈送到相同ECU(生产者)中的熵提取器服务。具有EAAS的ECU将使用在其上运行的客户端服务来订阅该服务(消费者)。同样地,具有EAAS的ECU将订阅托管在其他ECU上的许多服务以收集熵/随机性信号,这些信号将被馈送到NIST批准的DRBG以生成经由EAAS服务发送到车辆中的所有实体的优质熵。As shown in Figure 6, other ECUs in the vehicle can have server services to collect randomness/entropy from external signals/noise, etc., whenever possible. For example, an ECU with V2X can extract entropy/randomness signals from an external wireless connection interface. This is fed to an entropy extractor service in the same ECU (producer). The ECU with EAAS will subscribe to this service (consumer) using a client service running on it. Likewise, the ECU with EAAS will subscribe to many services hosted on other ECUs to collect entropy/randomness signals, which will be fed to the NIST-approved DRBG to generate high-quality entropy that is sent to all entities in the vehicle via the EAAS service.
如上所述,本申请提出一种用于车辆面向服务的体系架构(SOA),在ECU的车内以太网络上使用SOMEIP。该解决方案提出了在车辆系统中获取不同熵源的架构,并且部署全功能的、总是可用的、可缩放的熵提供商服务,该熵提供商服务可以在任何时间、周期性地或在查询的基础上为任何ECU/应用/服务提供新的熵。所提出的解决方案提供了在SOMEIP和以太网上的完整的端到端安全通信。该方案通过频繁的新鲜熵收获,极大增强了整车的安全性。As described above, the present application proposes a service-oriented architecture (SOA) for vehicles, using SOMEIP on the in-vehicle Ethernet network of ECUs. The solution proposes an architecture for obtaining different entropy sources in the vehicle system and deploys a full-featured, always available, scalable entropy provider service that can provide new entropy to any ECU/application/service at any time, periodically or on a query basis. The proposed solution provides complete end-to-end secure communication over SOMEIP and Ethernet. The solution greatly enhances the safety of the entire vehicle through frequent fresh entropy harvesting.
此外,即使不能够实现服务连接的传统ECU也可以通过在同一ECU或其他辅助ECU上运行的服务翻译应用来使用所提服务的熵。这里传统ECU意指旧的(甚至当前的)一代ECU硬件加软件架构,且不具有与服务直接通信的条件。它们使用直接发送到其他ECU的信号/命令/消息进行通信。用于汽车的面向服务的体系结构是最新的体系结构,并且用于未来的车辆。在这种架构下,ECU并不知道与其对话的是哪个ECU,但是它们知道它们正在与哪个服务对话。因此,传统ECU必须借助在其上运行的另一小型应用程序,该小型应用程序可以将来自ECU的命令请求转换为服务,并且将来自服务的结果直接通过信号/命令/消息返回给ECU。Furthermore, even legacy ECUs that are not capable of service connectivity can use the entropy of the proposed services through a service translation application running on the same ECU or other auxiliary ECUs. Here legacy ECUs mean old (or even current) generation ECU hardware plus software architectures that do not have the conditions for direct communication with services. They communicate using signals/commands/messages sent directly to other ECUs. Service-oriented architectures for automobiles are the latest architectures and are used for future vehicles. In this architecture, ECUs do not know which ECU they are talking to, but they know which service they are talking to. Therefore, legacy ECUs must resort to another small application running on them that can translate command requests from the ECU into services and return the results from the services directly to the ECU via signals/commands/messages.
本申请的实施例在若干方面可能是有利的:Embodiments of the present application may be advantageous in several aspects:
a)解决方案遵守SOMEIP标准,并且可以容易地在支持SOMEIP的任何平台上实现,例如,具有SOME/IP的自适应AUTOSAR、具有VSOME/IP的GENIVI、具有标准SOME/IP的Linux、具有SOME/IP的华为AOS(参考图2a和图2b所描述的)。a) The solution complies with the SOMEIP standard and can be easily implemented on any platform that supports SOMEIP, for example, Adaptive AUTOSAR with SOME/IP, GENIVI with VSOME/IP, Linux with standard SOME/IP, Huawei AOS with SOME/IP (described in reference to Figures 2a and 2b).
b)完整的车载解决方案,可随时为每一个服务、ECU应用、流程等获取新鲜的高质量熵,从而提高整车的安全性。b) A complete in-vehicle solution that can obtain fresh high-quality entropy for every service, ECU application, process, etc. at any time, thereby improving the safety of the entire vehicle.
