A message transmission method, apparatus and device

By employing a two-layer authentication mechanism and a hardware security module to generate key pairs between automotive electronic controllers, the problem of low security in electronic controller message transmission is solved, and the security of encrypted communication and protection of the network system are achieved.

CN122247639APending Publication Date: 2026-06-19BEIJING BANGCLE TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING BANGCLE TECH CO LTD
Filing Date
2024-12-17
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

The low security of message transmission between automotive electronic controllers makes them vulnerable to attacks, resulting in a lack of security for the vehicle's internal network system.

Method used

A two-layer authentication mechanism is adopted, which uses a first key pair and a second key pair related to the current time for authentication, and generates a third key pair in the hardware security module to encrypt the CAN message to be transmitted, so as to ensure the security of the encrypted communication process.

Benefits of technology

It improves the security of message transmission between electronic controllers, prevents attackers from analyzing and tampering with CAN messages, and ensures the security of the vehicle's internal network system.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247639A_ABST
    Figure CN122247639A_ABST
Patent Text Reader

Abstract

This specification discloses a message transmission method, apparatus, and device. The method includes: generating a first random number and a second random number after successful authentication between an electronic controller and a first electronic controller of a vehicle device; generating a third key pair based on the first random number in the hardware security module of the electronic controller according to a preset key generation rule; encrypting the private key in the third key pair using the private key in the first key pair to obtain first verifiable information, and encrypting the second random number using the public key in the third key pair to obtain second verifiable information; sending the first and second verifiable information to the first electronic controller; and encrypting a CAN message to be transmitted using the public key in the second key pair if the second random number and the third verifiable information match successfully, and sending the encrypted CAN message to the first electronic controller.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This document relates to the field of computer technology, and in particular to a message transmission method, apparatus, and device. Background Technology

[0002] With the rapid development of computer technology, automotive electrical systems are becoming increasingly complex. Currently, cars generally have a large number of electronic controllers. As attacks on electronic controllers become more rampant, the security of the internal network system of vehicle equipment cannot be guaranteed.

[0003] For example, an attacker could send malicious CAN messages to flash the gateway, thereby controlling related electronic controllers (such as windshield wipers, headlights, windows, steering systems, brakes, etc.), resulting in low security for message transmission between the electronic controllers of vehicle equipment. Therefore, embodiments of this specification provide a technical solution to improve the security of message transmission between the electronic controllers of vehicle equipment. Summary of the Invention

[0004] The purpose of the embodiments in this specification is to provide a technical solution to improve the security of message transmission between electronic controllers of vehicle equipment.

[0005] To achieve the above technical solution, the embodiments in this specification are implemented as follows: This specification provides a message transmission method applied to an electronic controller of a vehicle device. The method includes: generating a first random number and a second random number when the electronic controller successfully authenticates itself against a second key pair generated by the first electronic controller of the vehicle device based on a first key pair related to the current time; the first electronic controller being any electronic controller of the vehicle device; generating a third key pair based on the first random number in the hardware security module of the electronic controller according to a preset key generation rule; encrypting the private key in the third key pair using the private key in the first key pair to obtain first verifiable information; and encrypting the second random number using the public key in the third key pair. The system performs a encryption process to obtain second verifiable information; it then sends the first and second verifiable information to the first electronic controller and receives a third verifiable information returned by the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information using a target key, which is obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. The system then performs a matching detection process on the second random number and the third verifiable information. If a match is successful, the system encrypts the CAN message to be transmitted using the public key in the second key pair and sends the encrypted CAN message to the first electronic controller.

[0006] This specification provides a message transmission device, comprising: a first generation module, configured to generate a first random number and a second random number when an electronic controller, based on a first key pair related to the current time, successfully authenticates the data with a second key pair generated by the first electronic controller of the vehicle equipment; the first electronic controller being any electronic controller of the vehicle equipment; a second generation module, configured to generate a third key pair based on the first random number in the hardware security module of the electronic controller, according to a preset key generation rule; and a third generation module, configured to encrypt the private key in the third key pair using the private key in the first key pair to obtain first verifiable information, and encrypt the second random number using the public key in the third key pair to obtain... The system includes a second verifiable information module; a first sending module, configured to send the first and second verifiable information to the first electronic controller, and receive a third verifiable information returned by the first electronic controller, wherein the third verifiable information is obtained by the first electronic controller decrypting the second verifiable information according to a target key, and the target key is obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair; and a matching detection module, configured to perform matching detection on the second random number and the third verifiable information, and, if the matching is successful, encrypt the CAN message to be transmitted according to the public key in the second key pair, and send the encrypted CAN message to the first electronic controller.

