A safety access authentication method and system of an automobile detection equipment diagnostic instrument

By using asymmetric algorithm certificate key pairs and certificate validity mechanisms, combined with dynamic routing configuration and vehicle VIN code control, the timeliness and security issues of device access authentication are solved, achieving efficient and secure access authentication for automotive testing equipment diagnostic instruments.

CN116346463BActive Publication Date: 2026-06-09CHONGQING CHANGAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHONGQING CHANGAN TECH CO LTD
Filing Date
2023-03-27
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing automotive testing equipment diagnostic instrument access authentication methods cannot effectively control access timeliness, resulting in insufficient security of equipment access control. Furthermore, accessing the ECU of the entire vehicle system consumes high time costs and cannot achieve control over specific vehicles.

Method used

Access authentication is performed using an asymmetric algorithm certificate key pair, combined with a certificate validity mechanism and heartbeat detection. Dynamic routing configuration is performed through the authentication gateway and switch. Vehicle VIN codes or wildcards are used for specific vehicle model control, and a secure HTTPS transmission channel is established.

Benefits of technology

It enables effective control over the timing of device access, reduces security risks, improves the efficiency and security of access authentication, reduces dependence on the performance of the authentication gateway, and ensures that devices can only access the device during legal time periods and within legal vehicles.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116346463B_ABST
    Figure CN116346463B_ABST
Patent Text Reader

Abstract

The application discloses a kind of safety access authentication method and system of automobile detection equipment diagnostic instrument, method includes the following steps: the certificate management system of automobile whole vehicle system receives equipment certificate application, and issues and generates equipment certificate;Equipment certificate is filled in detection equipment diagnostic instrument;Automobile whole vehicle system and the detection equipment diagnostic instrument filled with equipment certificate carry out mutual authentication, and establish safe HTTPS transmission channel;Automobile whole vehicle system carries out authority management to the detection equipment diagnostic instrument filled with equipment certificate through safe HTTPS transmission channel.The application achieves the control of authentication session time limit, while greatly reducing equipment authentication time.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security technology for automotive systems, and more specifically, to a secure access authentication method and system for automotive testing equipment diagnostic instruments. Background Technology

[0002] As cars become increasingly common in daily life and their functions become more powerful, there is a greater demand for the quantity and quality of onboard ECU (Electronic Control Unit) systems. Consequently, there is a growing need for diagnostic equipment to access and debug these systems. Currently, traditional electronic architecture systems connect directly to the OBD diagnostic port via diagnostic equipment. Therefore, during the vehicle development, factory assembly, and after-sales stages, diagnostic equipment can access the ECUs in the vehicle system. This can lead to malicious access or tampering with important in-vehicle data, owner privacy data, and the activation of related remote control functions, potentially even causing personal injury.

[0003] Existing external device access authentication methods involve initiating an authentication request to the external device access gateway, authenticating with the test device, and maintaining the session connection after successful authentication. Authentication is performed using random numbers; the authentication request carries a random number, and a random authentication result is generated using a random algorithm. The received request is then verified using the same random algorithm. However, this method lacks control over the validity of the authentication session and the specific vehicle accessing the device. It merely provides a device authentication method, which is not secure enough and lacks comprehensive control over device access. Furthermore, for a vehicle system with hundreds of ECUs, requiring authentication for only a few or dozens of ECUs via a cloud server incurs significant time costs. Summary of the Invention

[0004] The primary objective of this invention is to provide a secure access authentication method for automotive testing equipment diagnostic instruments, which can effectively control the duration of device access and significantly reduce device authentication time.

[0005] To solve the above-mentioned technical problems, the technical solution of the present invention is as follows:

[0006] A secure access authentication method for automotive diagnostic equipment includes the following steps:

[0007] The certificate management system for automotive vehicle systems receives equipment certificate applications and issues generated equipment certificates;

[0008] The equipment certificate is loaded into the diagnostic instrument of the testing equipment;

[0009] The vehicle system and the diagnostic equipment equipped with the equipment certificate undergo two-way authentication and a secure HTTPS transmission channel is established.