c)可用性:熵源应该总是可用的,所提出的解决方案可以满足这个要求。在实践中,不是车辆中的所有ECU都可以具有随机性的来源,因为它们中的一些是简单的ECU,因此它们需要像经由前述熵服务那样从其他来源获得熵。外部源可能不总是可用的,然而,在所提出的解决方案中,服务器可以是与客户端位于同一车辆中的ECU,因此总是可用的。c) Availability: The entropy source should always be available and the proposed solution can meet this requirement. In practice, not all ECUs in a vehicle may have a source of randomness, as some of them are simple ECUs and therefore they need to obtain entropy from other sources like via the aforementioned entropy service. External sources may not always be available, however, in the proposed solution the server can be an ECU located in the same vehicle as the client and therefore always available.
d)可扩展性:所提出的EAAS服务可容易地扩展以服务于任何数量的服务,这取决于实现所提出的解决方案的硬件平台/系统(由系统设计者决定)。d) Scalability: The proposed EAAS service can be easily extended to serve any number of services, depending on the hardware platform/system (determined by the system designer) implementing the proposed solution.
e)不需要时间同步(NTP)。e) No time synchronization (NTP) is required.
图7是根据本公开实施例的第一设备的示意性框图。第一设备700包括:FIG7 is a schematic block diagram of a first device according to an embodiment of the present disclosure. The first device 700 includes:
建立模块701,用于与第二设备建立第一通信通道;Establishing module 701, used to establish a first communication channel with a second device;
接收模块702,被配置为通过第一通信通道从第二设备接收用于请求加入第一设备提供的熵服务的事件组的订阅请求消息;The receiving module 702 is configured to receive, from the second device through the first communication channel, a subscription request message for requesting to join an event group of an entropy service provided by the first device;
校验模块703,用于校验第二设备的资格;以及A verification module 703, used to verify the qualification of the second device; and
发送模块704,用于若校验通过,则通过第一通信信道向第二设备发送熵数据。The sending module 704 is used to send the entropy data to the second device through the first communication channel if the verification passes.
在一种可能的实现方式中,所述发送模块704还用于:In a possible implementation, the sending module 704 is further configured to:
经由所述第一通信信道向所述第二设备传输所述第一通信信道的第一会话标识符ID和第一连接计数器ID,其中,所述第一连接计数器ID指示所述第一通信信道上的连接的数量。A first session identifier ID and a first connection counter ID of the first communication channel are transmitted to the second device via the first communication channel, wherein the first connection counter ID indicates the number of connections on the first communication channel.
在一种可能的实现方式中,所述建立模块701还用于:In a possible implementation, the establishing module 701 is further configured to:
建立与第三设备的第二通信信道;establishing a second communication channel with a third device;
所述发送模块704还用于:The sending module 704 is also used for:
经由所述第二通信信道向所述第三设备发射用于在第三设备处注册所述熵服务的注册消息;以及transmitting, via the second communication channel, to the third device a registration message for registering the entropy service at the third device; and
经由所述第二通信信道从所述第三设备接收第二确认消息,其中所述第二确认消息指示由所述第一设备提供的所述熵服务在所述第三设备处成功注册。A second confirmation message is received from the third device via the second communication channel, wherein the second confirmation message indicates that the entropy service provided by the first device is successfully registered at the third device.
在一种可能的实现方式中,注册消息中携带有熵服务的服务标识、熵服务的服务实例标识、熵服务的描述字符串、熵服务的服务事件组标识、熵服务的状态和第一设备的公钥。In one possible implementation, the registration message carries the service identifier of the entropy service, the service instance identifier of the entropy service, the description string of the entropy service, the service event group identifier of the entropy service, the status of the entropy service, and the public key of the first device.
在一种可能的实现方式中,所述注册消息中还携带服务主版本、服务次版本、服务器主机ID、所述第一设备的互联网协议IP地址、所述第一设备的端口号、服务应用ID以及用于在所述第一设备和所述第三设备之间建立第二通信信道且从所述第三设备获取的的第二会话ID。In one possible implementation, the registration message also carries the service major version, service minor version, server host ID, Internet Protocol IP address of the first device, port number of the first device, service application ID, and a second session ID used to establish a second communication channel between the first device and the third device and obtained from the third device.
在一种可能的实现方式中,所述建立模块701,具体用于:In a possible implementation, the establishing module 701 is specifically configured to:
根据所述第一设备的端口号、所述第一设备的互联网协议IP地址、所述第二设备的端口号和所述第二设备的IP地址,与所述第二设备建立所述第一通信通道。The first communication channel is established with the second device according to the port number of the first device, the Internet Protocol IP address of the first device, the port number of the second device and the IP address of the second device.
在一种可能的实现方式中,所述发送模块704,具体用于:In a possible implementation, the sending module 704 is specifically configured to:
如果所述校验通过,则经由所述第一通信信道向所述第二设备发送第一确认消息,其中所述第一确认消息指示所述第二设备成功订阅了由所述第一设备提供的所述熵服务;以及If the verification passes, sending a first confirmation message to the second device via the first communication channel, wherein the first confirmation message indicates that the second device has successfully subscribed to the entropy service provided by the first device; and
经由所述第一通信信道将所述熵数据发送到所述第二设备。The entropy data is sent to the second device via the first communication channel.