[0007] This specification provides an embodiment of a message transmission device, comprising: a processor; and a memory arranged to store computer-executable instructions, wherein the executable instructions, when executed, cause the processor to: generate a first random number and a second random number, wherein the first electronic controller is any electronic controller of the vehicle device, provided that an electronic controller has successfully authenticated the device using a first key pair related to the current time and a second key pair generated by the first electronic controller of the vehicle device; in the hardware security module of the electronic controller, generate a third key pair based on the first random number according to a preset key generation rule; encrypt the private key in the third key pair according to the private key in the first key pair to obtain first verifiable information, and encrypt the private key in the third key pair according to the private key in the first key pair. The public key is used to encrypt the second random number to obtain second verifiable information; the first and second verifiable information are sent to the first electronic controller, and a third verifiable information is received from the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information according to a target key, and the target key is obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair; the second random number and the third verifiable information are matched and detected, and if the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0008] This specification also provides a storage medium for storing computer-executable instructions. When executed by a processor, these instructions implement the following process: If an electronic controller successfully authenticates itself with a second key pair generated by a first electronic controller of the vehicle equipment based on a first key pair related to the current time, the first electronic controller can be any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the first and second random numbers are encrypted using the public key in the third key pair. Two random numbers are encrypted to obtain second verifiable information. The first and second verifiable information are sent to the first electronic controller, and a third verifiable information is received from the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information according to a target key. The target key is obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0009] This specification also provides a computer program product, including a computer program that, when executed by a processor, implements the following process: If an electronic controller successfully authenticates itself with a second key pair generated by the first electronic controller of the vehicle equipment based on a first key pair related to the current time, the first random number and the second random number are generated, where the first electronic controller is any electronic controller of the vehicle equipment; in the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule; the private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information, and the second random number is encrypted using the public key in the third key pair. The system performs encryption to obtain second verifiable information; it then sends the first and second verifiable information to the first electronic controller and receives a third verifiable information returned by the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information using a target key, which is obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. The system then performs a matching detection process on the second random number and the third verifiable information. If a match is successful, the system encrypts the CAN message to be transmitted using the public key in the second key pair and sends the encrypted CAN message to the first electronic controller. Attached Figure Description

[0010] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort. Figure 1 This is an embodiment of a message transmission method described in this specification; Figure 2 This is yet another embodiment of a message transmission method described in this specification; Figure 3 This is a schematic diagram of a message transmission process described in this specification; Figure 4 This is yet another embodiment of a message transmission method described in this specification; Figure 5 This is yet another embodiment of a message transmission method described in this specification; Figure 6 This is one embodiment of a message transmission device described in this specification; Figure 7 This is an embodiment of a message transmission device described in this specification. Detailed Implementation

[0011] This specification provides a message transmission method, apparatus, and device through its embodiments.

[0012] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.

[0013] This specification provides a technical solution to improve the security of message transmission between electronic controllers in vehicle equipment. With the rapid development of computer technology, automotive electrical systems are becoming increasingly complex. Current vehicles generally have a large number of electronic controllers. As attacks targeting these controllers become more rampant, the security of the internal network system of vehicle equipment is compromised. For example, attackers can send malicious CAN messages to flash the gateway, thereby controlling related electronic controllers (such as windshield wipers, headlights, windows, steering systems, brakes, etc.), leading to low security in message transmission between the electronic controllers of vehicle equipment. Therefore, this specification provides a technical solution to improve the security of message transmission between electronic controllers in vehicle equipment. In this scheme, after the electronic controller successfully authenticates itself with the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time, it generates a first random number and a second random number. The first electronic controller can be any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. The second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The first and second verifiable information are sent to the first electronic controller, and the system receives the third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. In this way, the authentication security between electronic controllers can be improved by two layers of verification (i.e., authentication by a first key pair and a second key pair related to the current time, and matching verification by verifiable information generated by random numbers). In the matching verification process, the key pair generated in the authentication process (i.e., the first key pair) can be used to protect the key pair generated in the matching verification process (i.e., the third key pair), thereby improving the security of the encrypted communication process. Furthermore, the security of data processing can also be improved through the hardware security module.In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0014] like Figure 1 As shown in the embodiments of this specification, a message transmission method is provided. The execution subject of this method can be the Electronic Control Unit (ECU) of a vehicle device. The ECU can take signal (data) acquisition, calculation, processing, analysis, judgment, and countermeasure determination as input, and then take issuing control commands and directing actuators as output. The ECU can also provide stable power or reference voltage to sensors. All functions of the ECU can be accomplished by the sum of various hardware and software, and its core is a microcomputer system based on a microcontroller. The method may specifically include the following steps: In step S102, if the electronic controller successfully authenticates the first key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time and the second key pair generated by the first electronic controller, a first random number and a second random number are generated.

[0015] The first electronic controller can be any electronic controller of the vehicle equipment.

[0016] In implementation, there can be multiple first electronic controllers. Each first electronic controller can generate a first key pair based on the current time according to the first key generation rule. That is, the first key pairs corresponding to different first electronic controllers can be different.

[0017] Before authentication, the electronic controller can send a pre-defined CAN message to each first electronic controller. The pre-defined CAN message can be used to inform the first electronic controller that authentication is about to be performed. After receiving the CAN message, the first electronic controller can return a response message to the electronic controller.

[0018] The electronic controller can determine whether the first electronic controller agrees to authentication based on the response message. If the electronic controller determines that the first electronic controller agrees to authentication based on the response message, the electronic controller can authenticate with the second key pair generated by the first electronic controller based on the first key pair related to the current time.

[0019] During authentication, the electronic controller can sign the timestamp corresponding to the current time based on the encryption key in the first key pair and send an authentication request to the first electronic controller. The authentication request can carry the timestamp corresponding to the current time and the signature.

[0020] The first electronic controller can generate a second key pair based on the timestamp corresponding to the current time, and sign the timestamp corresponding to the current time based on the encryption key in the second key pair. Then, the first electronic controller can perform a matching detection between the received signature and the generated signature, and send a response message for the authentication request to the electronic controller based on the matching detection result.

[0021] If the electronic controller determines that the signature match is successful based on the response message, it can confirm that the authentication between the electronic controller and the first electronic controller is successful.

[0022] Furthermore, the above-mentioned identity verification process is an optional and implementable process. In actual application scenarios, there can be a variety of different processes. Different processes can be selected according to different actual application scenarios. This specification does not specifically limit this.

[0023] Once authentication is confirmed, the electronic controller can generate a first random number and a second random number based on a preset number of random bits. The number of bits in the first random number and the second random number can be the same or different.

[0024] In step S104, in the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to the preset key generation rules.

