CN110061989B - Data acquisition gateway full-isolation method - Google Patents


Info

Publication number: CN110061989B
Authority
CN
China
Prior art keywords
data
encryption
module
encryption module
key
Legal status: Active (Google's estimate, not a legal conclusion)
Application number
CN201910319489.1A
Other languages: Chinese (zh)
Other versions: CN110061989A
Inventor
纪丰伟
姜海
沈旭虎
Current Assignee (listed assignees may be inaccurate): Aerospace Cloud Network Data Research Institute Jiangsu Co ltd
Original Assignee: Aerospace Cloud Network Data Research Institute Jiangsu Co ltd
Application filed by Aerospace Cloud Network Data Research Institute Jiangsu Co ltd
Priority to CN201910319489.1A
Publication of CN110061989A
Application granted
Publication of CN110061989B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a full-isolation method for a data acquisition gateway. A data encryption module is added to the data acquisition terminal to encrypt uploaded data, and the data is decrypted on the big data platform by dedicated software, so that the data is protected in transit. The encryption module is connected to the MCU and to the communication module through a serial port. The encryption and isolation design for industrial internet data acquisition comprises the following steps: overall structure design, encryption module hardware design, encryption module working mode design, cipher key design and management flow design. Because the data acquisition gateway uses open protocols, the encryption isolation design does not sacrifice the original ease of development and ease of access; because an encryption chip is used, data is actually transmitted over the network as ciphertext, which gives effective confidentiality. The integrated design that is currently prevalent is abandoned: each subsystem can be designed separately and produced in a standardized way, which helps reduce cost.

Description

Data acquisition gateway full-isolation method
Technical Field
The invention belongs to the technical field of data security isolation, and particularly relates to a full isolation method for a data acquisition gateway.
Background
Industrial data acquisition uses ubiquitous sensing technology to collect, in real time and efficiently, element information from multi-source equipment, heterogeneous systems, the operating environment, people and so on, and to converge it in the cloud. It corresponds to the edge layer of the industrial internet platform architecture: different devices, systems and products are accessed through various communication means, wide-ranging and deep industrial data is collected, protocol conversion and edge processing of heterogeneous data is carried out, and the data foundation of the industrial internet platform is built.
Currently, the supply side of the industrial data acquisition industry mainly consists of three types of enterprise:
first, industrial automation enterprises, which mainly provide the access equipment for industrial data acquisition from their core product capability; this access equipment is the source of industrial data acquisition. Examples are Siemens, porphyry, Honeywell, safety control and the like [15];
second, industrial network service enterprises, which mainly provide supporting equipment and services for industrial data acquisition such as industrial network protocol conversion, transmission and security; some of them are actively extending from their original field of strength into the manufacturing field. Examples are China Telecom, China Xingxi communication, Huawei and the like;
third, industrial data acquisition solution enterprises, which mainly provide industrial data acquisition solutions, system development, project implementation, system integration and the like. Examples are North self-service, Harmonious and Ming Jiang JiangZhi.
The industrial data acquisition architecture comprises three layers: equipment access, protocol conversion and edge data processing. Downwards it connects equipment or intelligent products; upwards it interfaces with the industrial internet platform or industrial application system, as shown in figure 1.
As can be seen from fig. 1, data necessarily passes through several network tiers on its way from collection to application: field-level network interfaces such as RS485/232, industrial Ethernet and CAN bus at the equipment access layer; chip-level network interfaces such as UART, IIC and SPI for protocol conversion and edge processing; and application-layer network interfaces such as HTTP, MQTT and S7 for transmitting data to the industrial internet platform or industrial application system. Construction of the future industrial internet therefore necessarily involves deploying a large number of data acquisition gateways or similar products, which, as before, are important nodes in the circulation of data. What is different is that the data acquisition gateway of the industrial internet faces new challenges: numerous protocols, complex working conditions, high reliability requirements, difficult security assurance and the like.
In terms of the functions needed for communication and data exchange, many state-of-the-art products already fully satisfy existing needs. The main technical schemes are of two types:
first, products originally used for underlying industrial control that integrate Ethernet communication components. An example is the Siemens SIMATIC controller, which has developed from the S3 series to today's S7 series and offers small volume, high speed, standardization, network communication capability, stronger functions and higher reliability [5]. Taking the S7-200 Smart series as an example: the microprocessor, integrated power supply, input circuit and output circuit are combined in a compact housing to form a powerful Micro PLC. After the user program is downloaded, the CPU contains the logic needed to monitor the input and output devices in the application;
second, products originally used for network communication that integrate industrial control and data acquisition components, such as the macro industrial router series and the industrial wireless DTU series originally used for M2M (machine-to-machine communication), a field that is one of the predecessors and most important business links of the internet of things. The industrial wireless DTU is based on a GPRS data communication network; it is a wireless terminal device dedicated to converting serial port data into IP data, or IP data into serial port data, and transmitting it over the wireless communication network, and it is now widely applied in industries such as electric power, environmental monitoring, vehicles, water conservancy, meteorology, street lamp monitoring, heating pipe networks, coal mines and oil fields. The industrial router is developed on the basis of 3G/4G wireless communication; it adopts a wide-voltage and electromagnetic-compatibility design, supports 4G, 3G and 2.5G networks, dual-mode dual SIM cards, a built-in 4G wireless WIFI module and APN/VPDN private network access, and uses the public 2G/3G/4G wireless network to provide users with long-distance wireless data transmission that is faster and more stable, runs stably 7 x 24 h, suits harsh environments and allows remote management, maintenance and upgrading, which reduces enterprise operation and maintenance cost. It is widely applied in finance, media, traffic, vehicles, electric power, environmental protection, industrial automation, commercial chains and other industries.
First, the construction of the industrial internet rests on the construction of an industrial big data platform; otherwise no network effect or innovative application can form. Second, to provide large-scale data application services as a platform, an open protocol is necessarily used; otherwise users and application developers would pay a huge learning cost in the face of numerous closed-source and semi-closed-source protocols, which is clearly not beneficial to the development of the platform. The existing INDIS industrial big data platform uses open protocols (MQTT and RESTful).
But this causes a data security problem, because plaintext data carried by open protocols is very easily recognized, captured, copied and tampered with when transmitted over the internet.
Existing similar products generally address this security risk by using a closed-source private protocol, such as S7 or PPI (both in the Siemens series), DDP (DTU DSC Protocol, generally defined by DTU manufacturers such as macro-electricity and hankotai), LoRaWAN (LoRa series) and the like. The advantages and disadvantages of these products are as described above: a private protocol is by nature a product feature that increases user stickiness, and it is not beneficial to the development of an industrial internet platform.
Further, since a private protocol still carries plaintext data and relies only on the information asymmetry of being closed source, cracking products aimed specifically at private protocols have appeared on the market. Once a cracking product appears, every product using the same protocol or belonging to the same series faces the security risk, and the number of connections in the industrial internet is expected to be an order of magnitude higher than in the existing internet [7]. Exposure of the same protocol or series of related products to security risk will therefore cause an order of magnitude more direct loss and harm, not counting indirect loss and harm.
In summary, the challenge encountered in building the existing industrial internet is that universality and security cannot both be achieved under the existing framework. The mainstream solution is to sacrifice versatility to ensure security. Because the industrial internet is still at the initial construction stage, the enterprises in the industrial data acquisition industry are each developing their own data exchange standards, such as protocols and interfaces, in order to win the market, and universality is not seriously considered. However, the next stage of industrial internet development must be both universal and secure, as was the case in the development of mobile communication networks.
Disclosure of Invention
The invention aims to provide a data acquisition gateway full-isolation method that solves the problems described in the background.
In order to achieve the purpose, the invention adopts the following technical scheme:
a data acquisition gateway full-isolation method in which a data encryption module is added to the data acquisition terminal to encrypt uploaded data, and the data is decrypted on the big data platform by dedicated software, protecting the data in transit; the encryption module is connected to the MCU and to the communication module through a serial port; the encryption and isolation design for industrial internet data acquisition comprises the following steps:
S1, overall structure design:
the data acquisition terminal collects enterprise data and sends it through the MCU to the GPRS transmission module, which sends it to the big data platform; the enterprise data may be stolen or leaked in transit and needs confidentiality protection;
a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, protecting the data in transit; the encryption module is connected through the serial port;
S2, encryption module hardware design:
considering area, power consumption and cost, the encryption module is realized as a dedicated algorithm SoC chip plus a standard interface; the main functions are realized by the algorithm chip, which comprises a master control CPU, a cryptographic algorithm operation unit, a key storage unit, an interface module and the like; the standard interface realizes data interaction between the encryption module and the acquisition terminal, and between the encryption module and the transmission module; in this way the encryption module mainly comprises the algorithm chip and its matching components; the cryptographic SoC chip is additionally provided with two rows of 1 x 5 pins, the module area is within 2 cm x 2 cm, the data encryption module communicates with the outside over UART, the module needs an external power supply, and the module uses two single-row 1 x 5 pin headers with a pitch of 2.54 mm;
S3, encryption module working mode design:
the encryption module can be designed into two different working modes in the terminal: serial mode and parallel mode:
serial mode:
in the serial mode the encryption module is an independent unit connected in series on the data path; the MCU sends the acquired data to the encryption module, and the module encrypts and encapsulates the data and sends it to the communication module for transmission; in this mode the encryption module does more work, and it can set a technical barrier against situations such as a terminal manufacturer sending enterprise data in plaintext to other service platforms; the data encryption module needs the following development work:
1) standardizing the cryptographic module-MCU interface; the MCU is the master device and the cryptographic module the slave device; the communication interface between them is defined and realized in the form of AT commands, and the main interfaces comprise network connection parameter configuration, connecting to the platform server, sending data, requesting time correction data and the like;
2) realizing the encryption function, including key agreement, data encryption and the like;
3) encapsulating the MQTT protocol: realizing the MQTT client function, connecting to the platform server, and submitting the encrypted payload data to the GPRS module for sending;
4) driving the GPRS module and sending and receiving its data: driving the GPRS module to connect to the cloud platform, send data and receive timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers select different wireless communication modules, the cryptographic module needs separate adaptation development for each of them;
parallel mode:
in the parallel mode the encryption module serves only as the cryptographic operation unit: the MCU passes the data to be encrypted to the encryption module, reads back the encrypted data, and packages and transmits it; the encryption module only performs the encryption, and the data packaging is done by the MCU;
S4, cipher key design:
the cipher chip selected for the encryption module can provide the commonly used national standard algorithms SM2, SM3, SM4 and the like, can realize different encryption modes such as symmetric encryption and public key encryption, and can realize different key management modes such as preset keys and key agreement; to simplify the user's management process and improve decryption efficiency at the big data platform end, symmetric encryption with preset keys is adopted;
the encryption module uses a symmetric algorithm; the encryption keys are preset in the chip and assigned per module, so that different modules have different encryption keys; the chip has security protection measures added, and the encryption key cannot be read from outside; when the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated internally, and the encryption key and ID are submitted to the decryption program of the big data platform for decrypting data; on the big data platform, the encryption keys of all encryption modules are stored encrypted to prevent leakage;
the algorithm chip provides rich algorithm operation units, and the embedded CPU can also modify how the cipher key is used; if the key usage mode subsequently needs to be modified, the required functions can be realized through a software upgrade without changing hardware, which improves flexibility;
S5, management flow design:
equipment production: the data acquisition terminal is divided mainly into an acquisition terminal and an encryption module, with a standard interface defined between them; the two are produced by different manufacturers and purchased separately; after the encryption module is produced, an initialization operation is required that generates the device ID and encryption key, and the ID and corresponding encryption key are submitted, encrypted and stored;
equipment assembly: the acquisition terminal and the encryption module are assembled and then delivered to the user manufacturer.
Communication flow:
encryption module:
(1) power on the device and read the device ID and encryption key;
(2) the encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) send (ID, data_en) as handshake data to the big data platform;
big data platform:
(1) establish a connection with the terminal device;
(2) receive the handshake data (ID, ciphertext);
(3) according to the ID, obtain the stored (encrypted) encryption key of that terminal and decrypt it to obtain the key in plaintext;
(4) decrypt data_en with the encryption key to obtain data;
(5) compare whether data is the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with the encryption key.
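As an added example (not code from the patent or its assignee), the following Python models the preset-key scheme of S4 and the (ID, data_en) handshake of S5 with both sides present, together with the module's encrypt-and-return role of the parallel mode in S3. The patent's chip provides SM4; because this example must run with only the standard library, the symmetric cipher is a stand-in, a CTR-style keystream derived with HMAC-SHA256 under a random IV. The device ID format, the agreed fixed plaintext, the platform master key and the sample upload are all constructed for this example.

```python
"""Added illustration of S3 (parallel mode), S4 (per-module preset keys) and
S5 (handshake). Not the patent's code. The cipher is a stand-in for SM4."""
import hashlib
import hmac
import os
import secrets

FIXED_PLAINTEXT = b"HELLO-PLATFORM-V1"  # constructed "agreed fixed plaintext"


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for SM4-CTR: concatenated PRF(key, iv || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random IV prepended; ciphertext = iv || (plaintext XOR keystream)."""
    iv = os.urandom(16)
    return iv + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


class EncryptionModule:
    """The cipher chip: ID and key generated at factory initialization; afterwards
    the key never leaves the object, only handshake/encrypt are exposed (S4)."""

    def __init__(self):
        self.device_id = "MOD-" + secrets.token_hex(4)  # constructed ID format
        self.__key = os.urandom(16)

    def factory_record(self):
        """The one-time (ID, key) submission to the platform's decryption program."""
        return self.device_id, self.__key

    def handshake(self):
        """Encryption-module steps (1)-(3) of S5: (ID, data_en)."""
        return self.device_id, encrypt(self.__key, FIXED_PLAINTEXT)

    def encrypt_upload(self, data: bytes) -> bytes:
        """Parallel mode of S3: MCU hands over plaintext, reads back ciphertext."""
        return encrypt(self.__key, data)


class BigDataPlatform:
    """Stores every module key encrypted under a platform master key (S4) and
    runs platform steps (1)-(5) of S5."""

    def __init__(self):
        self._master = os.urandom(16)
        self._sealed_keys = {}   # device_id -> module key encrypted at rest
        self._sessions = {}      # device_id -> module key, after a good handshake

    def register(self, device_id: str, key: bytes) -> None:
        self._sealed_keys[device_id] = encrypt(self._master, key)

    def accept_handshake(self, device_id: str, data_en: bytes) -> bool:
        sealed = self._sealed_keys.get(device_id)
        if sealed is None:
            return False                       # unknown ID: disconnect
        key = decrypt(self._master, sealed)    # step (3): recover module key
        data = decrypt(key, data_en)           # step (4)
        if not hmac.compare_digest(data, FIXED_PLAINTEXT):
            return False                       # step (5): not the fixed data, disconnect
        self._sessions[device_id] = key        # step (5): connection established
        return True

    def decrypt_upload(self, device_id: str, ciphertext: bytes):
        """Subsequent data is decrypted with the module's key; None if no session."""
        key = self._sessions.get(device_id)
        return None if key is None else decrypt(key, ciphertext)


if __name__ == "__main__":
    platform = BigDataPlatform()
    module = EncryptionModule()
    platform.register(*module.factory_record())   # done at production time
    dev_id, data_en = module.handshake()
    print("handshake accepted:", platform.accept_handshake(dev_id, data_en))
    print("platform sees:", platform.decrypt_upload(dev_id, module.encrypt_upload(b"temp=21.5")))
```

The checks in the block are the ones the flow implies: an unknown ID is disconnected at step (3), a ciphertext produced under a different key fails the fixed-data comparison at step (5) (done in constant time), and one module's uploads are useless to another module's session, which is the one-machine-one-secret property claimed in advantage 3(2). One caveat a practitioner would note: the handshake as specified encrypts the same fixed plaintext under a static key each time; the stand-in's random IV makes each handshake message differ, but with a deterministic encryption mode the message would be identical across sessions, so a deployment would want the platform to contribute freshness (for example a challenge value) before trusting the handshake.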
Preferably, in S3, in the serial mode the data encryption module needs to perform the following development work:
1) standardizing the cryptographic module-MCU interface; the MCU is the master device and the cryptographic module the slave device; the communication interface between them is defined and realized in the form of AT commands, and the main interfaces comprise network connection parameter configuration, connecting to the platform server, sending data, requesting time correction data and the like;
2) realizing the encryption function, including key agreement, data encryption and the like;
3) encapsulating the MQTT protocol: realizing the MQTT client function, connecting to the platform server, and submitting the encrypted payload data to the GPRS module for sending;
4) driving the GPRS module and sending and receiving its data: driving the GPRS module to connect to the cloud platform, send data and receive timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers select different wireless communication modules, the cryptographic module needs separate adaptation development for each of them.
Preferably, in S3, in the parallel mode the data encryption module needs to perform the following development work:
providing cryptographic service functions, including key agreement, data encryption and the like, to the MCU; the interface is standardized in the form of AT commands.
Preferably, in S3, the serial mode compares with the parallel mode as follows:
the serial design is equivalent to migrating functions of the original equipment manufacturer into the cryptographic module; for the equipment manufacturer, work already finished is handed over to be developed again on the cryptographic module; for the platform, having originally integrated with the equipment manufacturer, it now needs to integrate a second time with the cryptographic device manufacturer; overall, the capability the original equipment's main MCU already has is abandoned, the cryptographic module must add the function, a higher-end chip must be substituted, and protocol communication development and debugging increases.
The invention has the following technical effects and advantages. Compared with the prior art, the data acquisition gateway full-isolation method provided by the invention has the following advantages:
1. the challenge encountered in building the existing industrial internet is that universality and security cannot both be achieved under the existing framework, and the mainstream solution is to sacrifice versatility to ensure security; the encryption isolation design of this scheme solves both problems at the same time;
2. universality: because the data acquisition gateway uses an open protocol, the original characteristics of easy development and easy access are not sacrificed;
3. security: because an encryption chip is used, data is actually transmitted over the network as ciphertext, which has three advantages:
(1) even if the ciphertext is intercepted, it is difficult to crack, so security problems such as tampering and theft are difficult to produce;
(2) even if the ciphertext is cracked, because the encryption chip uses a one-machine-one-secret architecture, the security hole exists only in that single machine and cannot spread across many machines of the same series, so the potential hazard is relatively controllable;
(3) the ciphertext can be restored to plaintext only by the corresponding decryption mechanism, so hidden channels such as a backdoor in the communication system are automatically rendered ineffective, and only the data destination where the corresponding decryption mechanism is deployed obtains useful information;
4. standardization: the encryption chip uses universal interfaces such as UART, so the industrial data acquisition system can be designed as separate data acquisition, data encryption and data transmission parts. The integrated design that is currently prevalent is abandoned, and each part can be designed independently and produced in a standardized way, which reduces cost.
Drawings
FIG. 1 is a schematic diagram of a prior art industrial data acquisition architecture;
FIG. 2 is a schematic diagram of an industrial Internet data acquisition encryption isolation scheme of the present invention;
FIG. 3 is a schematic diagram of a data acquisition encryption isolation chip according to the present invention;
FIG. 4 is a schematic diagram of the physical dimensions of the data acquisition encryption isolation chip of the present invention;
FIG. 5 is a schematic diagram of the serial operating mode of the encryption isolation chip according to the present invention;
FIG. 6 is a schematic diagram of a parallel operation mode of the encryption isolation chip according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to fig. 2 to 6. The described embodiments are only some of the embodiments of the present invention, not all of them; the specific embodiments described here merely illustrate the invention and do not limit it. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
The invention provides a data acquisition gateway full-isolation method in which a data encryption module is added to the data acquisition terminal to encrypt uploaded data, and the data is decrypted on the big data platform by dedicated software, protecting the data in transit; the encryption module is connected to the MCU and to the communication module through a serial port; the encryption and isolation design for industrial internet data acquisition comprises the following steps:
S1, overall structure design:
the data acquisition terminal collects enterprise data and sends it through the MCU to the GPRS transmission module, which sends it to the big data platform; the enterprise data may be stolen or leaked in transit and needs confidentiality protection;
a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform by dedicated software, protecting the data in transit; the encryption module is connected to the MCU and to the communication module through a serial port, and its position in the acquisition terminal is shown in figure 2;
the encryption scheme is designed on the principles of security, usability and economy: while ensuring data security, changes to the original system are minimized, a standard interface is used and implementation cost is controlled, which facilitates application and popularization of the scheme;
S2, encryption module hardware design:
considering area, power consumption and cost, the encryption module is realized as a dedicated algorithm SoC chip plus a standard interface; the main functions are realized by the algorithm chip, which comprises a master control CPU, a cryptographic algorithm operation unit, a key storage unit, an interface module and the like; the standard interface realizes data interaction between the encryption module and the acquisition terminal, and between the encryption module and the transmission module; in this way the encryption module mainly comprises the algorithm chip and its matching components, which simplifies the design and reduces area and cost; the hardware block diagram of the encryption module is shown in fig. 3; the cryptographic SoC chip is additionally provided with two rows of 1 × 5 pins, and the module area is within 2 cm × 2 cm;
because the data encryption module communicates with the outside over UART, the module needs an external power supply; the module uses two single-row 1 × 5 pin headers with a pitch of 2.54 mm, and the interface the module provides to the outside is shown in the following table;
the physical dimensions of the module are shown in FIG. 4;
S3, encryption module working mode design:
the encryption module can be designed into two different working modes in the terminal: a serial mode and a parallel mode;
3.1 Serial mode
In the serial mode, the flow of data is as shown in FIG. 5;
in the serial mode the encryption module is an independent unit connected in series on the data path; the MCU sends the acquired data to the encryption module, and the module encrypts and encapsulates the data and sends it to the communication module for transmission; in this mode the encryption module does more work, and it can set a technical barrier against situations such as a terminal manufacturer sending enterprise data in plaintext to other service platforms;
[Table: pin 1 signal definition (reproduced as an image in the original, not included here)]
[Table: pin 2 signal definition (reproduced as an image in the original, not included here)]
In the serial mode, the data encryption module requires the following development work:
1) Standardizing the cryptographic module-MCU interface: the MCU acts as the master device and the cryptographic module as the slave device; the communication interface between them is defined and implemented as a set of AT commands, the main ones covering network connection parameter configuration, connecting to the platform server, sending data, and requesting time-correction data;
2) Implementing the encryption function, including key agreement and data encryption;
3) Encapsulating the MQTT protocol: implementing the MQTT client function, connecting to the platform server, and handing the encrypted payload data to the GPRS module for sending;
4) Driving the GPRS module and handling its data transmit/receive: the GPRS module is driven to connect to the cloud platform, send data, and receive timing data. Since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers choose different wireless communication modules, the cryptographic module must be adapted and developed separately for each;
3.2 Parallel mode
In the parallel mode, the encryption module acts only as a cryptographic operation unit: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and packages and transmits it itself; the encryption module only performs the encryption, and the data packaging is done by the MCU;
In the parallel mode, the flow of data is as shown in FIG. 6;
In the parallel mode, the data encryption module requires the following development work:
1) Providing cryptographic service functions to the MCU, including key agreement and data encryption, with the interface standardized as AT commands;
3.3 Comparison of the two modes
The serial design effectively migrates functions of the original equipment manufacturer into the cryptographic module: for the equipment manufacturer, work that was already finished is handed over to the cryptographic module vendor to be developed again; for the platform, having already integrated with the equipment manufacturer, it must integrate a second time with the cryptographic device manufacturer; overall, the main MCU of the original equipment already has the capability but it is discarded, while the cryptographic module gains functions, needs a higher-end chip, and adds development and debugging of the protocol communication. The serial mode therefore has a slightly larger development workload and a slightly longer cycle;
S4, key design:
The cryptographic chip selected for the encryption module provides the commonly used national-standard algorithms SM2, SM3 and SM4, supports different encryption modes such as symmetric encryption and public-key encryption, and supports different key-management modes such as preset keys and key agreement; to simplify user management and improve decryption efficiency on the big data platform side, symmetric encryption with preset keys is adopted;
The encryption module uses a symmetric algorithm; encryption keys are preset in the chip and assigned per module, so that different modules have different encryption keys; the chip adds security protection measures so that the encryption key cannot be read from the outside; when the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated internally, and the encryption key and ID are submitted to the big data platform's decryption program for decrypting data; on the big data platform, the encryption keys of all encryption modules are stored encrypted to prevent leakage;
The algorithm chip provides a rich set of algorithm operation units, and the embedded CPU can also change how the key is used; if the key usage mode later needs to be changed, the required function can be realized by a software upgrade without changing the hardware, which improves flexibility;
S5, management flow design:
5.1 Factory production
The data acquisition terminal is mainly divided into an acquisition terminal and an encryption module; a standard interface is defined between them, and the two are produced by different manufacturers and purchased separately;
After the encryption module is produced, an initialization operation is required: a device ID and an encryption key are generated, and the ID with its corresponding encryption key is submitted and stored encrypted;
5.2 Equipment assembly
The acquisition terminal and the encryption module are assembled together and then delivered to the user manufacturer;
5.3 Communication flow
1) Encryption module
(1) Power on the device and read the device ID and encryption key;
(2) The encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) Send (ID, data_en) to the big data platform as handshake data;
2) Big data platform
(1) Establish a connection with the terminal device;
(2) Receive the handshake data (ID, ciphertext);
(3) Look up the encryption terminal's encrypted key by ID and decrypt it to obtain the key plaintext;
(4) Decrypt data_en with the encryption key to obtain data;
(5) Compare whether data is the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with the encryption key.
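The key-management model of S4 (one preset key per module, all keys stored encrypted on the platform) and the handshake of S5.3, both sides of the exchange in one runnable model. This is an added example, not the patent's code: SM4 is not in the Python standard library, so a constructed HMAC-based stand-in cipher replaces it, the message counter on payload uploads is an assumption the page does not make, and all IDs, keys and the fixed plaintext are constructed sample values.

```python
import hashlib
import hmac
import os

# The "appointed fixed plaintext" both sides agree on (constructed sample value).
FIXED_PLAINTEXT = b"GATEWAY-HANDSHAKE-V1"


def sym_crypt(key: bytes, data: bytes, tweak: bytes = b"") -> bytes:
    """Stand-in for the chip's SM4 (assumption: SM4 is not in the stdlib).

    Keystream block i = HMAC-SHA256(key, tweak || i), XORed with the data, so
    encryption and decryption are the same call. With an empty tweak it is
    deterministic, like the fixed-key handshake on the page. Placeholder only;
    a real module uses the chip's SM4 with proper mode and IV handling.
    """
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, tweak + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class EncryptionModule:
    """Module as it leaves the factory (S5.1): ID and key preset inside."""

    def __init__(self, module_id: bytes, key: bytes):
        self._id, self._key = module_id, key  # key not readable on the real chip
        self._seq = 0

    def handshake_message(self):
        # S5.3 module steps (1)-(3): read ID and key, encrypt the fixed
        # plaintext to get data_en, send (ID, data_en). The result is the same
        # on every power-up: the handshake proves key possession, not freshness.
        return self._id, sym_crypt(self._key, FIXED_PLAINTEXT)

    def encrypt_payload(self, payload: bytes):
        # Assumption (not on the page): a message counter travels with each
        # upload so the stand-in keystream is never reused between messages.
        self._seq += 1
        return self._seq, sym_crypt(self._key, payload, self._seq.to_bytes(4, "big"))


class BigDataPlatform:
    """Platform side: keys of all modules are stored encrypted (S4)."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._key_store = {}  # module ID -> module key encrypted under master_key

    def register_module(self, module_id: bytes, key: bytes) -> None:
        # S5.1: factory submits (ID, key); stored encrypted, tweaked by ID so
        # two modules' key records never share a keystream.
        self._key_store[module_id] = sym_crypt(self._master_key, key, module_id)

    def accept_handshake(self, module_id: bytes, data_en: bytes):
        """Platform steps (2)-(5): returns the module key, or None to disconnect."""
        key_ct = self._key_store.get(module_id)
        if key_ct is None:
            return None  # unknown ID: disconnect
        key = sym_crypt(self._master_key, key_ct, module_id)  # (3) key plaintext
        data = sym_crypt(key, data_en)                       # (4) data
        if not hmac.compare_digest(data, FIXED_PLAINTEXT):   # (5) constant-time
            return None
        return key

    @staticmethod
    def decrypt_payload(key: bytes, seq: int, ciphertext: bytes) -> bytes:
        return sym_crypt(key, ciphertext, seq.to_bytes(4, "big"))


def factory_initialise(platform: BigDataPlatform, module_id: bytes) -> EncryptionModule:
    """S5.1 initialisation: generate the per-module key, hand (ID, key) to the platform."""
    key = os.urandom(16)  # one machine, one key
    platform.register_module(module_id, key)
    return EncryptionModule(module_id, key)


def run_session(platform, module, payload: bytes):
    """Handshake, then one upload. Returns the recovered payload or None if rejected."""
    module_id, data_en = module.handshake_message()
    key = platform.accept_handshake(module_id, data_en)
    if key is None:
        return None
    seq, ct = module.encrypt_payload(payload)
    return platform.decrypt_payload(key, seq, ct)
```

A module presenting a registered ID with a key that was not issued for it, or an unregistered ID, is dropped at step (5) or earlier; because each module has its own key, a compromised key on one device does not let it impersonate another.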
In this scheme, the design of the encryption chip: whether the data acquisition system works in serial or parallel mode, the encryption chip design can be regarded as the data acquisition system adopting gateway-side encryption with server-side decryption, where the encryption at the data acquisition gateway is completed by a single module or chip;
Physical size of the encryption chip: the module's original physical size, scaled up or down as needed; definition and arrangement of the pins;
Encryption chip communication protocol: the communication flow, the protocol commands and the internal algorithm are specified.
There are two main alternatives: structuring and destructuring.
Structuring: the functions of the encryption chip are made more complex. It is mainly integrated with a communication transmission part to become an encrypted transmission unit, similar to a VPN (virtual private network) or a leased line; or it is integrated with the front-end data acquisition part to become an encrypted acquisition unit, similar to acquisition equipment using a proprietary protocol; or it is designed as a fully integrated software-and-hardware device to form a closed secure acquisition unit.
Destructuring: the functions of the encryption chip are simplified, for example it only stores the key and no encryption algorithm is deployed on it; or some simple encryption algorithm may be used to provide part of the security features.
Therefore, the scheme offers the following:
1. The challenge in building the existing industrial internet is that universality and security cannot both be achieved under the existing framework. The mainstream solution sacrifices versatility to ensure security; the encryption isolation design of this scheme addresses both at the same time;
2. Universality: because the data acquisition gateway uses an open-source protocol, its original ease of development and ease of access are not sacrificed;
3. Security: because an encryption chip is used, data actually travels over the network as ciphertext, which has three advantages:
(1) Even if the ciphertext is intercepted, it is hard to break, so tampering, theft and similar security vulnerabilities are hard to produce;
(2) Even if the ciphertext is broken, because the encryption chip follows a one-device-one-key design, the security hole is confined to a single device and cannot spread to many devices of the same series over a wide range, so the potential risk is relatively controllable;
(3) The ciphertext can only be restored to plaintext by the corresponding decryption mechanism, so any hidden channel such as a backdoor in the communication system is automatically rendered useless, and only a data destination with the corresponding decryption mechanism deployed can obtain useful information;
4. Standardization: because the encryption chip uses universal interfaces such as UART, an industrial data acquisition system design split into data acquisition, data encryption and data transmission can be adopted. The integrated design that is mostly used today is abandoned, and each subsystem can be designed independently and produced in a standardized way, reducing cost.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or portions thereof without departing from the spirit and scope of the invention.

Claims (3)

1. A data acquisition gateway full-isolation method, characterized in that a data encryption module is added in the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform with dedicated software to protect data transmission; the encryption module is connected to the MCU and the communication module through a serial port; the technical scheme for encrypting and isolating industrial internet data acquisition comprises the following steps:
S1, overall structure design:
The data acquisition terminal collects enterprise data, sends it through the MCU to the GPRS transmission module, and on to the big data platform; the enterprise data may face risks of theft and leakage in transit and needs confidentiality protection;
A data encryption module is added in the data acquisition terminal to encrypt the uploaded data, and the data is decrypted on the big data platform with dedicated software to protect data transmission; the encryption module is connected through the serial port;
S2, hardware design of the encryption module:
Considering area, power consumption and cost, the encryption module is realized with a dedicated algorithm SoC chip plus a standard interface; the main functions are realized by the algorithm chip, which comprises a master control CPU, a cryptographic algorithm operation unit, a key storage unit and an interface module; the standard interface realizes data interaction between the encryption module and the acquisition terminal and between the encryption module and the transmission module; the encryption module thus mainly comprises the algorithm chip and its supporting devices; the cryptographic SoC chip is fitted with two rows of 1 x 5 pins, the module area is within 2 cm x 2 cm, the data encryption module communicates with the outside over UART, the module must be powered from the outside, and it uses two single-row 1 x 5 pin headers with a 2.54 mm pitch;
S3, working mode of the encryption module:
The encryption module can be designed into two different working modes within the terminal: serial mode and parallel mode:
Serial mode:
In the serial mode, the encryption module is an independent unit connected in series on the data path; the MCU sends the acquired data to the encryption module, and the module encrypts and encapsulates the data and passes it to the communication module for transmission; in this mode the encryption module takes on more of the work and can raise a technical barrier against terminal manufacturers sending enterprise data in plaintext to other service platforms; the data encryption module requires the following development work:
1) Standardizing the cryptographic module-MCU interface: the MCU acts as the master device and the cryptographic module as the slave device; the communication interface between them is defined and implemented as AT commands, the main ones covering network connection parameter configuration, connecting to the platform server, sending data and requesting timing data;
2) Implementing the encryption function, including key agreement and data encryption;
3) Encapsulating the MQTT protocol: implementing the MQTT client function, connecting to the platform server, and handing the encrypted payload data to the GPRS module for sending;
4) Driving the GPRS module and handling its data transmit/receive: the GPRS module is driven to connect to the cloud platform, send data and receive timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, if different device manufacturers choose different wireless communication modules, the cryptographic module must be adapted and developed separately for each;
Parallel mode:
In the parallel mode, the encryption module acts only as a cryptographic operation unit: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and packages and transmits it itself; the encryption module only performs the encryption, and the data packaging is done by the MCU;
S4, key design:
The cryptographic chip selected for the encryption module provides the commonly used national-standard algorithms SM2, SM3 and SM4, supports the different encryption modes of symmetric encryption and public-key encryption, and supports the different key-management modes of preset keys and key agreement; to simplify user management and improve decryption efficiency on the big data platform side, symmetric encryption with preset keys is adopted;
The encryption module uses a symmetric algorithm; encryption keys are preset in the chip and assigned per module, so that different modules have different encryption keys; the chip adds security protection measures so that the encryption key cannot be read from the outside; when the encryption module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated internally, and the encryption key and ID are submitted to the big data platform's decryption program for decrypting data; on the big data platform, the encryption keys of all encryption modules are stored encrypted to prevent leakage;
The algorithm chip provides a rich set of algorithm operation units, and the embedded CPU can also change how the key is used; if the key usage mode later needs to be changed, the required function can be realized by a software upgrade without changing the hardware, which improves flexibility;
S5, management flow design:
Equipment production: the data acquisition terminal is mainly divided into an acquisition terminal and an encryption module; a standard interface is defined between them, and the two are produced by different manufacturers and purchased separately; after the encryption module is produced, an initialization operation is required: a device ID and an encryption key are generated, and the ID with its corresponding encryption key is submitted and stored encrypted;
Equipment assembly: the acquisition terminal and the encryption module are assembled together and then delivered to the user manufacturer;
Communication flow:
Encryption module:
(1) Power on the device and read the device ID and encryption key;
(2) The encryption module encrypts the agreed fixed plaintext data with the encryption key to obtain data_en;
(3) Send (ID, data_en) to the big data platform as handshake data;
Big data platform:
(1) Establish a connection with the terminal device;
(2) Receive the handshake data (ID, ciphertext);
(3) Look up the encryption terminal's encrypted key by ID and decrypt it to obtain the key plaintext;
(4) Decrypt data_en with the encryption key to obtain data;
(5) Compare whether data is the agreed fixed data; if not, disconnect; if so, the connection is established and subsequent data is decrypted with the encryption key.
2. The data acquisition gateway full-isolation method according to claim 1, wherein in S3, in the serial mode, the data encryption module requires the following development work:
1) Standardizing the cryptographic module-MCU interface: the MCU acts as the master device and the cryptographic module as the slave device; the communication interface between them is defined and implemented as AT commands, the main ones covering network connection parameter configuration, connecting to the platform server, sending data and requesting timing data;
2) Implementing the encryption function, including key agreement and data encryption;
3) Encapsulating the MQTT protocol: implementing the MQTT client function, connecting to the platform server, and handing the encrypted payload data to the GPRS module for sending;
4) Driving the GPRS module and handling its data transmit/receive: the GPRS module is driven to connect to the cloud platform, send data and receive timing data; in addition, since the GPRS module is a passive communication device driven by the cryptographic module, different device manufacturers that choose different wireless communication modules each require separate adaptation and development of the cryptographic module.
3. The data acquisition gateway full-isolation method according to claim 1, wherein in S3, in the parallel mode, the data encryption module requires the following development work:
Providing cryptographic service functions, including key agreement and data encryption, to the MCU, with the interface standardized as AT commands.
CN201910319489.1A 2019-04-19 2019-04-19 Data acquisition gateway full-isolation method Active CN110061989B (en)

Publications (2)

Publication Number Publication Date
CN110061989A CN110061989A (en) 2019-07-26
CN110061989B true CN110061989B (en) 2021-07-13





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant