WO2024032438A1 - Secure access method and system for vehicle, and related apparatus - Google Patents


Info

Publication number
WO2024032438A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
ecu
key
sends
diagnostic
Prior art date
Application number
PCT/CN2023/110724
Other languages
French (fr)
Chinese (zh)
Inventor
余舟毅
侯林
张作强
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2024032438A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00 Registering or indicating the working of vehicles
    • G07C5/08 Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0808 Diagnosing performance data

Definitions

  • This application relates to the field of Internet of Vehicles, and in particular to vehicle security access methods, systems and related devices.
  • A diagnostic instrument is a portable intelligent vehicle fault self-diagnosis instrument used to detect vehicle faults. With it, users can quickly read the faults in the vehicle's electronic control system and display the fault information on a screen, so as to quickly locate the failure and identify its cause.
  • Unified Diagnostic Services (UDS) is the communication protocol used by diagnostic instruments when diagnosing vehicle electronic control units (ECUs). Specifically, during diagnosis the diagnostic instrument sends a request to the vehicle ECU; the request carries a diagnostic service defined by the UDS protocol, and the vehicle ECU responds according to that diagnostic service. The response sent by the vehicle ECU to the diagnostic instrument carries the diagnostic data of the vehicle ECU.
  • ECU: Electronic Control Unit.
  • The UDS protocol provides a basic framework for diagnostic services. Performing fault diagnosis through the UDS protocol facilitates the development of production-line test equipment, and also facilitates after-sales maintenance and vehicle networking functions.
  • This application provides vehicle secure access methods, systems and related devices, which improve the reliability of secure access authentication before the diagnostic instrument diagnoses the vehicle ECU.
  • Embodiments of the present application provide a vehicle secure access method, which is applied to a vehicle including a first ECU.
  • The vehicle stores a first key that is temporarily valid within a first period of time, and a second key of the first ECU.
  • The method includes: the vehicle receives a first secure access request sent by a first device; within the first period, the vehicle uses the first key to verify whether the first device has the authority to access the first ECU.
  • A device holding the first key has the authority to access the first ECU; after the vehicle determines that the first device has the authority, it uses the second key to perform the authentication process inside the vehicle; the vehicle sends a first message to the first device, indicating that the vehicle has passed the verification of the first device; the vehicle receives a first diagnostic request sent by the first device; in response to the first diagnostic request, the vehicle sends the diagnostic data of the first ECU to the first device.
  • The diagnostic instrument used to diagnose the vehicle ECU and the ECU itself hold different keys for secure access authentication.
  • The diagnostic instrument uses the ECU temporary key to perform secure access authentication, and the ECU uses the ECU key. In this way, even if an attacker steals the ECU key from the ECU, the attacker cannot impersonate the diagnostic instrument to perform secure access authentication; and even if the attacker steals the ECU temporary key from the diagnostic instrument, the ECU temporary key is valid only for a period of time.
  • After that period, the attacker will not be able to pass the secure access authentication process between the diagnostic instrument and the ECU, which reduces the possibility of the attacker passing secure access authentication and improves the reliability of the secure access authentication process between the diagnostic instrument and the ECU.
  • Improved reliability of secure access authentication enhances vehicle security.
  • Before requesting access to the controlled resources in the ECU or performing fault diagnosis on the ECU, the diagnostic instrument can initiate secure access authentication.
  • The vehicle using the first key to verify whether the first device has the authority to access the first ECU specifically includes: the vehicle generates a first seed and sends the first seed to the first device; the vehicle receives the first seed encrypted by the first device using a third key; the vehicle verifies whether the first seed encrypted with the third key is consistent with the first seed encrypted with the first key; if they are consistent, the first device has the authority to access the first ECU.
  • The vehicle further includes a KMS, and the vehicle using the first key to verify whether the first device has the authority to access the first ECU specifically includes: the vehicle generates the first seed through the KMS, and the KMS sends the first seed to the first device; the KMS receives the first seed encrypted by the first device using the third key; the KMS verifies whether the first seed encrypted with the third key is consistent with the first seed encrypted with the first key; if they are consistent, the first device has the authority to access the first ECU.
  • The on-board KMS in the vehicle intervenes in the secure access authentication process between the diagnostic instrument and the ECU: the on-board KMS "stands in" for the diagnostic instrument to complete secure access authentication with the ECU, so that diagnosis can proceed.
  • Different keys are thus used on the diagnostic instrument and on the ECU for secure access authentication.
  • The first key is a key generated by a server managed and maintained by a manufacturer that manufactures components of the vehicle.
  • That is, the ECU temporary key can be a key generated by a trusted third party, ensuring the credibility of the source of the ECU temporary key.
  • Before the vehicle receives the first secure access request sent by the first device, the method further includes: the vehicle receives an authorization file sent by the first device. The authorization file includes the first key, an invalidation parameter, and a signature determined based on the first key and the invalidation parameter; the invalidation parameter is used to indicate the first period, and the signature represents that the first key and the invalidation parameter in the authorization file were generated by a device trusted by the vehicle.
  • The vehicle obtains the ECU temporary key by obtaining the authorization file.
  • By verifying the signature in the authorization file, the vehicle can determine whether an attacker tampered with the parameters in the authorization file, such as the ECU temporary key and the invalidation parameter, while the diagnostic instrument was sending the authorization file to the vehicle. This ensures the credibility of the ECU temporary key, and thereby the credibility of the secure access authentication process between the vehicle and the diagnostic instrument that uses the ECU temporary key.
  • Before the vehicle receives the authorization file sent by the first device, the method further includes: the vehicle receives a digital certificate sent by the first device, the digital certificate representing that the first device is a device with a trusted identity; or, the vehicle receiving the authorization file sent by the first device specifically includes: the vehicle receives the authorization file sent by the first device through the UDS 2904 service, where the UDS 2904 service is used to prove that the first device is a device with a trusted identity.
  • The vehicle can verify the identity of the other party before receiving the authorization file, and obtain the authorization file only after determining that the other party is a trusted diagnostic instrument.
  • The diagnostic instrument can first prove its identity by sending a digital certificate to the vehicle, and then send the authorization file.
  • Alternatively, the diagnostic instrument can directly send the authorization file to the vehicle through a trusted channel.
  • The authorization file further includes vehicle information, which is used to indicate the vehicle, and the signature is also determined based on the vehicle information.
  • The vehicle information may be the VIN code of the vehicle.
  • Because the authorization file also includes information indicating the vehicle currently requiring diagnosis, an attacker is prevented from using the ECU temporary key to carry out the secure access authentication process with other vehicles, which improves the reliability of secure access authentication.
  • The vehicle further includes a second ECU, and a fourth key of the second ECU is also stored.
  • The method further includes: the vehicle receives a second secure access request sent by the first device; within the first period, the vehicle uses the first key to verify whether the first device has the authority to access the second ECU, where only a device holding the first key has the authority to access the second ECU; the vehicle determines that the first device has the authority to access the second ECU.
  • The fourth key is then used to perform the authentication process inside the vehicle; the vehicle sends a second message to the first device, indicating that the vehicle has passed the verification of the first device; the vehicle receives a second diagnostic request sent by the first device; in response to the second diagnostic request, the vehicle sends the diagnostic data of the second ECU to the first device.
  • The diagnostic instrument thus needs only one ECU temporary key to complete the secure access authentication process before diagnosing different ECUs in the vehicle. In this way, even if the ECU keys of different ECUs are different, the diagnostic instrument does not need to frequently obtain the ECU keys used by the different ECUs when diagnosing them. This effectively solves the problem that most vehicles currently use the same ECU key for the same type of ECU of the same model.
  • The first secure access request, the first message, the first diagnostic request and the diagnostic data are all sent according to the communication standard for vehicle diagnostic services in the Unified Diagnostic Services (UDS) protocol.
  • The first secure access request may carry a diagnostic service identifier (SID) of the UDS protocol.
  • The diagnostic service identifier SID identifies the diagnostic service initiated by the diagnostic instrument to the vehicle.
  • In the first secure access request, the service identifier SID is 27.
  • That is, the diagnostic service initiated by the diagnostic instrument to the vehicle is the secure access service, which provides a way to access controlled resources in the vehicle or perform fault diagnosis.
  • Embodiments of the present application provide a vehicle secure access method.
  • The method is applied to a vehicle including a first ECU.
  • The vehicle stores a second key of the first ECU.
  • The method includes: the vehicle receives a first diagnostic request sent by a first device, where the first device is a device trusted by the vehicle; the vehicle uses the second key to perform a secure access authentication process inside the vehicle; in response to the first diagnostic request, the vehicle sends the diagnostic data of the first ECU to the first device.
  • In this method the diagnostic instrument no longer holds the key used for secure access authentication: the diagnostic instrument directly proves to the vehicle that it is a trusted diagnostic instrument, and initiates a diagnostic request to directly request access to the resources in the ECU.
  • Inside the vehicle, however, the steps of first performing secure access authentication and then responding to the diagnostic request by sending the ECU's diagnostic data to the diagnostic instrument are still carried out.
  • This not only eliminates the possibility of the diagnostic instrument leaking the key used for secure access authentication, but also improves the reliability of the secure access authentication between the diagnostic instrument and the ECU.
  • It also allows the ECU to keep communicating in accordance with the UDS protocol standard, so developers do not need to adapt the ECU. This also takes into account that different ECUs in the vehicle may come from different manufacturers: it avoids the trouble of developers coordinating with different manufacturers to change the ECU configuration, and increases the feasibility of implementing this method on the vehicle.
  • Before the vehicle receives the first diagnostic request sent by the first device, the method further includes: the vehicle receives a digital certificate sent by the first device, the digital certificate representing that the first device is a trusted device.
  • By accepting the digital certificate sent by the diagnostic instrument, the vehicle can determine whether the identity of the diagnostic instrument is trustworthy, ensuring that the device that initiates diagnosis to the vehicle is a trusted diagnostic instrument and not an attacker.
  • The first diagnostic request and the diagnostic data are sent in accordance with the communication standard for vehicle diagnostic services in the Unified Diagnostic Services (UDS) protocol.
  • The vehicle further includes a second ECU, and the vehicle also stores a fourth key of the second ECU.
  • The method further includes: the vehicle receives a second diagnostic request sent by the first device, where the first device is a device trusted by the vehicle; the vehicle uses the fourth key to perform a secure access authentication process inside the vehicle; in response to the second diagnostic request, the vehicle sends the diagnostic data of the second ECU to the first device.
  • Different ECUs use different ECU keys for secure access authentication. Since the diagnostic instrument no longer holds the key used for secure access authentication, even if the ECU keys of different ECUs are different, the diagnostic instrument does not need to frequently obtain the ECU keys used by the different ECUs when diagnosing them. This effectively solves the vulnerability that currently occurs when most vehicles use the same ECU key for the same type of ECU of the same model, namely that the leak of one ECU's key invalidates secure access authentication for that type of ECU in many vehicles, and it effectively improves the feasibility of promoting "different ECUs using different ECU keys" in the industry.
  • The vehicle further includes a KMS, and the vehicle using the second key to perform an authentication process inside the vehicle specifically includes the following steps performed between the KMS and the first ECU:
  • the KMS sends a second secure access request to the first ECU;
  • the first ECU generates a second seed and sends the second seed to the KMS;
  • the KMS uses the second key to encrypt the second seed, and sends the second seed encrypted with the second key to the first ECU;
  • the first ECU verifies that the second seed encrypted by the KMS with the second key is consistent with the second seed encrypted by the first ECU itself with the second key.
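The two-stage exchange in these KMS steps, together with the first-key seed verification described earlier (the vehicle sends a seed to the device and compares the device's encrypted seed with its own), as an added example in Python; it is not code from the patent or from Huawei. It models "encrypting the seed with a key" as an HMAC-SHA256 tag because the page names no cipher; the temporary key's validity window, the key values and the scenario functions are assumptions. The scenarios exercise the two attacker cases the text relies on: a stolen ECU key does not get past the KMS, and a stolen temporary key stops working after the first period.

```python
# Two-stage seed/key secure access through an on-board KMS (added example,
# not the patent's code). "Seed encrypted with a key" is modelled as HMAC.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def seed_response(key: bytes, seed: bytes) -> bytes:
    """The 'seed encrypted with a key' that both sides compute and compare."""
    return hmac.new(key, seed, hashlib.sha256).digest()


class Ecu:
    """First ECU: holds only its own ECU key (the patent's second key)."""

    def __init__(self, ecu_key: bytes) -> None:
        self._key = ecu_key
        self._seed: Optional[bytes] = None
        self.unlocked = False

    def request_seed(self) -> bytes:
        self._seed = secrets.token_bytes(16)
        return self._seed

    def send_key(self, response: bytes) -> bool:
        if self._seed is None:
            return False  # sendKey without a preceding requestSeed
        expected = seed_response(self._key, self._seed)
        self._seed = None  # each seed answers exactly one attempt
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked


class Kms:
    """On-board KMS: holds the temporary key (first key) with its validity
    window and the ECU key (second key). It checks the diagnostic device with
    the temporary key, then runs the ECU's own seed/key exchange with the ECU
    key, which the device never sees."""

    def __init__(self, temp_key: bytes, window: Tuple[int, int],
                 ecu: Ecu, ecu_key: bytes) -> None:
        self._temp_key = temp_key
        self._window = window  # (not_before, not_after) Unix seconds, assumed
        self._ecu = ecu
        self._ecu_key = ecu_key
        self._seed: Optional[bytes] = None

    def _in_window(self, now: int) -> bool:
        return self._window[0] <= now <= self._window[1]

    def request_seed(self, now: int) -> Optional[bytes]:
        """First seed for the device; refused outside the first period."""
        if not self._in_window(now):
            return None
        self._seed = secrets.token_bytes(16)
        return self._seed

    def send_key(self, response: bytes, now: int) -> bool:
        """Stage 1: the device proves it holds the temporary key (in window).
        Stage 2: the KMS authenticates to the ECU with the ECU key."""
        if self._seed is None or not self._in_window(now):
            return False
        expected = seed_response(self._temp_key, self._seed)
        self._seed = None
        if not hmac.compare_digest(response, expected):
            return False
        ecu_seed = self._ecu.request_seed()
        return self._ecu.send_key(seed_response(self._ecu_key, ecu_seed))


def run_session(device_key: bytes, now: int, temp_key: bytes,
                window: Tuple[int, int], ecu_key: bytes) -> bool:
    """One secure-access attempt; True only when the ECU ends up unlocked."""
    ecu = Ecu(ecu_key)
    kms = Kms(temp_key, window, ecu, ecu_key)
    seed = kms.request_seed(now)
    if seed is None:
        return False
    ok = kms.send_key(seed_response(device_key, seed), now)
    return ok and ecu.unlocked


# Constructed sample values (not from the page).
TEMP_KEY = bytes.fromhex("00" * 15 + "01")
ECU_KEY = bytes.fromhex("ff" * 15 + "02")
WINDOW = (1_700_000_000, 1_700_003_600)  # a one-hour first period


def legitimate_device() -> bool:
    return run_session(TEMP_KEY, WINDOW[0] + 60, TEMP_KEY, WINDOW, ECU_KEY)


def attacker_with_stolen_ecu_key() -> bool:
    # The ECU key does not satisfy the KMS, which expects the temporary key.
    return run_session(ECU_KEY, WINDOW[0] + 60, TEMP_KEY, WINDOW, ECU_KEY)


def attacker_with_expired_temp_key() -> bool:
    # A stolen temporary key replayed after the first period has ended.
    return run_session(TEMP_KEY, WINDOW[1] + 1, TEMP_KEY, WINDOW, ECU_KEY)


if __name__ == "__main__":
    print("legitimate device:", legitimate_device())
    print("stolen ECU key:", attacker_with_stolen_ecu_key())
    print("expired temporary key:", attacker_with_expired_temp_key())
```

The ECU code path is unchanged from a plain seed/key unlock: it never learns whether a diagnostic instrument or the KMS is on the other end, which is the property the text relies on when it says the ECU needs no configuration change.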
  • The on-board KMS in the vehicle can thus intervene in the secure access between the diagnostic instrument and the ECU.
  • The ECU key is used to complete the secure access authentication with the ECU. In this way, the ECU does not need to change its configuration to fit this solution. This also takes into account that different ECUs in the vehicle may come from different manufacturers: it avoids the trouble of developers coordinating with different manufacturers to change the ECU configuration, and increases the feasibility of implementing this method on the vehicle.
  • The second key is a key generated by the vehicle using a first vehicle key, where the vehicle keys of different vehicles are different.
  • The vehicle can derive the ECU keys of its different ECUs from one vehicle key, and the vehicle keys of different vehicles are different. Since the ECU key of every ECU in the vehicle is derived from the vehicle key, if the vehicle key is leaked, all ECU keys in the vehicle are leaked. Making the vehicle keys of different vehicles different therefore limits the impact of a vehicle key leak as much as possible.
  • Embodiments of the present application provide a vehicle secure access method, which is applied to a first device.
  • The method includes: the first device sends a first secure access request to the vehicle; within the first period, the vehicle uses the first key, which is temporarily valid within the first period, to verify that the first device has the authority to access the first ECU in the vehicle, and uses the second key to perform the authentication process inside the vehicle.
  • The first device receives a first message sent by the vehicle, indicating that the vehicle has passed the verification of the first device; the first device sends a first diagnostic request to the vehicle; the first device receives the diagnostic data of the first ECU sent by the vehicle.
  • The diagnostic instrument can use a temporarily valid key to carry out the secure access authentication process with the ECU: the vehicle first uses the temporarily valid key to complete secure access authentication with the diagnostic instrument, and then uses the ECU key to complete secure access authentication with the ECU, so that the diagnostic instrument and the ECU need not hold the same key. In this way, even if an attacker steals the ECU key from the ECU, the attacker cannot impersonate the diagnostic instrument to perform secure access authentication; and even if the attacker steals the ECU temporary key from the diagnostic instrument, the ECU temporary key is valid only for a period of time.
  • The method further includes: the first device obtains the first seed generated by the vehicle; the first device uses the first key to encrypt the first seed; the first device sends the first seed encrypted with the first key to the vehicle.
  • Before the first device sends the first secure access request to the vehicle, the method further includes: the first device obtains the first key sent by a second device, where the second device is a server managed and maintained by a manufacturer of the vehicle's components.
  • The diagnostic instrument can thus obtain the ECU temporary key from an official, trusted third-party device, ensuring the credibility of the source of the ECU temporary key.
  • The first device obtaining the first key sent by the second device specifically includes: the first device obtains an authorization file sent by the second device. The authorization file includes the first key, an expiration parameter, and a signature determined based on the first key and the expiration parameter; the expiration parameter is used to indicate the first period, and the signature represents that the first key and the expiration parameter in the authorization file were generated by the second device.
  • The diagnostic instrument can obtain the ECU temporary key by obtaining the authorization file sent by the server. By verifying the signature in the authorization file, the diagnostic instrument can determine whether an attacker tampered with the parameters in the authorization file, such as the ECU temporary key and the expiration parameter, while the server was sending the authorization file to the diagnostic instrument. This ensures the credibility of the ECU temporary key, and thereby the credibility of the secure access authentication process between the vehicle and the diagnostic instrument that uses the ECU temporary key.
  • Before the first device obtains the authorization file sent by the second device, the method further includes: the first device sends its digital certificate to the second device, the digital certificate being used to prove that the first device is a trusted device.
  • This prevents the server from sending the authorization file to an attacker, and prevents the attacker from stealing the ECU temporary key.
  • The method further includes: the first device sends the authorization file to the vehicle.
  • The diagnostic instrument places the ECU temporary key in the authorization file and passes it to the vehicle by sending the authorization file, so that the vehicle can verify the signature in the authorization file.
  • By verifying the signature, the vehicle can determine whether an attacker tampered with the parameters in the authorization file, such as the ECU temporary key and the invalidation parameter, while the diagnostic instrument was providing the file to the vehicle, so as to ensure the credibility of the ECU temporary key and the trustworthiness of the secure access authentication process between the vehicle and the diagnostic instrument that uses the ECU temporary key.
  • Before the first device sends the authorization file to the vehicle, the method further includes: the first device sends a digital certificate to the vehicle, the digital certificate representing that the first device is a device with a trusted identity; or, the first device sending the authorization file to the vehicle specifically includes: the first device sends the authorization file to the vehicle through the UDS 2904 service, where the UDS 2904 service is used to prove that the first device is a device with a trusted identity.
  • The diagnostic instrument can thus prove the credibility of its identity before sending the authorization file to the vehicle, or it can send the authorization file to the vehicle through a trusted channel.
  • The authorization file further includes vehicle information, which is used to indicate the vehicle, and the signature is also determined based on the vehicle information.
  • The vehicle information may be the VIN code of the vehicle.
  • Because the authorization file also includes information indicating the vehicle that currently needs to be diagnosed, it can ensure that the diagnostic instrument only diagnoses the vehicle indicated by the authorization file, preventing an attacker from using the ECU temporary key to carry out the secure access authentication process with other vehicles and improving the reliability of secure access authentication.
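One way to build and check the authorization file described here and in the earlier vehicle-side passage (first key, invalidation/expiration parameter, VIN, and a signature over all three), as an added Python example that is not the patent's or Huawei's code. It assumes a JSON layout and uses a keyed HMAC-SHA256 tag, with the key shared by server and vehicle, as a stand-in for the server's digital signature; the key material, VINs and timestamps are constructed. The scenarios show the three rejections the text depends on: a tampered expiry, a file replayed to a different vehicle, and use after the first period.

```python
# Authorization file for the ECU temporary key (added example, not the
# patent's code). The server's signature is modelled as HMAC-SHA256 under a
# key shared by server and vehicle; file layout and sample values are assumed.
import hashlib
import hmac
import json
from typing import Optional, Tuple


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_authorization(server_key: bytes, temp_key: bytes,
                        not_after: int, vin: str) -> dict:
    """Server side: bind the temporary key to an expiry and to one vehicle."""
    body = {"temp_key": temp_key.hex(), "not_after": not_after, "vin": vin}
    tag = hmac.new(server_key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": tag}


def verify_authorization(server_key: bytes, auth: dict, own_vin: str,
                         now: int) -> Tuple[bool, str, Optional[bytes]]:
    """Vehicle side. Returns (accepted, reason, temporary key or None).
    The signature is checked first, so a tampered expiry or VIN is rejected
    before either value is trusted for anything."""
    body = {k: v for k, v in auth.items() if k != "signature"}
    expected = hmac.new(server_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(str(auth.get("signature", "")), expected):
        return False, "signature invalid", None
    if body.get("vin") != own_vin:
        return False, "issued for another vehicle", None
    if not isinstance(body.get("not_after"), int) or now > body["not_after"]:
        return False, "temporary key expired", None
    return True, "ok", bytes.fromhex(body["temp_key"])


# Constructed sample values (not from the page).
SERVER_KEY = b"constructed-server-signing-key"
TEMP_KEY = bytes(range(16))
VIN_A = "VINCONSTRUCTED0001"
VIN_B = "VINCONSTRUCTED0002"
EXPIRY = 1_700_003_600
AUTH = issue_authorization(SERVER_KEY, TEMP_KEY, EXPIRY, VIN_A)


def scenario_valid() -> str:
    return verify_authorization(SERVER_KEY, AUTH, VIN_A, EXPIRY - 60)[1]


def scenario_extended_expiry() -> str:
    # The invalidation parameter is edited to keep a stolen key alive.
    tampered = dict(AUTH, not_after=EXPIRY + 86_400)
    return verify_authorization(SERVER_KEY, tampered, VIN_A, EXPIRY + 60)[1]


def scenario_other_vehicle() -> str:
    # The untampered file is presented to a vehicle with a different VIN.
    return verify_authorization(SERVER_KEY, AUTH, VIN_B, EXPIRY - 60)[1]


def scenario_expired() -> str:
    return verify_authorization(SERVER_KEY, AUTH, VIN_A, EXPIRY + 1)[1]


if __name__ == "__main__":
    for name, fn in [("valid", scenario_valid), ("extended expiry", scenario_extended_expiry),
                     ("other vehicle", scenario_other_vehicle), ("expired", scenario_expired)]:
        print(f"{name}: {fn()}")
```

In a deployment the tag would be an asymmetric signature verified with the server's public key, so the vehicle holds no secret that could forge files; the check order (signature, then VIN, then expiry) carries over unchanged.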
  • The first secure access request, the first message, the first diagnostic request and the diagnostic data are all sent in accordance with the communication standard for vehicle diagnostic services in the Unified Diagnostic Services (UDS) protocol.
  • The first secure access request may carry a diagnostic service identifier (SID) of the UDS protocol.
  • The diagnostic service identifier SID identifies the diagnostic service initiated by the diagnostic instrument to the vehicle.
  • In the first secure access request, the service identifier SID is 27.
  • That is, the diagnostic service initiated by the diagnostic instrument to the vehicle is the secure access service, which provides a way to access controlled resources in the vehicle or perform fault diagnosis.
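How the secure access request with SID 27 and the vehicle's answers look on the wire, as an added Python example covering this passage and the identical vehicle-side one earlier; it is not the patent's or any vendor's code. The service identifier, sub-function and negative response code values are those ISO 14229-1 defines for the SecurityAccess (0x27) service; the key computation over the seed, the attempt limit and the sample secret are assumptions. The server class plays the vehicle-side endpoint (the on-board KMS in the patent's first aspect) and the client function the diagnostic instrument.

```python
# UDS SecurityAccess (SID 0x27) request/response framing (added example, not
# the patent's code). Constants follow ISO 14229-1; key derivation is assumed.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SID = 0x27
SID_POSITIVE = SID + 0x40            # 0x67: positive response to 0x27
SID_NEGATIVE = 0x7F
SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02
NRC_SUB_FUNCTION_NOT_SUPPORTED = 0x12
NRC_INVALID_FORMAT = 0x13
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
SEED_LEN = 16
KEY_LEN = 8


def compute_key(secret: bytes, seed: bytes) -> bytes:
    """Assumed seed-to-key function: truncated HMAC-SHA256 over the seed."""
    return hmac.new(secret, seed, hashlib.sha256).digest()[:KEY_LEN]


def request_seed_frame() -> bytes:
    return bytes([SID, SUB_REQUEST_SEED])


def send_key_frame(key: bytes) -> bytes:
    return bytes([SID, SUB_SEND_KEY]) + key


def parse_response(frame: bytes) -> Tuple[bool, bytes]:
    """(True, payload after the sub-function echo) or (False, NRC byte)."""
    if len(frame) == 3 and frame[0] == SID_NEGATIVE and frame[1] == SID:
        return False, frame[2:3]
    if len(frame) >= 2 and frame[0] == SID_POSITIVE:
        return True, frame[2:]
    raise ValueError("not a SecurityAccess response: %s" % frame.hex())


def _negative(nrc: int) -> bytes:
    return bytes([SID_NEGATIVE, SID, nrc])


class SecurityAccessServer:
    """Vehicle side (the on-board KMS in the patent) answering SID 0x27."""

    def __init__(self, secret: bytes, max_attempts: int = 3) -> None:
        self._secret = secret
        self._max_attempts = max_attempts
        self._pending_seed: Optional[bytes] = None
        self._failures = 0
        self.unlocked = False

    def handle(self, req: bytes) -> bytes:
        if not req or req[0] != SID:
            raise ValueError("dispatched a non-SecurityAccess request")
        if len(req) < 2:
            return _negative(NRC_INVALID_FORMAT)
        sub = req[1]
        if sub == SUB_REQUEST_SEED:
            if len(req) != 2:
                return _negative(NRC_INVALID_FORMAT)
            if self.unlocked:  # already unlocked: ISO 14229-1 returns an all-zero seed
                return bytes([SID_POSITIVE, sub]) + bytes(SEED_LEN)
            self._pending_seed = secrets.token_bytes(SEED_LEN)
            return bytes([SID_POSITIVE, sub]) + self._pending_seed
        if sub == SUB_SEND_KEY:
            if self._failures >= self._max_attempts:
                return _negative(NRC_EXCEEDED_ATTEMPTS)
            if self._pending_seed is None:
                return _negative(NRC_REQUEST_SEQUENCE_ERROR)
            expected = compute_key(self._secret, self._pending_seed)
            self._pending_seed = None  # every attempt consumes its seed
            if len(req) != 2 + KEY_LEN:
                return _negative(NRC_INVALID_FORMAT)
            if not hmac.compare_digest(req[2:], expected):
                self._failures += 1
                if self._failures >= self._max_attempts:
                    return _negative(NRC_EXCEEDED_ATTEMPTS)
                return _negative(NRC_INVALID_KEY)
            self._failures = 0
            self.unlocked = True
            return bytes([SID_POSITIVE, sub])
        return _negative(NRC_SUB_FUNCTION_NOT_SUPPORTED)


def client_unlock(server: SecurityAccessServer, client_secret: bytes) -> Tuple[bool, int]:
    """Diagnostic-instrument side: one requestSeed/sendKey round trip.
    Returns (unlocked, NRC of the failing step or 0)."""
    ok, seed = parse_response(server.handle(request_seed_frame()))
    if not ok:
        return False, seed[0]
    ok, payload = parse_response(server.handle(send_key_frame(compute_key(client_secret, seed))))
    return ok, 0 if ok else payload[0]


if __name__ == "__main__":
    srv = SecurityAccessServer(b"constructed-secret")
    print("wrong key:", client_unlock(srv, b"guess"))
    print("right key:", client_unlock(srv, b"constructed-secret"))
```

The attempt counter and the sequence check are what a defender monitors: a burst of 0x35 responses followed by 0x36, or 0x24 responses from a tool that never requested a seed, is visible on the diagnostic bus without any key material.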
  • Embodiments of the present application provide a vehicle secure access method, which is applied to a first device.
  • The method includes: the first device proves to the vehicle that the identity of the first device is trustworthy; the first device sends a first diagnostic request to the vehicle.
  • When the vehicle uses the second key of the first ECU to perform a secure access authentication process inside the vehicle, the first device obtains the diagnostic data of the first ECU in the vehicle sent by the vehicle.
  • In this method the diagnostic instrument no longer holds the key for secure access authentication.
  • The diagnostic instrument directly proves to the vehicle that it is a trustworthy diagnostic instrument and initiates a diagnostic request, directly requesting access to the ECU's resources; inside the vehicle, however, the steps of first performing secure access authentication and then responding to the diagnostic request by sending the ECU's diagnostic data to the diagnostic instrument are still followed.
  • Eliminating the possibility of the diagnostic instrument leaking the key used for secure access authentication improves the reliability of the secure access authentication between the diagnostic instrument and the ECU. It also allows the ECU to keep communicating in accordance with the UDS protocol standard, so developers do not need to adapt the ECU. This also takes into account that different ECUs in the vehicle may come from different manufacturers: it avoids the trouble of developers coordinating with different manufacturers to change the ECU configuration, and increases the feasibility of implementing this method on the vehicle.
  • The first device proving its identity to the vehicle specifically includes: the first device sends a digital certificate to the vehicle, the digital certificate representing that the first device is a device with a trusted identity.
  • Before the first device sends the digital certificate to the vehicle, the method further includes: the first device sends the digital certificate to the second device; and the first device sending the digital certificate to the vehicle specifically includes: when the second device determines, based on the digital certificate, that the identity of the first device is credible, the first device sends the digital certificate to the vehicle.
  • Before the diagnostic instrument initiates diagnosis to the vehicle, it therefore needs to complete dual authentication, with the server and with the vehicle, to ensure as far as possible that the diagnostic instrument is a trusted device, to prevent an attacker from stealing the diagnostic data of the ECU, and to ensure the safety of the vehicle as far as possible.
  • The first diagnostic request and the diagnostic data are sent according to the communication standard for vehicle diagnostic services in the Unified Diagnostic Services (UDS) protocol.
  • The second key is a key generated by the vehicle using a first vehicle key, where the vehicle keys of different vehicles are different.
  • The vehicle can derive the ECU keys of its different ECUs from one vehicle key, and the vehicle keys of different vehicles are different. Since the ECU key of every ECU in the vehicle is derived from the vehicle key, if the vehicle key is leaked, all ECU keys in the vehicle are leaked. Making the vehicle keys of different vehicles different therefore limits the impact of a vehicle key leak as much as possible.
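Deriving each ECU's key from a per-vehicle key, as described here and in the earlier passage on the second key, as an added Python example; it is not the patent's or Huawei's code. It assumes HKDF (RFC 5869 with HMAC-SHA256) as the derivation function; the salt label, the info format, the ECU identifiers and the vehicle keys are constructed. The last function makes the blast-radius point of the text concrete: a leaked vehicle key reproduces every ECU key of that vehicle and none of any other vehicle's.

```python
# Per-ECU keys derived from a per-vehicle key with HKDF (added example, not
# the patent's code). Salt label, info format and sample keys are assumed.
import hashlib
import hmac
from typing import Dict, List, Tuple

SALT = b"vehicle-secure-access/ecu-key/v1"  # assumed domain-separation label


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(prk, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_ecu_key(vehicle_key: bytes, ecu_id: str, length: int = 16) -> bytes:
    """ECU key = HKDF(vehicle key, info = ECU identifier). The vehicle can
    recompute any of its ECU keys on demand instead of storing each one."""
    prk = hkdf_extract(SALT, vehicle_key)
    return hkdf_expand(prk, b"ecu-key:" + ecu_id.encode("utf-8"), length)


def fleet_ecu_keys(vehicle_keys: Dict[str, bytes],
                   ecu_ids: List[str]) -> Dict[Tuple[str, str], bytes]:
    """Map (VIN, ECU id) -> ECU key across a fleet, one vehicle key per VIN."""
    return {(vin, ecu): derive_ecu_key(key, ecu)
            for vin, key in vehicle_keys.items() for ecu in ecu_ids}


def keys_exposed_by_leak(fleet: Dict[Tuple[str, str], bytes],
                         leaked_vehicle_key: bytes,
                         ecu_ids: List[str]) -> List[Tuple[str, str]]:
    """Which fleet ECU keys someone holding one vehicle key can reproduce."""
    derivable = {derive_ecu_key(leaked_vehicle_key, ecu) for ecu in ecu_ids}
    return sorted(pair for pair, key in fleet.items() if key in derivable)


# Constructed sample fleet (not from the page).
ECU_IDS = ["BCM", "ENGINE", "GATEWAY"]
VEHICLE_KEYS = {
    "VINCONSTRUCTED0001": hashlib.sha256(b"vehicle-key-1").digest(),
    "VINCONSTRUCTED0002": hashlib.sha256(b"vehicle-key-2").digest(),
}


def blast_radius_of_vehicle_1() -> List[Tuple[str, str]]:
    fleet = fleet_ecu_keys(VEHICLE_KEYS, ECU_IDS)
    return keys_exposed_by_leak(fleet, VEHICLE_KEYS["VINCONSTRUCTED0001"], ECU_IDS)


if __name__ == "__main__":
    for vin, ecu in blast_radius_of_vehicle_1():
        print(f"exposed by leak of vehicle 1 key: {vin} / {ecu}")
```

Because the ECU identifier is bound into the info string, two ECUs of the same type in the same vehicle also get distinct keys, which is the "different ECUs using different ECU keys" arrangement the text promotes.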
  • embodiments of the present application provide a vehicle, including a memory, one or more processors, and one or more programs; when one or more processors execute one or more programs, the vehicle implements the following: The method described in the first aspect or any implementation of the first aspect, the second aspect or any implementation of the second aspect.
  • embodiments of the present application provide an electronic device, including a memory, one or more processors, and one or more programs; when one or more processors execute one or more programs, the electronic device Implement the method described in the third aspect or any one implementation manner of the third aspect, the fourth aspect or any one implementation manner of the fourth aspect.
  • embodiments of the present application provide a communication system, which includes a vehicle as in the fifth aspect and an electronic device as in the sixth aspect.
  • embodiments of the present application provide a computer-readable storage medium, including instructions, characterized in that when the instructions are run on an electronic device, they cause the electronic device to execute the method of the first aspect or any one implementation of the first aspect.
  • embodiments of the present application provide a computer program product, which is characterized in that, when the computer program product is run on a computer, it causes the computer to execute the first aspect or any one of the embodiments of the first aspect and the second aspect.
  • Figure 1 is a schematic diagram of the process involved in executing the UDS 27 service between the diagnostic instrument and the vehicle ECU;
  • Figure 2 is a schematic diagram of a communication system 1000 provided by an embodiment of the present application.
  • Figure 3 is a schematic flowchart of generating an ECU key in the vehicle security access method provided by the embodiment of the present application;
  • Figure 4 is another schematic flow chart involved in generating an ECU key in the vehicle security access method provided by the embodiment of the present application.
  • Figure 5 is a schematic flow chart involving the use of ECU keys for secure access authentication in the vehicle secure access method provided by the embodiment of the present application;
  • FIG. 6 is another schematic flowchart involving the use of ECU keys for secure access authentication in the vehicle secure access method provided by the embodiment of the present application;
  • Figure 7 is a schematic structural diagram of a vehicle 300 provided by an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of an electronic device 400 provided by an embodiment of the present application.
  • the terms “first” and “second” are used for descriptive purposes only and shall not be understood as indicating or implying relative importance or implicitly specifying the quantity of the indicated technical features. Therefore, features defined as “first” and “second” may explicitly or implicitly include one or more of those features. In the description of the embodiments of this application, unless otherwise specified, “plurality” means two or more.
  • the UDS protocol defines a series of diagnostic services.
  • the diagnostic instrument and the vehicle ECU can use the specified UDS service to standardize the instructions sent and the data transmitted during the communication process.
  • the UDS protocol defines a secure access service, the UDS 27 service, which is used to provide a way to access controlled resources in the vehicle or perform fault diagnosis. Since some data in the ECU or fault diagnosis of the ECU is protected for security reasons, before the diagnostic tool reads the resources in the ECU or performs fault diagnosis on the ECU, the UDS 27 service needs to be executed to lift the protection restrictions on the ECU.
  • Figure 1 is a schematic diagram of the process involved in executing the UDS 27 service between the diagnostic instrument and the vehicle ECU.
  • the diagnostic tool and the vehicle ECU respectively encrypt a seed generated by the vehicle ECU.
  • the diagnostic tool and the vehicle ECU use the same ECU password.
  • the diagnostic instrument sends the encrypted seed to the vehicle ECU. If the vehicle ECU determines that the received encrypted seed is consistent with the locally encrypted seed, the diagnostic instrument passes the secure access authentication, and the vehicle ECU grants the diagnostic instrument secure access permission; the diagnostic tool can then access restricted resources on the vehicle ECU or perform fault diagnosis.
  • embodiments of the present application provide a vehicle secure access method.
  • the same key is no longer used on the diagnostic instrument and the ECU for secure access authentication.
  • the diagnostic tool can use an ECU temporary key to complete the secure access authentication process between the diagnostic tool and the target ECU, and the vehicle interior can intervene in that secure access authentication process; the keys complete the secure access authentication of the diagnostic instrument to determine whether the diagnostic instrument has permission to access resources or perform fault diagnosis.
  • the ECU key is used for security access authentication inside the vehicle.
  • the ECU determines that the diagnostic instrument has the authority to access the resources of the ECU, and can send the diagnostic data of the ECU to the diagnostic instrument based on the diagnostic request of the diagnostic instrument.
  • the ECU temporary key is a key that is valid for a period of time. After a period of time, the ECU temporary key cannot be used for secure access authentication.
  • the ECU's secure access authentication to the diagnostic instrument uses both the ECU temporary key and the ECU key.
  • the diagnostic instrument uses the ECU temporary key for authentication, so even if an attacker steals the ECU key, the attacker cannot pass authentication by impersonating the diagnostic instrument.
  • Embodiments of the present application also provide a vehicle secure access method in which the diagnostic instrument no longer holds a key for secure access authentication. Specifically, the diagnostic instrument only needs to prove to the vehicle that it is a trusted device; it no longer initiates secure access authentication, but directly sends a diagnostic request to the target ECU. The diagnostic request is intercepted inside the vehicle, where the ECU key is still used to carry out secure access authentication with the target ECU, and after the authentication passes, the diagnostic request is passed to the target ECU, triggering resource access or fault diagnosis of the target ECU.
  • the diagnostic instrument no longer holds the key for secure access authentication, which eliminates the possibility of the diagnostic instrument leaking the ECU key and improves the reliability of the diagnostic instrument and ECU for secure access authentication.
  • the ECU key of the target ECU is a key derived by the vehicle using the vehicle key and is only used for the target ECU for secure access authentication.
  • the ECU keys used by different ECUs in the vehicle are different.
  • the vehicle keys of different vehicles may also be different. Since the ECU keys of each ECU in the vehicle are derived from the vehicle key, if the vehicle key is leaked, all ECU keys in the vehicle will be leaked. Therefore, making the vehicle keys different for different vehicles can reduce the impact of vehicle key leakage as much as possible.
  • the communication system 1000 provided by the embodiment of the present application is introduced below.
  • FIG. 2 is a schematic diagram of a communication system 1000 provided by an embodiment of the present application.
  • the communication system 1000 may include: a server 100, a diagnostic instrument 200, and a vehicle 300, where:
  • Server 100 can be used to generate, manage and distribute keys.
  • the key may include: vehicle key, ECU temporary key, ECU key, etc.
  • the server 100 can generate a vehicle key for the vehicle (for example, the vehicle 300), and send the vehicle key to the vehicle 300.
  • the vehicle key can be used to derive the ECU key of the ECU, and the vehicle 300 can use the ECU key to perform secure access authentication of ECUs inside the vehicle.
  • the server 100 can also derive an ECU key based on the vehicle key, and send the ECU key to the vehicle 300 .
  • the server 100 can generate an ECU temporary key for a diagnostic instrument (eg, the diagnostic instrument 200), and the diagnostic instrument 200 can use the ECU temporary key to perform secure access authentication of the ECU outside the vehicle.
  • the secure access authentication outside the vehicle refers to the interaction between the diagnostic instrument 200 and the vehicle during the secure access authentication process.
  • the secure access authentication inside the vehicle refers to the interaction between the internal functional modules of the vehicle during the secure access authentication process.
  • for details, please refer to the subsequent method process, which will not be discussed here.
  • the diagnostic instrument 200 can be used to access resources in the vehicle and detect vehicle faults. Specifically, the diagnostic instrument 200 is used to access the resources of the ECU in the vehicle and detect faults of the ECU. In the embodiment of the present application, the diagnostic instrument 200 can be used to obtain the ECU temporary key sent by the server 100, and send the ECU temporary key to the vehicle 300. In addition, the diagnostic instrument 200 can also be used to send a secure access request to the vehicle 300, using the ECU temporary key for secure access authentication outside the vehicle.
  • the vehicle 300 can return the diagnostic data requested by the diagnostic request according to the diagnostic request sent by the diagnostic instrument, and complete the security access authentication with the diagnostic instrument before diagnosis.
  • the vehicle 300 can be used to obtain or generate a vehicle key, generate an ECU key for the ECU based on the vehicle key, obtain the ECU temporary key sent by the diagnostic instrument 200, use the ECU temporary key to complete secure access authentication outside the vehicle with the diagnostic instrument 200, use the ECU key to complete secure access authentication inside the vehicle, and, when the secure access authentication passes, send indication information indicating that the authentication has passed to the diagnostic instrument 200.
  • the communication connection may be a wired connection or a wireless connection.
  • the wireless connection can be a wireless fidelity (Wi-Fi) connection, a Bluetooth connection, an infrared connection, an NFC connection, a ZigBee connection or another short-range connection, or it can be a long-distance connection; long-distance connections include but are not limited to connections over mobile networks based on 2G, 3G, 4G, 5G and subsequent standard protocols.
  • the server 100 may send the ECU temporary key to the diagnostic instrument 200 through a wireless connection.
  • the diagnostic instrument 200 can communicate with the vehicle 300 through a wired connection.
  • the diagnostic instrument 200 can communicate with the vehicle 300 through a wired connection to the on-board diagnostics (OBD) port of the vehicle 300.
  • the server mentioned in the embodiment of this application may be one server or a server cluster composed of multiple servers.
  • the server 100 can be a server cluster in which multiple servers are deployed through a distributed architecture.
  • the cluster can include one or more of a cloud computing server, a content delivery network (CDN) server, a Network Time Protocol (NTP) server, a Domain Name System (DNS) server, etc.
  • various servers can coordinate with each other to jointly complete functions such as computing, data storage, and communication.
  • a single server, a distributed server, a server cluster, etc. are collectively referred to as servers.
  • the server 100 can be a server cluster deployed by multiple servers through a distributed architecture. These multiple servers belong to the original equipment manufacturer (OEM) and together form the OEM's key management system (KMS).
  • the vehicle secure access method provided by the embodiment of this application is used to implement secure access authentication of the diagnostic instrument before fault diagnosis or resource access is performed on the vehicle.
  • the vehicle secure access method mainly includes two parts: the vehicle obtains the ECU key used for secure access authentication, and the secure access authentication between the diagnostic instrument and the vehicle.
  • the detailed process of the method is described in two stages below.
  • the ECU key is derived from the vehicle key in the vehicle.
  • the vehicle key may be generated by the vehicle or by the server.
  • Figure 3 is a schematic flowchart of the process involved in generating an ECU key in the vehicle security access method provided by the embodiment of the present application.
  • Figure 4 is another schematic flowchart of the process involved in generating the ECU key in the vehicle security access method provided by the embodiment of the application.
  • Figure 3 shows the interaction process involved between the server 100 and the vehicle 300 when the vehicle key is generated by the server 100.
  • Figure 4 shows the interaction process involved between the server 100 and the vehicle 300 when the vehicle key is generated by the vehicle 300.
  • the interaction process shown in Figures 3 and 4 mainly involves two functional modules in the vehicle 300: the vehicle KMS and the ECU.
  • the vehicle KMS is used to generate and manage keys in the vehicle.
  • the vehicle 300 may include one or more ECUs.
  • Figures 3 and 4 take ECU1 as an example.
  • ECU1 can be any ECU in the vehicle 300; in the embodiment of the present application, ECU1 may refer to the target ECU that the diagnostic instrument 200 needs to diagnose.
  • phase one mainly includes:
  • the server 100 generates a vehicle key for the vehicle 300.
  • the server 100 may use a cryptographic algorithm to generate a random number, and use the random number as the vehicle key of the vehicle 300 .
  • the server 100 can generate different vehicle keys for each vehicle, that is, the vehicle keys of different vehicles are different. For example, assuming that vehicle 400 also exists, the server 100 may generate vehicle key 1 of vehicle 300 for vehicle 300 and vehicle key 2 of vehicle 400 for vehicle 400.
  • the server 100 can bind the vehicle key with the vehicle identification number (VIN) of the vehicle.
  • the VIN code is equivalent to the vehicle's ID number. It is determined according to the national vehicle management standards and includes the vehicle's manufacturer, age, model, body type and code, engine code, assembly location and other information.
  • binding the vehicle key with the VIN code of the vehicle may refer to using the vehicle key as part of the VIN code. In this way, by binding the vehicle key with the vehicle's VIN code, the vehicle key can be managed on a vehicle-by-vehicle basis, and the vehicle keys of different vehicles can be distinguished.
  • the server 100 is a server managed and maintained by a manufacturer that manufactures vehicle components.
  • the server 100 may also be called a second device.
  • the server 100 sends the vehicle key to the vehicle KMS in the vehicle 300.
  • the server 100 sends the vehicle key to the vehicle 300. Specifically, the server 100 sends the vehicle key to the on-board KMS in the vehicle 300. Correspondingly, the vehicle 300 can receive the vehicle key sent by the server 100.
  • the server 100 may send the vehicle key of the vehicle 300 to the vehicle 300 when sending the VIN code of the vehicle 300 to the vehicle 300 .
  • the server 100 can send the vehicle keys of different vehicles to the corresponding vehicles.
  • the server 100 sends the vehicle key 1 of the vehicle 300 to the vehicle 300, and sends the vehicle key 2 of the vehicle 400 to the vehicle 400.
  • the vehicle-mounted KMS in vehicle 300 uses the vehicle key to generate the ECU key of ECU1.
  • Vehicle 300 uses the vehicle key to generate the ECU key of ECU1. Specifically, the vehicle 300 can use the vehicle key to generate the ECU key of the ECU1 through the vehicle KMS.
  • the vehicle 300 may use a key derivation function (KDF) or an HMAC-based KDF (i.e., HKDF) to derive a key from the vehicle key, and use the derived key as the ECU key of ECU1.
  • the ECU key is used to encrypt the seed when performing secure access authentication inside the vehicle.
  • for details, please refer to the detailed process of the subsequent stage two.
  • the vehicle 300 may derive multiple keys from the vehicle key, and use the multiple keys as ECU keys for the multiple ECUs.
  • the on-board KMS in vehicle 300 derives the ECU key of ECU1 and the ECU key of ECU2 from the vehicle key.
  • the ECU key may include one or more keys.
  • the ECU key may include two keys: the ECU2701 key and the ECU2709 key.
  • the ECU2701 key is used for secure access authentication
  • the ECU2709 key is used when the ECU performs software package flashing.
  • the embodiment of the present application does not limit the number of ECU keys.
  • the vehicle 300 can use the vehicle key to generate ECU keys for multiple ECUs.
  • the ECU key of the first ECU can also be called a second key.
  • the ECU key of the second ECU may also be called a fourth key, and for example, ECU1 may be called the first ECU.
  • the vehicle-mounted KMS in vehicle 300 sends the ECU key of ECU1 to ECU1.
  • the vehicle 300 can send the ECU keys respectively derived for the multiple ECUs to the corresponding ECUs through the on-board KMS.
  • the on-board KMS can send the ECU key of ECU1 to ECU1 and the ECU key of ECU2 to ECU2.
  • steps S101-S104 can be executed at the vehicle production line stage of the vehicle 300. That is to say, before the vehicle is put into use for users to drive, the server can preset the vehicle key in the vehicle in advance, and the vehicle can then derive from the vehicle key the ECU keys required by each ECU in the vehicle during the secure access authentication phase.
  • the server 100 uses the vehicle key to generate the ECU key of ECU1.
  • the server 100 may also use a key derivation algorithm such as KDF or HKDF to derive the ECU key from the vehicle key.
  • the server 100 may use a key derivation algorithm to derive the ECU key of the ECU1 from the vehicle key when the diagnostic instrument 200 needs to perform fault diagnosis or resource access to the ECU1. Afterwards, the server 100 sends the ECU key to the vehicle 300 (not shown in FIG. 3 ), so that the ECU 1 uses the ECU key to complete the safe access authentication inside the vehicle.
  • the vehicle 300 does not need to use the vehicle key to generate the ECU key of the ECU1, and directly obtains the ECU key required by the ECU1 in the secure access authentication phase through the server 100.
  • step S105 is suitable for execution when the diagnostic instrument 200 only diagnoses a single ECU of the vehicle 300.
  • steps S103-S104 are optional steps.
  • the vehicle 300 can directly obtain the ECU key of the ECU through the server 100.
  • the vehicle 300 may generate ECU keys required for diagnosis of multiple ECUs in advance.
  • step S105 is an optional step, and the vehicle 300 may generate ECU keys for multiple ECUs by itself.
  • the key derivation algorithm used by the server 100 and the vehicle 300 is the same.
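To make the per-ECU derivation of stage one concrete, here is an added example (not code from the patent or from its assignee) implementing HKDF from RFC 5869 in Python and using it the way steps S103/S105 describe: the server 100 and the on-board KMS derive the same ECU key from the same vehicle key, different vehicle keys give different ECU keys, and each ECU gets separate ECU2701 and ECU2709 keys. Using the VIN as the HKDF salt and the `ecu-key|<ecu>|<purpose>` info label are assumptions of this example; the patent only says the ECU key is derived from the vehicle key with a KDF/HKDF and that the vehicle key is bound to the VIN.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_vehicle_key() -> bytes:
    """Step S101/S201: a random per-vehicle key (made by the server or the on-board KMS)."""
    return os.urandom(32)


def derive_ecu_key(vehicle_key: bytes, vin: str, ecu_id: str, purpose: str) -> bytes:
    """Steps S103/S105 and S203/S205: one key per (vehicle, ECU, purpose).

    Both the server 100 and the on-board KMS run exactly this function, so they
    agree on every ECU key without ever sending it.  The VIN as salt and the
    info label are assumptions of this example, not the patent's specification.
    """
    prk = hkdf_extract(vin.encode(), vehicle_key)
    info = b"ecu-key|" + ecu_id.encode() + b"|" + purpose.encode()
    return hkdf_expand(prk, info, 32)


def derive_ecu_key_set(vehicle_key: bytes, vin: str, ecu_ids) -> dict:
    """Keys for every ECU of one vehicle: the ECU2701 key (secure access, UDS 27)
    and the ECU2709 key (software package flashing) are distinct derivations."""
    return {
        ecu_id: {
            "2701": derive_ecu_key(vehicle_key, vin, ecu_id, "2701"),
            "2709": derive_ecu_key(vehicle_key, vin, ecu_id, "2709"),
        }
        for ecu_id in ecu_ids
    }
```

A leaked vehicle key of one vehicle reproduces only that vehicle's ECU keys, which is the containment property the text argues for.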
  • phase one mainly includes:
  • the vehicle-mounted KMS in the vehicle 300 generates the vehicle key of the vehicle 300.
  • the vehicle-mounted KMS in the vehicle 300 sends the vehicle key to the server 100.
  • the vehicle-mounted KMS in vehicle 300 uses the vehicle key to generate the ECU key of ECU1.
  • the vehicle-mounted KMS in vehicle 300 sends the ECU key of ECU1 to ECU1.
  • the server 100 uses the vehicle key to generate the ECU key of ECU1.
  • steps S203-S205 are the same as steps S103-S105 shown in Figure 3.
  • steps S201-S202 are similar to steps S101-S102 shown in Figure 3, except that in steps S201-S202 shown in Figure 4 the vehicle key is generated by the vehicle 300, specifically by the on-board KMS in the vehicle 300, and is sent by the vehicle 300 to the server 100, whereas in steps S101-S102 shown in FIG. 3 the vehicle key is generated by the server 100, and the server 100 sends the vehicle key to the vehicle 300.
  • the server 100 can bind the vehicle key with the VIN code of the vehicle 300.
  • the server 100 may receive vehicle keys generated by multiple vehicles. For example, the server 100 receives the vehicle key of vehicle 300 sent by vehicle 300 and the vehicle key of vehicle 400 sent by vehicle 400.
  • step S202 and step S205, or step S203 and step S204 are optional steps, and the embodiment of the present application does not limit the execution order of step S202 among steps S201, S203, and S204.
  • for steps S201-S205, please refer to the relevant content of the foregoing steps S101-S105, which will not be described again here.
  • Phase 2 Using ECU keys for secure access authentication
  • Figure 5 is a schematic flowchart of using an ECU key for secure access authentication in the vehicle secure access method provided by an embodiment of the present application.
  • Figure 6 is another schematic flowchart involving the use of ECU keys for secure access authentication in the vehicle secure access method provided by an embodiment of the present application.
  • FIG. 5 shows the interaction process between the server 100, the diagnostic instrument 200 and the vehicle 300 when the diagnostic instrument 200 and the ECU 1 in the vehicle 300 do not use the same key for secure access authentication.
  • FIG. 6 shows the interaction process between the server 100, the diagnostic instrument 200 and the vehicle 300 when the diagnostic instrument 200 no longer holds a key.
  • phase two mainly includes:
  • the server 100 and the diagnostic device 200 complete the diagnostic device authentication.
  • the diagnostic instrument 200 may trigger authentication to the server 100 when it is necessary to conduct fault diagnosis or resource access to the ECU in the vehicle 300 , such as ECU 1 , or when it is necessary to obtain the ECU temporary key generated by the server 100 .
  • the diagnostic instrument 200 may trigger fault diagnosis on the vehicle 300 , for example, one or more ECUs in the vehicle 300 after receiving a user's operation to trigger the diagnosis of the vehicle.
  • the diagnostic instrument authentication between the server 100 and the diagnostic instrument 200 is to prove to the server 100 that the diagnostic instrument 200 is legitimate and to prevent attackers from pretending to be the diagnostic instrument 200 to communicate with the server 100 and illegally steal data in the server 100, such as ECU temporary keys.
  • the diagnostic instrument 200 can complete the diagnostic instrument authentication by sending the digital certificate of the diagnostic instrument 200 to the server 100 to prove the legitimacy of the diagnostic instrument 200 .
  • the digital certificate is an electronic certificate issued to the diagnostic instrument 200 by a trusted third party, such as a Certificate Authority (CA) in a Public Key Infrastructure (PKI), to prove that its identity is trustworthy.
  • the diagnostic instrument 200 can communicate with the server 100 based on Transport Layer Security (TLS) to complete the diagnostic instrument authentication.
  • TLS protocol is a security protocol used to provide security and data integrity protection for communications between devices.
  • the diagnostic instrument 200 transmits the digital certificate of the diagnostic instrument 200 based on the TLS protocol, which can prevent a third party from eavesdropping and tampering with the digital certificate, and ensures the credibility of the diagnostic instrument during the authentication phase.
  • the diagnostic instrument may also be called the first device.
  • the server 100 generates an ECU temporary key.
  • the ECU temporary key is used to encrypt the seed when the diagnostic instrument 200 performs security access authentication with the vehicle 300 .
  • the server 100 can generate the ECU temporary key through PKI.
  • the ECU temporary key is different from the ECU key, and the ECU temporary key is time-sensitive, and the ECU temporary key is only valid for a period of time. In this way, the attacker can be prevented as much as possible from stealing the ECU temporary key and then using the fake diagnostic instrument 200 to launch an attack on the vehicle 300 .
  • the ECU temporary key may only be valid for the diagnostic instrument 200 to diagnose ECU1.
  • the diagnostic instrument 200 can only use the ECU temporary key in the security authentication process of ECU1.
  • the ECU temporary key is valid for the diagnostic tool 200 to diagnose any ECU in the vehicle 300.
  • the diagnostic tool 200 can use the ECU temporary key in the security authentication process with any ECU in the vehicle 300. In this way, when the diagnostic instrument 200 needs to diagnose multiple ECUs in the vehicle 300, it does not need to frequently obtain multiple ECU temporary keys from the server 100, or frequently perform secure access authentication with different ECUs.
  • the server 100 can generate the ECU temporary key after the diagnostic instrument is authenticated.
  • the ECU temporary key may also be called the first key.
  • after the diagnostic instrument passes the authentication, the server 100 sends the ECU temporary key to the diagnostic instrument 200.
  • the server 100 sends the ECU temporary key to the diagnostic instrument 200.
  • the diagnostic instrument 200 receives the ECU temporary key sent by the server 100.
  • the server 100 can store the ECU temporary key in an authorization file, and after passing the authentication, send the authorization file carrying the ECU temporary key to the diagnostic instrument 200 .
  • the server 100 can prove the legitimacy of the ECU temporary key through other parameters in the authorization file.
  • step S303 is changed to the server 100 sending the authorization file to the diagnostic instrument 200 after passing the authentication.
  • the authorization file may include: the ECU temporary key, an expiration parameter and a signature.
  • the expiration parameter is used to indicate the validity time of the ECU temporary key.
  • the signature can be a signature obtained by the server 100 using its private key to digitally sign the ECU temporary key and the expiration parameter. The signature is used to prove the legitimacy of the ECU temporary key and the expiration parameter, that is, that they originate from the server 100 and have not been tampered with by a third party.
  • the authorization file may also include one or more of the following parameters: vehicle information, public key.
  • the signature in the authorization file can be a signature obtained by digitally signing the ECU temporary key and one or more of the above parameters.
  • vehicle information is used to indicate the target vehicle diagnosed by the diagnostic instrument.
  • the vehicle information may be the VIN code of the vehicle 300 .
  • the public key is the public key required to decrypt the signature in the authorization file, and the public key and the private key used for signature by the server 100 form a key pair.
  • the diagnostic instrument 200 can use the public key to authenticate the signature to determine the legitimacy of the ECU temporary key.
  • placing vehicle information in the authorization file can prevent attackers from using ECU keys in other vehicles to authenticate the secure access process of the ECU in this vehicle, and improve the reliability of ECU secure access authentication.
  • the public key used to verify the signature in the authorization file can also be preset in the diagnostic instrument 200 in advance.
  • the embodiment of the present application does not limit the way in which the diagnostic instrument 200 obtains the public key.
  • the authorization file may also include other parameters, which are not limited in the embodiments of this application.
  • the diagnostic instrument 200 sends the ECU temporary key to the on-board KMS in the vehicle 300.
  • the diagnostic instrument 200 sends the ECU temporary key to the vehicle 300 , specifically, to the on-board KMS in the vehicle 300 .
  • the vehicle 300 determines that the diagnostic device 200 is legal, it receives the ECU temporary key sent by the diagnostic device 200 .
  • the diagnostic instrument 200 sends the ECU temporary key to the vehicle 300 when the vehicle 300 determines that the diagnostic instrument 200 is legitimate. This can prevent an attacker from pretending to be the diagnostic instrument 200 and sending a forged ECU temporary key to the vehicle 300.
  • the diagnostic instrument 200 can send the ECU temporary key to the vehicle 300 in the following two ways:
  • the diagnostic instrument 200 can first prove its legitimacy to the vehicle 300, and then send the ECU temporary key to the vehicle 300.
  • the diagnostic instrument 200 can prove the legitimacy of the diagnostic instrument 200 to the vehicle 300 based on the 29 service in the UDS protocol, hereinafter referred to as the UDS 29 service, and then send the ECU temporary key to the vehicle 300 based on the UDS 38 service.
  • UDS 29 service is a service defined in the UDS protocol for proving identity to the other party.
  • the diagnostic instrument 200 can perform authentication through the UDS 29 service using a digital certificate preset in the diagnostic instrument 200, such as an OEM certificate. The UDS 38 service is a service defined in the UDS protocol for delivering files.
  • the diagnostic instrument 200 directly sends the ECU temporary key to the vehicle 300 through a trusted channel.
  • the diagnostic instrument 200 may send the ECU temporary key to the vehicle 300 based on the 04 subservice in the UDS 29 service, hereinafter referred to as the UDS 29 04 service.
  • the UDS 29 04 service is a service defined in the UDS protocol for sending a file representing an identity to the other party.
  • the file is a digital certificate of the diagnostic instrument 200.
  • the diagnostic instrument 200 can send the ECU temporary key to the vehicle 300 as the file representing its identity.
  • the diagnostic instrument 200 can also use other methods to send the ECU temporary key to the vehicle 300 while being able to prove its identity. For example, the diagnostic instrument 200 and the vehicle 300 both predetermine a random number; if the random number received by the vehicle 300 from the diagnostic instrument 200 is the random number agreed upon by both parties, the diagnostic instrument 200 is determined to be a trusted device. Or the diagnostic instrument 200 uses its private key to encrypt the ECU temporary key and sends it to the vehicle 300, etc. The embodiment of the present application does not limit the way in which the diagnostic instrument 200 sends the ECU temporary key.
  • In some embodiments, step S305 is for the diagnostic instrument 200 to send the authorization file to the on-board KMS in the vehicle 300; the diagnostic instrument 200 can authenticate first and then send it.
  • The legitimacy of the authorization file is also verified through the signature carried in the authorization file.
  • For the authorization file, please refer to the relevant content of the aforementioned step S304, which will not be described again here.
  • The diagnostic instrument 200 sends a security access request (Security Access Request) to the vehicle 300, specifically to the on-board KMS in the vehicle 300. Correspondingly, the vehicle 300 receives the security access request sent by the diagnostic instrument 200.
  • The diagnostic instrument 200 sends the security access request to the vehicle 300 based on the UDS protocol, and the request may carry a diagnostic service identifier (SID) of the UDS protocol.
  • The SID identifies the diagnostic service that the diagnostic instrument 200 initiates towards the vehicle 300; here the SID is 27 (0x27).
  • The diagnostic service initiated by the diagnostic instrument 200 to the vehicle 300 is therefore the security access service, that is, the UDS 27 service, which provides a way to access controlled resources in the vehicle or to perform fault diagnosis.
  • The security access request is used to request permission to access resources of ECU1 in the vehicle 300 or to perform fault diagnosis on ECU1.
  • In practice, the diagnostic instrument 200 does not address the security access request to the on-board KMS in the vehicle 300: it sends the security access request to ECU1 in the vehicle 300.
  • The on-board KMS intercepts the data exchanged between the diagnostic instrument 200 and ECU1 and acts as a "bridge" for their communication. Therefore, the on-board KMS intercepts the UDS 27 service message (that is, the security access request) that the diagnostic instrument 200 sends to ECU1, and uses the ECU temporary key to complete the security access authentication with the diagnostic instrument 200, as described in steps S306-S311 below.
  • The security access request directed to ECU1 may also be called a first security access request, and the security access request directed to ECU2 may also be called a third security access request: the first security access request is used to request access to ECU1, and the third security access request is used to request access to ECU2.
  • The on-board KMS in the vehicle 300 generates a seed.
  • In response to the security access request sent by the diagnostic instrument 200, the vehicle 300 generates a seed (Seed); specifically, the seed is generated by the on-board KMS and can be a random number generated by the on-board KMS. This seed may also be called the first seed.
  • The on-board KMS in the vehicle 300 sends the seed to the diagnostic instrument 200, and correspondingly the diagnostic instrument 200 receives the seed sent by the vehicle 300.
  • The diagnostic instrument 200 uses the ECU temporary key to encrypt the seed; the ciphertext obtained by encrypting the seed can be called the key (Security Key).
  • The on-board KMS in the vehicle 300 likewise uses the ECU temporary key to encrypt the seed.
  • Steps S308 and S309 thus have both the diagnostic instrument 200 and the vehicle 300 encrypt the seed with the ECU temporary key obtained in advance, using the same key algorithm.
  • The key algorithm can be an algorithm agreed in advance between the diagnostic instrument 200 and the vehicle 300, for example the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), or the Advanced Encryption Standard (AES). (DES, with its 56-bit key, is no longer considered secure; AES is the usual choice today.)
  • The diagnostic instrument 200 can agree on the key algorithm with the vehicle 300 after passing authentication, or the key algorithm can be imported manually into the diagnostic instrument 200 and the vehicle 300 by the developer; the embodiment of the present application does not limit the method and timing by which the diagnostic instrument 200 and the vehicle 300 obtain the key algorithm.
  • The diagnostic instrument 200 and the vehicle 300 must use the ECU temporary key to encrypt the seed within the first period; beyond the first period the ECU temporary key becomes invalid, which limits the harm caused by leakage of the ECU temporary key.
  • The diagnostic instrument 200 sends the encrypted seed to the vehicle 300, specifically to the on-board KMS in the vehicle 300, and correspondingly the vehicle 300 receives the encrypted seed sent by the diagnostic instrument 200.
  • When the diagnostic instrument 200 sends the encrypted seed, it is not aware of the actual recipient: it addresses the encrypted seed to ECU1, and the on-board KMS intercepts it in transit.
  • The on-board KMS in the vehicle 300 determines whether the received encrypted seed is consistent with the local encrypted seed.
  • That is, the vehicle 300 determines, through the on-board KMS, whether the received encrypted seed (for example, the first seed encrypted with the third key) is consistent with the local encrypted seed (for example, the first seed encrypted with the first key). Here the local encrypted seed refers to the seed encrypted by the on-board KMS in the vehicle 300 itself. By comparing the received encrypted seed with the local encrypted seed, the on-board KMS can determine whether the diagnostic instrument 200 has the authority to access the resources of the ECU (for example, ECU1) or to perform fault diagnosis on the ECU.
  • If the two are consistent, the on-board KMS determines that the diagnostic instrument 200 has the authority to access the resources of the ECU (for example, ECU1) or to perform fault diagnosis on the ECU, that is, it has the authority to access ECU1.
  • The vehicle 300 then sends a security access request to ECU1 in the vehicle 300 through the on-board KMS. Like the security access request in step S305, this security access request is used by the diagnostic instrument 200 to request permission to access the resources of ECU1 in the vehicle 300 or to perform fault diagnosis on ECU1; for its content, please refer to the description of the security access request in step S305, which will not be described again here.
  • ECU1 is not aware of the sender of the security access request. It still generates and sends a seed in response to the security access request according to the existing diagnostic process between a diagnostic instrument and an ECU, and uses the ECU key to encrypt the seed; see subsequent steps S313-S319. This design takes into account that the vehicle may include ECUs produced by multiple manufacturers: implementing the vehicle security access method provided by the embodiment of the present application does not require adaptation of the ECU, sparing developers the trouble of coordinating with different manufacturers to change the configuration of the ECU, and thereby increasing the feasibility of implementing this method on vehicles.
  • The security access request sent by the on-board KMS to ECU1 may also be called a second security access request.
  • ECU1 in the vehicle 300 generates a seed.
  • In response to the security access request sent by the on-board KMS, ECU1 generates a seed (Seed), which can be a random number generated by ECU1. This seed may also be called the second seed.
  • ECU1 in the vehicle 300 sends the seed to the on-board KMS.
  • ECU1 in the vehicle 300 addresses the seed to the diagnostic instrument 200, and the on-board KMS intercepts the seed sent by ECU1 to the diagnostic instrument 200, so in effect ECU1 sends the seed to the on-board KMS.
  • The on-board KMS in the vehicle 300 uses the ECU key to encrypt the seed; the ciphertext obtained by encrypting the seed can be called the key (Security Key).
  • ECU1 in the vehicle 300 likewise encrypts the seed using the ECU key.
  • Similar to steps S308-S309, the on-board KMS and ECU1 in the vehicle 300 use the same key algorithm to encrypt the seed. The difference is that the encryption in steps S308-S309 uses the ECU temporary key, while the encryption in steps S315-S316 uses the ECU key.
  • The key algorithm used by the on-board KMS and ECU1 may be the same as or different from the key algorithm used by the diagnostic instrument 200 and the vehicle 300 in the above steps S308-S309; the embodiment of the present application does not limit this.
  • The on-board KMS sends the encrypted seed to ECU1, and correspondingly ECU1 receives the encrypted seed sent by the on-board KMS.
  • ECU1 in the vehicle 300 determines whether the received encrypted seed is consistent with the local encrypted seed, where the local encrypted seed refers to the seed encrypted by ECU1 itself.
  • ECU1 in the vehicle 300 sends indication information indicating that the security access authentication has passed to the diagnostic instrument 200.
  • If the two encrypted seeds are consistent, ECU1 determines that the diagnostic instrument 200 has the authority to access the resources of the ECU (for example, ECU1) or to perform fault diagnosis on the ECU.
  • ECU1 in the vehicle 300 then sends the indication information (for example, the first message) indicating that the security access authentication has passed to the diagnostic instrument 200, meaning that the vehicle 300 has determined that the diagnostic instrument 200 has the authority to access the controlled resources of ECU1 or to diagnose ECU1. Afterwards, the diagnostic instrument 200 can access the controlled resources on ECU1 or perform fault diagnosis on ECU1.
  • ECU1 in the vehicle 300 can send the indication information directly to the diagnostic instrument 200, or the on-board KMS can intercept the indication information sent by ECU1 and forward it to the diagnostic instrument 200.
  • The diagnostic instrument 200 sends a diagnosis request to ECU1 in the vehicle 300.
  • The diagnostic instrument 200 can initiate diagnosis of the target ECU, that is, ECU1, where the diagnosis request is used to trigger access to resources in ECU1 or to trigger fault diagnosis of ECU1; in other words, the diagnosis request is used to request diagnostic data in ECU1.
  • The diagnosis request can carry a diagnostic service identifier (SID) of the UDS protocol. The SID identifies the diagnostic service that the diagnostic instrument initiates towards the vehicle, so ECU1 can determine from the SID which diagnostic service the diagnostic instrument 200 has initiated and return the diagnostic data required for that service.
  • The diagnostic instrument 200 can send the diagnosis request directly to ECU1, or the on-board KMS can intercept the diagnosis request and send it on to ECU1.
  • The diagnosis request for ECU1 may also be called a first diagnosis request, and the diagnosis request for ECU2 may also be called a second diagnosis request; the first diagnosis request is used to request the diagnostic data of ECU1, and the second diagnosis request is used to request the diagnostic data of ECU2.
  • ECU1 in the vehicle 300 sends the diagnostic data to the diagnostic instrument 200.
  • ECU1 looks up the diagnostic data requested by the diagnosis request and sends the diagnostic data to the diagnostic instrument 200.
  • ECU1 in the vehicle 300 can send the diagnostic data directly to the diagnostic instrument 200, or the on-board KMS can intercept the diagnostic data sent by ECU1 and forward it to the diagnostic instrument 200.
  • Steps S305-S311 are the security access authentication process outside the vehicle described above, in which the diagnostic instrument 200 and the vehicle 300 authenticate using the ECU temporary key.
  • Steps S312-S318 are the security access authentication process inside the vehicle described above, in which the on-board KMS and ECU1 in the vehicle 300 authenticate using the ECU key.
  • The on-board KMS thus intervenes in the security access authentication between the diagnostic instrument and the ECU, so that the diagnostic instrument and the ECU hold different keys, which limits the impact of a key leak: a leaked ECU temporary key expires after the first period, and the ECU key itself is never handed to the diagnostic instrument.
  • In some embodiments, the diagnostic instrument may no longer hold any key for security access authentication at all. In that case, the diagnostic instrument no longer initiates a security access request to the vehicle through the UDS 27 service, but directly initiates a diagnosis request. That is to say, the security access authentication is no longer performed outside the vehicle, while the security access authentication inside the vehicle is retained.
  • Phase two mainly includes the following steps.
  • The server 100 and the diagnostic instrument 200 complete the diagnostic instrument authentication.
  • Before the diagnostic instrument 200 diagnoses the vehicle 300, the diagnostic instrument 200 needs to authenticate to the server 100 to prove the legitimacy of its identity, for example by sending the digital certificate of the diagnostic instrument 200 to the server 100.
  • For the specific content of the authentication process, please refer to the aforementioned step S301, which will not be described again here.
  • The server 100 may send indication information that the authentication has passed to the diagnostic instrument 200, after which the diagnostic instrument 200 authenticates to the vehicle 300.
  • Step S401 is an optional step: the diagnostic instrument 200 can trigger the diagnosis directly after the vehicle 300 has authenticated the diagnostic instrument, and the embodiment of the present application does not limit this.
  • The diagnostic instrument 200 and the on-board KMS in the vehicle 300 complete the diagnostic instrument authentication.
  • After the diagnostic instrument 200 passes the diagnostic instrument authentication with the server 100, the diagnostic instrument 200 authenticates again to the vehicle 300 to prove the legitimacy of its identity, for example by sending the digital certificate of the diagnostic instrument 200 to the vehicle 300.
  • The vehicle 300 may send indication information that the authentication has passed to the diagnostic instrument 200.
  • The diagnostic instrument 200 sends the diagnosis request to the on-board KMS in the vehicle 300.
  • The diagnostic instrument 200 may send a diagnosis request to the vehicle 300, where the diagnosis request is used to request the diagnostic data of ECU1.
  • The diagnostic instrument 200 addresses the diagnosis request to ECU1, but the on-board KMS intercepts the diagnosis request sent by the diagnostic instrument 200 to ECU1 in transit. Therefore, after the authentication is passed, the diagnosis request from the diagnostic instrument 200 in effect reaches the on-board KMS.
  • In step S403 the diagnostic instrument 200 skips the UDS 27 service, directly initiates a diagnostic service towards ECU1, and requests the diagnostic data of ECU1. In this way, the diagnostic instrument 200 no longer holds any key for security access authentication, which removes the possibility of the diagnostic instrument leaking the ECU key.
  • After obtaining the diagnosis request, the on-board KMS sends a security access request to ECU1. This security access request is used to request a seed.
  • For the security access request, please refer to the relevant content of the aforementioned step S305 or S312, which will not be described again here.
  • The on-board KMS still retains the security access authentication process before diagnosis, so that ECU1 still operates according to the sequence of authentication first, then diagnosis. This avoids changing the ECU configuration and increases the feasibility of implementing this solution on the vehicle.
  • ECU1 in vehicle 300 generates a seed.
  • ECU1 in vehicle 300 sends the seed to the vehicle KMS.
  • the on-board KMS in the vehicle 300 uses the ECU key to encrypt the seed.
  • ECU1 in vehicle 300 encrypts the seed using the ECU key.
  • the ECU 1 in the vehicle 300 determines whether the received encrypted seed is consistent with the local encrypted seed.
  • steps S405-S410 are the same as the aforementioned steps S313-S318, and may be referenced accordingly, and will not be described again here.
  • ECU1 in the vehicle 300 sends the indication information indicating that the security access authentication has passed to the on-board KMS.
  • ECU1 addresses the indication information to the diagnostic instrument 200, but the on-board KMS intercepts it in transit, so in effect ECU1 sends the indication that the security access authentication has passed to the on-board KMS.
  • The on-board KMS in the vehicle 300 sends the diagnosis request to ECU1.
  • Once the on-board KMS learns that the security access authentication has passed, it can forward the diagnosis request sent by the diagnostic instrument 200 to ECU1.
  • ECU1 in the vehicle 300 sends the diagnostic data to the diagnostic instrument 200.
  • ECU1 looks up the diagnostic data requested by the diagnosis request and sends the diagnostic data to the diagnostic instrument 200.
  • ECU1 in the vehicle 300 can send the diagnostic data directly to the diagnostic instrument 200, or the on-board KMS can intercept the diagnostic data sent by ECU1 and forward it to the diagnostic instrument 200.
  • In phase two, the diagnostic instrument can directly initiate a diagnosis request to the target ECU in the vehicle after passing the dual authentication with the server and the vehicle.
  • The vehicle first uses the ECU key to complete the security access authentication with the target ECU, and only after the authentication passes is the diagnosis request answered and the diagnostic data sent to the diagnostic instrument.
  • The diagnostic instrument no longer holds any key for security access authentication, which removes the possibility of the diagnostic instrument leaking the key, improves the reliability of the security access authentication between the diagnostic instrument and the ECU, and enhances vehicle security.
  • FIG. 7 is a schematic structural diagram of a vehicle 300 provided by an embodiment of the present application.
  • The vehicle 300 includes: a controller area network (CAN) bus 11, multiple electronic control units (ECUs), an engine 13, a telematics box (T-box) 14, a transmission 15, a driving recorder 16, an antilock brake system (ABS) 17, a sensor system 18, a camera system 19, a microphone 20, and so on.
  • The CAN bus 11 is a serial communication network that supports distributed control or real-time control and is used to connect the various components of the vehicle 300. Any component on the CAN bus 11 can monitor all data transmitted on the CAN bus 11, which is also why the seed and encrypted seed exchanged in the security access steps above are visible to every node on the bus and must not reveal the key.
  • The frames transmitted on the CAN bus 11 can include data frames, remote frames, error frames, and overload frames; different frame types carry different kinds of data.
  • The CAN bus 11 can be used to transmit the data exchanged between the various components in the control method based on voice instructions. For the specific implementation of this method, please refer to the detailed description of the method embodiment below.
  • The components of the vehicle 300 can also be connected and communicate through other means, for example through vehicle Ethernet, a local interconnect network (LIN) bus, FlexRay, or a media oriented systems transport (MOST) bus.
  • The ECU is equivalent to the processor or brain of the vehicle 300 and is used to instruct the corresponding components to perform corresponding actions according to instructions obtained from the CAN bus 11 or operations input by the user.
  • An ECU can be composed of a security chip, a microcontroller unit (MCU), random access memory (RAM), read-only memory (ROM), input/output interfaces (I/O), an analog/digital converter (A/D converter), and large-scale integrated circuits for input and output, signal shaping, driving, and so on.
  • There are many types of ECUs, and different types of ECUs implement different functions.
  • The ECU may also store data generated by other functional modules in the vehicle 300, such as the ECU key generated by the on-board KMS.
  • As the diagnostic object of the diagnostic instrument 200, the ECU can communicate with the diagnostic instrument 200 based on the UDS protocol, complete the security access authentication process with the diagnostic instrument 200, and, after the authentication passes, send diagnostic data to the diagnostic instrument 200 according to the diagnosis request sent by the diagnostic instrument 200.
  • The multiple ECUs in the vehicle 300 may include, for example: an engine ECU 121, a telematics box (T-box) ECU 122, a transmission ECU 123, a driving recorder ECU 124, an antilock brake system (ABS) ECU 125, and so on.
  • The engine ECU 121 is used to manage the engine 13 and coordinate its various functions; for example, it can be used to start and shut down the engine.
  • The engine 13 is the device that powers the vehicle 300: a machine that converts some form of energy into mechanical energy. The engine of the vehicle 300 may burn the chemical energy of a liquid or gaseous fuel, or convert electrical energy, into mechanical energy and output power.
  • The engine components can include two major mechanisms, the crank connecting rod mechanism and the valve mechanism, as well as five major systems: cooling, lubrication, ignition, energy supply, and starting. The main parts of the engine include the cylinder block, cylinder head, piston, piston pin, connecting rod, crankshaft, flywheel, and so on.
  • The T-box ECU 122 is used to manage the T-box 14.
  • The T-box 14 is mainly responsible for communicating with the Internet and provides the remote communication interface of the vehicle 300, including navigation, entertainment, driving data collection, driving trajectory recording, vehicle fault monitoring, vehicle remote query and control (such as locking and unlocking, air conditioning control, window control, engine torque limiting, engine start and stop, seat adjustment, checking battery charge, fuel level, door status, and so on), driving behavior analysis, wireless hotspot sharing, roadside assistance, abnormality reminders, and other services.
  • The T-box 14 can communicate with the telematics service provider (TSP) and with user-side (for example, driver-side) electronic devices to display and control the vehicle status on those electronic devices.
  • The user-side electronic device sends a control command to the T-box 14; after obtaining the control command, the T-box 14 sends a control message through the CAN bus 11 to control the vehicle 300, and finally feeds the result of the operation back to the vehicle management application on the user-side electronic device.
  • The data read by the T-box 14 through the CAN bus 11 can be transmitted over the network to the TSP back-end system, which forwards it to the user-side electronic device for the user to view.
  • The T-box 14 may specifically include a communication module and a display screen.
  • The communication module can be used to provide wireless communication functions so that the vehicle 300 can communicate through wireless local area network (WLAN) (such as a wireless fidelity (Wi-Fi) network), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR), ultra-wideband (UWB), and so on.
  • The communication module can also be used to provide mobile communication functions so that the vehicle 300 can communicate with other devices through the global system for mobile communications (GSM), universal mobile telecommunications system (UMTS), wideband code division multiple access (WCDMA), time-division synchronous code division multiple access (TD-SCDMA), long term evolution (LTE), 5G, 6G, and other communication technologies that will appear in the future.
  • The communication module can establish connections and communicate with other devices such as servers and user-side electronic devices through vehicle to everything (V2X) communication technology based on cellular networks (cellular V2X, C-V2X). C-V2X may include, for example, V2X based on long term evolution (LTE-V2X), 5G-V2X, and so on.
  • The communication module may be used to implement communication between the vehicle 300 and a server such as the server 100, for example to send the vehicle key of the vehicle 300 to the server 100 or to receive the vehicle key sent by the server 100.
  • The display screen is used to provide a visual interface to the driver.
  • The vehicle 300 may include one or more display screens, for example a vehicle-mounted display screen in front of the driver's seat, a display screen above the seats for displaying the surrounding conditions, and a head-up display (HUD) that projects information onto the windshield.
  • The T-box 14 may also be called a vehicle-machine system, a telematics processor, a vehicle gateway, and so on; the embodiments of this application do not limit this.
  • The transmission ECU 123 is used to manage the transmission 15.
  • The transmission 15 can be used to change the engine speed and torque: it can fix or change the transmission ratio between the output shaft and the input shaft in stages.
  • The components of the transmission 15 may include a speed-change transmission mechanism, a control mechanism, a power output mechanism, and so on. The main function of the speed-change transmission mechanism is to change the value and direction of torque and rotational speed; the main function of the control mechanism is to control the transmission mechanism to change the transmission ratio, that is, to shift gears, in order to vary speed and torque.
  • The driving recorder ECU 124 is used to manage the driving recorder 16.
  • The driving recorder 16 is an instrument that records the images and sounds of the vehicle during driving, together with related information such as driving time, speed, and location. Its components may include a host computer, a vehicle speed sensor, data analysis software, and so on; the vehicle speed sensor collects the wheel speed and sends the vehicle speed information to the driving recorder 16 through the CAN bus 11.
  • The ABS ECU 125 is used to manage the ABS 17.
  • When the vehicle brakes, the ABS 17 automatically controls the braking force so that the wheels are not locked but remain in a rolling-and-sliding state, ensuring maximum adhesion between the wheels and the ground; in this state the ABS enters the anti-lock brake pressure adjustment process.
  • the sensor system 18 may include: an acceleration sensor, a vehicle speed sensor, a vibration sensor, a gyroscope sensor, a radar sensor, a signal transmitter, a signal receiver, etc.
  • the acceleration sensor and the vehicle speed sensor are used to detect the speed of the vehicle 300 .
  • the shock sensor can be disposed under the seat, on the seat belt, on the seat back, on the operating panel, on the airbag or in other locations to detect whether the vehicle 300 is collided and where the user is.
  • a gyro sensor may be used to determine the motion attitude of vehicle 300 .
  • Radar sensors can include lidar, ultrasonic radar, millimeter wave radar, etc.
  • the radar sensor is used to emit electromagnetic waves to illuminate the target and receive its echo, thereby obtaining information such as the distance from the target to the electromagnetic wave emission point, distance change rate (radial velocity), orientation, altitude, etc., thereby identifying other vehicles near the vehicle 300 , pedestrians or roadblocks, etc.
  • the signal transmitter and signal receiver are used to send and receive signals.
  • the signals can be used to detect the location of the user.
  • the signals can be, for example, ultrasonic waves, millimeter waves, lasers, etc.
  • Camera system 19 may include multiple cameras for capturing still images or video.
  • the cameras in the camera system 19 can be set in front, behind, side, or inside the car to facilitate functions such as assisted driving, driving recording, panoramic view, and in-car monitoring.
  • the sensor system 18 and the camera system 19 can be used to detect the surrounding environment to facilitate the vehicle 300 to make corresponding decisions to respond to environmental changes. For example, they can be used to complete the task of paying attention to the surrounding environment during the autonomous driving phase.
  • Microphone 20, also called a "mic" or "sound pickup", is used to convert sound signals into electrical signals. When making a call or issuing a voice command, the user can speak close to the microphone 20 to input the sound signal.
  • the vehicle 300 may be provided with at least one microphone 20 . In other embodiments, the vehicle 300 may be provided with two microphones 20, which in addition to collecting sound signals, may also implement a noise reduction function. In other embodiments, the vehicle 300 can also be equipped with three, four or more microphones 20 to form a microphone array to collect sound signals, reduce noise, identify sound sources, and implement directional recording functions, etc.
  • the vehicle 300 may also include multiple interfaces, such as a USB interface, an RS-232 interface, an RS485 interface, etc., and may be connected to external cameras, microphones, headphones, and user-side electronic devices.
  • the microphone 20 may be used to detect voice instructions input by the user.
  • the sensor system 18, the camera system 19, the T-box 14, etc. can be used to obtain the character information of the user who inputs the voice command.
  • the T-box ECU 122 can be used to determine whether the current user has the permission corresponding to the voice command based on the role information. Only if the user has the permission, the T-box ECU 122 dispatches the corresponding components in the vehicle 300 to respond to the voice command.
  • Vehicle 300 may include more or fewer components than illustrated, some components combined, some components separated, or different component arrangements.
  • the components illustrated may be implemented in hardware, software, or a combination of software and hardware.
  • the vehicle 300 may also include a separate memory, battery, lights, wipers, instrument panel, audio, a vehicle terminal (transmission control unit, TCU), an auxiliary control unit (ACU), an intelligent entry and starting system (passive entry passive start, PEPS), an on-board unit (OBU), a body control module (BCM), a charging interface, etc.
  • the on-board KMS (not shown in the figure) in the vehicle 300 is used to monitor and intercept the communication data between the diagnostic instrument and the ECU, to send data to the diagnostic instrument or the ECU, and to carry out the security access authentication between the diagnostic instrument and the ECU.
  • the on-board KMS can intercept the security access request sent by the diagnostic instrument 200 to ECU1 and perform security access authentication with the diagnostic instrument 200 based on that request. After the authentication passes, the on-board KMS can forward the security access request to ECU1 and then perform security access authentication with ECU1, and so on.
  • the on-board KMS mentioned in the embodiments of this application can be a single hardware device in the vehicle 300 that implements the above functions, or a hardware cluster, a chip system, etc. that implements them.
  • the embodiments of this application do not limit this.
  • FIG. 8 is a schematic structural diagram of an electronic device 400 provided by an embodiment of the present application.
  • the electronic device 400 may include: one or more processors 201, memory 202, communication interface 203, transmitter 205, receiver 206, coupler 207 and antenna 208. These components can be connected through the bus 204 or in other ways; Figure 8 takes the bus connection as an example. Of these:
  • the communication interface 203 can be used for communication between the electronic device 400 and other communication devices.
  • the communication interface 203 may be a 3G communication interface, a Long Term Evolution (LTE) (4G) communication interface, a 5G communication interface, a WLAN communication interface, a WAN communication interface, etc.
  • the electronic device 400 can also be configured with a wired communication interface 203 to support wired communication.
  • when the electronic device 400 is a diagnostic instrument, the electronic device 400 and the vehicle can communicate through a wired connection.
  • transmitter 205 and receiver 206 may be viewed as a wireless modem.
  • the transmitter 205 can be used to transmit the signal output by the processor 201.
  • Receiver 206 may be used to receive signals.
  • the number of the transmitter 205 and the receiver 206 may be one or more.
  • Antenna 208 may be used to convert electromagnetic energy in the transmission line into electromagnetic waves in free space, or to convert electromagnetic waves in free space into electromagnetic energy in the transmission line.
  • the coupler 207 can be used to split the mobile communication signal into multiple channels and distribute them to multiple receivers 206 . It can be understood that the antenna 208 of the electronic device 400 can be implemented as a large-scale antenna array.
  • Memory 202 is coupled to processor 201 for storing various software programs and/or sets of instructions.
  • the memory 202 may include high-speed random access memory, and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices or other non-volatile solid-state storage devices.
  • the memory 202 can store an operating system (hereinafter referred to as the system), such as uCOS, VxWorks, RTLinux or another embedded operating system.
  • the processor 201 may be used to read and execute computer-readable instructions.
  • the processor 201 can be used to generate keys according to a key algorithm, including: vehicle keys, ECU temporary keys, etc., and derive the ECU key from the vehicle key according to the key derivation algorithm.
  • the transmitter 205 can be used to send vehicle keys, or ECU temporary keys, etc.
  • the receiver 206 may be used to receive a vehicle key, a digital certificate of the diagnostic instrument, or the like.
  • the memory 202 may be used to store key algorithms, key derivation algorithms, as well as vehicle keys, ECU temporary keys, and the like.
  • the processor 201 can be used to encrypt the seed using the ECU temporary key.
  • the transmitter 205 may be used to send secure access requests or diagnostic requests, encrypted seeds, and so on.
  • the receiver 206 may be configured to receive seeds, information indicating that security access authentication has passed, diagnostic data, and the like.
  • Memory 202 may be used to store key algorithms, diagnostic data for the vehicle, and the like.
  • when the electronic device 400 is the diagnostic instrument 200, the electronic device 400 may also include a display screen for displaying vehicle fault information.
  • each step in the above method embodiment can be completed by an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the method steps disclosed in conjunction with the embodiments of this application can be directly implemented by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • This application also provides an electronic device, which may include a memory and a processor.
  • the memory can be used to store computer programs; the processor can be used to call the computer program in the memory, so that the electronic device executes the method executed by the server 100, the diagnostic instrument 200 or the vehicle 300 in any of the above embodiments.
  • This application also provides a chip system, which includes at least one processor for implementing the functions involved in the method performed by the server 100, the diagnostic instrument 200, or the vehicle 300 in any of the above embodiments.
  • the chip system further includes a memory, the memory is used to store program instructions and data, and the memory is located within the processor or outside the processor.
  • the chip system can be composed of chips or include chips and other discrete devices.
  • there may be one or more processors in the chip system.
  • the processor can be implemented in hardware or software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor implemented by reading software code stored in memory.
  • the memory may be integrated with the processor or may be provided separately from the processor, which is not limited by the embodiments of the present application.
  • the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or provided separately on a different chip.
  • the embodiments of this application do not specifically limit the type of memory or the arrangement of the memory and the processor.
  • the chip system can be a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
  • the present application also provides a computer program product.
  • the computer program product includes a computer program (which may also be called code or instructions).
  • when the computer program is run, it causes the computer to execute the method executed by any one of the server 100, the diagnostic instrument 200 or the vehicle 300 in any of the above embodiments.
  • This application also provides a computer-readable storage medium that stores a computer program (which may also be called code or instructions).
  • when the computer program is run, it causes the computer to execute the method executed by any one of the server 100, the diagnostic instrument 200 or the vehicle 300 in any of the above embodiments.
  • the processor in the embodiment of the present application may be an integrated circuit chip with signal processing capabilities.
  • each step of the above method embodiment can be completed through an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the above-mentioned processor can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present application can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other mature storage media in this field.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the embodiment of the present application also provides a device.
  • the device may specifically be a component or module, and the device may include one or more connected processors and memories. Among them, memory is used to store computer programs. When the computer program is executed by one or more processors, the device is caused to execute the methods in each of the above method embodiments.
  • the devices, computer-readable storage media, computer program products or chips provided by the embodiments of the present application are all used to execute the corresponding methods provided above. Therefore, the beneficial effects it can achieve can be referred to the beneficial effects in the corresponding methods provided above, and will not be described again here.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line) or wireless (such as infrared, radio, microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more available media integrated.
  • the available media may be magnetic media (eg, floppy disk, hard disk, magnetic tape), optical media (eg, DVD), or semiconductor media (eg, solid state disk (SSD)), etc.


Abstract

Disclosed in the present application are a secure access method and system for a vehicle, and a related apparatus. In the method, a diagnosis instrument and an ECU of a vehicle no longer hold the same key for secure access authentication, or, the diagnosis instrument no longer holds the key for secure access authentication, thereby reducing or eliminating the possibility of the diagnosis instrument leaking the key, improving the reliability of the diagnosis instrument and the ECU of the vehicle for performing secure access authentication, and improving the security of the vehicle.

Description

Vehicle secure access method, system and related apparatus
This application claims priority to the Chinese patent application filed with the China Patent Office on August 8, 2022, with application number 202210945002.2 and the title "Vehicle Secure Access Method, System and Related Apparatus", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of the Internet of Vehicles, and in particular to vehicle secure access methods, systems and related apparatus.
Background
An automobile fault diagnostic instrument (diagnostic instrument for short) is a portable, intelligent self-diagnosis tool for detecting vehicle faults. With it, a user can quickly read the faults recorded in the vehicle's electronic control system, display the fault information on a screen, and rapidly identify where and why the fault occurred.
Unified Diagnostic Services (UDS) is the standardized specification for diagnostic services and the communication protocol a diagnostic instrument uses when diagnosing a vehicle's electronic control units (ECUs). During diagnosis, the diagnostic instrument sends the vehicle ECU a request carrying a diagnostic service defined by the UDS protocol; the vehicle ECU responds according to that service, and the response it sends to the diagnostic instrument carries the ECU's diagnostic data.
In general, the UDS protocol provides the basic framework for diagnostic services. Performing fault diagnosis over UDS simplifies the development of production-line test equipment and also facilitates after-sales maintenance and the implementation of Internet-of-Vehicles functions.
Summary of the invention
This application provides vehicle secure access methods, systems and related apparatus, which improve the reliability of the security access authentication performed before a diagnostic instrument diagnoses a vehicle ECU.
In a first aspect, embodiments of this application provide a vehicle secure access method applied to a vehicle that includes a first ECU. The vehicle stores a first key that is temporarily valid within a first period, and a second key belonging to the first ECU. The method includes: the vehicle receives a first security access request sent by a first device; within the first period, the vehicle uses the first key to verify whether the first device has permission to access the first ECU, where only a device that stores the first key has that permission; after determining that the first device has permission, the vehicle uses the second key to perform an authentication process inside the vehicle; the vehicle sends the first device a first message indicating that the vehicle has verified the first device; the vehicle receives a first diagnostic request sent by the first device; and in response to the first diagnostic request, the vehicle sends the first device the diagnostic data of the first ECU.
With the method of the first aspect, the diagnostic instrument that diagnoses the vehicle ECU and the ECU itself hold different keys for security access authentication: the diagnostic instrument uses the ECU temporary key, and the ECU uses the ECU key. As a result, even if an attacker steals the ECU key from the ECU, the attacker cannot impersonate the diagnostic instrument in security access authentication; and even if an attacker steals the ECU temporary key from the diagnostic instrument, that key is only valid for a limited period, so once the validity period has passed the attacker cannot pass the security access authentication between the diagnostic instrument and the ECU. This reduces the chance of an attacker passing security access authentication, improves the reliability of the authentication between the diagnostic instrument and the ECU, and enhances the security of the vehicle.
The diagnostic instrument can initiate security access authentication before it requests access to controlled resources in the ECU or needs to perform fault diagnosis on the ECU, and then request access to those controlled resources or perform the fault diagnosis.
With reference to the first aspect, in one implementation, the vehicle using the first key to verify whether the first device has permission to access the first ECU specifically includes: the vehicle generates a first seed and sends it to the first device; the vehicle receives the first seed encrypted by the first device using a third key; the vehicle checks whether the first seed encrypted with the third key matches the first seed encrypted with the first key; and if they match, the first device has permission to access the first ECU.
When both parties to the security access authentication have encrypted the seed with the same agreed key, the authentication passes; this prevents an attacker from forging a diagnostic instrument to steal ECU data.
With reference to the first aspect, in one implementation, the vehicle further includes a KMS, and the vehicle using the first key to verify whether the first device has permission to access the first ECU specifically includes: the vehicle generates the first seed through the KMS and sends it to the first device through the KMS; receives, through the KMS, the first seed encrypted by the first device using the third key; checks, through the KMS, whether the first seed encrypted with the third key matches the first seed encrypted with the first key; and if they match, the first device has permission to access the first ECU.
In the embodiments of this application, the on-board KMS in the vehicle intervenes in the security access authentication between the diagnostic instrument and the ECU: the on-board KMS "stands in" for the ECU to complete the security access authentication with the diagnostic instrument, so that the diagnostic instrument and the ECU can use different keys for security access authentication.
With reference to the first aspect, in one implementation, the first key is a key generated by a server managed and maintained by a manufacturer of the vehicle's components.
That is, the ECU temporary key can be generated by a trusted third party, which guarantees the trustworthiness of the source of the ECU temporary key.
With reference to the first aspect, in one implementation, before the vehicle receives the first security access request sent by the first device, the method further includes: the vehicle receives an authorization file sent by the first device, the authorization file including the first key, an expiry parameter, and a signature determined from the first key and the expiry parameter; the expiry parameter indicates the first period, and the signature shows that the first key and the expiry parameter in the authorization file were generated by a device the vehicle trusts.
The vehicle obtains the ECU temporary key by obtaining the authorization file. By checking the signature in the authorization file, the vehicle can determine whether an attacker tampered with the file's parameters, such as the ECU temporary key or the expiry parameter, while the diagnostic instrument was sending the file to the vehicle. This protects the trustworthiness of the ECU temporary key, and therefore of the security access authentication the vehicle performs with the diagnostic instrument using that key.
With reference to the first aspect, in one implementation, before the vehicle receives the authorization file sent by the first device, the method further includes: the vehicle receives a digital certificate sent by the first device, the digital certificate showing that the first device's identity is trusted; or, the vehicle receiving the authorization file sent by the first device specifically includes: the vehicle receives the authorization file sent by the first device through the UDS 2904 service, which is used to prove that the first device's identity is trusted.
To prevent the sender of the authorization file from being an attacker, the vehicle can verify the other party's identity before accepting the authorization file, and obtain the file only after confirming that the other party is a trusted diagnostic instrument. The diagnostic instrument can first prove its identity by sending a digital certificate to the vehicle and then send the authorization file, or it can send the authorization file to the vehicle directly through a trusted channel.
With reference to the first aspect, in one implementation, the authorization file further includes vehicle information that identifies the vehicle, and the signature is also determined from the vehicle information.
For example, the vehicle information may be the vehicle's VIN. Because the authorization file also identifies the vehicle currently being diagnosed, an attacker cannot use the ECU temporary key in security access authentication with other vehicles, which improves the reliability of the authentication.
With reference to the first aspect, in one implementation, the vehicle further includes a second ECU and also stores a fourth key belonging to the second ECU, and the method further includes: the vehicle receives a second security access request sent by the first device; within the first period, the vehicle uses the first key to verify whether the first device has permission to access the second ECU, where only a device that stores the first key has that permission; after determining that the first device has permission to access the second ECU, the vehicle uses the fourth key to perform an authentication process inside the vehicle; the vehicle sends the first device a second message indicating that the vehicle has verified the first device; the vehicle receives a second diagnostic request sent by the first device; and in response to the second diagnostic request, the vehicle sends the first device the diagnostic data of the second ECU.
That is, different ECUs use different ECU keys for security access authentication, while the diagnostic instrument can use a single ECU temporary key to complete the security access authentication required before diagnosing each of the vehicle's ECUs. Even though the ECU keys differ, the diagnostic instrument does not have to repeatedly obtain the key of each ECU it diagnoses. This addresses a weakness of most vehicles today, where ECUs of the same type in the same vehicle model share one ECU key, so that leaking the key of a single ECU defeats security access authentication for that ECU type across many vehicles, and it makes "different keys for different ECUs" practical to adopt across the industry.
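The following is an added worked example, not code from the patent or from its applicant, that models the first-aspect flow described above from the vehicle's side: the on-board KMS validates the signed authorization file (first key, expiry parameter, VIN), answers the diagnostic instrument's seed/key challenge with the temporary key, and only then runs the real seed/key exchange with the ECU using that ECU's own key, so the instrument never holds an ECU key and one temporary key covers every ECU. All keys, the VIN and the diagnostic payload are constructed placeholders, and the HMAC-SHA256 "signature" and seed transform are assumptions standing in for whatever algorithms the manufacturer's server and the ECUs actually use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample material, not taken from the patent. The HMAC-SHA256 "signature"
# and seed transform are stand-ins (assumptions) for whatever algorithms the parts
# manufacturer's server and the ECUs actually use.
SERVER_SIGNING_KEY = b"constructed-parts-manufacturer-server-key"
ECU_KEYS: Dict[str, bytes] = {"ECU1": b"constructed-ecu1-key", "ECU2": b"constructed-ecu2-key"}
TEMP_KEY = b"constructed-ecu-temporary-key"  # the first key; the diagnostic instrument holds only this
VIN = "CONSTRUCTEDVIN00001"


def encrypt_seed(key: bytes, seed: bytes) -> bytes:
    """Seed-to-key transform of the SID 0x27 exchange, modelled as HMAC-SHA256 (assumption)."""
    return hmac.new(key, seed, hashlib.sha256).digest()


@dataclass
class AuthorizationFile:
    temp_key: bytes    # first key, valid only during the first period
    expires_at: int    # expiry parameter: end of the first period, UNIX seconds
    vin: str           # vehicle information binding the file to one vehicle
    signature: bytes   # over temp_key, expires_at and vin, produced by the trusted server


def authorization_signature(temp_key: bytes, expires_at: int, vin: str, signing_key: bytes) -> bytes:
    msg = temp_key + expires_at.to_bytes(8, "big") + vin.encode()
    return hmac.new(signing_key, msg, hashlib.sha256).digest()


def issue_authorization(temp_key: bytes, expires_at: int, vin: str) -> AuthorizationFile:
    """Server side: the file the diagnostic instrument carries to the vehicle."""
    sig = authorization_signature(temp_key, expires_at, vin, SERVER_SIGNING_KEY)
    return AuthorizationFile(temp_key, expires_at, vin, sig)


class ECU:
    """Unmodified UDS-style ECU: unlocks only if the seed returns transformed with its own key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key, self.seed, self.unlocked = name, key, b"", False

    def request_seed(self) -> bytes:
        self.seed = os.urandom(16)
        return self.seed

    def send_key(self, candidate: bytes) -> bool:
        self.unlocked = hmac.compare_digest(encrypt_seed(self.key, self.seed), candidate)
        return self.unlocked

    def read_diagnostic_data(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("security access not granted")
        return b"constructed-diagnostic-data-" + self.name.encode()


class OnboardKMS:
    """Stands in for the ECU towards the instrument (temporary key), then runs the
    real seed/key exchange with the ECU using that ECU's own key."""

    def __init__(self, vin: str, server_key: bytes, ecu_keys: Dict[str, bytes], ecus: Dict[str, ECU]) -> None:
        self.vin, self.server_key, self.ecu_keys, self.ecus = vin, server_key, ecu_keys, ecus
        self.temp_key: Optional[bytes] = None
        self.expires_at = 0
        self.seed = b""

    def install_authorization(self, auth: AuthorizationFile, now: int) -> bool:
        expected = authorization_signature(auth.temp_key, auth.expires_at, auth.vin, self.server_key)
        if not hmac.compare_digest(expected, auth.signature):
            return False  # key or expiry parameter tampered with in transit
        if auth.vin != self.vin or now >= auth.expires_at:
            return False  # file for another vehicle, or first period already over
        self.temp_key, self.expires_at = auth.temp_key, auth.expires_at
        return True

    def security_access_request(self) -> bytes:
        self.seed = os.urandom(16)  # first seed, sent to the instrument instead of the ECU's seed
        return self.seed

    def verify_instrument(self, encrypted_seed: bytes, now: int) -> bool:
        if self.temp_key is None or now >= self.expires_at:
            return False  # temporary key no longer accepted outside the first period
        return hmac.compare_digest(encrypt_seed(self.temp_key, self.seed), encrypted_seed)

    def internal_authentication(self, ecu_name: str) -> bool:
        ecu = self.ecus[ecu_name]
        return ecu.send_key(encrypt_seed(self.ecu_keys[ecu_name], ecu.request_seed()))


def diagnose(auth: AuthorizationFile, instrument_key: bytes, ecu_name: str, now: int) -> Optional[bytes]:
    """Whole flow seen from the vehicle; returns the ECU's diagnostic data, or None if any step fails."""
    ecus = {name: ECU(name, key) for name, key in ECU_KEYS.items()}
    kms = OnboardKMS(VIN, SERVER_SIGNING_KEY, ECU_KEYS, ecus)
    if not kms.install_authorization(auth, now):
        return None
    seed = kms.security_access_request()  # instrument's SID 0x27 request, intercepted by the KMS
    if not kms.verify_instrument(encrypt_seed(instrument_key, seed), now):
        return None  # instrument gets a negative response instead of the first message
    if not kms.internal_authentication(ecu_name):
        return None
    return ecus[ecu_name].read_diagnostic_data()  # response to the first diagnostic request


if __name__ == "__main__":
    auth_file = issue_authorization(TEMP_KEY, 1_700_000_000, VIN)
    print(diagnose(auth_file, TEMP_KEY, "ECU1", 1_699_999_000))
```

The ECU class is deliberately a plain seed/key responder with no knowledge of the temporary key or the authorization file, which is what lets existing UDS ECUs from different suppliers stay unmodified: all the new checks (signature, VIN binding, expiry, temporary-key challenge) sit in the KMS. Passing `now` explicitly keeps the expiry check testable; a real KMS would read a trusted clock.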
结合第一方面,在一种实施方式中,第一安全访问请求、第一消息、第一诊断请求、诊断数据,均按照统一诊断服务UDS协议中针对车辆的诊断服务的通信标准来发送。In conjunction with the first aspect, in one implementation, the first security access request, the first message, the first diagnosis request, and the diagnosis data are all sent according to the communication standard for vehicle diagnosis services in the Unified Diagnostic Service UDS protocol.
也就是说,上述诊断仪与车辆之间的交互消息,均是按照UDS协议的标准进行通信的。In other words, the interactive messages between the above diagnostic instrument and the vehicle are all communicated in accordance with the standards of the UDS protocol.
在一些实施例中,第一安全访问请求中可以携带有UDS协议的诊断服务标识SID,该诊断服务标识SID用于诊断仪向车辆发起的诊断服务,其中,第一安全访问请求中的该诊断服务标识SID为27,这时,该诊断仪向车辆发起的诊断服务为安全访问服务,该安全访问服务用于提供一种访问车辆中受控资源或进行故障诊断的途径。In some embodiments, the first secure access request may carry a diagnostic service identifier SID of the UDS protocol. The diagnostic service identifier SID is used for diagnostic services initiated by the diagnostic instrument to the vehicle, wherein the diagnostic service identifier in the first secure access request The service identifier SID is 27. At this time, the diagnostic service initiated by the diagnostic instrument to the vehicle is a secure access service. This secure access service is used to provide a way to access controlled resources in the vehicle or perform fault diagnosis.
In a second aspect, embodiments of the present application provide a vehicle secure access method applied to a vehicle that includes a first ECU, the vehicle storing a second key of the first ECU. The method includes: the vehicle receives a first diagnostic request sent by a first device, the first device being a device trusted by the vehicle; the vehicle uses the second key to perform an in-vehicle secure access authentication process; and, in response to the first diagnostic request, the vehicle sends the diagnostic data of the first ECU to the first device.
When the method of the second aspect is implemented, the diagnostic tool no longer holds a key for secure access authentication. The diagnostic tool proves directly to the vehicle that it is a trusted diagnostic tool and then issues a diagnostic request that directly asks for access to the ECU's resources, while inside the vehicle the steps are still executed in the original order: secure access authentication first, then, in response to the diagnostic request, sending the ECU's diagnostic data to the diagnostic tool. This not only removes the possibility of the diagnostic tool leaking the key used for secure access authentication and improves the reliability of secure access authentication between the diagnostic tool and the ECU; it also lets the ECU keep communicating according to the UDS protocol standard, so developers do not need to adapt the ECU. This matters because the different ECUs in a vehicle may come from different manufacturers: it spares developers the trouble of coordinating ECU configuration changes with each manufacturer and makes the method more feasible to deploy on vehicles.
With reference to the second aspect, in one implementation, before the vehicle receives the first diagnostic request sent by the first device, the method further includes: the vehicle receives a digital certificate sent by the first device, the digital certificate indicating that the first device is a device with a trusted identity.
In other words, the vehicle can determine whether the diagnostic tool's identity is trustworthy by accepting the digital certificate sent by the diagnostic tool, ensuring that the device initiating diagnosis on the vehicle is a trusted diagnostic tool rather than an attacker.
With reference to the second aspect, in one implementation, the first diagnostic request and the diagnostic data are both sent according to the communication standard for vehicle diagnostic services in the UDS protocol.
In other words, the messages exchanged between the diagnostic tool and the vehicle described above all follow the UDS protocol standard.
With reference to the second aspect, in one implementation, the vehicle further includes a second ECU and also stores a fourth key of the second ECU, and the method further includes: the vehicle receives a second diagnostic request sent by the first device, the first device being a device trusted by the vehicle; the vehicle uses the fourth key to perform an in-vehicle secure access authentication process; and, in response to the second diagnostic request, the vehicle sends the diagnostic data of the second ECU to the first device.
In other words, different ECUs use different ECU keys for secure access authentication. Since the diagnostic tool no longer holds any key for secure access authentication, even though the ECU keys of different ECUs differ, the diagnostic tool does not need to repeatedly obtain the ECU keys used by the different ECUs when diagnosing them. This effectively resolves the vulnerability that arises today because the vast majority of vehicles use the same ECU key for ECUs of the same type in the same vehicle model, namely that leakage of one ECU's key invalidates the secure access authentication of that type of ECU across many vehicles, and it makes industry-wide adoption of "different ECUs use different ECU keys" considerably more practical.
With reference to the first aspect or the second aspect, in one implementation, the vehicle further includes a KMS, and the vehicle using the second key to perform the in-vehicle authentication process specifically includes the vehicle executing the following via the KMS and the first ECU:
The KMS sends a second secure access request to the first ECU;
The first ECU generates a second seed and sends the second seed to the KMS;
The KMS encrypts the second seed with the second key and sends the second seed encrypted with the second key to the first ECU;
The first ECU verifies that the second seed encrypted by the KMS with the second key matches the seed encrypted by the first ECU itself with the second key.
So that the diagnostic tool and the ECU no longer use the same key for secure access authentication, or so that the diagnostic tool no longer holds a key for secure access authentication at all, the vehicle's on-board KMS can step into the secure access authentication between the diagnostic tool and the ECU and complete the authentication with the ECU using the ECU key. The ECU therefore needs no configuration change to fit this scheme. This matters because the different ECUs in a vehicle may come from different manufacturers: it spares developers the trouble of coordinating ECU configuration changes with each manufacturer and makes the method more feasible to deploy on vehicles.
With reference to the first aspect or the second aspect, in one implementation, the second key is a key generated by the vehicle from a first vehicle key, where different vehicles have different vehicle keys.
In other words, the vehicle can derive the ECU keys of the different ECUs inside it from a single vehicle key, and the vehicle keys of different vehicles differ. Because every ECU key in the vehicle is derived from the vehicle key, leakage of the vehicle key would expose all of that vehicle's ECU keys; giving each vehicle its own vehicle key therefore limits the impact of a vehicle key leak as far as possible.
In a third aspect, embodiments of the present application provide a vehicle secure access method applied to a first device. The method includes: the first device sends a first secure access request to the vehicle; where the vehicle, within a first period, uses a first key that is temporarily valid within that period to verify that the first device is authorised to access a first ECU in the vehicle, and uses a second key to perform an in-vehicle authentication process, the first device receives a first message sent by the vehicle, the first message indicating that the vehicle has verified the first device; the first device sends a first diagnostic request to the vehicle; and the first device receives the diagnostic data of the first ECU sent by the vehicle.
When the method of the third aspect is implemented, the diagnostic tool can use a temporarily valid key to carry out the secure access authentication process with the ECU: the vehicle first uses that temporarily valid key to complete secure access authentication with the diagnostic tool, and then uses the ECU key to carry out secure access authentication with the ECU, so the diagnostic tool and the ECU no longer need to hold the same key. Thus, even if an attacker steals the ECU key from the ECU, the attacker cannot impersonate the diagnostic tool in secure access authentication; and even if an attacker steals the temporary ECU key from the diagnostic tool, because that key is valid only for a limited period, once the period has expired the attacker still cannot pass the secure access authentication between the diagnostic tool and the ECU. This reduces the likelihood of an attacker passing secure access authentication, improves the reliability of secure access authentication between the diagnostic tool and the ECU, and enhances vehicle security.
With reference to the third aspect, in one implementation, while the vehicle uses the first key, temporarily valid within the first period, to verify that the first device is authorised to access the first ECU in the vehicle, the method further includes: the first device obtains a first seed generated by the vehicle; the first device encrypts the first seed with the first key; and the first device sends the first seed encrypted with the first key to the vehicle.
With reference to the third aspect, in one implementation, before the first device sends the first secure access request to the vehicle, the method further includes: the first device obtains the first key sent by a second device, the second device being a server managed and maintained by the manufacturer of the vehicle's components.
In other words, the diagnostic tool can obtain the temporary ECU key from an official, trusted third-party device, ensuring that the source of the temporary ECU key is trustworthy.
With reference to the third aspect, in one implementation, the first device obtaining the first key sent by the second device specifically includes: the first device obtains an authorization file sent by the second device, the authorization file including the first key, an expiry parameter, and a signature computed over the first key and the expiry parameter; the expiry parameter indicates the first period, and the signature attests that the first key and the expiry parameter in the authorization file were generated by the second device.
The diagnostic tool can obtain the temporary ECU key by obtaining the authorization file sent by the server. By verifying the signature in the authorization file, the diagnostic tool can determine whether an attacker tampered with the file's parameters, such as the temporary ECU key or the expiry parameter, while the server was sending it to the diagnostic tool. This safeguards the trustworthiness of the temporary ECU key and, in turn, the trustworthiness of the secure access authentication the vehicle carries out with the diagnostic tool using that key.
With reference to the third aspect, in one implementation, before the first device obtains the authorization file sent by the second device, the method further includes: the first device sends its digital certificate to the second device, the digital certificate serving to prove that the first device is a trusted device.
This prevents the server from sending the authorization file to an attacker and so prevents an attacker from obtaining the temporary ECU key.
With reference to the third aspect, in one implementation, after the first device obtains the authorization file sent by the second device, the method further includes: the first device sends the authorization file to the vehicle.
The diagnostic tool carries the temporary ECU key inside the authorization file and passes it to the vehicle by sending the file. The vehicle can then verify the signature in the authorization file to determine whether an attacker tampered with its parameters, such as the temporary ECU key or the expiry parameter, while the diagnostic tool was sending it to the vehicle. This safeguards the trustworthiness of the temporary ECU key and, in turn, the trustworthiness of the secure access authentication the vehicle carries out with the diagnostic tool using that key.
With reference to the third aspect, in one implementation, before the first device sends the authorization file to the vehicle, the method further includes: the first device sends a digital certificate to the vehicle, the digital certificate indicating that the first device is a device with a trusted identity; or, the first device sending the authorization file to the vehicle specifically includes: the first device sends the authorization file to the vehicle through the UDS 2904 service, the UDS 2904 service being used to prove that the first device is a device with a trusted identity.
To prevent an attacker from impersonating the diagnostic tool and sending a temporary ECU key to the vehicle, the diagnostic tool can prove the trustworthiness of its identity before sending the authorization file to the vehicle, or it can send the authorization file to the vehicle over a trusted channel.
With reference to the third aspect, in one implementation, the authorization file further includes vehicle information identifying the vehicle, and the signature is also computed over the vehicle information.
For example, the vehicle information may be the vehicle's VIN. Including information that identifies the vehicle currently to be diagnosed ensures that the diagnostic tool can diagnose only the vehicle named in the authorization file and prevents an attacker from using the temporary ECU key to carry out secure access authentication with other vehicles, improving the reliability of secure access authentication.
With reference to the third aspect, in one implementation, the first secure access request, the first message, the first diagnostic request and the diagnostic data are all sent according to the communication standard for vehicle diagnostic services in the UDS protocol.
In other words, the messages exchanged between the diagnostic tool and the vehicle described above all follow the UDS protocol standard.
In some embodiments, the first secure access request may carry a diagnostic service identifier (SID) of the UDS protocol; the SID identifies the diagnostic service that the diagnostic tool initiates towards the vehicle. In the first secure access request this SID is 27, in which case the diagnostic service the diagnostic tool initiates towards the vehicle is the secure access service, which provides a way to access controlled resources in the vehicle or to perform fault diagnosis.
In a fourth aspect, embodiments of the present application provide a vehicle secure access method applied to a first device. The method includes: the first device authenticates to the vehicle that its identity is trustworthy; the first device sends a first diagnostic request to the vehicle; and, where the vehicle uses the second key of the first ECU to perform an in-vehicle secure access authentication process, the first device obtains the diagnostic data of the first ECU in the vehicle sent by the vehicle.
When the method of the fourth aspect is implemented, the diagnostic tool no longer holds a key for secure access authentication. The diagnostic tool proves directly to the vehicle that it is a trusted diagnostic tool and then issues a diagnostic request that directly asks for access to the ECU's resources, while inside the vehicle the steps are still executed in the original order: secure access authentication first, then, in response to the diagnostic request, sending the ECU's diagnostic data to the diagnostic tool. This not only removes the possibility of the diagnostic tool leaking the key used for secure access authentication and improves the reliability of secure access authentication between the diagnostic tool and the ECU; it also lets the ECU keep communicating according to the UDS protocol standard, so developers do not need to adapt the ECU. This matters because the different ECUs in a vehicle may come from different manufacturers: it spares developers the trouble of coordinating ECU configuration changes with each manufacturer and makes the method more feasible to deploy on vehicles.
With reference to the fourth aspect, in one implementation, the first device authenticating to the vehicle that its identity is trustworthy specifically includes: the first device sends a digital certificate to the vehicle, the digital certificate indicating that the first device is a device with a trusted identity.
With reference to the fourth aspect, in one implementation, before the first device sends the digital certificate to the vehicle, the method further includes: the first device sends the digital certificate to the second device; and the first device sending the digital certificate to the vehicle specifically includes: the first device sends the digital certificate to the vehicle once the second device has determined, based on the digital certificate, that the first device's identity is trustworthy.
In other words, before the diagnostic tool initiates diagnosis on the vehicle, it must first complete two authentications, to the server and to the vehicle. This ensures as far as possible that the diagnostic tool is a trusted device, prevents an attacker from stealing the ECU's diagnostic data, and protects the vehicle's security as far as possible.
With reference to the fourth aspect, in one implementation, the first diagnostic request and the diagnostic data are both sent according to the communication standard for vehicle diagnostic services in the UDS protocol.
In other words, the messages exchanged between the diagnostic tool and the vehicle described above all follow the UDS protocol standard.
With reference to the third aspect or the fourth aspect, in one implementation, the second key is a key generated by the vehicle from a first vehicle key, where different vehicles have different vehicle keys.
In other words, the vehicle can derive the ECU keys of the different ECUs inside it from a single vehicle key, and the vehicle keys of different vehicles differ. Because every ECU key in the vehicle is derived from the vehicle key, leakage of the vehicle key would expose all of that vehicle's ECU keys; giving each vehicle its own vehicle key therefore limits the impact of a vehicle key leak as far as possible.
In a fifth aspect, embodiments of the present application provide a vehicle including a memory, one or more processors, and one or more programs; when the one or more processors execute the one or more programs, the vehicle is caused to implement the method described in the first aspect or any implementation of the first aspect, or the second aspect or any implementation of the second aspect.
In a sixth aspect, embodiments of the present application provide an electronic device including a memory, one or more processors, and one or more programs; when the one or more processors execute the one or more programs, the electronic device is caused to implement the method described in the third aspect or any implementation of the third aspect, or the fourth aspect or any implementation of the fourth aspect.
In a seventh aspect, embodiments of the present application provide a communication system that includes the vehicle of the fifth aspect and the electronic device of the sixth aspect.
In an eighth aspect, embodiments of the present application provide a computer-readable storage medium including instructions which, when run on an electronic device, cause the electronic device to perform the method described in the first aspect or any implementation of the first aspect, the second aspect or any implementation of the second aspect, the third aspect or any implementation of the third aspect, or the fourth aspect or any implementation of the fourth aspect.
In a ninth aspect, embodiments of the present application provide a computer program product which, when run on a computer, causes the computer to perform the method described in the first aspect or any implementation of the first aspect, the second aspect or any implementation of the second aspect, the third aspect or any implementation of the third aspect, or the fourth aspect or any implementation of the fourth aspect.
Description of drawings
Figure 1 is a schematic diagram of the flow involved in executing the UDS 27 service between a diagnostic tool and a vehicle ECU;
Figure 2 is a schematic diagram of a communication system 1000 provided by an embodiment of the present application;
Figure 3 is a schematic diagram of one flow involved in generating an ECU key in the vehicle secure access method provided by an embodiment of the present application;
Figure 4 is a schematic diagram of another flow involved in generating an ECU key in the vehicle secure access method provided by an embodiment of the present application;
Figure 5 is a schematic diagram of one flow involved in using an ECU key for secure access authentication in the vehicle secure access method provided by an embodiment of the present application;
Figure 6 is a schematic diagram of another flow involved in using an ECU key for secure access authentication in the vehicle secure access method provided by an embodiment of the present application;
Figure 7 is a schematic structural diagram of a vehicle 300 provided by an embodiment of the present application;
Figure 8 is a schematic structural diagram of an electronic device 400 provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and in detail below with reference to the accompanying drawings. In the description of the embodiments of the present application, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" in the text merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. In addition, in the description of the embodiments of the present application, "multiple" means two or more.
Hereinafter, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include one or more of that feature. In the description of the embodiments of the present application, unless otherwise stated, "multiple" means two or more.
The UDS protocol defines a series of diagnostic services; the diagnostic tool and the vehicle ECU can use a designated UDS service to standardise the commands sent and the data transferred during communication.
Among these, the UDS protocol defines a secure access service, the UDS 27 service, which provides a way to access controlled resources in the vehicle or to perform fault diagnosis. Because some data in the ECU, or fault diagnosis of the ECU, is protected for security reasons, the UDS 27 service must be executed to lift the protection on the ECU before the diagnostic tool reads resources in the ECU or performs fault diagnosis on it.
Figure 1 is a schematic diagram of the flow involved in executing the UDS 27 service between a diagnostic tool and a vehicle ECU.
从图1可以看出,在诊断仪向车辆ECU发送安全访问请求后,诊断仪和车辆ECU分别对车辆ECU生成的一个种子进行加密,其中加密过程中,诊断仪和车辆ECU使用相同的ECU密钥,之后,诊断仪将加密后的种子发送给车辆ECU,如果车辆ECU判断得到接收到的加密后的种子与本地加密后的种子一致,则诊断仪通过安全访问的认证,车辆ECU为诊断仪提供安全访问的权限,之后,诊断仪即可访问车辆ECU上受限的资源或进行故障诊断。As can be seen from Figure 1, after the diagnostic tool sends a secure access request to the vehicle ECU, the diagnostic tool and the vehicle ECU respectively encrypt a seed generated by the vehicle ECU. During the encryption process, the diagnostic tool and the vehicle ECU use the same ECU password. After that, the diagnostic instrument sends the encrypted seed to the vehicle ECU. If the vehicle ECU determines that the received encrypted seed is consistent with the local encrypted seed, the diagnostic instrument passes the security access authentication, and the vehicle ECU is a diagnostic instrument. Provide secure access permissions, and then the diagnostic tool can access restricted resources on the vehicle ECU or perform fault diagnosis.
但是,由于诊断仪和车辆ECU使用相同的ECU密钥,如果诊断仪或者车辆ECU上的ECU密钥泄露,则会导致安全访问的认证形同虚设,攻击者可以轻松通过安全访问的认证,对车辆ECU展开攻击,例如,非法访问ECU中的资源,修改ECU的配置,刷写ECU的软件包等等,对车辆的安全造成影响。However, since the diagnostic tool and the vehicle ECU use the same ECU key, if the ECU key on the diagnostic tool or the vehicle ECU is leaked, the security access authentication will be ineffective. An attacker can easily pass the security access authentication and access the vehicle ECU. Attacks, such as illegally accessing resources in the ECU, modifying the ECU configuration, flashing the ECU software package, etc., will affect the safety of the vehicle.
Therefore, how to improve the reliability of security access authentication in vehicle ECUs is a problem that urgently needs to be solved.
To solve the above problem, embodiments of this application provide a vehicle security access method in which the diagnostic tool and the ECU no longer use the same key for security access authentication. Specifically, for a target ECU on which the diagnostic tool needs to perform resource access or fault diagnosis, the diagnostic tool can use an ECU temporary key to complete security access authentication with that target ECU, while the vehicle interior intervenes in the security access authentication process between the diagnostic tool and the target ECU: it uses the ECU temporary key to complete the security access authentication process with the diagnostic tool and determines whether the diagnostic tool has permission to access resources or perform fault diagnosis, and after the diagnostic tool passes security access authentication, it uses the ECU key to perform security access authentication inside the vehicle. After the in-vehicle security access authentication passes, the ECU determines that the diagnostic tool has permission to access the ECU's resources and can send the ECU's diagnostic data to the diagnostic tool in response to its diagnostic request. Moreover, the ECU temporary key is valid only for a period of time; once that period has elapsed, the ECU temporary key can no longer be used for security access authentication.
It can be seen that the ECU's security access authentication of the diagnostic tool uses both the ECU temporary key and the ECU key, while the diagnostic tool authenticates with the ECU temporary key, so even if an attacker steals the ECU key, the attacker cannot pass the security access authentication process between the diagnostic tool and the ECU. In addition, because the ECU temporary key held by the diagnostic tool is time-limited, even if an attacker steals the ECU temporary key, it cannot be used to pass the security access authentication process between the diagnostic tool and the ECU once its validity period has expired. This reduces the likelihood of an attacker passing security access authentication, improves the reliability of security access authentication between the diagnostic tool and the ECU, and enhances the security of the vehicle.
Embodiments of this application also provide a vehicle security access method in which the diagnostic tool no longer holds any key for security access authentication. Specifically, the diagnostic tool only needs to prove to the vehicle that it is a trusted device; it no longer initiates security access authentication but sends a diagnostic request directly to the target ECU. The vehicle interior intercepts the diagnostic request, still first performs security access authentication with the target ECU using the ECU key, and only after that authentication passes forwards the diagnostic request to the target ECU, triggering resource access or fault diagnosis on the target ECU.
It can be seen that the diagnostic tool no longer holds a key for security access authentication, which eliminates the possibility of the diagnostic tool leaking the ECU key and improves the reliability of security access authentication between the diagnostic tool and the ECU.
In both of the above vehicle security access methods, the ECU key of the target ECU is a key derived by the vehicle from the vehicle key and used only for security access authentication of that target ECU; in other words, different ECUs in the vehicle use different ECU keys.
In this way, different ECUs in the vehicle use different ECU keys for security access authentication, so even if the ECU key of one ECU is leaked, the security access authentication processes of the other ECUs in the vehicle are not affected. In addition, because the diagnostic tool uses the ECU temporary key for security access authentication with the vehicle, the diagnostic tool does not need to repeatedly obtain the ECU keys of different ECUs when diagnosing them, even though those keys differ. This effectively closes the vulnerability that arises today when the vast majority of vehicle manufacturers use the same ECU key for the same type of ECU across the same vehicle model, namely that the leak of one ECU's key invalidates security access authentication for that type of ECU in many vehicles, and it makes the practice of "different ECUs use different ECU keys" far more feasible to adopt across the industry.
Furthermore, the vehicle keys of different vehicles may also differ. Because the ECU keys of all ECUs in a vehicle are derived from the vehicle key, a leak of the vehicle key leaks every ECU key in that vehicle. Giving different vehicles different vehicle keys therefore limits the impact of a vehicle key leak as much as possible.
The communication system 1000 provided by the embodiments of this application is introduced below.
Figure 2 is a schematic diagram of the communication system 1000 provided by an embodiment of this application. As shown in Figure 2, the communication system 1000 may include a server 100, a diagnostic tool 200 and a vehicle 300, where:
The server 100 can be used to generate, manage and distribute keys. In the embodiments of this application, these keys may include the vehicle key, the ECU temporary key, the ECU key and so on. The server 100 can generate a vehicle key for a vehicle (for example the vehicle 300) and send it to the vehicle 300; the vehicle key can be used to derive the ECU key of an ECU, and the vehicle 300 can use that ECU key to perform in-vehicle security access authentication of the ECU. The server 100 can also derive the ECU key from the vehicle key itself and send the ECU key to the vehicle 300. In addition, the server 100 can generate an ECU temporary key for a diagnostic tool (for example the diagnostic tool 200), and the diagnostic tool 200 can use that ECU temporary key to perform security access authentication of the ECU from outside the vehicle.
Note that security access authentication outside the vehicle refers to the interaction between the diagnostic tool 200 and the vehicle during the security access authentication process, while security access authentication inside the vehicle refers to the interaction between functional modules within the vehicle during that process. See the method flows that follow for details; they are not expanded here.
The diagnostic tool 200 can be used to access resources in the vehicle and to detect vehicle faults. Specifically, the diagnostic tool 200 accesses the resources of ECUs in the vehicle and detects ECU faults. In the embodiments of this application, the diagnostic tool 200 can obtain the ECU temporary key sent by the server 100 and send that ECU temporary key to the vehicle 300; the diagnostic tool 200 can also send a security access request to the vehicle 300 and use the ECU temporary key to perform security access authentication outside the vehicle.
The vehicle 300, as the object diagnosed by the diagnostic tool, can return the diagnostic data requested in a diagnostic request sent by the diagnostic tool, and completes security access authentication with the diagnostic tool before diagnosis. In the embodiments of this application, the vehicle 300 can obtain or generate the vehicle key, generate the ECU key of an ECU from the vehicle key, obtain the ECU temporary key sent by the diagnostic tool 200, use that ECU temporary key to complete security access authentication with the diagnostic tool 200 outside the vehicle, use the ECU key to complete security access authentication inside the vehicle, and, when security access authentication passes, send an indication that authentication has passed to the diagnostic tool 200.
The embodiments of this application do not restrict how the devices in the communication system 1000 are connected. Specifically, the communication connection may be wired or wireless. The wireless connection may be a short-range connection such as a wireless fidelity (Wi-Fi) connection, a Bluetooth connection, an infrared connection, an NFC connection or a ZigBee connection, or a long-range connection, including but not limited to a long-range connection over a mobile network based on 2G, 3G, 4G, 5G or subsequent standard protocols. For example, the server 100 may send the ECU temporary key to the diagnostic tool 200 over a wireless connection. As another example, the diagnostic tool 200 may communicate with the vehicle 300 over a wired connection; for instance, the diagnostic tool 200 may communicate with the vehicle 300 through a wired connection to the vehicle's On Board Diagnostics (OBD) port.
Note also that a server mentioned in the embodiments of this application, such as the server 100, may be a single server or a server cluster made up of multiple servers. For example, the server 100 may be a server cluster of multiple servers deployed in a distributed architecture; the cluster may include one or more of a cloud computing server, a Content Delivery Network (CDN) server, a Network Time Protocol (NTP) server, a Domain Name System (DNS) server and so on, with the individual servers coordinating with each other to jointly provide computing, data storage, communication and other functions. For convenience, the embodiments of this application refer to a single server, a distributed server, a server cluster and the like collectively as a server. In the embodiments of this application, the server 100 may be a server cluster of multiple servers deployed in a distributed architecture, where these servers belong to the original equipment manufacturer (OEM) and together form the OEM's key management system (KMS).
The vehicle security access method provided by the embodiments of this application implements security access authentication of the diagnostic tool before it performs fault diagnosis or resource access on the vehicle. In general, the method has two parts: the vehicle obtains the ECU key that the ECU uses for security access authentication, and the diagnostic tool and the vehicle perform security access authentication. The detailed process of the vehicle security access method is described below in two phases.
Phase 1: Generating the ECU key
In the embodiments of this application, the ECU key is derived from the vehicle key in the vehicle; the vehicle key may be generated either by the vehicle or by the server.
Figure 3 is a schematic flowchart of one process for generating the ECU key in the vehicle security access method provided by an embodiment of this application, and Figure 4 is a schematic flowchart of another such process.
Figure 3 shows the interaction between the server 100 and the vehicle 300 when the vehicle key is generated by the server 100; Figure 4 shows the interaction between the server 100 and the vehicle 300 when the vehicle key is generated by the vehicle 300.
The interactions shown in Figures 3 and 4 mainly involve two functional modules in the vehicle 300: the on-board KMS and the ECU. The on-board KMS generates and manages the keys in the vehicle. The vehicle 300 may include one or more ECUs; Figures 3 and 4 take ECU1 as an example, which may be any ECU in the vehicle 300 and, in the embodiments of this application, may be the target ECU that the diagnostic tool 200 needs to diagnose.
As shown in Figure 3, Phase 1 mainly includes:
S101. The server 100 generates a vehicle key for the vehicle 300.
Specifically, the server 100 may use a cryptographic algorithm to generate a random number and use that random number as the vehicle key of the vehicle 300.
Further, when multiple vehicles are involved, the server 100 can generate a different vehicle key for each vehicle, that is, different vehicles have different vehicle keys. For example, if a vehicle 400 also exists, the server 100 may generate vehicle key 1 for the vehicle 300 and vehicle key 2 for the vehicle 400.
In addition, after generating the vehicle key, the server 100 can bind the vehicle key to the vehicle identification number (VIN) of the vehicle, in other words store the vehicle key and the VIN together. The VIN is equivalent to the vehicle's identity number; it is determined according to national vehicle management standards and encodes the vehicle's manufacturer, model year, model, body type and code, engine code, assembly location and other information. Alternatively, binding the vehicle key to the VIN may be understood as making the vehicle key part of the VIN. Binding the vehicle key to the VIN thus allows vehicle keys to be managed per vehicle and the vehicle keys of different vehicles to be distinguished.
In the embodiments of this application, the server 100 is a server managed and maintained by the manufacturer of the vehicle's components; the server 100 may also be called the second device.
S102. The server 100 sends the vehicle key to the on-board KMS in the vehicle 300.
The server 100 sends the vehicle key to the vehicle 300, specifically to the on-board KMS in the vehicle 300. Correspondingly, the vehicle 300 receives the vehicle key sent by the server 100.
Further, when the vehicle key is bound to the VIN, the server 100 may send the vehicle key of the vehicle 300 together with the VIN when it sends the VIN of the vehicle 300 to the vehicle 300.
In addition, when multiple vehicles are involved, the server 100 sends each vehicle its own vehicle key; for example, the server 100 sends vehicle key 1 of the vehicle 300 to the vehicle 300 and vehicle key 2 of the vehicle 400 to the vehicle 400.
S103. The on-board KMS in the vehicle 300 uses the vehicle key to generate the ECU key of ECU1.
The vehicle 300 uses the vehicle key to generate the ECU key of ECU1; specifically, the vehicle 300 does so through the on-board KMS.
For example, the vehicle 300 may use a key derivation function (KDF), or an HMAC-based KDF (HKDF), to derive a key from the vehicle key and use the derived key as the ECU key of ECU1. The ECU key is used to encrypt the seed during in-vehicle security access authentication; see the detailed process of Phase 2 below.
Further, for multiple ECUs in the vehicle 300, the vehicle 300 can derive multiple keys from the vehicle key and use them as the ECU keys of the respective ECUs. For example, the on-board KMS in the vehicle 300 derives the ECU key of ECU1 and the ECU key of ECU2 from the vehicle key.
In some embodiments, the ECU key may comprise one or more keys. For example, the ECU key may comprise two keys, an ECU2701 key and an ECU2709 key, where the ECU2701 key is used for security access authentication and the ECU2709 key is used when the ECU flashes a software package. The embodiments of this application do not limit the number of keys in the ECU key.
In the embodiments of this application, the vehicle 300 can use the vehicle key to generate ECU keys for multiple ECUs; for example, where there is a first ECU and a second ECU, the ECU key of the first ECU may also be called the second key and the ECU key of the second ECU may also be called the fourth key. As an example, ECU1 may be called the first ECU.
S104. The on-board KMS in the vehicle 300 sends the ECU key of ECU1 to ECU1.
For multiple ECUs in the vehicle 300, the vehicle 300 can, through the on-board KMS, send each derived ECU key to its corresponding ECU. For example, when the on-board KMS has generated the ECU keys of ECU1 and ECU2, it sends the ECU key of ECU1 to ECU1 and the ECU key of ECU2 to ECU2.
It should be understood that steps S101-S104 may be executed on the production line of the vehicle 300; that is, before the vehicle is delivered to a user, the server may pre-provision the vehicle key in the vehicle, and the vehicle then derives from that vehicle key the ECU keys that each ECU in the vehicle needs in the security access authentication phase.
S105. The server 100 uses the vehicle key to generate the ECU key of ECU1.
Similarly to step S103, the server 100 may also use a key derivation algorithm such as KDF or HKDF to derive the ECU key from the vehicle key.
In some embodiments, the server 100 may derive the ECU key of ECU1 from the vehicle key using the key derivation algorithm when the diagnostic tool 200 needs to perform fault diagnosis or resource access on ECU1. The server 100 then sends that ECU key to the vehicle 300 (not shown in Figure 3) so that ECU1 can use it to complete in-vehicle security access authentication.
In this way, the vehicle 300 does not need to generate the ECU key of ECU1 from the vehicle key itself, but obtains the ECU key that ECU1 needs in the security access authentication phase directly from the server 100.
It can be understood that step S105 applies when the diagnostic tool 200 diagnoses only a single ECU of the vehicle 300; in that case steps S103-S104 are optional and the vehicle 300 can obtain the ECU's ECU key directly from the server 100. Alternatively, the vehicle 300 can generate in advance the ECU keys that multiple ECUs need for diagnosis; in that case step S105 is optional and the vehicle 300 generates the ECU keys of the multiple ECUs itself. Note also that in steps S103 and S105 the server 100 and the vehicle 300 use the same key derivation algorithm.
As shown in Figure 4, Phase 1 mainly includes:
S201. The on-board KMS in the vehicle 300 generates the vehicle key of the vehicle 300.
S202. The on-board KMS in the vehicle 300 sends the vehicle key to the server 100.
S203. The on-board KMS in the vehicle 300 uses the vehicle key to generate the ECU key of ECU1.
S204. The on-board KMS in the vehicle 300 sends the ECU key of ECU1 to ECU1.
S205. The server 100 uses the vehicle key to generate the ECU key of ECU1.
Comparing steps S201-S205 with steps S101-S105 of Figure 3, steps S203-S205 are the same as steps S103-S105 of Figure 3, and steps S201-S202 are similar to steps S101-S102 of Figure 3. The difference is that in steps S201-S202 of Figure 4 the vehicle key is generated by the vehicle 300, specifically by its on-board KMS, and the vehicle 300 sends the vehicle key to the server 100, whereas in steps S101-S102 of Figure 3 the vehicle key is generated by the server 100 and the server 100 sends it to the vehicle 300.
It should be understood that in steps S201-S202, after the vehicle 300 sends the vehicle key to the server 100, the server 100 can bind that vehicle key to the VIN of the vehicle 300. In addition, when multiple vehicles are involved, the server 100 may receive vehicle keys generated by multiple vehicles; for example, the server 100 receives the vehicle key of the vehicle 300 sent by the vehicle 300 and the vehicle key of the vehicle 400 sent by the vehicle 400.
In addition, steps S202 and S205, or steps S203 and S204, are optional, and the embodiments of this application do not restrict the order of step S202 relative to steps S201, S203 and S204. For content of steps S201-S205 not expanded here, refer to the description of steps S101-S105 above, which is not repeated.
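The Phase 1 key hierarchy (S101-S105 of Figure 3; the Figure 4 variant only changes which side draws the random vehicle key), as an added illustration that is not the patent's own code. The patent names KDF/HKDF but no parameters, so RFC 5869 HKDF with SHA-256 is assumed, with the VIN as the salt and the ECU name plus key purpose (the 2701 and 2709 labels above) as the info string; the 32-byte vehicle key, the 16-byte ECU keys, the VINs and the ECU names are constructed sample values. The example checks the three properties the text relies on: different ECUs get different keys, different vehicles get different keys, and the server (S105) and the on-board KMS (S103) arrive at the same ECU key because they run the same KDF.

```python
"""Phase 1 key hierarchy: random vehicle key, bound to the VIN, from which each ECU's
key is derived.  Added illustration, not the patent's own code.

Assumptions: RFC 5869 HKDF-SHA256 (the patent only says KDF/HKDF); VIN as salt;
"<ECU name>/<purpose>" as the HKDF info string so that e.g. the ECU2701 key and the
ECU2709 key of one ECU differ.  All key sizes, VINs and ECU names are constructed.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256 (length must be <= 255 * 32)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_ecu_key(vehicle_key: bytes, vin: str, ecu_name: str, purpose: str = "2701") -> bytes:
    """One ECU key.  'purpose' separates the ECU2701 key (security access) from the
    ECU2709 key (software flashing) of the same ECU."""
    prk = hkdf_extract(vin.encode(), vehicle_key)
    return hkdf_expand(prk, f"{ecu_name}/{purpose}".encode(), 16)


class OemKms:
    """server 100: generates vehicle keys (S101) and stores them per VIN."""

    def __init__(self):
        self._vehicle_keys = {}

    def provision_vehicle(self, vin: str) -> bytes:
        key = os.urandom(32)              # S101: random vehicle key, one per vehicle
        self._vehicle_keys[vin] = key     # bound to the VIN
        return key                        # S102: sent to the on-board KMS

    def ecu_key_for(self, vin: str, ecu_name: str) -> bytes:
        """S105: the server derives the ECU key with the same KDF as the vehicle."""
        return derive_ecu_key(self._vehicle_keys[vin], vin, ecu_name)


class OnboardKms:
    """In-vehicle KMS: receives the vehicle key (S102) and derives ECU keys (S103)."""

    def __init__(self, vin: str, vehicle_key: bytes):
        self.vin = vin
        self._vehicle_key = vehicle_key
        self.ecu_keys = {}                # what S104 hands to each ECU

    def provision_ecus(self, ecu_names) -> dict:
        for name in ecu_names:
            self.ecu_keys[name] = derive_ecu_key(self._vehicle_key, self.vin, name)
        return self.ecu_keys


def build_fleet(vins, ecu_names):
    """Provision several vehicles; returns (server, {vin: on-board KMS})."""
    server = OemKms()
    vehicles = {}
    for vin in vins:
        onboard = OnboardKms(vin, server.provision_vehicle(vin))
        onboard.provision_ecus(ecu_names)
        vehicles[vin] = onboard
    return server, vehicles
```

Because every ECU key is a pure function of (vehicle key, VIN, ECU name, purpose), the server never needs to store ECU keys, and a leaked ECU key reveals nothing about the vehicle key or about any other ECU's key; only the vehicle key itself has to be protected as a long-term secret.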
阶段二:利用ECU密钥进行安全访问认证Phase 2: Using ECU keys for secure access authentication
在本申请实施例中,为了避免诊断仪或ECU上的ECU密钥泄露导致安全访问认证过程失效,可以通过两种方式:诊断仪和ECU上不再使用相同的密钥用于安全访问认证,或者,诊断仪上不再持有用于进行安全访问认证的密钥,来提高安全访问认证的可靠性。In the embodiment of this application, in order to avoid the leakage of the ECU key on the diagnostic instrument or ECU causing the security access authentication process to fail, two methods can be used: the same key is no longer used on the diagnostic instrument and the ECU for secure access authentication, Alternatively, the diagnostic instrument no longer holds the key used for secure access authentication to improve the reliability of secure access authentication.
图5为本申请实施例提供的车辆安全访问方法中,利用ECU密钥进行安全访问认证所涉及到的一种流程示意图,图6为本申请实施例提供的车辆安全访问方法中,利用ECU密钥进行安全访问认证所涉及到的另一种流程示意图。Figure 5 is a schematic flowchart of using an ECU key for secure access authentication in the vehicle secure access method provided by an embodiment of the present application. Figure 6 is a schematic diagram of a process using the ECU key in the vehicle secure access method provided by an embodiment of the present application. Another process diagram involved in secure access authentication using keys.
其中,图5示出了诊断仪200与车辆300中的ECU1不使用相同的密钥进行安全访问认证时,服务器100、诊断仪200以及车辆300之间的交互过程。图6示出了诊断仪200上不再持有用于安全访问认证的 密钥时,服务器100、诊断仪200以及车辆300之间的交互过程。5 shows the interaction process between the server 100, the diagnostic instrument 200 and the vehicle 300 when the diagnostic instrument 200 and the ECU 1 in the vehicle 300 do not use the same key for secure access authentication. FIG. 6 shows that the diagnostic tool 200 no longer holds the The key is the interaction process between the server 100, the diagnostic device 200 and the vehicle 300.
如图5所示,阶段二主要包括:As shown in Figure 5, phase two mainly includes:
S301.服务器100与诊断仪200完成诊断仪认证。S301. The server 100 and the diagnostic device 200 complete the diagnostic device authentication.
The diagnostic instrument 200 may trigger authentication with the server 100 when it needs to perform fault diagnosis on, or access resources of, an ECU in the vehicle 300, such as ECU1, or when it needs to obtain the ECU temporary key generated by the server 100. For example, after receiving a user operation that triggers diagnosis of the vehicle, the diagnostic instrument 200 may trigger fault diagnosis of the vehicle 300, for example of one or more ECUs in the vehicle 300.
Diagnostic-instrument authentication between the server 100 and the diagnostic instrument 200 serves to prove to the server 100 that the diagnostic instrument 200 is legitimate, so that an attacker cannot impersonate the diagnostic instrument 200 when communicating with the server 100 and illegally steal data held by the server 100, such as ECU temporary keys.
Specifically, the diagnostic instrument 200 may complete diagnostic-instrument authentication by sending its digital certificate to the server 100 to prove its legitimacy. The digital certificate is an electronic credential issued to the diagnostic instrument 200 by a trusted third party, such as a Certificate Authority (CA) in a Public Key Infrastructure (PKI), to prove that its identity is trustworthy.
Further, the diagnostic instrument 200 may communicate with the server 100 over Transport Layer Security (TLS) to complete diagnostic-instrument authentication. TLS is a security protocol that provides confidentiality and data-integrity guarantees for communication between devices. Transmitting the digital certificate of the diagnostic instrument 200 over TLS prevents a third party from eavesdropping on or tampering with the certificate, and so preserves the trustworthiness of the diagnostic-instrument authentication phase.
In the embodiments of this application, the diagnostic instrument may also be referred to as the first device.
S302. The server 100 generates an ECU temporary key.
The ECU temporary key is used to encrypt the seed when the diagnostic instrument 200 performs security access authentication with the vehicle 300. For example, the server 100 may generate the ECU temporary key by means of the PKI.
It should be understood that the ECU temporary key differs from the ECU key, and that the ECU temporary key is time-limited: it is valid only for a period of time. This limits, as far as possible, the ability of an attacker who has stolen the ECU temporary key to impersonate the diagnostic instrument 200 and attack the vehicle 300.
In addition, the ECU temporary key may be valid only for the diagnostic instrument 200 to diagnose ECU1; in that case, the diagnostic instrument 200 can use the ECU temporary key only in the security authentication procedure of ECU1.
Preferably, the ECU temporary key is valid for the diagnostic instrument 200 to diagnose any ECU in the vehicle 300; in that case, within the validity period of the ECU temporary key, the diagnostic instrument 200 can use it in the security authentication of any ECU in the vehicle 300. Thus, when the diagnostic instrument 200 needs to diagnose multiple ECUs in the vehicle 300, it does not need to repeatedly obtain multiple ECU temporary keys from the server 100, or repeatedly perform security access authentication with different ECUs.
The server 100 may generate the ECU temporary key after the diagnostic-instrument authentication has passed.
In the embodiments of this application, the ECU temporary key may also be referred to as the first key.
S303. After the authentication passes, the server 100 sends the ECU temporary key to the diagnostic instrument 200.
The server 100 sends the ECU temporary key to the diagnostic instrument 200, and correspondingly the diagnostic instrument 200 receives the ECU temporary key sent by the server 100.
Further, to prevent a third party from tampering with the ECU temporary key, the server 100 may place the ECU temporary key in an authorization file and, after the authentication passes, send the authorization file carrying the ECU temporary key to the diagnostic instrument 200. The server 100 can attest the legitimacy of the ECU temporary key through the other parameters in the authorization file. In that case, step S303 becomes: after the authentication passes, the server 100 sends the authorization file to the diagnostic instrument 200.
The authorization file may include the ECU temporary key, an expiry parameter and a signature. The expiry parameter indicates the validity time of the ECU temporary key. The signature may be a digital signature computed by the server 100 with its private key over the ECU temporary key and the expiry parameter. The signature proves the legitimacy of the ECU temporary key and the expiry parameter, that is, that both originate from the server 100 and have not been tampered with by a third party.
Optionally, the authorization file may further include one or more of the following parameters: vehicle information and a public key. In that case, the signature in the authorization file may be a digital signature over the ECU temporary key and the one or more parameters above. The vehicle information indicates the target vehicle that the diagnostic instrument is to diagnose; for example, it may be the VIN of the vehicle 300. The public key is the key needed to verify the signature in the authorization file, and it forms a key pair with the private key the server 100 used for signing. In a specific implementation, after the diagnostic instrument 200 obtains the authorization file and before it uses the ECU temporary key, it may verify the signature with the public key to determine whether the ECU temporary key is legitimate.
Note that placing the vehicle information in the authorization file prevents an attacker from using an ECU key from another vehicle to pass the security access authentication of an ECU in this vehicle, which improves the reliability of ECU security access authentication.
It can be understood that the public key used to verify the signature in the authorization file may also be preset in the diagnostic instrument 200 in advance; the embodiments of this application do not limit how the diagnostic instrument 200 obtains that public key. The authorization file may also include other parameters, which the embodiments of this application likewise do not limit.
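The authorization file of steps S303/S304, as an added Go example that is not the patent's own code: the server signs the temporary key, the expiry parameter and the VIN, and the recipient (diagnostic instrument or on-board KMS) verifies the signature, the validity window and the vehicle binding before trusting the key. Ed25519, the field layout, the byte encoding of the signed payload and the VIN value are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// AuthorizationFile carries the ECU temporary key as described in step S303:
// the key itself, an expiry parameter, the target vehicle's VIN and the
// server's signature over those fields (field layout is an assumption).
type AuthorizationFile struct {
	TempKey   []byte // ECU temporary key (16 bytes in this example)
	ExpiresAt int64  // expiry parameter, Unix seconds
	VIN       string // vehicle information binding the key to one vehicle
	Signature []byte // server signature over TempKey || ExpiresAt || VIN
}

// signedPayload is the byte string the server signs and the recipient verifies.
func signedPayload(f *AuthorizationFile) []byte {
	var buf bytes.Buffer
	buf.Write(f.TempKey)
	binary.Write(&buf, binary.BigEndian, f.ExpiresAt)
	buf.WriteString(f.VIN)
	return buf.Bytes()
}

// IssueAuthorizationFile is the server side: generate a fresh temporary key,
// attach a validity window and the target VIN, and sign the whole file.
func IssueAuthorizationFile(serverPriv ed25519.PrivateKey, vin string, now time.Time, ttl time.Duration) (*AuthorizationFile, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	f := &AuthorizationFile{TempKey: key, ExpiresAt: now.Add(ttl).Unix(), VIN: vin}
	f.Signature = ed25519.Sign(serverPriv, signedPayload(f))
	return f, nil
}

// VerifyAuthorizationFile is what the diagnostic instrument (S303) and the
// on-board KMS (S304) do before using the temporary key: check the signature,
// then the expiry, then that the file was issued for this vehicle.
func VerifyAuthorizationFile(serverPub ed25519.PublicKey, f *AuthorizationFile, expectedVIN string, now time.Time) error {
	if !ed25519.Verify(serverPub, signedPayload(f), f.Signature) {
		return errors.New("authorization file: bad signature")
	}
	if now.Unix() >= f.ExpiresAt {
		return errors.New("authorization file: temporary key expired")
	}
	if f.VIN != expectedVIN {
		return errors.New("authorization file: issued for a different vehicle")
	}
	return nil
}

func main() {
	// Constructed server key pair and VIN for a stand-alone run.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	f, _ := IssueAuthorizationFile(priv, "VIN-EXAMPLE-0001", now, time.Hour)
	fmt.Println("valid now:", VerifyAuthorizationFile(pub, f, "VIN-EXAMPLE-0001", now))
	fmt.Println("two hours later:", VerifyAuthorizationFile(pub, f, "VIN-EXAMPLE-0001", now.Add(2*time.Hour)))
	fmt.Println("other vehicle:", VerifyAuthorizationFile(pub, f, "VIN-OTHER-0002", now))
}
```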
S304. When the vehicle 300 has determined that the diagnostic instrument 200 is legitimate, the diagnostic instrument 200 sends the ECU temporary key to the on-board KMS in the vehicle 300.
Once the vehicle 300 has determined that the diagnostic instrument 200 is legitimate, the diagnostic instrument 200 sends the ECU temporary key to the vehicle 300, specifically to the on-board KMS in the vehicle 300. Correspondingly, having determined that the diagnostic instrument 200 is legitimate, the vehicle 300 receives the ECU temporary key sent by the diagnostic instrument 200.
Sending the ECU temporary key to the vehicle 300 only after the vehicle 300 has determined that the diagnostic instrument 200 is legitimate prevents an attacker from impersonating the diagnostic instrument 200 and sending a forged ECU temporary key to the vehicle 300.
The diagnostic instrument 200 may send the ECU temporary key to the vehicle 300 in either of the following two ways:
1) Authenticate first, then send the ECU temporary key
The diagnostic instrument 200 may first prove its legitimacy to the vehicle 300 and then send the ECU temporary key to the vehicle 300.
For example, the diagnostic instrument 200 may prove its legitimacy to the vehicle 300 using service 29 of the UDS protocol, hereinafter the UDS 29 service, and then send the ECU temporary key to the vehicle 300 using the UDS 38 service. The UDS 29 service is the service defined in the UDS protocol for proving one's identity to the peer; for example, the diagnostic instrument 200 may authenticate through the UDS 29 service using a digital certificate preset in the diagnostic instrument 200, such as an OEM certificate. The UDS 38 service is the service defined in the UDS protocol for transferring files.
2) Send the ECU temporary key over a trusted channel
The diagnostic instrument 200 sends the ECU temporary key directly to the vehicle 300 over a trusted channel.
For example, the diagnostic instrument 200 may send the ECU temporary key to the vehicle 300 using sub-function 04 of the UDS 29 service, hereinafter the UDS 29 04 service. The UDS 29 04 service is the service defined in the UDS protocol for sending a file that represents one's identity to the peer; normally this file is the digital certificate of the diagnostic instrument 200, and in the embodiments of this application the diagnostic instrument 200 may send the ECU temporary key to the vehicle 300 as that identity-representing file.
It can be understood that the diagnostic instrument 200 may also use other methods that send the ECU temporary key to the vehicle 300 while proving its identity. For example, the diagnostic instrument 200 and the vehicle 300 may agree on a random number in advance; if the random number the vehicle 300 receives from the diagnostic instrument 200 matches the agreed one, the diagnostic instrument 200 is determined to be a trusted device. Or the diagnostic instrument 200 may encrypt the ECU temporary key with its private key before sending it to the vehicle 300, and so on. The embodiments of this application do not limit the way in which the diagnostic instrument 200 sends the ECU temporary key.
In addition, note that when the server 100 delivers the ECU temporary key to the diagnostic instrument 200 by sending an authorization file carrying the ECU temporary key, the diagnostic instrument 200, when sending the ECU temporary key to the vehicle 300, may likewise send the authorization file carrying the ECU temporary key directly to the vehicle 300. In that case, step S305 becomes: the diagnostic instrument 200 sends the authorization file to the on-board KMS in the vehicle 300. The diagnostic instrument 200 can send the authorization file after authenticating first, or send it over a trusted channel, so that the sender of the authorization file cannot be an attacker; and passing the ECU temporary key to the vehicle inside the authorization file prevents an attacker from tampering with the ECU temporary key, the expiry parameter and so on. Moreover, after the vehicle 300 obtains the authorization file and before it uses the ECU temporary key, it also verifies the legitimacy of the authorization file through the signature it carries. For a detailed description of the authorization file, refer to the related content in step S304 above, which is not repeated here.
S305. The diagnostic instrument 200 sends a security access request to the on-board KMS in the vehicle 300.
The diagnostic instrument 200 sends a Security Access Request to the vehicle 300, specifically to the on-board KMS in the vehicle 300, and correspondingly the vehicle 300 receives the security access request sent by the diagnostic instrument 200.
The diagnostic instrument 200 sends the security access request to the vehicle 300 according to the UDS protocol. The security access request may carry a diagnostic service identifier (SID) of the UDS protocol, which indicates the diagnostic service the diagnostic instrument 200 is initiating toward the vehicle 300. In the embodiments of this application the SID is 27; the diagnostic service the diagnostic instrument 200 initiates toward the vehicle 300 is therefore the security access service, i.e. the UDS 27 service, which provides a way to access controlled resources in the vehicle or to perform fault diagnosis. Specifically, the security access request requests permission to access resources of ECU1 in the vehicle 300 or to perform fault diagnosis on ECU1.
It should be understood that the diagnostic instrument 200 does not address the security access request to the on-board KMS in the vehicle 300 itself. The diagnostic instrument 200 originally addresses the security access request to ECU1 in the vehicle 300; in the actual implementation, the on-board KMS intercepts the data exchanged between the diagnostic instrument 200 and ECU1 and acts as a "bridge" for the communication between them. The on-board KMS therefore intercepts the UDS 27 service message, i.e. the security access request, that the diagnostic instrument 200 sends to ECU1, and completes the security access authentication with the diagnostic instrument 200 using the ECU temporary key; see steps S306-S311 described below.
In the embodiments of this application, this security access request directed at ECU1 (for example the first ECU) may also be referred to as the first security access request, and a security access request directed at ECU2 (for example the second ECU) may also be referred to as the third security access request; the first security access request requests access to ECU1 and the third security access request requests access to ECU2.
S306. The on-board KMS in the vehicle 300 generates a seed.
In response to the security access request sent by the diagnostic instrument 200, the vehicle 300 generates a seed; specifically, the vehicle 300 may generate the seed through the on-board KMS. The seed may be a random number generated by the on-board KMS.
In the embodiments of this application, this seed may also be referred to as the first seed.
S307. The on-board KMS in the vehicle 300 sends the seed to the diagnostic instrument 200.
The vehicle 300 sends the seed to the diagnostic instrument 200; specifically, the on-board KMS in the vehicle 300 sends the seed to the diagnostic instrument 200, and correspondingly the diagnostic instrument 200 receives the seed sent by the vehicle 300.
S308. The diagnostic instrument 200 encrypts the seed with the ECU temporary key.
In the UDS protocol, the ciphertext obtained by encrypting the seed may be called the key (Security Key).
S309. The on-board KMS in the vehicle 300 encrypts the seed with the ECU temporary key.
Steps S308 and S309 indicate that both the diagnostic instrument 200 and the vehicle 300 encrypt the seed with the ECU temporary key they obtained beforehand. Note that the diagnostic instrument 200 and the vehicle 300 use the same key algorithm to encrypt the seed with the ECU temporary key. This common key algorithm may be one agreed in advance between the diagnostic instrument 200 and the vehicle 300, including the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), the Advanced Encryption Standard (AES) and so on. For example, the diagnostic instrument 200 may agree on the key algorithm with the vehicle 300 after the authentication passes, or the key algorithm may be one that developers manually import into the diagnostic instrument 200 and the vehicle 300. The embodiments of this application do not limit how or when the diagnostic instrument 200 and the vehicle 300 obtain the key algorithm.
Because the ECU temporary key is valid only for a period of time, for example a first period, the diagnostic instrument 200 and the vehicle 300 encrypt the seed with the ECU temporary key within that first period; once the first period has elapsed, the ECU temporary key becomes invalid, which minimizes the harm caused by leakage of the ECU temporary key.
S310. The diagnostic instrument 200 sends the encrypted seed to the on-board KMS in the vehicle 300.
The diagnostic instrument 200 sends the encrypted seed to the vehicle 300, specifically to the on-board KMS in the vehicle 300, and correspondingly the vehicle 300 receives the encrypted seed sent by the diagnostic instrument 200.
It should be understood that when the diagnostic instrument 200 sends the encrypted seed to the vehicle 300, it is unaware of the actual recipient of the encrypted seed. The diagnostic instrument 200 originally addresses the encrypted seed to ECU1; the on-board KMS intercepts it after the diagnostic instrument 200 sends it.
S311. The on-board KMS in the vehicle 300 determines whether the received encrypted seed matches the locally encrypted seed.
The vehicle 300 determines whether the received encrypted seed (for example the first seed encrypted with the third key) matches the locally encrypted seed (for example the first seed encrypted with the first key); specifically, the vehicle 300 may make this determination through the on-board KMS. In this way, by comparing the received encrypted seed with the locally encrypted seed, the on-board KMS determines whether the diagnostic instrument 200 has permission to access the resources of the ECU (for example ECU1) or to perform fault diagnosis on it.
The locally encrypted seed may refer to the seed encrypted by the on-board KMS in the vehicle 300.
S312. If they match, the on-board KMS in the vehicle 300 sends the security access request to ECU1.
If they match, the on-board KMS has determined that the diagnostic instrument 200 has permission to access the resources of the ECU (for example ECU1) or to perform fault diagnosis on it, that is, it is authorized to access ECU1.
The vehicle 300 sends the security access request to ECU1 in the vehicle 300 through the on-board KMS. Like the security access request mentioned in step S305, this security access request is used by the diagnostic instrument 200 to request permission to access resources of ECU1 in the vehicle 300 or to perform fault diagnosis on ECU1. For a detailed description of the security access request, refer to step S305; it is not repeated here.
It should be understood that ECU1 is unaware of the sender of the security access request. It still follows the existing diagnostic procedure between a diagnostic instrument and an ECU: it generates and sends a seed in response to the security access request, encrypts the seed with the ECU key, and so on; see steps S313-S319 below. This matters because a vehicle may contain ECUs from multiple manufacturers: implementing the vehicle security access method provided by the embodiments of this application requires no adaptation of the ECUs, which spares developers from coordinating configuration changes to the ECUs with different manufacturers and makes the method more feasible to deploy on vehicles.
In the embodiments of this application, the security access request that the on-board KMS sends to ECU1 may also be referred to as the second security access request.
S313. ECU1 in the vehicle 300 generates a seed.
In response to the security access request sent by the on-board KMS, ECU1 generates a seed, which may be a random number generated by ECU1.
In the embodiments of this application, this seed may also be referred to as the second seed.
S314. ECU1 in the vehicle 300 sends the seed to the on-board KMS.
It should be understood that ECU1 in the vehicle 300 originally addresses the seed to the diagnostic instrument 200; the on-board KMS intercepts the seed that ECU1 sends to the diagnostic instrument 200, so that in effect ECU1 sends the seed to the on-board KMS.
S315. The on-board KMS in the vehicle 300 encrypts the seed with the ECU key.
In the UDS protocol, the ciphertext obtained by encrypting the seed may be called the key (Security Key).
S316. ECU1 in the vehicle 300 encrypts the seed with the ECU key.
Similarly to steps S308-S309, the on-board KMS and ECU1 in the vehicle 300 also encrypt the seed with the same key algorithm. The difference is that the encryption in steps S308-S309 uses the ECU temporary key, whereas the encryption in steps S315-S316 uses the ECU key.
In addition, the key algorithm used by the on-board KMS and ECU1 may be the same as or different from the key algorithm used by the diagnostic instrument 200 and the vehicle 300 in steps S308-S309 above; the embodiments of this application do not limit this.
S317. The on-board KMS in the vehicle 300 sends the encrypted seed to ECU1.
The on-board KMS sends the encrypted seed to ECU1, and correspondingly ECU1 receives the encrypted seed sent by the on-board KMS.
S318. ECU1 in the vehicle 300 determines whether the received encrypted seed matches the locally encrypted seed.
The locally encrypted seed may refer to the seed encrypted by ECU1.
S319. If they match, ECU1 in the vehicle 300 sends an indication that the security access authentication has passed to the diagnostic instrument 200.
If they match, ECU1 has determined that the diagnostic instrument 200 has permission to access the resources of the ECU (for example ECU1) or to perform fault diagnosis on it.
When ECU1 in the vehicle 300 sends the indication that the security access authentication has passed (for example the first message) to the diagnostic instrument 200, the vehicle 300 has determined that the diagnostic instrument 200 is authorized to access the controlled resources of ECU1 or to diagnose ECU1. The diagnostic instrument 200 can then access the controlled resources on ECU1 or perform fault diagnosis on ECU1.
ECU1 in the vehicle 300 may send this indication directly to the diagnostic instrument 200, or the on-board KMS may intercept the indication sent by ECU1 and forward it to the diagnostic instrument 200.
S320. The diagnostic instrument 200 sends a diagnosis request to ECU1 in the vehicle 300.
After the diagnostic instrument 200 has completed the security access authentication, it can initiate diagnosis of the target ECU, namely ECU1. The diagnosis request triggers access to resources in ECU1 or triggers fault diagnosis of ECU1; in other words, the diagnosis request requests the diagnostic data of ECU1.
Like the security access request, the diagnosis request may carry a diagnostic service identifier (SID) of the UDS protocol, which identifies the diagnostic service the diagnostic instrument initiates toward the vehicle. ECU1 can determine from the SID which diagnostic service the diagnostic instrument 200 has initiated, and then return the diagnostic data required by that service.
Note also that the diagnostic instrument 200 may send the diagnosis request directly to ECU1, or the on-board KMS may intercept the diagnosis request and send it to ECU1.
In the embodiments of this application, the diagnosis request directed at ECU1 may also be referred to as the first diagnosis request, and a diagnosis request directed at ECU2 may also be referred to as the second diagnosis request; the first diagnosis request requests the diagnostic data of ECU1, and the second diagnosis request requests the diagnostic data of ECU2.
S321. ECU1 in the vehicle 300 sends the diagnostic data to the diagnostic instrument 200.
In response to the diagnosis request, ECU1 looks up the diagnostic data requested by the diagnosis request and sends it to the diagnostic instrument 200.
ECU1 in the vehicle 300 may send the diagnostic data directly to the diagnostic instrument 200, or the on-board KMS may intercept the diagnostic data sent by ECU1 and forward it to the diagnostic instrument 200.
In addition, as can be seen from Figure 5, steps S305-S311 are the security access authentication procedure outside the vehicle mentioned above, and steps S312-S318 are the security access authentication procedure inside the vehicle. In the procedure outside the vehicle, the diagnostic instrument 200 and the vehicle 300 authenticate using the ECU temporary key; in the procedure inside the vehicle, the on-board KMS and ECU1 in the vehicle 300 authenticate using the ECU key.
It should be understood that everything exchanged between the diagnostic instrument 200 and the vehicle 300 above, such as the security access request, the indication that authentication has passed, the diagnosis request and the diagnostic data, may be exchanged according to the communication standard of the UDS protocol.
It can be seen that, by having the on-board KMS intervene in the security access authentication between the diagnostic instrument and the ECU, the diagnostic instrument and the ECU hold different keys, which minimizes the impact of a key leak.
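The two-leg seed/key exchange of Figure 5 (steps S305-S319), as an added Go example that is not the patent's own code: the on-board KMS verifies the diagnostic instrument with the ECU temporary key, and only then answers ECU1's unchanged seed/key challenge with the ECU key, so the instrument never holds the ECU key. Assumed for this example: the "key algorithm" is a single AES-128 block encryption of a 16-byte seed (the page lists AES as one option), the comparison is done in constant time, and all keys are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// One seed is one AES block; the assumed key algorithm of S308/S309 and
// S315/S316 is a single AES-128 block encryption of that seed.
const seedLen = aes.BlockSize

// keyFromSeed derives the UDS "Security Key" from a seed under key.
func keyFromSeed(key, seed []byte) ([]byte, error) {
	if len(seed) != seedLen {
		return nil, errors.New("seed must be exactly one AES block")
	}
	block, err := aes.NewCipher(key) // needs a 16-byte key for AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, seedLen)
	block.Encrypt(out, seed)
	return out, nil
}

// verifier is the responding side of one seed/key exchange: the on-board KMS
// toward the instrument (S306-S311) or ECU1 toward the KMS (S313-S318).
type verifier struct {
	key  []byte // ECU temporary key on the KMS, ECU key on the ECU
	seed []byte // the seed this verifier issued
}

// requestSeed issues a fresh random seed (S306 / S313).
func (v *verifier) requestSeed() ([]byte, error) {
	s := make([]byte, seedLen)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	v.seed = s
	return s, nil
}

// checkKey is the comparison of S311 / S318, in constant time so the verifier
// does not leak how many leading bytes of the received key were correct.
func (v *verifier) checkKey(received []byte) (bool, error) {
	local, err := keyFromSeed(v.key, v.seed)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(local, received) == 1, nil
}

// SecurityAccess runs the bridged flow. toolTempKey is what the diagnostic
// instrument received from the server; kmsTempKey and ecuKey stay inside the
// vehicle. It returns true only when both legs pass.
func SecurityAccess(toolTempKey, kmsTempKey, ecuKey []byte) (bool, error) {
	// Outer leg, outside the vehicle: instrument <-> KMS with the temporary key.
	kms := &verifier{key: kmsTempKey}
	seed1, err := kms.requestSeed() // S306, S307
	if err != nil {
		return false, err
	}
	toolKey, err := keyFromSeed(toolTempKey, seed1) // S308, on the instrument
	if err != nil {
		return false, err
	}
	ok, err := kms.checkKey(toolKey) // S310, S311
	if err != nil || !ok {
		return false, err // S312 never happens: ECU1 sees no request
	}
	// Inner leg, inside the vehicle: KMS <-> ECU1 with the ECU key. ECU1 runs
	// its existing seed/key logic; the KMS answers in place of the instrument.
	ecu := &verifier{key: ecuKey}
	seed2, err := ecu.requestSeed() // S313, S314
	if err != nil {
		return false, err
	}
	kmsKey, err := keyFromSeed(ecuKey, seed2) // S315, on the KMS
	if err != nil {
		return false, err
	}
	return ecu.checkKey(kmsKey) // S317, S318; true leads to S319
}

func main() {
	tempKey, ecuKey := make([]byte, 16), make([]byte, 16) // constructed keys
	rand.Read(tempKey)
	rand.Read(ecuKey)
	ok, err := SecurityAccess(tempKey, tempKey, ecuKey)
	fmt.Println("instrument with valid temporary key:", ok, err)
	wrong := make([]byte, 16) // e.g. an expired or guessed temporary key
	ok, err = SecurityAccess(wrong, tempKey, ecuKey)
	fmt.Println("instrument with wrong temporary key:", ok, err)
}
```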
另外,除了图5所示的流程图所描述的诊断仪和ECU上不再使用相同的密钥用于安全访问认证外,诊断仪上也可以不再持有用于安全访问认证的密钥,这时,诊断仪不再通过UDS 27服务向诊断仪发起安全访问请求,而是直接发起诊断请求,也就是说车辆外部不再进行安全访问认证,但保留车辆内部的安全访问认证,具体可参见下面关于图6所示的流程图的描述。In addition, in addition to no longer using the same key for secure access authentication on the diagnostic instrument and the ECU as described in the flow chart shown in Figure 5, the diagnostic instrument may no longer hold the key for secure access authentication. At this time, the diagnostic instrument no longer initiates a security access request to the diagnostic instrument through the UDS 27 service, but directly initiates a diagnosis request. That is to say, the security access authentication is no longer performed outside the vehicle, but the security access authentication inside the vehicle is retained. For details, see The following is a description of the flowchart shown in Figure 6.
As shown in Figure 6, phase two mainly includes:
S401. The server 100 and the diagnostic tool 200 complete diagnostic tool authentication.
Before the diagnostic tool 200 diagnoses the vehicle 300, the diagnostic tool 200 first needs to authenticate to the server 100 to prove the legitimacy of its identity.
The diagnostic tool 200 may complete diagnostic tool authentication by sending the digital certificate of the diagnostic tool 200 to the server 100, proving the legitimacy of the diagnostic tool 200. For the specifics of this authentication process, refer to the related content of step S301 above, which is not repeated here.
In addition, after the server 100 determines that the diagnostic tool 200 is legitimate, it may send indication information that authentication has passed to the diagnostic tool 200, so that the diagnostic tool 200 can then authenticate to the vehicle 300.
It can be understood that step S401 is optional; the diagnostic tool 200 may trigger diagnosis directly after passing the vehicle 300's authentication of the diagnostic tool, and the embodiments of this application do not limit this.
S402. The diagnostic tool 200 and the on-board KMS in the vehicle 300 complete diagnostic tool authentication.
After the diagnostic tool 200 passes diagnostic tool authentication with the server 100, the diagnostic tool 200 may further authenticate to the vehicle 300 to prove the legitimacy of its identity.
Similar to step S401, the diagnostic tool 200 may complete diagnostic tool authentication by sending the digital certificate of the diagnostic tool 200 to the vehicle 300, proving the legitimacy of the diagnostic tool 200.
In addition, after the vehicle 300 determines that the diagnostic tool 200 is legitimate, it may send indication information that authentication has passed to the diagnostic tool 200.
S403. After authentication passes, the diagnostic tool 200 sends a diagnostic request to the on-board KMS in the vehicle 300.
After the authentication between the diagnostic tool 200 and the server 100 and the authentication between the diagnostic tool 200 and the vehicle 300 have passed, the diagnostic tool 200 may send a diagnostic request to the vehicle 300; the diagnostic request is used to request the diagnostic data of ECU1.
It should be understood that the diagnostic tool 200 originally sends this diagnostic request to ECU1, and the on-board KMS intercepts the diagnostic request sent by the diagnostic tool 200 to ECU1 midway; therefore, after authentication passes, the diagnostic tool 200 in effect sends the diagnostic request to the on-board KMS.
Comparing with steps S305-S311 above, it can be seen that in step S403 the diagnostic tool 200 skips the UDS 27 service and directly initiates a diagnostic service to ECU1, requesting the diagnostic data of ECU1. In this way, the diagnostic tool 200 no longer holds any key for security access authentication, which eliminates the risk of the diagnostic tool leaking the ECU key.
S404. The on-board KMS in the vehicle 300 sends a security access request to ECU1.
After obtaining the diagnostic request, the on-board KMS sends a security access request to ECU1. This security access request is used to request a seed. For a specific description of the security access request, refer to the related content of step S305 or S312 above, which is not repeated here.
It can be seen that the on-board KMS still preserves the security access authentication process before diagnosis, so that ECU1 still operates according to the "authenticate first, then diagnose" sequence. In this way the ECU configuration does not need to be changed, which increases the feasibility of implementing this solution on the vehicle.
S405. ECU1 in the vehicle 300 generates a seed.
S406. ECU1 in the vehicle 300 sends the seed to the on-board KMS.
S407. The on-board KMS in the vehicle 300 encrypts the seed using the ECU key.
S408. ECU1 in the vehicle 300 encrypts the seed using the ECU key.
S409. The on-board KMS in the vehicle 300 sends the encrypted seed to ECU1.
S410. ECU1 in the vehicle 300 determines whether the received encrypted seed is consistent with the locally encrypted seed.
It should be understood that steps S405-S410 are the same as steps S313-S318 above and may be referred to correspondingly; they are not repeated here.
S411. If they are consistent, ECU1 in the vehicle 300 sends indication information that security access authentication has passed to the on-board KMS.
It should be understood that ECU1 originally sends the indication information that security access authentication has passed to the diagnostic tool 200; the on-board KMS may intercept this indication information midway, so that ECU1 in effect sends the indication information that security access authentication has passed to the on-board KMS.
S412. The on-board KMS in the vehicle 300 sends the diagnostic request to ECU1.
After the on-board KMS learns that security access authentication has passed, the on-board KMS may send the diagnostic request sent by the diagnostic tool 200 to ECU1.
S413. ECU1 in the vehicle 300 sends the diagnostic data to the diagnostic tool 200.
In response to the diagnostic request, ECU1 looks up the diagnostic data requested by the diagnostic request and sends the diagnostic data to the diagnostic tool 200.
ECU1 in the vehicle 300 may send the diagnostic data directly to the diagnostic tool 200, or the on-board KMS may intercept the diagnostic data sent by ECU1 and forward it to the diagnostic tool 200.
It should be understood that for content not mentioned or not elaborated in the steps shown in Figure 6 above, refer to the flowchart shown in Figure 5; it is not repeated here.
In general, after passing the dual authentication with the server and with the vehicle, the diagnostic tool can directly initiate a diagnostic request to the target ECU in the vehicle, while inside the vehicle security access authentication is first completed using the ECU key, and only after authentication passes is the diagnostic request answered by sending the diagnostic data to the diagnostic tool. In this way, the diagnostic tool no longer holds any key for security access authentication, which eliminates the possibility of the diagnostic tool leaking the key, improves the reliability of security access authentication between the diagnostic tool and the ECU, and enhances the security of the vehicle.
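The in-vehicle part of the Figure 6 flow (S403-S413), as an added Python simulation that is not part of the patent: the diagnostic tool holds no security-access key, the on-board KMS intercepts the tool's diagnostic request, runs the seed/key exchange with ECU1 using the ECU key, and only then forwards the request. The HMAC-based seed-to-key function, the ECU key value, the VIN sample data and the class and function names are assumptions; the UDS service identifiers and negative response codes are the ISO 14229 values.

```python
"""Added example, not from the patent: simulation of phase two (Figure 6).

The diagnostic tool never touches a security-access key. The on-board KMS
sits between tool and ECU, performs UDS 0x27 SecurityAccess with the ECU
key it shares with ECU1, and forwards the tool's request only after the ECU
reports the unlock. The seed->key function is an assumption (HMAC-SHA256);
the patent only says the seed is "encrypted with the ECU key".
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# ISO 14229 service / sub-function / negative response code values
SID_SECURITY_ACCESS = 0x27
SID_READ_DATA_BY_ID = 0x22
SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_INCORRECT_LENGTH = 0x13
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_SECURITY_ACCESS_DENIED = 0x33
NRC_INVALID_KEY = 0x35

# Constructed sample ECU key, shared only by ECU1 and the on-board KMS.
ECU_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Constructed sample diagnostic data: DID 0xF190 (VIN) on ECU1.
SAMPLE_DATA = {0xF190: b"VIN-CONSTRUCTED-0001"}


def seed_to_key(key: bytes, seed: bytes) -> bytes:
    """Assumed 'encrypt the seed with the ECU key' step (S407 / S408)."""
    return hmac.new(key, seed, hashlib.sha256).digest()[:16]


def negative(sid: int, nrc: int) -> bytes:
    return bytes([0x7F, sid, nrc])


class Ecu:
    """ECU1 with unchanged UDS behaviour: authenticate first, then diagnose."""

    def __init__(self, key: bytes, data: dict[int, bytes]) -> None:
        self._key = key
        self._data = data
        self._seed: bytes | None = None
        self.unlocked = False

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        if sid == SID_SECURITY_ACCESS:
            if len(req) < 2:
                return negative(sid, NRC_INCORRECT_LENGTH)
            if req[1] == SUB_REQUEST_SEED:                 # S405 / S406
                self._seed = secrets.token_bytes(4)
                self.unlocked = False
                return bytes([sid + 0x40, SUB_REQUEST_SEED]) + self._seed
            if req[1] == SUB_SEND_KEY:
                if self._seed is None:
                    return negative(sid, NRC_REQUEST_SEQUENCE_ERROR)
                expected = seed_to_key(self._key, self._seed)   # S408
                self._seed = None                       # one attempt per seed
                if not hmac.compare_digest(expected, req[2:]):  # S410
                    return negative(sid, NRC_INVALID_KEY)
                self.unlocked = True
                return bytes([sid + 0x40, SUB_SEND_KEY])        # S411
        if sid == SID_READ_DATA_BY_ID:
            if not self.unlocked:                       # no diagnosis before unlock
                return negative(sid, NRC_SECURITY_ACCESS_DENIED)
            did = int.from_bytes(req[1:3], "big")
            return bytes([sid + 0x40]) + req[1:3] + self._data.get(did, b"")  # S413
        return negative(sid, NRC_SERVICE_NOT_SUPPORTED)


class OnboardKms:
    """Intercepts the tool's request; holds the ECU key the tool does not."""

    def __init__(self, ecu: Ecu, key: bytes) -> None:
        self._ecu = ecu
        self._key = key

    def forward_diagnostic_request(self, tool_authenticated: bool, req: bytes) -> bytes:
        """S403-S413: unlock ECU1 on the tool's behalf, then forward the request."""
        if not tool_authenticated:          # S402 certificate check did not pass
            return negative(req[0], NRC_SECURITY_ACCESS_DENIED)
        resp = self._ecu.handle(bytes([SID_SECURITY_ACCESS, SUB_REQUEST_SEED]))  # S404
        if resp[0] == 0x7F:
            return resp
        key = seed_to_key(self._key, resp[2:])                                   # S407
        resp = self._ecu.handle(bytes([SID_SECURITY_ACCESS, SUB_SEND_KEY]) + key)  # S409
        if resp[0] == 0x7F:
            return resp
        return self._ecu.handle(req)                                             # S412 -> S413


def run_phase_two(tool_authenticated: bool = True, kms_key: bytes = ECU_KEY) -> bytes:
    """The tool sends ReadDataByIdentifier directly, with no 0x27 step of its own."""
    ecu = Ecu(ECU_KEY, SAMPLE_DATA)
    kms = OnboardKms(ecu, kms_key)
    return kms.forward_diagnostic_request(tool_authenticated, bytes([SID_READ_DATA_BY_ID, 0xF1, 0x90]))


def direct_request_without_unlock() -> bytes:
    """What ECU1 answers if a diagnostic request reaches it before any unlock."""
    return Ecu(ECU_KEY, SAMPLE_DATA).handle(bytes([SID_READ_DATA_BY_ID, 0xF1, 0x90]))
```

A KMS configured with the wrong ECU key fails at S410 with NRC 0x35, and a tool that did not pass S402 never causes a seed request at all.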
FIG. 7 is a schematic structural diagram of a vehicle 300 provided by an embodiment of this application.
As shown in Figure 7, the vehicle 300 includes: a controller area network (CAN) bus 11, a plurality of electronic control units (ECUs), an engine 13, a telematics box (T-box) 14, a transmission 15, a driving recorder 16, an antilock brake system (ABS) 17, a sensor system 18, a camera system 19, a microphone 20, and so on.
The CAN bus 11 is a serial communication network supporting distributed control or real-time control, used to connect the various components of the vehicle 300. Any component on the CAN bus 11 can listen to all data transmitted on the CAN bus 11. The frames transmitted on the CAN bus 11 may include data frames, remote frames, error frames and overload frames; different frames carry different types of data. In the embodiments of this application, the CAN bus 11 may be used to transmit the data of the various components involved in the voice-command based control method; for the specific implementation of this method, refer to the detailed description of the method embodiments below.
The vehicle is not limited to the CAN bus 11; in some other embodiments, the various components of the vehicle 300 may also be connected and communicate in other ways. For example, the components may also communicate via automotive Ethernet, a local interconnect network (LIN) bus, FlexRay, a media oriented systems (MOST) bus, and so on; the embodiments of this application do not limit this. The following embodiments are described with the components communicating over the CAN bus 11.
The ECU is equivalent to the processor or brain of the vehicle 300, and is used to instruct the corresponding component to perform the corresponding action according to instructions obtained from the CAN bus 11 or according to operations input by the user. An ECU may consist of a security chip, a microcontroller unit (MCU), random access memory (RAM), read-only memory (ROM), input/output interfaces (I/O), analog/digital converters (A/D converters), and large-scale integrated circuits for input, output, shaping, driving and so on.
There are many types of ECUs, and different types of ECUs may be used to implement different functions.
In the embodiments of this application, the ECU may also store keys generated by other functional modules in the vehicle 300, such as the ECU key generated by the on-board KMS. In addition, the ECU, as the object diagnosed by a diagnostic tool such as the diagnostic tool 200, may communicate with the diagnostic tool 200 based on the UDS protocol, complete the security access authentication process with the diagnostic tool 200, and, after authentication passes, send the diagnostic data to the diagnostic tool 200 based on the diagnostic request sent by the diagnostic tool 200.
The plurality of ECUs in the vehicle 300 may include, for example: an engine ECU 121, a telematics box (T-box) ECU 122, a transmission ECU 123, a driving recorder ECU 124, an antilock brake system (ABS) ECU 125, and so on.
The engine ECU 121 is used to manage the engine and coordinate its various functions; for example, it may be used to start the engine, shut down the engine, and so on. The engine is the device that provides power for the vehicle 300. An engine is a machine that converts some form of energy into mechanical energy. The vehicle 300 may convert the chemical energy of burning liquid or gaseous fuel, or electrical energy, into mechanical energy and output power. The engine components may include two major mechanisms, the crank-connecting-rod mechanism and the valve train, and five major systems: cooling, lubrication, ignition, energy supply and starting. The main parts of the engine include the cylinder block, cylinder head, pistons, piston pins, connecting rods, crankshaft, flywheel, and so on.
The T-box ECU 122 is used to manage the T-box 14.
The T-box 14 is mainly responsible for communicating with the Internet and provides a remote communication interface for the vehicle 300, offering services including navigation, entertainment, driving data collection, driving trajectory recording, vehicle fault monitoring, remote vehicle query and control (such as locking and unlocking, air-conditioning control, window control, engine torque limiting, engine start/stop, seat adjustment, and querying battery level, fuel level, door status and so on), driving behavior analysis, wireless hotspot sharing, roadside assistance, abnormality alerts, and so on.
The T-box 14 may be used to communicate with a telematics service provider (TSP) and with user-side (e.g., driver-side) electronic devices, enabling display and control of the vehicle status on the electronic device. When the user sends a control command through a vehicle management application on the electronic device, the TSP sends a request instruction to the T-box 14; after obtaining the control command, the T-box 14 sends a control message over the CAN bus to control the vehicle 300, and finally feeds the operation result back to the vehicle management application on the user-side electronic device. In other words, the data read by the T-box 14 over the CAN bus 11, such as vehicle condition reports, driving reports, fuel consumption statistics, traffic violation queries, location tracks, driving behavior and other data, can be transmitted over the network to the TSP back-end system, which forwards it to the user-side electronic device for the user to view.
The T-box 14 may specifically include a communication module and a display screen.
The communication module may be used to provide wireless communication functions, supporting communication between the vehicle 300 and other devices through wireless communication technologies such as wireless local area networks (WLAN) (e.g., wireless fidelity (Wi-Fi) networks), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR), ultra-wideband (UWB), and so on. The communication module may also be used to provide mobile communication functions, supporting communication between the vehicle 300 and other devices through communication technologies such as the global system for mobile communications (GSM), universal mobile telecommunications system (UMTS), wideband code division multiple access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), 5G, and future 6G.
The communication module may establish connections and communicate with other devices such as servers and user-side electronic devices through cellular-network-based vehicle to everything (V2X) communication technology (cellular V2X, C-V2X). C-V2X may include, for example, long term evolution (LTE) based V2X (LTE-V2X), 5G-V2X, and so on.
In some embodiments, the communication module may be used to implement communication between the vehicle 300 and a server such as the server 100, for example sending the vehicle key in the vehicle 300 to the server 100, or receiving the vehicle key sent by the server 100, and so on.
The display screen is used to provide a visual interface for the driver. The vehicle 300 may include one or more display screens, for example an in-vehicle display screen arranged in front of the driver's seat, a display screen arranged above the seats for showing the surroundings, and a head up display (HUD) that projects information onto the windshield, and so on.
The T-box 14 may also be called the head unit system, telematics processor, vehicle gateway, and so on; the embodiments of this application do not limit this.
The transmission ECU 123 is used to manage the transmission.
The transmission 15 is a mechanism that can be used to change the rotational speed and torque of the engine; it can change the transmission ratio between the output shaft and the input shaft, either fixed or in steps. The components of the transmission 15 may include a speed-change transmission mechanism, a control mechanism, a power output mechanism, and so on. The main function of the speed-change transmission mechanism is to change the magnitude and direction of torque and rotational speed; the main function of the control mechanism is to control the transmission mechanism to change the transmission ratio, that is, to shift gears, so as to vary speed and torque.
The driving recorder ECU 124 is used to manage the driving recorder 16.
The components of the driving recorder 16 may include a main unit, a vehicle speed sensor, data analysis software, and so on. The driving recorder 16 is an instrument that records the images and sound during the vehicle's travel, together with related information such as driving time, speed and location. In the embodiments of this application, while the vehicle is moving, the vehicle speed sensor collects the wheel speed and sends the vehicle speed information to the driving recorder 16 over the CAN bus.
The ABS ECU 125 is used to manage the ABS 17.
The ABS 17 automatically controls the magnitude of the braking force when the vehicle brakes, so that the wheels are not locked but remain in a rolling-and-sliding state, ensuring maximum adhesion between the wheels and the ground. During braking, when the electronic control unit determines, based on the wheel speed signals input by the wheel speed sensors, that a wheel is tending to lock, the ABS enters the anti-lock brake pressure regulation process.
The sensor system 18 may include: an acceleration sensor, a vehicle speed sensor, a vibration sensor, a gyroscope sensor, radar sensors, a signal transmitter, a signal receiver, and so on. The acceleration sensor and the vehicle speed sensor are used to detect the speed of the vehicle 300. The vibration sensor may be arranged under the seat, in the seat belt, in the seat back, in the operating panel, in the airbag or elsewhere, and is used to detect whether the vehicle 300 has been in a collision and where the user is located. The gyroscope sensor may be used to determine the motion attitude of the vehicle 300. The radar sensors may include lidar, ultrasonic radar, millimeter-wave radar, and so on. A radar sensor is used to emit electromagnetic waves to illuminate a target and receive its echo, thereby obtaining information such as the distance from the target to the emission point, the rate of change of distance (radial velocity), bearing and height, so as to identify other vehicles, pedestrians, roadblocks and the like near the vehicle 300. The signal transmitter and signal receiver are used to send and receive signals, which may be used to detect the user's location; the signals may be, for example, ultrasonic, millimeter-wave, laser, and so on.
The camera system 19 may include a plurality of cameras, which are used to capture still images or video. The cameras in the camera system 19 may be arranged at the front, rear, sides, interior and other positions of the vehicle, facilitating functions such as driver assistance, driving recording, surround view and in-cabin monitoring.
The sensor system 18 and the camera system 19 may be used to detect the surrounding environment, so that the vehicle 300 can make corresponding decisions in response to environmental changes; for example, they may be used to perform the task of monitoring the surrounding environment during an autonomous driving phase.
The microphone 20, also called a "mic" or "sound transducer", is used to convert sound signals into electrical signals. When making a call or issuing a voice command, the user can speak with their mouth close to the microphone 20 to input the sound signal into the microphone 20. The vehicle 300 may be provided with at least one microphone 20. In other embodiments, the vehicle 300 may be provided with two microphones 20, which, in addition to collecting sound signals, can also implement noise reduction. In still other embodiments, the vehicle 300 may be provided with three, four or more microphones 20 forming a microphone array, which can collect sound signals, reduce noise, identify the sound source, implement directional recording, and so on.
In addition, the vehicle 300 may also include a plurality of interfaces, such as a USB interface, an RS-232 interface, an RS485 interface and so on, to which external cameras, microphones, headphones and user-side electronic devices may be connected.
In the embodiments of this application, the microphone 20 may be used to detect voice commands input by the user. The sensor system 18, the camera system 19, the T-box 14 and so on may be used to obtain the role information of the user who input the voice command. For the way in which the components of the vehicle 300 obtain the user's role information, refer to the related descriptions in the subsequent method embodiments. The T-box ECU 122 may be used to determine, based on the role information, whether the current user has the permission corresponding to the voice command; only if the user has that permission does the T-box ECU 122 dispatch the corresponding components of the vehicle 300 to respond to the voice command.
It can be understood that the structure illustrated in the embodiments of this application does not constitute a specific limitation on the vehicle system. The embodiments of this application do not limit the number of electronic control units (ECUs). The vehicle 300 may include more or fewer components than illustrated, may combine some components, may split some components, or may have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
For example, the vehicle 300 may also include a separate memory, a battery, lights, wipers, an instrument panel, an audio system, a vehicle-mounted terminal (transmission control unit, TCU), an auxiliary control unit (ACU), a passive entry passive start (PEPS) system, an on board unit (OBU), a body control module (BCM), a charging interface, and so on.
In addition, it should be noted that the on-board KMS in the vehicle 300 (not shown in the figure) is used to listen to and intercept the data communicated between the diagnostic tool and the ECU, to send data to the diagnostic tool or the ECU, and to carry out security access authentication with the diagnostic tool and the ECU. For example, the on-board KMS may intercept the security access request sent by the diagnostic tool 200 to ECU1, perform security access authentication with the diagnostic tool 200 based on that security access request, and, after authentication passes, send the security access request on to ECU1 and then perform security access authentication with ECU1, and so on. It should be understood that the on-board KMS mentioned in the embodiments of this application may be a single hardware device in the vehicle 300 that implements the above functions, or may be a hardware cluster, a chip system or the like that implements the above functions; the embodiments of this application do not limit this.
图8为本申请实施例提供的电子设备400的结构示意图。FIG. 8 is a schematic structural diagram of an electronic device 400 provided by an embodiment of the present application.
如图8所示,电子设备400可以包括:一个或多个处理器201、存储器202、通信接口203、发射器205、接收器206、耦合器207和天线208。这些部件可通过总线204或者其他方式连接,图8以通过总线连接为例。其中:As shown in FIG. 8 , the electronic device 400 may include: one or more processors 201 , memory 202 , communication interface 203 , transmitter 205 , receiver 206 , coupler 207 and antenna 208 . These components can be connected through the bus 204 or other ways. Figure 8 takes the connection through the bus as an example. in:
The communication interface 203 may be used for communication between the electronic device 400 and other communication devices. Specifically, the communication interface 203 may be a 3G communication interface, a Long Term Evolution (LTE) (4G) communication interface, a 5G communication interface, a WLAN communication interface, a WAN communication interface, and so on. The communication interface 203 is not limited to wireless interfaces; the electronic device 400 may also be configured with a wired communication interface 203 to support wired communication. For example, when the electronic device 400 is a diagnostic instrument, the electronic device 400 and the vehicle may communicate over a wired connection.
In some embodiments of the present application, the transmitter 205 and the receiver 206 may be regarded as a wireless modem. The transmitter 205 may be used to perform transmit processing on the signal output by the processor 201. The receiver 206 may be used to receive signals. In the electronic device 400, there may be one or more transmitters 205 and one or more receivers 206. The antenna 208 may be used to convert electromagnetic energy in a transmission line into electromagnetic waves in free space, or to convert electromagnetic waves in free space into electromagnetic energy in a transmission line. The coupler 207 may be used to split the mobile communication signal into multiple channels and distribute them to multiple receivers 206. It can be understood that the antenna 208 of the electronic device 400 may be implemented as a large-scale antenna array.
The memory 202 is coupled to the processor 201 and is used to store various software programs and/or sets of instructions. Specifically, the memory 202 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state storage devices.
The memory 202 may store an operating system (hereinafter referred to simply as the system), such as uCOS, VxWorks, RTLinux, or another embedded operating system.
In the embodiments of the present application, the processor 201 may be used to read and execute computer-readable instructions.
In the embodiments of the present application, when the electronic device 400 is the server 100:
The processor 201 may be used to generate keys according to a key algorithm, including the vehicle key, the ECU temporary key, and so on, and to derive the ECU key from the vehicle key according to a key derivation algorithm.
The transmitter 205 may be used to send the vehicle key, the ECU temporary key, and so on.
The receiver 206 may be used to receive the vehicle key, the digital certificate of the diagnostic instrument, and so on.
The memory 202 may be used to store the key algorithm, the key derivation algorithm, the vehicle key, the ECU temporary key, and so on.
In the embodiments of the present application, when the electronic device 400 is the diagnostic instrument 200:
The processor 201 may be used to encrypt the seed using the ECU temporary key.
The transmitter 205 may be used to send the secure access request or the diagnostic request, the encrypted seed, and so on.
The receiver 206 may be used to receive the seed, the notification that secure access authentication has passed, the diagnostic data, and so on.
The memory 202 may be used to store the key algorithm, the diagnostic data of the vehicle, and so on.
In addition, when the electronic device 400 is the diagnostic instrument 200, the electronic device 400 may further include a display screen, which is used to display fault information of the vehicle.
For the parts of the server 100 and the diagnostic instrument 200 not mentioned here, refer to the foregoing description; they are not repeated here.
It should be understood that each step of the foregoing method embodiments may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The method steps disclosed in connection with the embodiments of this application may be directly executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
This application further provides an electronic device, which may include a memory and a processor. The memory may be used to store a computer program; the processor may be used to invoke the computer program in the memory, so that the electronic device performs the method performed by the server 100, the diagnostic instrument 200, or the vehicle 300 in any of the foregoing embodiments.
This application further provides a chip system, which includes at least one processor for implementing the functions involved in the method performed by the server 100, the diagnostic instrument 200, or the vehicle 300 in any of the foregoing embodiments.
In a possible design, the chip system further includes a memory for storing program instructions and data; the memory is located inside or outside the processor.
The chip system may consist of chips, or may include chips and other discrete devices.
Optionally, the chip system may include one or more processors. The processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that operates by reading software code stored in a memory.
Optionally, the chip system may also include one or more memories. The memory may be integrated with the processor or provided separately from the processor; the embodiments of this application do not limit this. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or provided on separate chips. The embodiments of this application do not specifically limit the type of the memory or the manner in which the memory and the processor are arranged.
For example, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
This application further provides a computer program product. The computer program product includes a computer program (which may also be called code or instructions); when the computer program is run, it causes a computer to perform the method performed by any one of the server 100, the diagnostic instrument 200, or the vehicle 300 in any of the foregoing embodiments.
This application further provides a computer-readable storage medium, which stores a computer program (which may also be called code or instructions). When the computer program is run, it causes a computer to perform the method performed by any one of the server 100, the diagnostic instrument 200, or the vehicle 300 in any of the foregoing embodiments.
It should be understood that the processor in the embodiments of this application may be an integrated circuit chip with signal processing capability. In implementation, each step of the foregoing method embodiments may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in connection with the embodiments of this application may be directly executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the foregoing methods in combination with its hardware.
In addition, the embodiments of this application further provide an apparatus. The apparatus may specifically be a component or module, and may include one or more processors and memories that are connected to each other. The memory is used to store a computer program. When the computer program is executed by the one or more processors, the apparatus is caused to perform the methods in the foregoing method embodiments.
The apparatus, computer-readable storage medium, computer program product, or chip provided by the embodiments of this application are all used to perform the corresponding methods provided above. Therefore, for the beneficial effects they can achieve, refer to the beneficial effects of the corresponding methods provided above; they are not repeated here.
The embodiments of this application may be combined arbitrarily to achieve different technical effects.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (for example, coaxial cable, optical fiber, or digital subscriber line) or wireless (for example, infrared, radio, or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
A person of ordinary skill in the art can understand that all or part of the procedures in the methods of the foregoing embodiments may be completed by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium, and when executed it may include the procedures of the foregoing method embodiments. The aforementioned storage medium includes: ROM, random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
In summary, the foregoing descriptions are merely embodiments of the technical solutions of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, or the like made based on the disclosure of the present invention shall fall within the protection scope of the present invention.

Claims (28)

  1. A vehicle secure access method, characterized in that the method is applied to a vehicle including a first ECU, the vehicle stores a first key that is temporarily valid within a first period and a second key of the first ECU, and the method includes:
    the vehicle receives a first secure access request sent by a first device;
    within the first period, the vehicle uses the first key to verify whether the first device has permission to access the first ECU, where only a device that stores the first key has permission to access the first ECU;
    after determining that the first device has the permission, the vehicle uses the second key to perform an authentication process inside the vehicle;
    the vehicle sends a first message to the first device, the first message being used to indicate that the vehicle's verification of the first device has passed;
    the vehicle receives a first diagnostic request sent by the first device;
    in response to the first diagnostic request, the vehicle sends diagnostic data of the first ECU to the first device.
  2. The method according to claim 1, characterized in that the vehicle using the first key to verify whether the first device has permission to access the first ECU specifically includes:
    the vehicle generates a first seed and sends the first seed to the first device;
    the vehicle receives the first seed encrypted by the first device using a third key;
    the vehicle verifies whether the first seed encrypted with the third key is consistent with the first seed encrypted using the first key; if they are consistent, the first device has permission to access the first ECU.
  3. The method according to claim 2, characterized in that the vehicle further includes a KMS, and the vehicle using the first key to verify whether the first device has permission to access the first ECU specifically includes:
    the vehicle generates a first seed through the KMS and sends the first seed to the first device through the KMS;
    the vehicle receives, through the KMS, the first seed encrypted by the first device using a third key;
    the vehicle verifies, through the KMS, whether the first seed encrypted with the third key is consistent with the first seed encrypted using the first key; if they are consistent, the first device has permission to access the first ECU.
  4. The method according to any one of claims 1 to 3, characterized in that the first key is a key generated by a server managed and maintained by a manufacturer of components of the vehicle.
  5. The method according to any one of claims 1 to 4, characterized in that before the vehicle receives the first secure access request sent by the first device, the method further includes:
    the vehicle receives an authorization file sent by the first device, the authorization file including: the first key, an expiry parameter, and a signature determined according to the first key and the expiry parameter; where the expiry parameter is used to indicate the first period, and the signature indicates that the first key and the expiry parameter in the authorization file were generated by a device trusted by the vehicle.
  6. The method according to claim 5, characterized in that:
    before the vehicle receives the authorization file sent by the first device, the method further includes:
    the vehicle receives a digital certificate sent by the first device, the digital certificate indicating that the first device is a device with a trusted identity;
    or,
    the vehicle receiving the authorization file sent by the first device specifically includes:
    the vehicle receives the authorization file sent by the first device through the UDS 2904 service, where the UDS 2904 service is used to prove that the first device is a device with a trusted identity.
  7. The method according to claim 5 or 6, characterized in that the authorization file further includes vehicle information, the vehicle information is used to indicate the vehicle, and the signature is further determined according to the vehicle information.
  8. The method according to any one of claims 1 to 7, characterized in that the vehicle further includes a second ECU, the vehicle further stores a fourth key of the second ECU, and the method further includes:
    the vehicle receives a third secure access request sent by the first device;
    within the first period, the vehicle uses the first key to verify whether the first device has permission to access the second ECU, where only a device that stores the first key has permission to access the second ECU;
    after determining that the first device has permission to access the second ECU, the vehicle uses the fourth key to perform an authentication process inside the vehicle;
    the vehicle sends a second message to the first device, the second message being used to indicate that the vehicle's verification of the first device has passed;
    the vehicle receives a second diagnostic request sent by the first device;
    in response to the second diagnostic request, the vehicle sends diagnostic data of the second ECU to the first device.
  9. A vehicle secure access method, characterized in that the method is applied to a vehicle including a first ECU, the vehicle stores a second key of the first ECU, and the method includes:
    the vehicle receives a first diagnostic request sent by a first device, the first device being a device trusted by the vehicle;
    the vehicle uses the second key to perform a secure access authentication process inside the vehicle;
    in response to the first diagnostic request, the vehicle sends diagnostic data of the first ECU to the first device.
  10. The method according to claim 9, characterized in that before the vehicle receives the first diagnostic request sent by the first device, the method further includes:
    the vehicle receives a digital certificate sent by the first device, the digital certificate indicating that the first device is a device with a trusted identity.
  11. The method according to claim 9 or 10, characterized in that the vehicle further includes a second ECU, the vehicle further stores a fourth key of the second ECU, and the method further includes:
    the vehicle receives a second diagnostic request sent by the first device, the first device being a device trusted by the vehicle;
    the vehicle uses the fourth key to perform a secure access authentication process inside the vehicle;
    in response to the second diagnostic request, the vehicle sends diagnostic data of the second ECU to the first device.
  12. The method according to any one of claims 1 to 11, characterized in that the vehicle further includes a KMS, and the vehicle using the second key to perform the authentication process inside the vehicle specifically includes:
    the vehicle performs, through the KMS and the first ECU, the following:
    the KMS sends a second secure access request to the first ECU;
    the first ECU generates a second seed and sends the second seed to the KMS;
    the KMS encrypts the second seed using the second key and sends the second seed encrypted using the second key to the first ECU;
    the first ECU verifies that the second seed encrypted by the KMS using the second key is consistent with the second seed encrypted by the first ECU using the second key.
  13. The method according to any one of claims 1 to 12, characterized in that the second key is a key generated by the vehicle using a first vehicle key, where the vehicle keys of different vehicles are different.
  14. A vehicle secure access method, characterized in that the method is applied to a first device, and the method includes:
    the first device sends a first secure access request to a vehicle;
    when the vehicle, within a first period, uses a first key that is temporarily valid within the first period to verify that the first device has permission to access a first ECU in the vehicle, and uses a second key to perform an authentication process inside the vehicle, the first device receives a first message sent by the vehicle, the first message being used to indicate that the vehicle's verification of the first device has passed;
    the first device sends a first diagnostic request to the vehicle;
    the first device receives diagnostic data of the first ECU sent by the vehicle.
  15. The method according to claim 14, characterized in that, during the process in which the vehicle uses the first key that is temporarily valid within the first period to verify that the first device has permission to access the first ECU in the vehicle, the method further includes:
    the first device obtains a first seed generated by the vehicle;
    the first device encrypts the first seed using the first key;
    the first device sends the first seed encrypted with the first key to the vehicle.
  16. The method according to claim 14 or 15, characterized in that before the first device sends the first secure access request to the vehicle, the method further includes:
    the first device obtains the first key sent by a second device, the second device being a server managed and maintained by a manufacturer of components of the vehicle.
  17. The method according to claim 16, characterized in that the first device obtaining the first key sent by the second device specifically includes:
    the first device obtains an authorization file sent by the second device, the authorization file including: the first key, an expiry parameter, and a signature determined according to the first key and the expiry parameter; where the expiry parameter is used to indicate the first period, and the signature indicates that the first key and the expiry parameter in the authorization file were generated by the second device.
  18. The method according to claim 17, characterized in that after the first device obtains the authorization file sent by the second device, the method further includes:
    the first device sends the authorization file to the vehicle.
  19. The method according to claim 18, characterized in that before the first device sends the authorization file to the vehicle, the method further includes:
    the first device sends a digital certificate to the vehicle, the digital certificate indicating that the first device is a device with a trusted identity;
    or,
    the first device sending the authorization file to the vehicle specifically includes:
    the first device sends the authorization file to the vehicle through the UDS 2904 service, where the UDS 2904 service is used to prove that the first device is a device with a trusted identity.
  20. The method according to any one of claims 17 to 19, characterized in that the authorization file further includes vehicle information, the vehicle information is used to indicate the vehicle, and the signature is further determined according to the vehicle information.
  21. A vehicle secure access method, characterized in that the method is applied to a first device, and the method includes:
    the first device authenticates to a vehicle that the identity of the first device is trusted;
    the first device sends a first diagnostic request to the vehicle;
    when the vehicle uses a second key of a first ECU to perform a secure access authentication process inside the vehicle, the first device obtains diagnostic data of the first ECU in the vehicle sent by the vehicle.
  22. The method according to claim 21, characterized in that the first device authenticating to the vehicle that the identity of the first device is trusted specifically includes:
    the first device sends a digital certificate to the vehicle, the digital certificate indicating that the first device is a device with a trusted identity.
  23. The method according to claim 22, characterized in that before the first device sends the digital certificate to the vehicle, the method further includes:
    the first device sends the digital certificate to a second device;
    the first device sending the digital certificate to the vehicle specifically includes:
    when the second device determines, according to the digital certificate, that the identity of the first device is trusted, the first device sends the digital certificate to the vehicle.
  24. The method according to any one of claims 14 to 23, characterized in that the second key is a key generated by the vehicle using a first vehicle key, where the vehicle keys of different vehicles are different.
  25. A vehicle, characterized in that it includes a memory, one or more processors, and one or more programs; when the one or more processors execute the one or more programs, the vehicle implements the method according to any one of claims 1 to 13.
  26. An electronic device, characterized in that it includes a memory, one or more processors, and one or more programs; when the one or more processors execute the one or more programs, the electronic device implements the method according to any one of claims 14 to 24.
  27. A communication system, characterized in that the system includes the vehicle according to claim 25 and the electronic device according to claim 26.
  28. A computer-readable storage medium including instructions, characterized in that when the instructions are run on an electronic device, the electronic device is caused to perform the method according to any one of claims 1 to 13 or 14 to 24.
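The two-stage flow of claims 1 to 3, 5, 7, 12 and 15 as an added simulation that is not the patent's own code: the vendor server issues the temporarily valid first key inside a signed authorization file bound to the vehicle, the vehicle's KMS accepts the external seed/key response only while the first period lasts, and only then runs the internal seed/key exchange with the ECU using the derived second key. HMAC-SHA256 stands in for the patent's unspecified "encrypt the seed with the key" operation, for the key derivation and for the signature, and the VIN, ECU identifier, expiry times and diagnostic data are constructed values.

```python
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts. Assumption: this stands in for
    the patent's 'encrypt the seed with the key' and 'sign' operations."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


class Server:
    """Component-vendor server (claims 4, 13, 16, 17): vehicle keys, ECU key derivation,
    and the temporarily valid first key issued inside a signed authorization file."""

    def __init__(self):
        self.sign_key = os.urandom(32)   # assumption: the vehicle trusts this key
        self.vehicle_keys = {}

    def provision_vehicle(self, vin: bytes) -> bytes:
        self.vehicle_keys[vin] = os.urandom(32)  # a different vehicle key per vehicle
        return self.vehicle_keys[vin]

    @staticmethod
    def derive_ecu_key(vehicle_key: bytes, ecu_id: bytes) -> bytes:
        return mac(vehicle_key, b"ecu-key", ecu_id)  # KDF choice is an assumption

    def issue_authorization(self, vin: bytes, valid_until: int) -> dict:
        temp_key = os.urandom(32)
        expiry = valid_until.to_bytes(8, "big")
        return {"temp_key": temp_key, "expiry": valid_until, "vin": vin,
                "signature": mac(self.sign_key, temp_key, expiry, vin)}


class ECU:
    """In-vehicle ECU: answers the KMS's internal seed/key challenge (claim 12)."""

    def __init__(self, ecu_key: bytes, diag_data: bytes):
        self.key, self.diag_data, self._seed = ecu_key, diag_data, None

    def request_seed(self) -> bytes:
        self._seed = os.urandom(16)
        return self._seed

    def verify(self, response: bytes) -> bool:
        seed, self._seed = self._seed, None  # one response per seed
        return seed is not None and hmac.compare_digest(response, mac(self.key, seed))


class VehicleKMS:
    """Vehicle-side KMS (claims 3, 5, 7, 12): checks the authorization file, runs the
    external seed/key check with the first key, then the internal check with the ECU key."""

    def __init__(self, vin: bytes, vehicle_key: bytes, server_sign_key: bytes, ecus: dict):
        self.vin, self.server_sign_key, self.ecus = vin, server_sign_key, ecus
        self.ecu_keys = {eid: Server.derive_ecu_key(vehicle_key, eid) for eid in ecus}
        self.temp_key, self.expiry, self._seed = None, None, None

    def install_authorization(self, auth: dict) -> bool:
        expected = mac(self.server_sign_key, auth["temp_key"],
                       auth["expiry"].to_bytes(8, "big"), auth["vin"])
        if auth["vin"] != self.vin or not hmac.compare_digest(expected, auth["signature"]):
            return False  # issued for another vehicle, or not signed by the trusted server
        self.temp_key, self.expiry = auth["temp_key"], auth["expiry"]
        return True

    def secure_access_seed(self) -> bytes:
        self._seed = os.urandom(16)
        return self._seed

    def verify_device(self, response: bytes, now: int) -> bool:
        seed, self._seed = self._seed, None
        if seed is None or self.temp_key is None or now > self.expiry:
            return False  # no seed outstanding, no first key installed, or first period over
        return hmac.compare_digest(response, mac(self.temp_key, seed))

    def internal_auth(self, ecu_id: bytes) -> bool:
        ecu = self.ecus[ecu_id]
        second_seed = ecu.request_seed()  # second seed is generated by the ECU
        return ecu.verify(mac(self.ecu_keys[ecu_id], second_seed))


def diagnostic_session(kms: VehicleKMS, tool_key: bytes, ecu_id: bytes, now: int):
    """Claims 1 to 3, 12 and 15 end to end, with tool_key being whatever key the first
    device holds; returns the ECU's diagnostic data, or None when a check fails."""
    seed = kms.secure_access_seed()  # vehicle -> first device: first seed
    if not kms.verify_device(mac(tool_key, seed), now):
        return None  # the first message (verification passed) is never sent
    if not kms.internal_auth(ecu_id):
        return None  # in-vehicle authentication with the second key failed
    return kms.ecus[ecu_id].diag_data  # answer to the diagnostic request
```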
PCT/CN2023/110724 2022-08-08 2023-08-02 Secure access method and system for vehicle, and related apparatus WO2024032438A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210945002.2 2022-08-08
CN202210945002.2A CN117579287A (en) 2022-08-08 2022-08-08 Vehicle safety access method, system and related device

Publications (1)

Publication Number Publication Date
WO2024032438A1 true WO2024032438A1 (en) 2024-02-15

Family

ID=89850866

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/110724 WO2024032438A1 (en) 2022-08-08 2023-08-02 Secure access method and system for vehicle, and related apparatus

Country Status (2)

Country Link
CN (1) CN117579287A (en)
WO (1) WO2024032438A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party

Publication number   Priority date   Publication date   Assignee                                   Title
CN106814675A *       2016-12-31      2017-06-09         华晨汽车集团控股有限公司                   Safety access method for verifying automotive diagnostic installation legitimacy
WO2021050509A1 *     2019-09-10      2021-03-18         Fca Us Llc                                 Authenticated vehicle diagnostic access techniques
CN111431901A *       2020-03-23      2020-07-17         重庆长安汽车股份有限公司                   System and method for safely accessing ECU (electronic control unit) in vehicle by external equipment
WO2022120581A1 *     2020-12-08      2022-06-16         华为技术有限公司                           Vehicle diagnosis system, method and apparatus
CN112994898A *       2021-04-08      2021-06-18         北京邮电大学                               Vehicle intranet communication safety authentication method and device

Also Published As

Publication number   Publication date
CN117579287A         2024-02-20

Similar Documents

Publication Publication Date Title
US11916924B2 (en) Secure communication between in-vehicle electronic control units
Liu et al. In-vehicle network attacks and countermeasures: Challenges and future directions
CN108207039B (en) Safe transmission method of vehicle-mounted data, external equipment and vehicle-mounted gateway
US20220131842A1 (en) Trusted platform protection in an autonomous vehicle
Bernardini et al. Security and privacy in vehicular communications: Challenges and opportunities
CN112543927B (en) Equipment upgrading method and related equipment
US20150180840A1 (en) Firmware upgrade method and system thereof
CA2979653A1 (en) In-vehicle networking
WO2016134610A1 (en) Road train data authentication method and on-board terminal
CN110149611B (en) Identity verification method, equipment, system and computer readable medium
CN112585549A (en) Fault diagnosis method and device and vehicle
WO2021164609A1 (en) Authentication method and apparatus for vehicle-mounted device
CN113439425A (en) Message transmission method and device
Boumiza et al. Intrusion threats and security solutions for autonomous vehicle networks
Hartzell et al. Security analysis of an automobile controller area network bus
WO2022041186A1 (en) Security protection method and device and storage medium
KR20190078154A (en) Apparatus and method for performing intergrated authentification for vehicles
US20230034996A1 (en) Data verification method and apparatus
WO2024032438A1 (en) Secure access method and system for vehicle, and related apparatus
CN116800531A (en) Automobile electronic and electric architecture and safety communication method
Mokhadder et al. Evaluation of vehicle system performance of an SAE J1939-91C network security implementation
CN116155579A (en) Secure communication method, system, storage medium and vehicle
WO2023232045A1 (en) Vehicle verification method, and related apparatus and system
Kumar et al. Cybersecurity Vulnerabilities for Off-Board Commercial Vehicle Diagnostics
Sharma et al. An extended survey on vehicle security

Legal Events

Code   Description
121    EP: the EPO has been informed by WIPO that EP was designated in this application
       Ref document number: 23851659
       Country of ref document: EP
       Kind code of ref document: A1