[0025] Among them, the Hardware Security Module (HSM) is a physical device that can be used to handle high-security encryption operations, key management, and digital signatures. It can be used to ensure the security of networks and applications. HSMs can be used in banking, payment systems, government agencies, enterprise IT security, and other fields to ensure the security of keys and sensitive data. In the field of vehicle equipment, HSMs can be embedded in in-vehicle microcontroller units (MCUs) as an important tool for realizing in-vehicle communication security (such as SECOC), software updates (OTA), and data privacy protection.

[0026] In implementation, the electronic controller can call the HSM and generate a third key pair based on the first random number according to the preset key generation rules in the HSM, so as to ensure the security of the key generation process through the HSM.

[0027] In step S106, the private key in the third key pair is encrypted based on the private key in the first key pair to obtain the first verifiable information, and the second random number is encrypted based on the public key in the third key pair to obtain the second verifiable information.

[0028] In implementation, the electronic controller can call the HSM, which encrypts the private key in the third key pair based on the private key in the first key pair to obtain the first verifiable information, and encrypts the second random number based on the public key in the third key pair to obtain the second verifiable information.

[0029] In step S108, the first verifiable information and the second verifiable information are sent to the first electronic controller, and the third verifiable information returned by the first electronic controller is received.

[0030] The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information according to the target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair.

[0031] In implementation, the first electronic controller can decrypt the first verifiable information based on the private key in the second key pair to obtain the target key, and then decrypt the second verifiable information based on the target key to obtain the third verifiable information.

[0032] In step S110, the second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0033] A CAN message can be a data frame transmitted on the CAN bus. A CAN message can consist of multiple parts, such as frame ID, frame data, direction, frame type, and data length.

[0034] This specification provides a message transmission method. When an electronic controller successfully authenticates itself with a second key pair generated by the first electronic controller of a vehicle device based on a first key pair related to the current time, a first random number and a second random number are generated. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The system verifies information by sending first and second verifiable information to the first electronic controller and receiving third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching check is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication using the first and second key pairs related to the current time, and matching verification using verifiable information generated by a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module further improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0035] In practical applications, authentication can also be performed based on the first key pair and the second key pair. There are various authentication processing methods; one optional method is provided below. Figure 2 As shown, the specific process may include the following steps S202 to S210.

[0036] In step S202, the current time is obtained using the hardware security module in the electronic controller, and a first key pair is generated based on the current time.

[0037] In implementation, the electronic controller can call the secure clock module in the HSM to obtain the current time, so as to ensure the accuracy of the obtained current time through a trusted data source (such as the secure clock module in the HSM).

[0038] The electronic controller can generate a first key pair in the HSM according to the first key generation rules and the current time.

[0039] In step S204, fourth verifiable information is generated for the public key in the first key pair.

[0040] In step S206, the timestamp corresponding to the current time and the fourth verifiable information are sent to the first electronic controller.

[0041] In step S208, an authentication message returned by the first electronic controller is received.

[0042] The authentication message can be determined by the first electronic controller through matching the fifth verifiable information and the fourth verifiable information. The fifth verifiable message can be verifiable information generated by the first electronic controller for the public key in the second key pair. The second key pair can be a key pair generated by the first electronic controller based on the timestamp.

[0043] In step S210, it is determined whether the authentication is successful based on the authentication message.

[0044] In practical applications, the first and second random numbers can be random numbers generated by the electronic controller using a hardware random number generator in the hardware security module.

[0045] In practice, taking ECU A as the electronic controller and ECU B as the first electronic controller as an example, ECU A and ECU B can be any electronic controller in the vehicle equipment.

[0046] like Figure 3 As shown, the communication process between ECU A and ECU B can be divided into a key synchronization stage and an encrypted communication stage. The key synchronization stage can include an authentication stage and a matching detection stage.

[0047] Specifically, during the authentication phase, ECU A can send a specific set of CAN messages (i.e., pre-defined CAN messages) to ECU B, informing ECU B that an encrypted communication is about to take place. After receiving the encrypted communication request, ECU B will send a corresponding response message. If ECU B does not agree, the subsequent process ends. If ECU B agrees, ECU A will first call the internal HSM's secure clock module to generate a public-private key pair (i.e., the first key pair): pub_a_1 and key_a_1, based on the current time and according to certain rules (such as the first key generation rule). The generated private key key_a_1 can be stored in the HSM.

[0048] A fourth verifiable information can be generated based on the public key. For example, the fourth verifiable information can be the hash value pub_a_1_hash obtained by hashing the public key. Then, the fourth verifiable information and the timestamp corresponding to the current time can be sent out of the HSM to ECU B.

[0049] After receiving the message (i.e., the fourth verifiable information and the timestamp corresponding to the current time), ECU B can transmit the current actual timestamp and the fourth verifiable information sent by ECU A to HSM. HSM can generate the same public-private key pair (i.e., the second key pair): pub_b_1 and key_b_1, based on the current timestamp and following the same first key generation rules. HSM will then use the hash value pub_b_1_hash of the generated public key as the fifth verifiable information. ECU B can then match the fifth verifiable information with the public key hash value pub_a_1_hash (i.e., the fourth verifiable information) sent by ECU A to determine the authentication message. The authentication message is then returned to ECU A. Specifically, if they match, ECU B sends an authentication message indicating successful first key synchronization to ECU A and continues with subsequent steps; if they differ, ECU B sends an authentication message indicating failed first key synchronization to ECU A and repeats the previous steps.

[0050] In practical applications, the specific processing method for encrypting the CAN message to be transmitted based on the public key in the second key pair and sending the encrypted CAN message to the first electronic controller in step S110 can vary. One optional processing method is provided below, such as... Figure 4 As shown, the specific process may include the following steps S1102 to S1108.