[0010] The automotive system manages access to diagnostic equipment with device certificates via a secure HTTPS transmission channel.

[0011] Preferably, the certificate management system of the vehicle system receives equipment certificate applications and issues and generates equipment certificates, specifically as follows:

[0012] The diagnostic equipment manufacturer provides identity information and optional information for certificate application. The identity information includes a username and password or a temporary identity token, and the optional information for certificate application includes the vehicle terminal mechanical code of the diagnostic equipment, the list of accessed electronic control units (ECUs), and the validity period of the certificate.

[0013] Automakers use asymmetric certificates and private key pairs to generate a standard certificate based on the optional information submitted in the certificate application. They then use the root certificate to sign the optional information in the certificate application with their private key and store the signed device certificate using a white-box algorithm.

[0014] The white-box encrypted device certificate is distributed to the testing equipment and diagnostic instrument manufacturers.

[0015] Preferably, the step of distributing the white-box encrypted device certificate to the testing equipment diagnostic instrument manufacturer specifically involves:

[0016] The white-box encrypted device certificate is sent to the testing equipment and diagnostic instrument manufacturer via HTTPS secure transmission or distributed offline via USB device.

[0017] Preferably, the vehicle system and the diagnostic testing equipment equipped with the device certificate perform two-way authentication and establish a secure HTTPS transmission channel, specifically:

[0018] The authentication gateway of the vehicle system is pre-loaded with a root certificate. The root certificate is used to verify the legality of the device certificate of the diagnostic equipment. The authentication gateway is used to establish a transmission channel with the diagnostic equipment, read device certificate information, and communicate with the switch. The switch modifies the routing table configuration according to the list of accessed electronic control units (ECUs) read by the authentication gateway to connect the diagnostic equipment with the corresponding electronic control units (ECUs).

[0019] After the authentication gateway (GATEWAY) verifies the validity of the device certificate using the root certificate, it generates a communication session key and sends the communication session key to the diagnostic instrument. The diagnostic instrument and the authentication gateway (GATEWAY) communicate using the session key for encryption and establish a secure HTTPS transmission channel based on the TLS protocol.

[0020] Preferably, the access control includes:

[0021] The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the device connection authentication is successful; otherwise, the device connection authentication fails.

[0022] Preferably, the device certificate also includes the vehicle's VIN code or a wildcard.

[0023] In another embodiment, the access control includes:

[0024] The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the authentication gateway (GATEWAY) retrieves the vehicle VIN code and verifies it against the vehicle VIN code, vehicle model wildcard, or all vehicle model wildcards in the signature information. If the verification passes, the device connection authentication is successful; otherwise, the device connection authentication fails. If the device certificate is not valid, the device connection authentication fails.

[0025] Preferably, after successful device connection and access authentication, the diagnostic instrument and the authentication gateway GATEWAY periodically perform heartbeat detection via HTTPS secure transmission. When the heartbeat detection stops, the switch restores the default routing configuration.

[0026] A further objective of this invention is to provide a secure access authentication system for automotive diagnostic equipment, wherein the authentication system applies the aforementioned secure access authentication method for automotive diagnostic equipment, and the authentication system includes:

[0027] The certificate application module enables the certificate management system of the vehicle system to receive equipment certificate applications and generate equipment certificates.

[0028] A filling module, used to fill the equipment certificate into the testing equipment diagnostic instrument;

[0029] The authentication module performs two-way authentication between the vehicle system and the diagnostic testing equipment equipped with the equipment certificate, and establishes a secure HTTPS transmission channel.

[0030] The access control module enables the vehicle system to manage access to diagnostic equipment with device certificates via a secure HTTPS transmission channel.

[0031] A third objective of this invention is to provide a computer storage medium that, when executed by a processor, implements the secure access authentication method for the automotive testing equipment diagnostic instrument described above.

