CN117978454A - Vehicle SOA service authentication mechanism - Google Patents
- Publication number
- CN117978454A (CN202410023560.2A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- service
- vehicle
- unit
- white list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
Description
Technical Field
The present invention relates to the technical field of vehicle SOA services, and in particular to a vehicle SOA service authentication mechanism.
Background Art
With the development of software-defined vehicles, the EEA of current vehicles adopts an SOA architecture. The SOA service matrix defined for a single vehicle usually contains thousands of entries, including the handling of some sensitive operations. However, the current SOA architecture lacks an authentication mechanism for service provision and subscription, which leaves it exposed to malicious attacks, data sniffing and similar threats.
In the prior art, services can easily be subscribed to by illegitimate applications, which then receive important data or send malicious instructions, creating a hazard. How to control permissions for SOA service publication and subscription, ensure that sensitive operations are not maliciously obtained, ensure that sensitive services withstand DoS attacks, ensure that malicious SOA signals are not sent to endanger vehicle driving, improve the vehicle's network security protection capability, and reduce exposure points has become a focus of attention for vehicle manufacturers. Based on the above problems, the present invention therefore designs a vehicle SOA service authentication mechanism to solve them.
Therefore, the present application provides a vehicle SOA service authentication mechanism to solve one of the above technical problems.
Summary of the Invention
The purpose of the present application is to provide a vehicle SOA service authentication mechanism that can solve at least one of the technical problems mentioned above. The specific solution is as follows:
According to a specific implementation of the present application, the purpose of the present invention is to provide a vehicle SOA service authentication mechanism that solves the problems mentioned in the background art: services are easily subscribed to by illegitimate applications that receive important data or send malicious instructions, creating a hazard; and there is a need to control permissions for SOA service publication and subscription, ensure that sensitive operations are not maliciously obtained, ensure that sensitive services withstand DoS attacks, ensure that malicious SOA signals are not sent to endanger vehicle driving, improve the vehicle's network security protection capability, and reduce exposure points.
In order to solve the above problems, the present invention provides the following technical solution:
A vehicle SOA service authentication mechanism, comprising the following specific steps:
S1. Generate a mechanism authentication system that, by using a whitelist, provides optional permission control for all service publishers and subscribers;
S2. Add a separate application device responsible for authentication, modify the static libraries originally used for SOME/IP communication, and embed the authentication flow in their subscribe and publish paths;
S3. Configuring an SOA service and subscribing to an SOA service over the SOME/IP protocol must both be applied for in advance. The application identifier, together with the information on the services it publishes and subscribes to, is used to build the whitelist. After power-on, the newly added authentication application module starts first and initializes the whitelist, performing one execution of the flow.
As a preferred technical solution, in step S3, once the whitelist policy has been started first and initialized, any other SOA service user that publishes or subscribes to a service must first obtain permission from the authentication application. The operation is allowed only if the check passes; if it fails, error code information is returned to the specific service.
As a preferred technical solution, the static libraries for SOME/IP communication in step S2 include:
libsomeip;
libsomeip-xtf;
libsomeip-rtp.
As a preferred technical solution, the permissions in step S1 include access permission, service permission, security permission, management permission and audit permission.
As a preferred technical solution, the access permission is used to read and submit the vehicle data provided by the related services; the service permission is used to authorize specific services, including positioning services, navigation services and driving assistance services; the security permission is used to verify data and protect it against tampering using digital signature technology; the management permission is used to manage and configure access policies and security policies; and the audit permission is used to view audit logs, including the holder's own access logs and the access logs of other vehicles or services.
As a preferred technical solution, the mechanism authentication system includes an authentication application adding module, a whitelist building module, a cache backup module and a dual-end control module. The output of the authentication application adding module is communicatively connected to the input of the whitelist building module, the output of the whitelist building module is communicatively connected to the input of the cache backup module, and the output of the cache backup module is communicatively connected to the input of the dual-end control module.
As a preferred technical solution, the authentication application adding module includes an application adding unit, an authentication application unit and an embedding management unit. The output of the application adding unit is communicatively connected to the input of the authentication application unit, the authentication application unit and the embedding management unit are bidirectionally communicatively connected, and the output of the authentication application unit is communicatively connected to the input of the whitelist building module;
The application adding unit is used to provide optional permission control for all service publishers and subscribers and to formulate detailed access policies, ensuring that a vehicle can only access the services it is authorized for; the content of the optional permissions can be set and edited in advance;
The authentication application unit is used to modify the static libraries originally used for SOME/IP communication and to perform application authentication in their subscribe and publish paths;
The embedding management unit is integrated inside the authentication application unit and is used to embed the authentication flow in the subscribe and publish paths and to supervise the entire flow in real time.
As a preferred technical solution, the whitelist building module includes a whitelist update unit, a whitelist management model and a whitelist encryption unit. The output of the whitelist management model is communicatively connected to the input of the whitelist update unit, the whitelist update unit and the whitelist management model are both bidirectionally communicatively connected to the whitelist encryption unit, and the output of the whitelist update unit is communicatively connected to the input of the cache backup module;
The whitelist update unit is used to synchronize and update the data of the whitelist model as it is updated in real time, to build the whitelist from the application identifier together with the information on the services published and subscribed to, and to start first and initialize the whitelist, performing one execution of the flow;
The whitelist management model is used to generate a model of the mechanism at each authentication and to continuously update and manage it;
The whitelist encryption unit is used to ensure, by using the HTTPS protocol, that service requests and responses are encrypted in transit, preventing leakage of whitelist information.
As a preferred technical solution, the cache backup module includes an internal cache unit and a data backup unit. The output of the internal cache unit is communicatively connected to the input of the data backup unit, and the output of the internal cache unit is communicatively connected to the input of the dual-end control module;
The internal cache unit is used to reduce interaction with the authentication application device within a cycle, thereby reducing frequent requests; the authentication static library has a caching mechanism;
The data backup unit is used to back up all received data.
As a preferred technical solution, the dual-end control module includes a publisher operation port and a subscriber operation port, and the publisher operation port and the subscriber operation port are bidirectionally communicatively connected;
The publisher operation port is used by publishers to log in to and access the mechanism authentication system. It allows adjustment and updating according to real-time conditions and the formulation of fine-grained access policies, to ensure that only authorized vehicles can perform specific operations;
The subscriber operation port is used by subscribers to log in to and access the mechanism authentication system. It records the details of each service access, including vehicle identifier, access time, access result and so on, to facilitate tracking and review.
Compared with the prior art, the above solution of the embodiments of the present application has at least the following beneficial effects:
By providing an authentication application adding module, a whitelist building module, a cache backup module and a dual-end control module, the present invention produces a complete mechanism authentication system. In use, a whitelist provides optional permission control for all service publishers and subscribers. A separately added application device is responsible for authentication, the static libraries originally used for SOME/IP communication are modified, and the authentication flow is embedded in their subscribe and publish paths. The whitelist is built from the application identifier together with the information on the services published and subscribed to. After power-on, the newly added authentication application module starts first and initializes the whitelist, performing one execution of the flow. The vehicle SOA services and the corresponding analysis results are managed, visualized and stored, which helps to carry out mechanism authentication of vehicle SOA services through Internet cloud management and control and raises the level of intelligence of mechanism authentication management. At the same time, the overall cumbersome process is shortened and real-time management of the whole system is made easier, ensuring that malicious SOA signals are not sent to endanger vehicle driving, improving the vehicle's network security protection capability, and reducing exposure points.
Brief Description of the Drawings
FIG. 1 shows a use case diagram of a vehicle SOA service authentication mechanism;
FIG. 2 shows a flow chart of a vehicle SOA service authentication mechanism.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application, without creative work, fall within the scope of protection of the present application.
The terms used in the embodiments of the present application are only for the purpose of describing specific embodiments and are not intended to limit the present application. The singular forms "a", "said" and "the" used in the embodiments of the present application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise; "multiple" generally includes at least two.
It should be understood that the term "and/or" used herein only describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
It should be understood that, although the terms first, second, third and so on may be used in the descriptions in the embodiments of the present application, the descriptions should not be limited by these terms. The terms are only used to distinguish the descriptions from one another. For example, without departing from the scope of the embodiments of the present application, a first may also be called a second and, similarly, a second may also be called a first.
Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrases "if it is determined" or "if (a stated condition or event) is detected" may be interpreted as "when it is determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)".
It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover non-exclusive inclusion, so that a product or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a product or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the product or device that includes the element.
It should be particularly noted that any symbols and/or numbers in the specification that are not marked in the description of the drawings are not reference numerals.
Optional embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiment provided by the present application is an embodiment of a vehicle SOA service authentication mechanism.
As shown in FIG. 1 and FIG. 2, this specific implementation adopts the following technical solution:
A vehicle SOA service authentication mechanism, comprising the following specific steps:
S1. Generate a mechanism authentication system that, by using a whitelist, provides optional permission control for all service publishers and subscribers;
S2. Add a separate application device responsible for authentication, modify the static libraries originally used for SOME/IP communication, and embed the authentication flow in their subscribe and publish paths;
S3. Configuring an SOA service and subscribing to an SOA service over the SOME/IP protocol must both be applied for in advance. The application identifier, together with the information on the services it publishes and subscribes to, is used to build the whitelist. After power-on, the newly added authentication application module starts first and initializes the whitelist, performing one execution of the flow.
In this embodiment, in step S3, once the whitelist policy has been started first and initialized, any other SOA service user that publishes or subscribes to a service must first obtain permission from the authentication application. The operation is allowed only if the check passes; if it fails, error code information is returned to the specific service.
In this embodiment, the static libraries for SOME/IP communication in step S2 include:
libsomeip;
libsomeip-xtf;
libsomeip-rtp.
In this embodiment, the permissions in step S1 include access permission, service permission, security permission, management permission and audit permission.
In this embodiment, the access permission is used to read and submit the vehicle data provided by the related services; the service permission is used to authorize specific services, including positioning services, navigation services and driving assistance services; the security permission is used to verify data and protect it against tampering using digital signature technology; the management permission is used to manage and configure access policies and security policies; and the audit permission is used to view audit logs, including the holder's own access logs and the access logs of other vehicles or services.
In this embodiment, the mechanism authentication system includes an authentication application adding module, a whitelist building module, a cache backup module and a dual-end control module. The output of the authentication application adding module is communicatively connected to the input of the whitelist building module, the output of the whitelist building module is communicatively connected to the input of the cache backup module, and the output of the cache backup module is communicatively connected to the input of the dual-end control module.
In this embodiment, the authentication application adding module includes an application adding unit, an authentication application unit and an embedding management unit. The output of the application adding unit is communicatively connected to the input of the authentication application unit, the authentication application unit and the embedding management unit are bidirectionally communicatively connected, and the output of the authentication application unit is communicatively connected to the input of the whitelist building module. The application adding unit is used to provide optional permission control for all service publishers and subscribers and to formulate detailed access policies, ensuring that a vehicle can only access the services it is authorized for; the content of the optional permissions can be set and edited in advance. The authentication application unit is used to modify the static libraries originally used for SOME/IP communication and to perform application authentication in their subscribe and publish paths. The embedding management unit is integrated inside the authentication application unit and is used to embed the authentication flow in the subscribe and publish paths and to supervise the entire flow in real time.
In this embodiment, the whitelist building module includes a whitelist update unit, a whitelist management model and a whitelist encryption unit. The output of the whitelist management model is communicatively connected to the input of the whitelist update unit, the whitelist update unit and the whitelist management model are both bidirectionally communicatively connected to the whitelist encryption unit, and the output of the whitelist update unit is communicatively connected to the input of the cache backup module. The whitelist update unit is used to synchronize and update the data of the whitelist model as it is updated in real time, to build the whitelist from the application identifier together with the information on the services published and subscribed to, and to start first and initialize the whitelist, performing one execution of the flow. The whitelist management model is used to generate a model of the mechanism at each authentication and to continuously update and manage it. The whitelist encryption unit is used to ensure, by using the HTTPS protocol, that service requests and responses are encrypted in transit, preventing leakage of whitelist information.
In this embodiment, the cache backup module includes an internal cache unit and a data backup unit, and the publisher operation port and the subscriber operation port are bidirectionally communicatively connected. The output of the internal cache unit is communicatively connected to the input of the data backup unit, and the output of the internal cache unit is communicatively connected to the input of the dual-end control module. The internal cache unit is used to reduce interaction with the authentication application device within a cycle, thereby reducing frequent requests; the authentication static library has a caching mechanism. The data backup unit is used to back up all received data.
In this embodiment, the dual-end control module includes a publisher operation port and a subscriber operation port. The publisher operation port is used by publishers to log in to and access the mechanism authentication system; it allows adjustment and updating according to real-time conditions and the formulation of fine-grained access policies, to ensure that only authorized vehicles can perform specific operations. The subscriber operation port is used by subscribers to log in to and access the mechanism authentication system; it records the details of each service access, including vehicle identifier, access time, access result and so on, to facilitate tracking and review.
Example 1
When the mechanism authentication system is connected to vehicle SOA service management:
S1. The vehicle publishing personnel and vehicle subscribing personnel check the required equipment item by item and start the mechanism authentication system. Using a whitelist, the application adding unit provides optional permission control for all service publishers and subscribers. The permissions comprise access, service, security, management and audit permissions: the access permission covers reading and submitting vehicle data provided by the relevant services; the service permission authorizes specific services, including positioning, navigation and driving-assistance services; the security permission uses digital signature technology to verify data and protect it against tampering; the management permission covers managing and configuring access policies and security policies; and the audit permission is used to view audit logs, including the holder's own access logs and those of other vehicles or services;
S2. A separate application device is added to take charge of authentication. The authentication application unit modifies the static library originally used for someip communication so that application authentication is performed during subscription and publication; the embedded management unit embeds the authentication process in subscription and publication and supervises the whole process in real time;
S3. Configuring an SOA service and subscribing to an SOA service over the someip protocol both have to be applied for in advance. The whitelist management model generates a model of the mechanism at each authentication and keeps it updated and managed. The whitelist update unit synchronizes and updates the continuously updated whitelist model and builds the whitelist from each application identifier together with the services that application publishes and subscribes to. After power-on, the newly added authentication application module starts first and initializes the whitelist. When any other SOA service user publishes or subscribes to a service, it must first obtain permission from the authentication application: the operation is allowed only if the check passes, and if it fails an error code is returned to the specific service. This completes one pass of the process. The whitelist encryption unit uses the HTTPS protocol to ensure that service requests and responses are encrypted in transit, preventing leakage of whitelist information. The cache unit reduces interaction with the authentication application device within a period, which cuts down on frequent requests; in other words, the authentication static library has a caching mechanism. The data backup unit backs up all received data.
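An added sketch of the S3 flow, not code from the patent: a stand-in authentication application holds the whitelist (application ID plus the services it may publish or subscribe to), and a hook standing in for the modified communication library asks it before each publish or subscribe, caching grants for a fixed period. All class names, IDs, error codes and the 5-second period are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Hypothetical names throughout; error codes and IDs are constructed for illustration.
enum class Op : uint8_t { Publish, Subscribe };
enum class Result : uint8_t { Ok = 0, UnknownApp = 1, NotWhitelisted = 2 };
typedef std::pair<Op, uint16_t> Grant;  // (operation, service ID)
struct AuditRecord { uint64_t time_ms; uint16_t app_id; Grant grant; Result result; };

// Stand-in for the dedicated authentication application that owns the whitelist.
// app_id is taken as given; binding it to the real caller is outside this sketch.
class AuthApp {
public:
    void allow(uint16_t app_id, Op op, uint16_t service_id) {
        whitelist_[app_id].insert(Grant(op, service_id));
    }
    void revoke(uint16_t app_id, Op op, uint16_t service_id) {
        auto it = whitelist_.find(app_id);
        if (it != whitelist_.end()) it->second.erase(Grant(op, service_id));
    }
    // Default deny: anything not explicitly listed is refused with an error code.
    Result check(uint16_t app_id, Op op, uint16_t service_id, uint64_t now_ms) {
        Result r = Result::UnknownApp;
        auto it = whitelist_.find(app_id);
        if (it != whitelist_.end())
            r = it->second.count(Grant(op, service_id)) ? Result::Ok : Result::NotWhitelisted;
        AuditRecord rec = { now_ms, app_id, Grant(op, service_id), r };
        audit_.push_back(rec);  // every decision made here is logged
        return r;
    }
    std::size_t audit_size() const { return audit_.size(); }
private:
    std::map<uint16_t, std::set<Grant> > whitelist_;
    std::vector<AuditRecord> audit_;
};

// Stand-in for the check embedded in the communication library's publish/subscribe path.
class AuthHook {
public:
    AuthHook(AuthApp& auth, uint16_t app_id, uint64_t ttl_ms)
        : auth_(auth), app_id_(app_id), ttl_ms_(ttl_ms) {}
    Result authorize(Op op, uint16_t service_id, uint64_t now_ms) {
        Grant key(op, service_id);
        auto hit = cache_.find(key);
        if (hit != cache_.end() && now_ms < hit->second) return Result::Ok;  // cached grant
        cache_.erase(key);  // absent or expired
        Result r = auth_.check(app_id_, op, service_id, now_ms);
        // Cache grants only, so a denial is re-evaluated on every attempt.
        if (r == Result::Ok) cache_[key] = now_ms + ttl_ms_;
        return r;
    }
private:
    AuthApp& auth_;
    uint16_t app_id_;
    uint64_t ttl_ms_;
    std::map<Grant, uint64_t> cache_;  // grant -> expiry time in ms
};

struct Scenario { Result first, cached, publish, stale, expired, unlisted; std::size_t auth_queries; };

Scenario run_scenario() {
    const uint16_t kNavApp = 0x0101, kOtherApp = 0x0999, kPositioning = 0x1234;  // constructed
    AuthApp auth;  // started first at power-on, whitelist initialized before any client
    auth.allow(kNavApp, Op::Subscribe, kPositioning);
    AuthHook hook(auth, kNavApp, 5000), other(auth, kOtherApp, 5000);  // 5 s period (assumed)
    Scenario s;
    s.first    = hook.authorize(Op::Subscribe, kPositioning, 0);     // asks the auth app
    s.cached   = hook.authorize(Op::Subscribe, kPositioning, 1000);  // served from cache
    s.publish  = hook.authorize(Op::Publish, kPositioning, 1000);    // not whitelisted
    s.unlisted = other.authorize(Op::Subscribe, kPositioning, 1000); // app not in whitelist
    auth.revoke(kNavApp, Op::Subscribe, kPositioning);
    s.stale    = hook.authorize(Op::Subscribe, kPositioning, 4000);  // cached grant still used
    s.expired  = hook.authorize(Op::Subscribe, kPositioning, 6000);  // re-checked after expiry
    s.auth_queries = auth.audit_size();
    return s;
}

int main() {
    Scenario s = run_scenario();
    std::printf("first=%d cached=%d publish=%d unlisted=%d stale=%d expired=%d queries=%zu\n",
                (int)s.first, (int)s.cached, (int)s.publish, (int)s.unlisted,
                (int)s.stale, (int)s.expired, s.auth_queries);
    return 0;
}
```

The scenario exposes two effects of the cache: a revoked grant stays usable until its entry expires, and cached decisions never reach the authentication application's audit log, so the cache period bounds both revocation latency and audit completeness.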
The table of optional permissions is as follows:
The table of the static library content for someip communication is as follows:
Example 2
When the mechanism authentication system is connected to facial identity data management:
S1. The facial identity data publishing personnel check the required equipment item by item and start the mechanism authentication system. Using a whitelist, the application adding unit provides optional permission control for all service publishers and subscribers. The permissions comprise access, service, security, management and audit permissions: the access permission covers reading and submitting vehicle data provided by the relevant services; the service permission authorizes specific services, including positioning, navigation and driving-assistance services; the security permission uses digital signature technology to verify data and protect it against tampering; the management permission covers managing and configuring access policies and security policies; and the audit permission is used to view audit logs, including the holder's own access logs and those of other vehicles or services;
S2. The facial identity data publishing personnel add a separate application device to take charge of authentication. The authentication application unit modifies the static library originally used for someip communication so that application authentication is performed during subscription and publication; the embedded management unit embeds the authentication process in subscription and publication and supervises the whole facial identity data authentication process in real time;
S3. The whitelist management model generates a model of the mechanism at each authentication and keeps it updated and managed. The whitelist update unit synchronizes and updates the continuously updated whitelist model and builds the whitelist from each application identifier together with the services that application publishes and subscribes to. After power-on, the newly added authentication application module starts first and initializes the whitelist. When any other user publishes or subscribes to facial identity data authentication, it must first obtain permission from the authentication application: the operation is allowed only if the check passes, and if it fails an error code is returned to the specific service. This completes one pass of the process. The whitelist encryption unit uses the HTTPS protocol to ensure that service requests and responses are encrypted in transit, preventing leakage of whitelist information. The cache unit reduces interaction with the authentication application device within a period, which cuts down on frequent requests; in other words, the authentication static library has a caching mechanism. The data backup unit backs up all received data.
Specifically:

In practical applications there are multiple dual-end control modules, located in different geographical locations, each used together with the authentication application adding module, the whitelist construction module and the cache backup module. The vehicle publishing personnel and vehicle subscribing personnel check the required equipment item by item and start the mechanism authentication system. Using a whitelist, the application adding unit provides optional permission control for all service publishers and subscribers. The permissions comprise access, service, security, management and audit permissions: the access permission covers reading and submitting vehicle data provided by the relevant services; the service permission authorizes specific services, including positioning, navigation and driving-assistance services; the security permission uses digital signature technology to verify data and protect it against tampering; the management permission covers managing and configuring access policies and security policies; and the audit permission is used to view audit logs, including the holder's own access logs and those of other vehicles or services.

A separate application device is added to take charge of authentication. The authentication application unit modifies the static library originally used for someip communication so that application authentication is performed during subscription and publication; the embedded management unit embeds the authentication process in subscription and publication and supervises the whole process in real time. Configuring an SOA service and subscribing to an SOA service over the someip protocol both have to be applied for in advance. The whitelist management model generates a model of the mechanism at each authentication and keeps it updated and managed. The whitelist update unit synchronizes and updates the continuously updated whitelist model and builds the whitelist from each application identifier together with the services that application publishes and subscribes to. After power-on, the newly added authentication application module starts first and initializes the whitelist. When any other SOA service user publishes or subscribes to a service, it must first obtain permission from the authentication application: the operation is allowed only if the check passes, and if it fails an error code is returned to the specific service. This completes one pass of the process. The whitelist encryption unit uses the HTTPS protocol to ensure that service requests and responses are encrypted in transit, preventing leakage of whitelist information. The cache unit reduces interaction with the authentication application device within a period, which cuts down on frequent requests; in other words, the authentication static library has a caching mechanism. The data backup unit backs up all received data.

By providing the authentication application adding module, the whitelist construction module, the cache backup module and the dual-end control module, the present invention forms a complete mechanism authentication system. In use, the whitelist provides optional permission control for all service publishers and subscribers; a separately added application device takes charge of authentication; the static library originally used for someip communication is modified so that the authentication process is embedded in subscription and publication; and the whitelist is built from each application identifier together with the services that application publishes and subscribes to. After power-on, the newly added authentication application module starts first and initializes the whitelist, and one pass of the process is executed. The vehicle SOA services and the corresponding analysis results are managed, visualized and stored, which helps to carry out mechanism authentication of vehicle SOA services through Internet cloud management and control, raises the level of intelligence of mechanism authentication management, shortens the otherwise cumbersome overall process, makes real-time management of the whole system convenient, ensures that no malicious SOA signal is sent that could endanger vehicle driving, improves the vehicle's network security protection capability, and reduces exposure points.
Those of ordinary skill in the art will appreciate that the modules and method steps of each example described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the apparatus, devices and modules described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed devices, systems and methods may be implemented in other ways.
For example, the system embodiments described above are merely illustrative;
For example, the division into modules is only a division by logical function, and other divisions are possible in an actual implementation: multiple modules or units may be combined or integrated into another apparatus, or some features may be omitted or not executed.
In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatus or devices, and may be electrical, mechanical or of other forms.
The modules for authentication application adding, whitelist construction, cache backup and dual-end control may or may not be physically separate, and the components shown as modules may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing module, may each exist physically on their own, or two or more modules may be integrated into one module.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory, random-access memory, a magnetic disk, an optical disc and other media that can store program instructions.
It should also be noted that the ways of combining the technical features in this case are not limited to the combinations recorded in the claims or in the specific embodiments. All technical features recorded in this case may be freely combined in any way unless they contradict one another.
It should be noted that the above are only specific embodiments of the present invention. The present invention is clearly not limited to these embodiments, and many similar variations follow from them. All variations that a person skilled in the art can directly derive from or associate with the disclosure of the present invention shall fall within the scope of protection of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention. The above embodiments are intended only to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410023560.2A CN117978454A (en) | 2024-01-08 | 2024-01-08 | Vehicle SOA service authentication mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410023560.2A CN117978454A (en) | 2024-01-08 | 2024-01-08 | Vehicle SOA service authentication mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117978454A true CN117978454A (en) | 2024-05-03 |
Family
ID=90860630
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410023560.2A Pending CN117978454A (en) | 2024-01-08 | 2024-01-08 | Vehicle SOA service authentication mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117978454A (en) |
-
2024
- 2024-01-08 CN CN202410023560.2A patent/CN117978454A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7971232B2 (en) | Setting group policy by device ownership | |
CN101689989B (en) | Method and device for creating and validating cryptographically secured documents | |
US20070113266A1 (en) | Operating system independent data management | |
CN115552441A (en) | Low Trust Privileged Access Management | |
CN111797430B (en) | Data verification method, device, server and storage medium | |
CN108351922B (en) | Method, system, and medium for applying rights management policies to protected files | |
JP2003228519A (en) | Method and architecture for providing pervasive security for digital asset | |
JP2003228520A (en) | Method and system for offline access to secured electronic data | |
JP2003500722A (en) | Information protection method and device | |
CN110555293A (en) | Method, apparatus, electronic device and computer readable medium for protecting data | |
CN111414612A (en) | Security protection method and device for operating system mirror image and electronic equipment | |
WO2022066775A1 (en) | Encrypted file control | |
CN114065183A (en) | Authority control method and device, electronic equipment and storage medium | |
CN116781359A (en) | Portal security design method using network isolation and cryptograph | |
CN104104650A (en) | Data file visit method and terminal equipment | |
CN116249113A (en) | Verification authorization method and device for virtual image of meta-universe, electronic equipment and storage medium | |
US20070079364A1 (en) | Directory-secured packages for authentication of software installation | |
CN113420306B (en) | Resource sharing method, device, computing equipment and computer readable storage medium | |
CN112101945A (en) | Method and system for supervising block chain content | |
CN105516056B (en) | encrypted file protection system and protection method thereof | |
CN117978454A (en) | Vehicle SOA service authentication mechanism | |
CN115333797A (en) | Evaluation method, system and computer storage medium for charging pile system | |
CN113127823A (en) | Method, system and medium for managing local serial port login and authority | |
CN112417464B (en) | Cloud computing digital right protection method and device | |
US20240242284A1 (en) | Steganographic asset validation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||