[0051] In step S1102, the sixth and seventh verifiable information sent by the first electronic controller are received.

[0052] The sixth verifiable information can be obtained by encrypting the private key in the fourth key pair in the local hardware security module of the first electronic controller based on the private key in the second key pair. The fourth key pair can be a key pair generated by the first electronic controller based on the generated third random number according to the preset key generation rules. The seventh verifiable information can be obtained by encrypting the generated fourth random number based on the public key in the fourth key pair.

[0053] In step S1104, the sixth verifiable information is decrypted according to the private key in the first key pair, and the seventh verifiable information is decrypted according to the key obtained from the decryption process to obtain the eighth verifiable information.

[0054] In step S1106, the eighth verifiable information is sent to the first electronic controller, and the key synchronization message returned by the first electronic controller is received.

[0055] Among them, the key synchronization message can be determined by the first electronic controller in its local hardware security module by matching the eighth verifiable information and the fourth random number.

[0056] In step S1108, if the eighth verifiable information and the fourth random number are successfully matched according to the key synchronization message, the hardware security module encrypts the CAN message to be transmitted according to the public key in the second key pair, and sends the encrypted CAN message to the first electronic controller.

[0057] In implementation, such as Figure 3 As shown, during the matching and detection phase, after the first key synchronization is successful (i.e., authentication is successful), ECU A will continue to make a second key synchronization request. ECU A calls HSM again, which can generate two sets of random numbers (i.e., the first random number and the second random number) through the internal hardware random number generator. Based on the first random number, according to the preset key generation rules, a second public-private key pair (i.e., the third key pair) is generated: pub_a_2 and key_a_2.

[0058] ECU A can use the private key key_a_1 in the first key pair to encrypt the private key key_a_2 in the third key pair to obtain the first verifiable information key_a_2_enc. At the same time, ECU A can use the public key pub_a_2 in the second public-private key pair (i.e., the third key pair) to encrypt the second random number seed_a to obtain the second verifiable information idc_a. Subsequently, ECU A can transmit the generated first verifiable information key_a_2_enc and second verifiable information idc_a out of HSM to ECU A, and ECU A will then forward it to ECU B.

[0059] After receiving the message, ECU B will send the sent key_a_2_enc and idc_a to HSM. HSM can use the private key key_b_1 from the second key pair generated during the first key synchronization to decrypt key_a_2_enc to obtain the target key key_a_2. Then, it uses the target key key_a_2 to decrypt idc_a to obtain the third verifiable information idc_a_dec. Then, it sends the third verifiable information idc_a_dec out of HSM to ECU B. ECU B then forwards the third verifiable information idc_a_dec to ECU A for confirmation.

[0060] After receiving the third verifiable information idc_a_dec, ECU A can pass the third verifiable information idc_a_dec to HSM. HSM compares the third verifiable information idc_a_dec with the second random number seed_a. If they are the same, it will send a message to ECU B that the second key synchronization between ECU A and ECU B is successful and continue with the subsequent steps. If they are different, it will send a message to ECU B that the second key synchronization between ECU A and ECU B fails and repeat the previous steps.

[0061] After the second key synchronization from ECU A to ECU B is successful, ECU B will follow the same steps to perform the second key synchronization process from ECU B to ECU A. ECU B can call HSM again to generate two sets of random numbers (i.e., the third random number and the fourth random number) through the internal hardware random number generator, and generate a second public-private key pair (i.e., the fourth key pair) based on the third random number according to the preset key generation rules: pub_b_2 and key_b_2.

[0062] ECU B can use the private key key_b_1 from the second key pair to encrypt the private key key_b_2 from the fourth key pair, obtaining the sixth verifiable information key_b_2_enc. Simultaneously, it can use the public key from the fourth key pair to encrypt the generated fourth random number seed_b, obtaining the seventh verifiable information idc_b. Then, it can transmit the sixth verifiable information key_b_2_enc and the seventh verifiable information idc_b out of the HSM to ECU B, which then forwards them to ECU A.

[0063] After receiving the message, ECU A can transmit the sixth verifiable information key_b_2_enc and the seventh verifiable information idc_b to HSM. HSM can use the private key key_a_1 from the first key pair generated during the first key synchronization to decrypt the sixth verifiable information key_b_2_enc to obtain key_b_2. Then, it uses key_b_2 (i.e., the key obtained from the decryption process) to decrypt the seventh verifiable information idc_b to obtain the eighth verifiable information idc_b_dec. Then, it transmits the eighth verifiable information idc_b_dec out of HSM to ECU A, and ECU A forwards it to ECU B for confirmation.

[0064] After receiving the eighth verifiable information idc_b_dec, ECU B can pass the eighth verifiable information idc_b_dec into HSM and match it with the fourth random number seed_b to determine the key synchronization message. Then, ECU B sends the key synchronization message to ECU A. Specifically, if the match is successful, ECU B will send a key synchronization message to ECU A indicating that the second key synchronization between ECU B and ECU A has succeeded, and continue with the subsequent steps. If the match is unsuccessful, ECU B will send a key synchronization message to ECU A indicating that the second key synchronization between ECU B and ECU A has failed, and repeat the previous steps.

[0065] In practical applications, the specific processing method for encrypting the CAN message to be transmitted based on the public key in the second key pair in step S110 above can be varied. One optional processing method is provided below, such as... Figure 5 As shown, the specific process may include the following steps S11010 to S11012.

[0066] In step S11010, the second random number and the third verifiable information are matched and detected. If the match is successful, the target time corresponding to the CAN message to be transmitted is obtained by using the hardware security module in the electronic controller.