[0032] Compared with the prior art, the beneficial effects of the technical solution of the present invention are:

[0033] 1. This invention uses asymmetric algorithm certificate key pairs to implement the access authentication process. From the perspective of complexity, the security strength of asymmetric algorithms is greater than that of symmetric algorithms. Therefore, this invention is relatively more secure.

[0034] 2. This invention employs a dynamic routing configuration rule method to configure optional ECU access services. When the vehicle system opens access permissions to the outside, it means that external devices have a way to access the internal data of the vehicle system. Legitimate access is of course allowed, but this also means that illegal access has the opportunity to intrude into the vehicle system to obtain sensitive information and construct security events, such as modifying key ECU parameters by accessing the OBD interface. This invention uses dynamic configuration rules to achieve selective access, better divide the access permissions of each ECU domain, reduce the security pressure on the vehicle system, and reduce the risk of security events.

[0035] 3. This invention employs a certificate validity mechanism and a heartbeat detection mechanism to effectively control the validity of the authentication access of testing equipment. When the testing equipment diagnostic instrument is in testing or other scenarios, it can choose to issue a time-sensitive certificate in the certificate management system, thereby reducing security pressure, avoiding a one-time solution, and truly achieving time-sensitive control of the testing equipment diagnostic instrument. This enables the testing equipment to have the ability to access authentication for a long time or temporarily, and achieves more flexible and effective control of the testing equipment access authentication in terms of time.

[0036] 4. This invention uses a combination of vehicle VIN codes or wildcards to control the access of diagnostic equipment to specific vehicle models, avoiding the possibility of one device being connected indefinitely, and the serious situation where if a safety incident occurs in one vehicle, safety incidents may also occur in other vehicles, thus achieving more secure device access authentication.

[0037] 5. This invention optimizes the system architecture for vehicle device access authentication. Traditional device access authentication uses an authentication gateway (GATEWAY) for device access authentication and routing. The access efficiency depends on the performance of the authentication gateway. In this invention, the authentication gateway is only used for device authentication and some security verification, reducing the dependence on the performance of the authentication gateway. Access routing control is distributed through a switch (SWITCH), achieving dedicated responsibilities. This does not affect the use of Ethernet and can make device access authentication faster and more efficient. Attached Figure Description

[0038] Figure 1 This is a flowchart illustrating the secure access authentication method for the automotive testing equipment diagnostic instrument of the present invention.

[0039] Figure 2 This is a schematic diagram showing the connection between the vehicle system and the diagnostic instrument of the testing equipment according to the present invention.

[0040] Figure 3 The flowchart for the timed access authentication of the diagnostic instrument provided in the embodiment is shown.

[0041] Figure 4 This is a flowchart illustrating the safe connection of the diagnostic instrument to a specific vehicle model, as provided in this embodiment.

[0042] Figure 5 This is a schematic diagram of the secure access authentication system for the automotive testing equipment diagnostic instrument of the present invention. Detailed Implementation

[0043] The accompanying drawings are for illustrative purposes only and should not be construed as limiting the scope of this patent.

[0044] To better illustrate this embodiment, some parts in the accompanying drawings may be omitted, enlarged, or reduced, and do not represent the actual product dimensions.

[0045] It will be understood by those skilled in the art that certain well-known structures and their descriptions may be omitted in the accompanying drawings.

[0046] The technical solution of the present invention will be further described below with reference to the accompanying drawings and embodiments.

[0047] Example 1

[0048] This embodiment provides a secure access authentication method for automotive diagnostic equipment, such as... Figure 1 As shown, it includes the following steps:

[0049] The certificate management system for automotive vehicle systems receives equipment certificate applications and issues generated equipment certificates;

[0050] The equipment certificate is loaded into the diagnostic instrument of the testing equipment;

[0051] The vehicle system and the diagnostic equipment equipped with the equipment certificate undergo two-way authentication and a secure HTTPS transmission channel is established.

[0052] The automotive system manages access to diagnostic equipment with device certificates via a secure HTTPS transmission channel.