在一种可能的实现方式中,所述第一设备和所述第二设备是同一车辆中的不同电子控制单元。In a possible implementation manner, the first device and the second device are different electronic control units in the same vehicle.
在一种可能的实现方式中,所述第一通信通道为通过数据报传输层安全DTLS建立的用户数据报协议UDP通道或通过传输层安全TLS建立的传输控制协议TCP通道。In a possible implementation, the first communication channel is a User Datagram Protocol (UDP) channel established through Datagram Transport Layer Security (DTLS) or a Transmission Control Protocol (TCP) channel established through Transport Layer Security (TLS).
在上述实施例的基础上,所述第一设备700还包括生成模块和获取模块,其中:Based on the above embodiment, the first device 700 further includes a generating module and an acquiring module, wherein:
所述第一确认消息包括事件组信息和事件组签名;The first confirmation message includes event group information and event group signature;
所述生成模块被配置为生成事件组数据;The generating module is configured to generate event group data;
所述获取模块用于根据所述事件组数据和所述第二设备的公钥获取所述事件组信息,并根据所述事件组信息和所述第一设备的私钥获取所述事件组签名;以及The acquisition module is used to acquire the event group information according to the event group data and the public key of the second device, and acquire the event group signature according to the event group information and the private key of the first device; and
所述发送模块704,还用于若所述校验通过,则通过所述第一通信信道向所述第二设备发送所述第一确认消息。The sending module 704 is further configured to send the first confirmation message to the second device through the first communication channel if the verification passes.
应当理解,根据本申请实施例的第一设备700可以与本申请方法实施例中的第一设备相对应,并且第一设备700中的各个单元的前述和其他操作和/或功能是用于实现上述方法中的第一设备的相应过程。为简洁起见,在此不再赘述。It should be understood that the first device 700 according to the embodiment of the present application may correspond to the first device in the embodiment of the method of the present application, and the aforementioned and other operations and/or functions of each unit in the first device 700 are used to implement the corresponding process of the first device in the above method. For the sake of brevity, it will not be repeated here.
图8是根据本公开实施例的第二设备的示意性框图。所述第二设备800包括:FIG8 is a schematic block diagram of a second device according to an embodiment of the present disclosure. The second device 800 includes:
建立模块801,用于与第一设备建立第一通信通道;Establishing module 801, used to establish a first communication channel with a first device;
发送模块802,被配置为根据业务数据经由第一通信信道发送用于请求加入所述第一设备提供的熵服务的事件组的订阅请求消息;以及A sending module 802 is configured to send a subscription request message for requesting to join an event group of an entropy service provided by the first device via a first communication channel according to the service data; and
接收模块803,用于通过所述第一通信信道接收来自所述第一设备的熵数据。The receiving module 803 is used to receive entropy data from the first device through the first communication channel.
在一种可能的实现方式中,所述第二装置还包括:In a possible implementation manner, the second device further includes:
获取模块,用于从第三设备获取所述业务数据,所述业务数据包括:所述熵服务的服务标识ID、所述熵服务的服务实例ID、所述熵服务的服务事件组ID、所述熵服务的描述字符串、所述熵服务的状态、所述第一设备的公钥、所述第一设备的IP地址和所述第一设备的端口号;其中,熵服务的服务实例ID和熵服务的服务事件组ID用于生成订阅请求消息,第一设备的IP地址和第一设备的端口号用于建立第一通信通道。An acquisition module is used to acquire the business data from a third device, wherein the business data includes: a service identification ID of the entropy service, a service instance ID of the entropy service, a service event group ID of the entropy service, a description string of the entropy service, a status of the entropy service, a public key of the first device, an IP address of the first device, and a port number of the first device; wherein the service instance ID of the entropy service and the service event group ID of the entropy service are used to generate a subscription request message, and the IP address of the first device and the port number of the first device are used to establish a first communication channel.
在一种可能的实现方式中,所述接收模块803还用于:In a possible implementation, the receiving module 803 is further configured to:
经由所述第三通信通道接收来自所述第三设备的携带所述业务数据的第三确认消息,所述第三确认消息指示所述业务数据被所述第三设备成功取出。A third confirmation message carrying the service data is received from the third device via the third communication channel, wherein the third confirmation message indicates that the service data is successfully retrieved by the third device.
在可能的实现方式中,预定义数据包括从第三设备获取的用于第三通信信道的第三会话ID、熵服务的描述字符串、熵服务的服务事件组ID。In a possible implementation, the predefined data includes a third session ID for a third communication channel obtained from a third device, a description string of the entropy service, and a service event group ID of the entropy service.