[0067] In step S11012, the timestamp of the target time and the CAN message to be transmitted are concatenated, and the concatenated message is encrypted according to the public key in the second key pair to obtain the encrypted CAN message.

[0068] In implementation, such as Figure 3As shown, during the encrypted communication phase, after the second key synchronization is successful, ECU A and ECU B will conduct corresponding encrypted communication. During each communication, ECU A will send the CAN message it wants to transmit to the HSM. The HSM calls its internal secure clock module to obtain the timestamp of the target time corresponding to the CAN message to be transmitted, and then concatenates the timestamp of the target time with the CAN message to be transmitted. Then, it can encrypt the concatenated message according to the public key pub_a_2 in the second key pair, and then send the encrypted CAN message out of the HSM to ECU A, which then forwards it to ECU B.

[0069] When ECU B receives the encrypted CAN message, it passes it to the HSM and decrypts it using the target key key_a_2 to obtain the CAN message to be transmitted and the target time timestamp. The timestamp of the target time can be verified. If the verification is successful, the CAN message to be transmitted can be sent out of the HSM to ECU B for processing. Similarly, ECU B will also pass the CAN message it wants to send to the HSM. The HSM can call the internal secure clock module to add a timestamp and encrypt it using the public key pub_b_2 in the fourth key pair. Then, the HSM is sent out to ECU B to send to ECU A. After receiving the encrypted CAN message, ECU A can pass it to the HSM, decrypt it using key_b_2, and verify the timestamp. If the verification is successful, the CAN message can be sent out of the HSM to ECU A for processing.

[0070] In practical applications, the first and third key pairs can be stored in the hardware security module. Correspondingly, upon termination of communication, the relevant key pairs stored in the hardware security module can be deleted. The specific processing method for deleting key pairs can vary; one optional method is provided below, such as... Figure 5 As shown, the specific process may include the following steps S502 to S504.

[0071] In step S502, a request message to end communication is sent to the first electronic controller.

[0072] In step S504, upon receiving an agreement message from the first electronic controller in response to the request message, the first key pair and the third key pair stored in the hardware security module are deleted.

[0073] In practice, after encrypted communication is completed, ECU A or ECU B can send a request message to the other party to end the encrypted communication. The other party will respond after receiving the request. If it does not agree, it will return a negative response to continue encrypted communication. If it agrees, it will send a positive response (i.e., an agreement message). Then, both parties will destroy the two public and private key pairs generated earlier (i.e., delete the key pairs stored in the hardware security module). Thus, a secure encrypted communication is completed.

[0074] In this way, whenever different ECUs within the vehicle communicate using CAN bus commands, a newly generated key can be used to encrypt CAN messages within a given time period, thereby protecting the CAN communication messages within the vehicle.

[0075] After the vehicle's equipment is operational, if an ECU A wants to communicate with another ECU B via the CAN bus, it first calls its own HSM (Host Smart Message) and generates a public-private key pair based on the current time. The private key is then stored in the HSM, and the hash of the public key is sent to the desired ECU B. Upon receiving the message, ECU B also generates its own public-private key pair and compares it with the sent public key. If they match, it continues with the subsequent steps; otherwise, it reports a failure and repeats the above steps.

[0076] After the two ECUs communicating successfully synchronize their keys for the first time, the ECU initiating the communication will generate a public-private key pair again using a hardware random number generator to generate truly random numbers. It will then encrypt the private key from the second generated key pair using the public key from the first generated key pair and send the encrypted key to the other ECU. The receiving ECU receives the key and sends it to its HSM (Hardware Name System). Within the HSM, it decrypts the key using the private key from the first generated key pair to obtain the sent private key. It then uses the same method to generate a public-private key pair using the hardware random number generator, encrypts the private key from the second generated key pair using the public key from the first generated key pair, and sends it to the sending ECU. The sending ECU, upon receiving the encrypted private key, can also send it to its HSM and decrypt it internally to obtain the private key.

[0077] After the two ECUs communicating successfully synchronize their second key, the sending ECU that initiated the communication can encrypt the data using the public key synchronized for the second time, and then send the encrypted data to the receiving end. The receiving end can then decrypt the data using the private key synchronized for the second time. Similarly, the receiving ECU will also encrypt the data using the public key synchronized for the second time, and then send the encrypted data to the sending end. The sending end will also decrypt the data using the private key synchronized for the second time.

[0078] After the communication ends, the sending end will send a data packet to inform the receiving end that the communication has ended. Then, both parties will destroy the two sets of public and private keys involved in this encryption. Thus, a secure encrypted communication ends.

[0079] Instead of calculating the message MAC (Message Authentication Code), the ECU chip's HSM (Hardware Message Manager) performs encryption and decryption operations on the CAN message itself. The entire communication message is encrypted, and the encrypted ciphertext is transmitted only, not the plaintext. When an attacker or hacker successfully enters a sensitive domain of the vehicle (such as a domain related to autonomous driving), they cannot directly obtain the plaintext CAN message, reducing the risk of sensitive information leakage and preventing the direct forging of malicious CAN message messages to control or damage the vehicle.

[0080] In addition, two key exchange processes are performed before encrypted communication. During the first key exchange, the public and private key pairs are generated according to time, and the private key is not transmitted outside the HSM. During the second key exchange, the public and private key pairs are randomly generated and protected by the private key generated in the first exchange. The security of the entire encrypted communication process is guaranteed by the chip HSM.

[0081] This specification provides a message transmission method. When an electronic controller successfully authenticates itself with a second key pair generated by the first electronic controller of a vehicle device based on a first key pair related to the current time, a first random number and a second random number are generated. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The system verifies information by sending first and second verifiable information to the first electronic controller and receiving third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching check is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication using the first and second key pairs related to the current time, and matching verification using verifiable information generated by a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module further improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0082] The above describes the message transmission method provided in the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide a message transmission device, such as... Figure 6 As shown.