[0053] The certificate management system for the automotive system receives device certificate applications and issues and generates device certificates, specifically as follows:

[0054] The diagnostic equipment manufacturer provides identity information and optional information for certificate application. The identity information includes a username and password or a temporary identity token, and the optional information for certificate application includes the vehicle terminal mechanical code of the diagnostic equipment, the list of accessed electronic control units (ECUs), and the validity period of the certificate.

[0055] Automakers use asymmetric certificates and private key pairs to generate a standard certificate based on the optional information submitted in the certificate application. They then use the root certificate to sign the optional information in the certificate application with their private key and store the signed device certificate using a white-box algorithm.

[0056] The white-box encrypted device certificate is distributed to the testing equipment and diagnostic instrument manufacturers.

[0057] The process of distributing the white-box encrypted device certificate to the testing equipment and diagnostic instrument manufacturer specifically involves:

[0058] The white-box encrypted device certificate is sent to the testing equipment and diagnostic instrument manufacturer via HTTPS secure transmission or distributed offline via USB device.

[0059] The vehicle system and the diagnostic testing equipment equipped with the device certificate undergo two-way authentication and establish a secure HTTPS transmission channel, such as... Figure 2 As shown, specifically:

[0060] The authentication gateway of the vehicle system is pre-loaded with a root certificate. The root certificate is used to verify the legality of the device certificate of the diagnostic equipment. The authentication gateway is used to establish a transmission channel with the diagnostic equipment, read device certificate information, and communicate with the switch. The switch modifies the routing table configuration according to the list of accessed electronic control units (ECUs) read by the authentication gateway to connect the diagnostic equipment with the corresponding electronic control units (ECUs).

[0061] After the authentication gateway (GATEWAY) verifies the validity of the device certificate using the root certificate, it generates a communication session key and sends the communication session key to the diagnostic instrument. The diagnostic instrument and the authentication gateway (GATEWAY) communicate using the session key for encryption and establish a secure HTTPS transmission channel based on the TLS protocol.

[0062] Example 2

[0063] This embodiment, based on Embodiment 1, continues to disclose the following content:

[0064] The access control includes:

[0065] The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the device connection authentication is successful; otherwise, the device connection authentication fails.

[0066] After successful device connection and authentication, the diagnostic device and the authentication gateway GATEWAY periodically perform heartbeat checks via HTTPS secure transmission. When the heartbeat check stops, the switch restores the default routing configuration.

[0067] The testing equipment has a time-sensitive access authentication process, such as... Figure 3 As shown, specifically:

[0068] Step S11: The diagnostic equipment manufacturer logs into the car manufacturer's certificate management system through identity authentication, and selects the accessible ECU route and certificate validity period in the certificate management system, or submits the certificate application information to the certificate management system administrator.

[0069] Step S12: The certificate management system issues a device certificate for the testing equipment diagnostic instrument and encrypts the device certificate using a white-box algorithm. The certificate management system then transmits the encrypted certificate online via HTTPS securely to the testing equipment diagnostic instrument manufacturer, or the certificate management system administrator exports the encrypted certificate from the certificate management system and distributes it to the testing equipment diagnostic instrument manufacturer via a USB device. The testing equipment diagnostic instrument manufacturer then uses a filling tool on the production line to fill the testing equipment with the certificate and integrates the white-box algorithm into the testing equipment.

[0070] Step S13: Pre-install the root certificate in the authentication gateway GATEWAY.

[0071] Step S14: The diagnostic tool is connected to the vehicle system via the OBD diagnostic interface.

[0072] Step S15: The diagnostic tool establishes a communication connection with the vehicle equipment authentication gateway (GATEWAY) through the OBD diagnostic interface. The diagnostic tool sends its device certificate to the GATEWAY, which verifies the validity of the diagnostic tool's device certificate using its pre-installed root certificate. After the diagnostic tool's device certificate passes the validity verification, the GATEWAY generates a communication session key and sends it to the diagnostic tool. Communication between the diagnostic tool and the GATEWAY is encrypted using the session key. Thus, a secure HTTPS transmission channel is established between the two parties based on the TLS protocol.