在一种可能的实现方式中,预定义数据包括熵服务的服务ID和熵服务的服务实例ID。In a possible implementation, the predefined data includes a service ID of the entropy service and a service instance ID of the entropy service.
在一种可能的实现方式中,所述接收模块803具体用于:In a possible implementation, the receiving module 803 is specifically configured to:
经由所述第一通信信道从所述第一设备接收第一确认消息,所述第一确认消息指示所述第二设备成功订阅了由所述第一设备提供的所述熵服务;以及receiving a first confirmation message from the first device via the first communication channel, the first confirmation message indicating that the second device has successfully subscribed to the entropy service provided by the first device; and
经由所述第一通信信道从所述第一装置接收所述熵数据。The entropy data is received from the first device via the first communication channel.
在上述实施例的基础上,所述第二装置800还包括生成模块,其中:Based on the above embodiment, the second device 800 further includes a generating module, wherein:
所述建立模块801,还用于与所述第三设备建立第三通信通道;The establishing module 801 is further configured to establish a third communication channel with the third device;
所述生成模块用于根据预定义数据生成用于查询熵服务信息的查询消息;The generating module is used to generate a query message for querying entropy service information according to predefined data;
所述发送模块802,还用于通过所述第三通信通道向所述第三设备发送所述查询报文;以及The sending module 802 is further configured to send the query message to the third device through the third communication channel; and
所述接收模块803还用于通过所述第三通信通道接收来自所述第三设备的所述业务数据。The receiving module 803 is further configured to receive the service data from the third device through the third communication channel.
应当理解,根据本申请实施例的第一设备800可以与本申请方法实施例中的第一设备相对应,并且第一设备800中的各个单元的前述和其他操作和/或功能是用于实现上述方法中的第一设备的相应过程。为简洁起见,在此不再赘述。It should be understood that the first device 800 according to the embodiment of the present application may correspond to the first device in the embodiment of the method of the present application, and the aforementioned and other operations and/or functions of each unit in the first device 800 are used to implement the corresponding process of the first device in the above method. For the sake of brevity, it will not be repeated here.
图9为本公开实施例提供的一种服务器的示意性框图。所述第三装置900包括:FIG9 is a schematic block diagram of a server provided by an embodiment of the present disclosure. The third device 900 includes:
建立模块901,用于与第一设备建立第二通信通道;Establishing module 901, used to establish a second communication channel with the first device;
接收模块902,被配置为经由第二通信信道从第一设备接收用于在第三设备处注册熵服务的注册消息;The receiving module 902 is configured to receive a registration message for registering an entropy service at a third device from the first device via a second communication channel;
校验模块903,用于校验所述第一设备的资格;以及A verification module 903, configured to verify the qualification of the first device; and
发送模块904,用于若校验通过,则通过所述第二通信信道向所述第一设备发送第二确认消息,所述第二确认消息指示所述第一设备提供的熵服务在所述第三设备注册成功。The sending module 904 is used to send a second confirmation message to the first device through the second communication channel if the verification passes, and the second confirmation message indicates that the entropy service provided by the first device is successfully registered in the third device.
在一种可能的实现方式中,所述发送模块904还用于:In a possible implementation, the sending module 904 is further configured to:
经由所述第三通信信道向所述第二设备发送携带所述业务数据的第三确认消息,所述第三确认消息指示所述业务数据被所述第三设备成功提取。A third confirmation message carrying the service data is sent to the second device via the third communication channel, wherein the third confirmation message indicates that the service data is successfully extracted by the third device.
在可能的实现方式中,所述第三设备是不同于所述第一设备和所述第二设备的电子控制单元ECU。In a possible implementation, the third device is an electronic control unit ECU different from the first device and the second device.
在上述实施例的基础上,所述第三装置900还包括生成模块和获取模块,其中:Based on the above embodiment, the third device 900 further includes a generating module and an acquiring module, wherein:
所述注册消息中携带有所述第一设备的公钥,所述第二确认消息中包括业务注册中心信息和业务注册中心签名;The registration message carries the public key of the first device, and the second confirmation message includes service registration center information and a service registration center signature;
所述生成模块,被配置为生成服务注册中心数据;The generating module is configured to generate service registration center data;
所述获取模块,用于根据所述服务注册中心数据和所述第一设备的公钥获取所述服务注册中心信息,根据所述服务注册中心信息和所述第三设备的私钥获取所述服务注册中心签名;以及The acquisition module is used to acquire the service registration center information according to the service registration center data and the public key of the first device, and acquire the service registration center signature according to the service registration center information and the private key of the third device; and
所述发送模块904还用于:The sending module 904 is also used for:
如果所述检查通过,则经由所述第二通信信道将所述第二确认消息发送到所述第一装置。If the check passes, the second confirmation message is sent to the first device via the second communication channel.