[0083] The message transmission device includes: a first generation module 601, a second generation module 602, a third generation module 604, a first sending module 605, and a matching detection module 606, wherein: The first generation module 601 is used to generate a first random number and a second random number when the electronic controller successfully authenticates the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time. The first electronic controller can be any electronic controller of the vehicle equipment. The second generation module 602 is used in the hardware security module of the electronic controller to generate a third key pair based on the first random number according to a preset key generation rule. The third generation module 603 is used to encrypt the private key in the third key pair according to the private key in the first key pair to obtain the first verifiable information, and to encrypt the second random number according to the public key in the third key pair to obtain the second verifiable information. The first sending module 604 is used to send the first verifiable information and the second verifiable information to the first electronic controller, and to receive the third verifiable information returned by the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information according to the target key. The target key is obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair. The matching detection module 605 is used to perform matching detection processing on the second random number and the third verifiable information, and if the matching is successful, to encrypt the CAN message to be transmitted according to the public key in the second key pair, and to send the encrypted CAN message to the first electronic controller.

[0084] In the embodiments described in this specification, the device further includes: The fourth generation module is used to obtain the current time using the hardware security module in the electronic controller, and generate the first key pair based on the current time; The fifth generation module is used to generate fourth verifiable information for the public key in the first key pair; The second sending module is used to send the timestamp corresponding to the current time and the fourth verifiable information to the first electronic controller; The message receiving module is used to receive an authentication message returned by the first electronic controller. The authentication message is determined by the first electronic controller through matching processing based on the fifth verifiable information and the fourth verifiable information. The fifth verifiable information is verifiable information generated by the first electronic controller for the public key in the second key pair. The second key pair is a key pair generated by the first electronic controller based on the timestamp. An authentication module is used to determine whether authentication is successful based on the authentication message.

[0085] In the embodiments described in this specification, the first random number and the second random number are random numbers generated by the electronic controller in the hardware security module using a hardware random number generator.

[0086] In the embodiments described in this specification, the matching detection module 605 is used for: The system receives a sixth verifiable information and a seventh verifiable information sent by the first electronic controller. The sixth verifiable information is obtained by the first electronic controller in its local hardware security module by encrypting the private key in the fourth key pair based on the private key in the second key pair. The fourth key pair is a key pair generated by the first electronic controller based on the third random number generated according to the preset key generation rule. The seventh verifiable information is obtained by the first electronic controller by encrypting the fourth random number generated based on the public key in the fourth key pair. Based on the private key in the first key pair, the sixth verifiable information is decrypted, and based on the key obtained from the decryption process, the seventh verifiable information is decrypted to obtain the eighth verifiable information. The eighth verifiable information is sent to the first electronic controller, and a key synchronization message is received from the first electronic controller. The key synchronization message is determined by the first electronic controller in its local hardware security module by matching the eighth verifiable information and the fourth random number. If the eighth verifiable information and the fourth random number are successfully matched according to the key synchronization message, the hardware security module encrypts the CAN message to be transmitted according to the public key in the second key pair, and sends the encrypted CAN message to the first electronic controller.

[0087] In the embodiments described in this specification, the matching detection module 605 is used for: The target time corresponding to the CAN message to be transmitted is obtained using the hardware security module in the electronic controller. The timestamp of the target time and the CAN message to be transmitted are concatenated, and the concatenated message is encrypted according to the public key in the second key pair to obtain the encrypted CAN message.

[0088] In this embodiment of the specification, the first key pair and the third key pair are stored in the hardware security module, and the device further includes: The message sending module is used to send a request message to the first electronic controller to end communication; The key deletion module is used to delete the first key pair and the third key pair stored in the hardware security module upon receiving an agreement message returned by the first electronic controller in response to the request message.

[0089] This specification provides a message transmission device. When an electronic controller successfully authenticates itself with a second key pair generated by the first electronic controller of a vehicle device using a first key pair related to the current time, the device generates a first random number and a second random number. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The system verifies information by sending first and second verifiable information to the first electronic controller and receiving third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching check is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication using the first and second key pairs related to the current time, and matching verification using verifiable information generated by a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module further improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0090] The above are the message transmission devices provided in the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide a message transmission device, such as... Figure 7 As shown.

[0091] The message transmission device can provide a terminal device or server, etc., for the above embodiments.

[0092] The message transmission device can vary considerably depending on its configuration or performance, and may include one or more processors 701 and memory 702. Memory 702 may store one or more application programs or data. Memory 702 may be temporary or persistent storage. The application programs stored in memory 702 may include one or more modules (not shown in the figures), each module including a series of computer-executable instructions for the message transmission device. Furthermore, processor 701 may be configured to communicate with memory 702 and execute the series of computer-executable instructions in memory 702 on the message transmission device. The message transmission device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input / output interfaces 705, and one or more keyboards 706.

[0093] Specifically, in this embodiment, the message transmission device includes a memory and one or more programs, wherein one or more programs are stored in the memory, and one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the message transmission device, and is configured to be executed by one or more processors. The one or more programs include computer-executable instructions for performing the following: If the electronic controller successfully authenticates itself with the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time, a first random number and a second random number are generated, wherein the first electronic controller is any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule; Based on the private key in the first key pair, the private key in the third key pair is encrypted to obtain the first verifiable information; and based on the public key in the third key pair, the second random number is encrypted to obtain the second verifiable information. The first verifiable information and the second verifiable information are sent to the first electronic controller, and the third verifiable information returned by the first electronic controller is received. The third verifiable information is obtained by the first electronic controller by decrypting the second verifiable information according to the target key. The target key is obtained by the first electronic controller by decrypting the first verifiable information according to the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0094] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on its differences from other embodiments. In particular, the message transmission device embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions of the method embodiments.