[0073] Step S16: After the certificate of the testing equipment diagnostic instrument is verified to be valid, the authentication gateway GATEWAY obtains the system time and verifies the validity of the T1 testing equipment diagnostic instrument certificate.

[0074] Step S17: If the certificate verification of the testing equipment diagnostic instrument is invalid or the certificate of the testing equipment diagnostic instrument is not valid, the device access authentication will fail.

[0075] Step S18: If the certificate verification of the detection device diagnostic instrument is valid and the certificate validity period in the detection device diagnostic instrument is valid, then the authentication gateway GATEWAY sends a message to the SWITCH to modify the default route according to the selected route configuration, thereby realizing the configuration of dynamic route access.

[0076] Step S19: After the diagnostic device successfully connects and is authenticated, the diagnostic device and the authentication gateway GATEWAY periodically perform heartbeat checks via HTTPS secure transmission. Once the heartbeat stops, the switch restores its default routing configuration.

[0077] Step S110: Successful heartbeat detection indicates secure access authentication for the diagnostic equipment.

[0078] The secure access authentication function of the testing equipment mainly relies on the principle of asymmetric algorithm certificates and private keys in the certificate management system, while the dynamic routing access configuration is implemented through a signed routing access configuration list.

[0079] Example 3

[0080] This embodiment, based on Embodiment 1, continues to disclose the following content:

[0081] The access control includes:

[0082] The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the authentication gateway (GATEWAY) retrieves the vehicle VIN code and verifies it against the vehicle VIN code, vehicle model wildcard, or all vehicle model wildcards in the signature information. If the verification passes, the device connection authentication is successful; otherwise, the device connection authentication fails. If the device certificate is not valid, the device connection authentication fails.

[0083] After successful device connection and authentication, the diagnostic device and the authentication gateway GATEWAY periodically perform heartbeat checks via HTTPS secure transmission. When the heartbeat check stops, the switch restores the default routing configuration.

[0084] For security authentication of devices requiring temporary access, instead of issuing a long-term certificate through a certificate management system, a temporary certificate can be applied for. The validity period of the certificate controls the timeliness of device access authentication. However, this method cannot manage the access of a specific diagnostic device. For diagnostic devices that require access to only specific vehicles or vehicle models, or all vehicle models, the specific vehicle's VIN code, or a wildcard matching the vehicle model or all vehicle models can be added during signature configuration. Certificates issued in this way can control the access of diagnostic devices to specific vehicles. A flowchart illustrating this secure access of diagnostic devices to specific vehicle models is shown below. Figure 4 As shown:

[0085] Step S21: The diagnostic equipment manufacturer logs into the vehicle manufacturer's certificate management system through identity authentication, selects the accessible ECU routes and certificate validity period on the certificate management system, selects the specific vehicle VIN to be accessed, or the wildcard for the accessed vehicle model, or the wildcard for all vehicle models, or submits the certificate application information to the certificate management system administrator.

[0086] Step S22: The certificate management system issues a device certificate for the testing equipment diagnostic instrument and encrypts the device certificate using a white-box algorithm. The certificate management system then transmits the encrypted certificate online via HTTPS securely to the testing equipment diagnostic instrument manufacturer, or the certificate management system administrator exports the encrypted certificate from the certificate management system and distributes it to the testing equipment diagnostic instrument manufacturer via a USB device. The testing equipment diagnostic instrument manufacturer then fills the testing equipment into the testing equipment on the production line using a filling tool and integrates the white-box algorithm into the testing equipment.

[0087] Step S23: Pre-install the root certificate in the authentication gateway GATEWAY.

[0088] Step S24: The diagnostic tool is connected to the vehicle system via the OBD diagnostic interface.