在上述实施例的基础上,所述第三装置900还包括调取模块,其中:Based on the above embodiment, the third device 900 further includes a calling module, wherein:
所述建立模块901还用于与所述第二设备建立第三通信通道,所述接收模块902还用于通过所述第三通信通道从所述第二设备接收用于查询所述熵服务的信息的查询消息,所述查询消息由所述第二设备根据预定义数据生成;所述调取模块,还用于根据所述查询消息调取业务数据;所述发送模块904还用于通过所述第三通信通道向所述第二设备发送所述业务数据。The establishment module 901 is also used to establish a third communication channel with the second device, and the receiving module 902 is also used to receive a query message for querying information about the entropy service from the second device through the third communication channel, and the query message is generated by the second device based on predefined data; the retrieval module is also used to retrieve business data based on the query message; the sending module 904 is also used to send the business data to the second device through the third communication channel.
在上述实施例的一种可能的实现方式中,所述业务数据包括:所述熵服务的服务标识ID,所述熵服务的服务实例ID,所述熵服务的服务事件组ID,所述熵服务的描述字符串,所述熵服务的状态,所述第一设备的端口号,所述第一设备的公钥,所述第一设备的IP地址和所述第一设备的端口号;熵服务的服务实例ID和熵服务的服务事件组ID用于第二设备生成订阅请求消息,第一设备的IP地址和第一设备的端口号用于建立第一通信通道。In a possible implementation of the above embodiment, the business data includes: a service identification ID of the entropy service, a service instance ID of the entropy service, a service event group ID of the entropy service, a description string of the entropy service, the status of the entropy service, the port number of the first device, the public key of the first device, the IP address of the first device and the port number of the first device; the service instance ID of the entropy service and the service event group ID of the entropy service are used for the second device to generate a subscription request message, and the IP address of the first device and the port number of the first device are used to establish a first communication channel.
应当理解,根据本申请实施例的第一设备900可以与本申请方法实施例中的第一设备相对应,并且第一设备900中的各个单元的前述和其他操作和/或功能是用于实现上述方法中的第一装置的相应过程。为简洁起见,在此不再赘述。It should be understood that the first device 900 according to the embodiment of the present application may correspond to the first device in the embodiment of the method of the present application, and the aforementioned and other operations and/or functions of each unit in the first device 900 are corresponding processes for implementing the first device in the above method. For the sake of brevity, they will not be described here.
图10是根据本公开实施例的第一设备的示意性框图。FIG. 10 is a schematic block diagram of a first device according to an embodiment of the present disclosure.
如图10所示,本公开实施例还提供了一种第一设备1000。设备1000可以是图7中的设备700,其可以被配置为实现属于方法实施例中的方法对应的第一设备的内容。设备1000包括输入接口1010、输出接口1020、处理器1030和存储器1040。其中,输入接口1010、输出接口1020、处理器1030、存储器1040可以通过总线系统连接。存储器1040被配置为存储程序、指令或代码。处理器1030,用于执行存储器1040中的程序、指令或代码,以控制输入接口1010接收信号,以及控制输出接口1020发送信号,完成上述各方法实施例中的操作。As shown in Figure 10, the embodiment of the present disclosure also provides a first device 1000. Device 1000 may be device 700 in Figure 7, which may be configured to implement the content of the first device corresponding to the method in the method embodiment. Device 1000 includes an input interface 1010, an output interface 1020, a processor 1030 and a memory 1040. Among them, the input interface 1010, the output interface 1020, the processor 1030, and the memory 1040 may be connected via a bus system. The memory 1040 is configured to store programs, instructions or codes. The processor 1030 is used to execute the programs, instructions or codes in the memory 1040 to control the input interface 1010 to receive signals and control the output interface 1020 to send signals to complete the operations in the above-mentioned method embodiments.
具体实现中,图7所示的装置700中的发送模块704可以与图10中的输出接口1020一起实现,同样,接收模块702可以与图10中的输入接口1010一起实现,图7所示的装置700中的建立模块701和校验模块703可以与图10中的处理器1030一起实现。In a specific implementation, the sending module 704 in the device 700 shown in Figure 7 can be implemented together with the output interface 1020 in Figure 10. Similarly, the receiving module 702 can be implemented together with the input interface 1010 in Figure 10. The establishment module 701 and the verification module 703 in the device 700 shown in Figure 7 can be implemented together with the processor 1030 in Figure 10.
图11是根据本公开实施例的第二设备的示意性框图。FIG. 11 is a schematic block diagram of a second device according to an embodiment of the present disclosure.