[0095] This specification provides a message transmission device. When an electronic controller successfully authenticates itself with a second key pair generated by the first electronic controller of a vehicle device using a first key pair related to the current time, the device generates a first random number and a second random number. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The system verifies information by sending first and second verifiable information to the first electronic controller and receiving third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key. The target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching check is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication using the first and second key pairs related to the current time, and matching verification using verifiable information generated by a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module further improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0096] Furthermore, based on the above Figures 1 to 5 The method shown in this specification, along with one or more embodiments, also provides a storage medium for storing computer-executable instruction information. In one specific embodiment, the storage medium can be a USB flash drive, optical disc, hard disk, etc. When the computer-executable instruction information stored in the storage medium is executed by a processor, it can achieve the following process: If the electronic controller successfully authenticates itself with the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time, a first random number and a second random number are generated, wherein the first electronic controller is any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule; Based on the private key in the first key pair, the private key in the third key pair is encrypted to obtain the first verifiable information; and based on the public key in the third key pair, the second random number is encrypted to obtain the second verifiable information. The first verifiable information and the second verifiable information are sent to the first electronic controller, and the third verifiable information returned by the first electronic controller is received. The third verifiable information is obtained by the first electronic controller by decrypting the second verifiable information according to the target key. The target key is obtained by the first electronic controller by decrypting the first verifiable information according to the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0097] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the above-described storage medium embodiment is basically similar to the method embodiment, so the description is relatively simple; relevant parts can be referred to the description of the method embodiment.

[0098] This specification provides a storage medium that, when an electronic controller successfully authenticates itself using a first key pair related to the current time and a second key pair generated by the first electronic controller of a vehicle device, generates a first random number and a second random number. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain second verifiable information. The system verifies information by sending first and second verifiable information to the first electronic controller and receiving third verifiable information returned by the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key, and the target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching detection process is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication using the first and second key pairs related to the current time, and matching verification using verifiable information generated by a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module further improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0099] Furthermore, based on the above Figures 1 to 5 The method shown in this specification, along with one or more embodiments, also provides a computer program product including a computer program that, when executed by a processor, performs the following process: If the electronic controller successfully authenticates itself with the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time, a first random number and a second random number are generated, wherein the first electronic controller is any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule; Based on the private key in the first key pair, the private key in the third key pair is encrypted to obtain the first verifiable information; and based on the public key in the third key pair, the second random number is encrypted to obtain the second verifiable information. The first verifiable information and the second verifiable information are sent to the first electronic controller, and the third verifiable information returned by the first electronic controller is received. The third verifiable information is obtained by the first electronic controller by decrypting the second verifiable information according to the target key. The target key is obtained by the first electronic controller by decrypting the first verifiable information according to the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

[0100] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the above-described embodiment of a computer program product is relatively simple in description because it is fundamentally similar to the method embodiment; relevant parts can be referred to the description of the method embodiment.

[0101] This specification provides a computer program product that, upon successful authentication between an electronic controller and a second key pair generated by the first electronic controller of a vehicle device, based on a first key pair related to the current time, generates a first random number and a second random number. The first electronic controller can be any electronic controller of the vehicle device. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule. The private key in the third key pair is encrypted using the private key in the first key pair to obtain first verifiable information. Finally, the second random number is encrypted using the public key in the third key pair to obtain a second... Verifiable information is sent to the first electronic controller via first and second verifiable information, and a third verifiable information is received from the first electronic controller. The third verifiable information can be obtained by the first electronic controller decrypting the second verifiable information using a target key, and the target key can be obtained by the first electronic controller decrypting the first verifiable information using the private key in the second key pair. A matching detection process is performed between the second random number and the third verifiable information. If a match is successful, the CAN message to be transmitted is encrypted using the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller. This two-layer verification (authentication via the first and second key pairs related to the current time, and matching verification via verifiable information generated from a random number) improves the security of verification between electronic controllers. Furthermore, during the matching verification process, the key pair generated during the authentication process (i.e., the first key pair) can protect the key pair generated during the matching verification process (i.e., the third key pair), enhancing the security of the encrypted communication process. Additionally, the hardware security module also improves the security of data processing. In addition, when a match is successful, the CAN message to be transmitted is encrypted. After encryption, it is no longer transmitted in plaintext. Only the ciphertext (i.e. the encrypted CAN message) is sent to the first electronic controller for transmission to the receiver. This prevents attackers from analyzing the specific meaning of the CAN message and then replaying, forging, or tampering with it. This can improve the security of message transmission between electronic controllers of vehicle equipment and ensure the security of the internal network system of vehicle equipment.

[0102] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.

[0103] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using hardware physical modules. For example, a Programmable Logic Device (PLD) (such as a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program and "integrate" a digital system onto a PLD themselves, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must also be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed ​​Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that by simply performing some logic programming on the method flow using one of these hardware description languages ​​and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.

[0104] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.

[0105] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.

[0106] For ease of description, the above apparatus is described by dividing it into various functional units. Of course, when implementing one or more embodiments of this specification, the functions of each unit can be implemented in one or more software and / or hardware.

[0107] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0108] Embodiments in this specification are described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this specification. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable parallel device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable parallel device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0109] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable fraud device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0110] These computer program instructions can also be loaded onto a computer or other programmable device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable device for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0111] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0112] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0113] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0114] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0115] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0116] One or more embodiments of this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a particular task or implement a particular abstract data type. One or more embodiments of this specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.