[0089] Step S25: The diagnostic tool establishes a communication connection with the vehicle equipment authentication gateway (GATEWAY) through the OBD diagnostic interface. The diagnostic tool sends its device certificate to the GATEWAY, which verifies the validity of the diagnostic tool's device certificate using its pre-installed root certificate. After the diagnostic tool's device certificate passes the validity verification, the GATEWAY generates a communication session key and sends it to the diagnostic tool. Communication between the diagnostic tool and the gateway is encrypted using the session key. Thus, a secure HTTPS transmission channel is established between the two parties based on the TLS protocol.

[0090] Step S26: After the diagnostic instrument certificate is verified to be valid, the authentication gateway (GATEWAY) obtains the system time and verifies the validity of the diagnostic instrument certificate.

[0091] Step S27: If the certificate verification of the testing equipment diagnostic instrument is invalid or the certificate of the testing equipment diagnostic instrument is not valid, the device access authentication will fail.

[0092] Step S28: The authentication gateway (GATEWAY) retrieves the vehicle VIN and verifies the vehicle VIN, model wildcard, or all model wildcards within the signature information to control the access of a specific diagnostic instrument to a particular device, thus securely authenticating device access.

[0093] Step S29: If the certificate verification of the detection device diagnostic instrument is valid and the certificate validity period in the detection device diagnostic instrument is valid, then the gateway (GATEWAY) sends a message to the switch (SWITCH) to modify the default route according to the selected route configuration, thereby realizing the configuration of dynamic route access.

[0094] Step S210: After successful device connection and access authentication, the diagnostic device and the authentication gateway GATEWAY periodically perform heartbeat checks via HTTPS secure transmission. Once stopped, the T5 switch SWITCH restores the default routing configuration.

[0095] Step S211: Successful heartbeat detection indicates secure access authentication for the diagnostic equipment.

[0096] By leveraging asymmetric certificates and private key algorithms, a secure HTTPS transmission channel is directly established via the TLS protocol. The legitimacy, integrity, and non-repudiation of information are guaranteed through certificate verification and the signing of critical information. Introducing specific vehicle VIN codes enables a more secure device access mechanism, preventing indiscriminate access of diagnostic equipment to vehicles. The architecture for vehicle-wide device access authentication is optimized, utilizing gateways for communication and device certificate authentication, and switches for efficient routing configuration and distribution, thus achieving simple, secure, effective, and rapid access authentication for diagnostic equipment.

[0097] Example 4

[0098] This embodiment discloses a secure access authentication system for automotive diagnostic equipment, such as... Figure 5 As shown, the authentication system applies the secure access authentication method for automotive testing equipment diagnostic instruments described in Examples 1 to 3. The authentication system includes:

[0099] The certificate application module enables the certificate management system of the vehicle system to receive equipment certificate applications and generate equipment certificates.

[0100] A filling module, used to fill the equipment certificate into the testing equipment diagnostic instrument;

[0101] The authentication module performs two-way authentication between the vehicle system and the diagnostic testing equipment equipped with the equipment certificate, and establishes a secure HTTPS transmission channel.

[0102] The access control module enables the vehicle system to manage access to diagnostic equipment with device certificates via a secure HTTPS transmission channel.

[0103] Example 5

[0104] This embodiment provides a computer storage medium, characterized in that, when the computer storage medium is executed by a processor, it implements the secure access authentication method for the automotive testing equipment diagnostic instrument described in Embodiments 1 to 3.

[0105] The same or similar labels correspond to the same or similar parts;

[0106] The terms used to describe positional relationships in the accompanying drawings are for illustrative purposes only and should not be construed as limiting this patent.

[0107] Obviously, the above embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the implementation of the present invention. Those skilled in the art will recognize that other variations or modifications can be made based on the above description. It is neither necessary nor possible to exhaustively describe all embodiments here. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the claims of the present invention.