如图11所示,本公开实施例还提供了一种第二设备1100。设备1100可以是图8中的设备800,其可以被配置为实现属于与方法实施例中的方法对应的第一设备的内容。设备1100包括输入接口1110、输出接口1120、处理器1130和存储器1140。其中,输入接口1110、输出接口1120、处理器1130和存储器1140可以通过总线系统连接。存储器1140被配置为存储程序、指令或代码。处理器1130用于执行存储器1140中的程序、指令或代码,以控制输入接口1110接收信号以及控制输出接口1120发送信号,完成上述各方法实施例中的操作。As shown in Figure 11, the embodiment of the present disclosure also provides a second device 1100. Device 1100 may be device 800 in Figure 8, which may be configured to implement the content of the first device corresponding to the method in the method embodiment. Device 1100 includes an input interface 1110, an output interface 1120, a processor 1130, and a memory 1140. Among them, the input interface 1110, the output interface 1120, the processor 1130, and the memory 1140 may be connected via a bus system. The memory 1140 is configured to store programs, instructions, or codes. The processor 1130 is used to execute the programs, instructions, or codes in the memory 1140 to control the input interface 1110 to receive signals and control the output interface 1120 to send signals, thereby completing the operations in the above-mentioned method embodiments.
具体实现中,图8所示的装置800中的发送模块803可以与图11中的输出接口1120实现,同样,接收模块803可以与图11中的输入接口1110实现,图8所示的装置800中的建立模块801可以与图11中的处理器1130实现。In a specific implementation, the sending module 803 in the device 800 shown in Figure 8 can be implemented with the output interface 1120 in Figure 11. Similarly, the receiving module 803 can be implemented with the input interface 1110 in Figure 11. The establishing module 801 in the device 800 shown in Figure 8 can be implemented with the processor 1130 in Figure 11.
图12是根据本公开实施例的第三设备的示意性框图。FIG. 12 is a schematic block diagram of a third device according to an embodiment of the present disclosure.
如图12所示,本公开实施例还提供了一种第三设备1200。设备1200可以是图9中的装置900,其可以被配置为实现与方法实施例中的方法对应的属于第一装置的内容。设备1200包括输入接口1210、输出接口1212、处理器1230和存储器1240。输入接口810、输出接口1212、处理器1230和存储器1240可以通过总线系统连接。存储器1240被配置为存储程序、指令或代码。所述处理器1230用于执行所述存储器1240中的程序、指令或代码,以控制所述输入接口1210接收信号,以及控制所述输出接口1212发送信号,完成上述各方法实施例中的操作。As shown in Figure 12, the embodiment of the present disclosure also provides a third device 1200. Device 1200 may be the device 900 in Figure 9, which may be configured to implement the content belonging to the first device corresponding to the method in the method embodiment. Device 1200 includes an input interface 1210, an output interface 1212, a processor 1230, and a memory 1240. The input interface 810, the output interface 1212, the processor 1230, and the memory 1240 may be connected via a bus system. The memory 1240 is configured to store programs, instructions, or codes. The processor 1230 is used to execute the programs, instructions, or codes in the memory 1240 to control the input interface 1210 to receive signals, and to control the output interface 1212 to send signals, so as to complete the operations in the above-mentioned method embodiments.
具体实现中,图9所示的装置900中的发送模块904可以与图12中的输出接口1220实现,同样,接收模块902可以与图12中的输入接口1210实现,图9所示的装置900中的建立模块901和校验模块903可以与图12中的处理器1230实现。In a specific implementation, the sending module 904 in the device 900 shown in Figure 9 can be implemented with the output interface 1220 in Figure 12. Similarly, the receiving module 902 can be implemented with the input interface 1210 in Figure 12. The establishment module 901 and the verification module 903 in the device 900 shown in Figure 9 can be implemented with the processor 1230 in Figure 12.
本申请实施例还提供了一种计算机可读存储介质,用于存储计算机程序。An embodiment of the present application also provides a computer-readable storage medium for storing a computer program.
在一种可能的实现形式中,所述计算机可读存储介质可以应用于本申请实施例中的第一设备,所述计算机程序可以使计算机执行本申请实施例中各种方法中第一设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer-readable storage medium can be applied to the first device in the embodiment of the present application, and the computer program can enable the computer to execute the corresponding process implemented by the first device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,所述计算机可读存储介质可以应用于本申请实施例中的第二设备,所述计算机程序可以使计算机执行本申请实施例中各种方法中第二设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer-readable storage medium can be applied to the second device in the embodiment of the present application, and the computer program can enable the computer to execute the corresponding process implemented by the second device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,所述计算机可读存储介质可以应用于本申请实施例中的第三装置,所述计算机程序可以使计算机执行本申请实施例中各种方法中第三装置实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer-readable storage medium can be applied to the third device in the embodiment of the present application, and the computer program can enable the computer to execute the corresponding process implemented by the third device in various methods in the embodiments of the present application. For the sake of simplicity, it is not described here.