[0117] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.

[0118] The above description is merely an embodiment of this specification and is not intended to limit this document. Various modifications and variations can be made to this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims of this specification.

Claims

1. A message transmission method, the method being applied to an electronic controller of vehicle equipment, the method comprising: If the electronic controller successfully authenticates itself with the second key pair generated by the first electronic controller of the vehicle equipment based on the first key pair related to the current time, a first random number and a second random number are generated, wherein the first electronic controller is any electronic controller of the vehicle equipment. In the hardware security module of the electronic controller, a third key pair is generated based on the first random number according to a preset key generation rule; Based on the private key in the first key pair, the private key in the third key pair is encrypted to obtain the first verifiable information; and based on the public key in the third key pair, the second random number is encrypted to obtain the second verifiable information. The first verifiable information and the second verifiable information are sent to the first electronic controller, and the third verifiable information returned by the first electronic controller is received. The third verifiable information is obtained by the first electronic controller by decrypting the second verifiable information according to the target key. The target key is obtained by the first electronic controller by decrypting the first verifiable information according to the private key in the second key pair. The second random number and the third verifiable information are matched and detected. If the match is successful, the CAN message to be transmitted is encrypted according to the public key in the second key pair, and the encrypted CAN message is sent to the first electronic controller.

2. The method according to claim 1, further comprising, before generating the first random number and the second random number in the hardware security module of the electronic controller, in the case that the electronic controller successfully authenticates the second random number with the first key pair related to the current time and the second random number generated by the first electronic controller of the vehicle equipment, the method further comprises: The current time is obtained using the hardware security module in the electronic controller, and the first key pair is generated based on the current time. Generate fourth verifiable information based on the public key in the first key pair; The timestamp corresponding to the current time and the fourth verifiable information are sent to the first electronic controller; The system receives an authentication message returned by the first electronic controller. The authentication message is determined by the first electronic controller through matching processing based on the fifth verifiable information and the fourth verifiable information. The fifth verifiable information is verifiable information generated by the first electronic controller for the public key in the second key pair. The second key pair is a key pair generated by the first electronic controller based on the timestamp. Based on the authentication message, determine whether the authentication was successful.

3. The method according to claim 2, wherein the first random number and the second random number are random numbers generated by the electronic controller in the hardware security module using a hardware random number generator.

4. The method according to claim 3, wherein encrypting the CAN message to be transmitted based on the public key in the second key pair and sending the encrypted CAN message to the first electronic controller comprises: The system receives a sixth verifiable information and a seventh verifiable information sent by the first electronic controller. The sixth verifiable information is obtained by the first electronic controller in its local hardware security module by encrypting the private key in the fourth key pair based on the private key in the second key pair. The fourth key pair is a key pair generated by the first electronic controller based on the third random number generated according to the preset key generation rule. The seventh verifiable information is obtained by the first electronic controller by encrypting the fourth random number generated based on the public key in the fourth key pair. Based on the private key in the first key pair, the sixth verifiable information is decrypted, and based on the key obtained from the decryption process, the seventh verifiable information is decrypted to obtain the eighth verifiable information. The eighth verifiable information is sent to the first electronic controller, and a key synchronization message is received from the first electronic controller. The key synchronization message is determined by the first electronic controller in its local hardware security module by matching the eighth verifiable information and the fourth random number. If the eighth verifiable information and the fourth random number are successfully matched according to the key synchronization message, the hardware security module encrypts the CAN message to be transmitted according to the public key in the second key pair, and sends the encrypted CAN message to the first electronic controller.

5. The method according to claim 1, wherein encrypting the CAN message to be transmitted based on the public key in the second key pair comprises: The target time corresponding to the CAN message to be transmitted is obtained using the hardware security module in the electronic controller. The timestamp of the target time and the CAN message to be transmitted are concatenated, and the concatenated message is encrypted according to the public key in the second key pair to obtain the encrypted CAN message.

6. The method according to claim 1, wherein the first key pair and the third key pair are stored in the hardware security module, the method further comprising: Send a request message to the first electronic controller to end communication; Upon receiving an agreement message from the first electronic controller in response to the request message, the first key pair and the third key pair stored in the hardware security module are deleted.

7. A message transmission device, the device comprising: The first generation module is used to generate a first random number and a second random number when the electronic controller successfully authenticates the first key pair related to the current time with the second key pair generated by the first electronic controller of the vehicle equipment. The first electronic controller can be any electronic controller of the vehicle equipment. The second generation module is used in the hardware security module of the electronic controller to generate a third key pair based on the first random number according to a preset key generation rule. The third generation module is used to encrypt the private key in the third key pair according to the private key in the first key pair to obtain the first verifiable information, and to encrypt the second random number according to the public key in the third key pair to obtain the second verifiable information. The first sending module is configured to send the first verifiable information and the second verifiable information to the first electronic controller, and receive the third verifiable information returned by the first electronic controller. The third verifiable information is obtained by the first electronic controller decrypting the second verifiable information according to a target key. The target key is obtained by the first electronic controller decrypting the first verifiable information according to the private key in the second key pair. The matching detection module is used to perform matching detection processing on the second random number and the third verifiable information, and if the matching is successful, to encrypt the CAN message to be transmitted according to the public key in the second key pair, and send the encrypted CAN message to the first electronic controller.

8. A message transmission device, characterized in that, It includes a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the message transmission method as described in any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that, A computer program is stored on the computer-readable storage medium, which, when executed by a processor, implements the steps of the message transmission method as described in any one of claims 1 to 6.

10. A computer program product, characterized in that, Includes a computer program that, when executed by a processor, implements the steps of the message transmission method according to any one of claims 1 to 6.