Claims

1. A secure access authentication method for a vehicle testing equipment diagnostic instrument, characterized in that, Includes the following steps: The certificate management system for automotive vehicle systems receives equipment certificate applications and issues generated equipment certificates; The equipment certificate is loaded into the diagnostic instrument of the testing equipment; The vehicle system and the diagnostic equipment equipped with the equipment certificate undergo two-way authentication and a secure HTTPS transmission channel is established. The automotive system manages access to diagnostic equipment that has been equipped with the equipment certificate through a secure HTTPS transmission channel. The vehicle system and the diagnostic testing equipment equipped with the device certificate perform two-way authentication and establish a secure HTTPS transmission channel, specifically as follows: The authentication gateway of the vehicle system is pre-loaded with a root certificate. The root certificate is used to verify the legality of the device certificate of the diagnostic equipment. The authentication gateway is used to establish a transmission channel with the diagnostic equipment, read the device certificate information, and communicate with the switch. The switch modifies the routing table configuration according to the list of accessed electronic control units (ECUs) read by the authentication gateway to connect the diagnostic equipment to the corresponding electronic control unit (ECU). After the authentication gateway (GATEWAY) verifies the validity of the device certificate using the root certificate, it generates a communication session key and sends the communication session key to the diagnostic instrument. The diagnostic instrument and the authentication gateway (GATEWAY) communicate using the session key for encryption and establish a secure HTTPS transmission channel based on the TLS protocol.

2. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 1, characterized in that, The certificate management system for the automotive system receives device certificate applications and issues and generates device certificates, specifically as follows: The diagnostic equipment manufacturer provides identity information and optional information for certificate application. The identity information includes a username and password or a temporary identity token, and the optional information for certificate application includes the vehicle terminal mechanical code of the diagnostic equipment, the list of accessed electronic control units (ECUs), and the validity period of the certificate. Automakers use asymmetric certificates and private key pairs to generate a standard certificate based on the optional information submitted in the certificate application. They then use the root certificate to sign the optional information in the certificate application with their private key and store the signed device certificate using a white-box algorithm. The white-box encrypted device certificate is distributed to the testing equipment and diagnostic instrument manufacturers.

3. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 2, characterized in that, The process of distributing the white-box encrypted device certificate to the testing equipment and diagnostic instrument manufacturer specifically involves: The white-box encrypted device certificate is sent to the testing equipment and diagnostic instrument manufacturer via HTTPS secure transmission or distributed offline via USB device.

4. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 2, characterized in that, The access control includes: The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the device connection authentication is successful; otherwise, the device connection authentication fails.

5. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 2, characterized in that, The equipment certificate also includes the vehicle's VIN code or wildcard.

6. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 2, characterized in that, The access control includes: The authentication gateway (GATEWAY) obtains the certificate validity period and system time from the device certificate and performs timeliness authentication on the device certificate. If the device certificate is valid, the authentication gateway (GATEWAY) retrieves the vehicle VIN code and verifies it against the vehicle VIN code, vehicle model wildcard, or all vehicle model wildcards in the signature information. If the verification passes, the device connection authentication is successful; otherwise, the device connection authentication fails. If the device certificate is not valid, the device connection authentication fails.

7. The secure access authentication method for automotive testing equipment diagnostic instruments according to claim 4 or 6, characterized in that, After successful device connection and authentication, the diagnostic device and the authentication gateway GATEWAY periodically perform heartbeat checks via HTTPS secure transmission. When the heartbeat check stops, the switch restores the default routing configuration.

8. A secure access authentication system for a vehicle testing equipment diagnostic instrument, characterized in that, The authentication system applies the secure access authentication method for automotive diagnostic equipment as described in any one of claims 1 to 7, and the authentication system includes: The certificate application module enables the certificate management system of the vehicle system to receive equipment certificate applications and generate equipment certificates. A filling module, used to fill the equipment certificate into the testing equipment diagnostic instrument; The authentication module performs two-way authentication between the vehicle system and the diagnostic testing equipment equipped with the equipment certificate, and establishes a secure HTTPS transmission channel. The access control module enables the vehicle system to manage access to diagnostic equipment with installed device certificates via a secure HTTPS transmission channel.

9. A computer storage medium, characterized in that, When the computer storage medium is executed by the processor, it implements the secure access authentication method for the automotive testing equipment diagnostic instrument as described in any one of claims 1 to 7.