本申请实施例还提供了一种计算机程序产品,该计算机程序产品包括计算机程序指令。An embodiment of the present application also provides a computer program product, which includes computer program instructions.
在一种可能的实现形式中,该计算机程序产品可以应用于本申请实施例中的第一设备,该计算机程序指令可以使计算机执行本申请实施例中的各种方法中由第一设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program product can be applied to the first device in the embodiment of the present application, and the computer program instructions can enable the computer to execute the corresponding processes implemented by the first device in the various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,该计算机程序产品可以应用于本申请实施例中的第二设备,该计算机程序指令可以使计算机执行本申请实施例中各种方法中第二设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program product can be applied to the second device in the embodiment of the present application, and the computer program instructions can enable the computer to execute the corresponding process implemented by the second device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,该计算机程序产品可以应用于本申请实施例中的第三设备,该计算机程序指令可以使计算机执行本申请实施例中各种方法中第三设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program product can be applied to the third device in the embodiment of the present application, and the computer program instructions can enable the computer to execute the corresponding process implemented by the third device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
本申请实施例还提供了一种计算机程序。The embodiment of the present application also provides a computer program.
在一种可能的实现形式中,该计算机程序可以应用于本申请实施例中的第一设备,当该计算机程序在计算机上运行时,可以使得计算机执行本申请实施例中各种方法中第一设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program can be applied to the first device in the embodiment of the present application, and when the computer program is run on a computer, the computer can execute the corresponding process implemented by the first device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,该计算机程序可以应用于本申请实施例中的第二设备,当该计算机程序在计算机上运行时,可以使得计算机执行本申请实施例中各种方法中第二设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program can be applied to the second device in the embodiment of the present application, and when the computer program is run on a computer, the computer can execute the corresponding process implemented by the second device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
在一种可能的实现形式中,该计算机程序可以应用于本申请实施例中的第三设备中,当该计算机程序在计算机上运行时,可以使得计算机执行本申请实施例中各种方法中第三设备实现的相应流程。为了简单起见,在此不对其进行描述。In a possible implementation form, the computer program can be applied to the third device in the embodiment of the present application. When the computer program is run on a computer, the computer can execute the corresponding process implemented by the third device in various methods in the embodiment of the present application. For the sake of simplicity, it is not described here.
本申请的说明书和权利要求书以及上述附图中的“第一”、“第二”等术语是用于区别不同对象,而不是用于限定特定顺序。The terms "first", "second" and the like in the specification and claims of this application and the above-mentioned drawings are used to distinguish different objects rather than to limit a specific order.
本申请实施例中的“和/或”等术语仅用于描述关联对象之间的关联,这表示可以存在三种关系,例如,A和/或B可以表示仅存在A、既存在A又存在B,以及仅存在B。The terms such as "and/or" in the embodiments of the present application are only used to describe the association between associated objects, which means that three relationships may exist. For example, A and/or B may mean that only A exists, both A and B exist, and only B exists.
在本申请实施例中,“示例性”或“例如”等表述用于表示对示例或实例的说明。在本申请实施例中,任何被描述为“示例性”或“例如”的实施例或设计方案不应被解释为比其他实施例或设计方案优选或有利。特别地,“示例性”或“例如”的使用旨在以特定方式呈现相关概念。In the embodiments of the present application, expressions such as "exemplary" or "for example" are used to indicate the description of an example or instance. In the embodiments of the present application, any embodiment or design described as "exemplary" or "for example" should not be interpreted as being preferred or advantageous over other embodiments or designs. In particular, the use of "exemplary" or "for example" is intended to present related concepts in a specific way.
本领域普通技术人员可以意识到,本文中所公开的实施例中所描述的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能是以硬件还是软件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业人员可以对每个特定的应用使用不同的方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those skilled in the art will appreciate that the units and algorithm steps described in the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Professionals can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of this application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working processes of the systems, devices and units described above can refer to the corresponding processes in the aforementioned method embodiments and will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上描述的装置实施例仅仅是示意性的。例如,所述单元的划分仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。例如,可以将多个单元或组件结合或集成在另一个系统中,或者可以忽略或不执行一些特征。在另一个方面,所显示或讨论的彼此耦合或直接耦合或通信连接可以是通过一些接口。所述装置或单元的间接耦合或通信连接可以是电性、机械或其它形式。In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are merely schematic. For example, the division of the units is only a logical function division, and there may be other division methods in actual implementation. For example, multiple units or components can be combined or integrated in another system, or some features can be ignored or not performed. In another aspect, the coupling or direct coupling or communication connection shown or discussed can be through some interfaces. The indirect coupling or communication connection of the device or unit can be electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元分别物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的一部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, or the part that contributes to the prior art or a part of the technical solution, can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for a computing device (which can be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in each embodiment of the present application. The aforementioned storage medium includes: various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此。任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到的变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应该以权利要求的保护范围为准。The above is only a specific implementation of the present application, but the protection scope of the present application is not limited thereto. Any changes or substitutions that can be easily thought of by a person skilled in the art within the technical scope disclosed in the present application should be included in the protection scope of the present application. Therefore, the protection scope of the present application should be based on the protection scope of the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2021/108146WO2023000304A1 (en) | 2021-07-23 | 2021-07-23 | Method for entropy service and related products |
| Publication Number | Publication Date |
|---|---|
| CN117918011Atrue CN117918011A (en) | 2024-04-23 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202180100877.6APendingCN117918011A (en) | 2021-07-23 | 2021-07-23 | Entropy service methods and related products |
| Country | Link |
|---|---|
| CN (1) | CN117918011A (en) |
| WO (1) | WO2023000304A1 (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118138626B (en)* | 2024-01-23 | 2024-11-01 | 镁佳(武汉)科技有限公司 | SOMEIP communication intermediate layer implementation system, method and vehicle |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2841070B1 (en)* | 2002-06-17 | 2005-02-04 | Cryptolog | INTERFACE METHOD AND DEVICE FOR PROTECTED EXCHANGING ONLINE CONTENT DATA |
| US9749127B1 (en)* | 2014-06-03 | 2017-08-29 | Amazon Technologies, Inc. | Establishing entropy on a system |
| US10375070B2 (en)* | 2015-04-20 | 2019-08-06 | Certicom Corp. | Generating cryptographic function parameters from compact source code |
| EP3657318A1 (en)* | 2018-11-23 | 2020-05-27 | Nagravision S.A. | Client-side entropy collection for server-side usage |
| US11444751B2 (en)* | 2018-12-05 | 2022-09-13 | Introspective Power, Inc. | System and method for sending and/or receiving entropy and entropy expansion |
| Publication number | Publication date |
|---|---|
| WO2023000304A1 (en) | 2023-01-26 |
| Publication | Publication Date | Title |
|---|---|---|
| EP3742696B1 (en) | Identity management method, equipment, communication network, and storage medium | |
| US7127613B2 (en) | Secured peer-to-peer network data exchange | |
| US11722316B2 (en) | Cryptographic communication system and cryptographic communication method based on blockchain | |
| US11303431B2 (en) | Method and system for performing SSL handshake | |
| US9912644B2 (en) | System and method to communicate sensitive information via one or more untrusted intermediate nodes with resilience to disconnected network topology | |
| JP5944501B2 (en) | Facilitating group access control for data objects in peer-to-peer overlay networks | |
| CN102577230B (en) | Low latency peer session establishment | |
| US8782414B2 (en) | Mutually authenticated secure channel | |
| CN109496414B (en) | Identifying a network node to which data is to be copied | |
| US9021552B2 (en) | User authentication for intermediate representational state transfer (REST) client via certificate authority | |
| WO2019041809A1 (en) | Registration method and apparatus based on service-oriented architecture | |
| JP6326173B1 (en) | Data transmission / reception system and data transmission / reception method | |
| CN107659406A (en) | A kind of resource operating methods and device | |
| KR102266654B1 (en) | Method and system for mqtt-sn security management for security of mqtt-sn protocol | |
| EP3479540A1 (en) | Multi-hop secure content routing based on cryptographic partial blind signatures and embedded terms | |
| US11606193B2 (en) | Distributed session resumption | |
| US10158610B2 (en) | Secure application communication system | |
| US12245034B2 (en) | Secure and trusted peer-to-peer offline communication systems and methods | |
| CN115276998A (en) | IoT authentication method, device and IoT device | |
| US20140181508A1 (en) | Communication device and computer program product | |
| US11611541B2 (en) | Secure method to replicate on-premise secrets in a cloud environment | |
| WO2023000304A1 (en) | Method for entropy service and related products | |
| EP3220604A1 (en) | Methods for client certificate delegation and devices thereof | |
| KR101165350B1 (en) | An Authentication Method of Device Member In Ubiquitous Computing Network | |
| WO2022206247A1 (en) | Certificate lookup method, and apparatus |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right | ||
| TA01 | Transfer of patent application right | Effective date of registration:20241108 Address after:518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong Applicant after:Shenzhen Yinwang Intelligent Technology Co.,Ltd. Country or region after:China Address before:518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Applicant before:HUAWEI TECHNOLOGIES Co.,Ltd. Country or region before:China |