A security protection method for industrial Internet of Things data transmission
Technical field
The invention belongs to the field of industrial Internet of Things information security, and in particular relates to a security protection method for industrial Internet of Things data transmission. The method addresses the security risks present in the data transmission layer of an industrial Internet of Things system, taking the security of the communication process as its starting point, namely the confidentiality of data and the identity authentication between terminal devices during communication. For the communication protocols commonly used in industrial Internet of Things systems, the communication process is transmitted in encrypted form, and communication between terminal devices uses identity authentication, so that the data transmission layer provides a secure and accurate data transport service.
Background art
The Internet of Things is developing rapidly and is being applied in every field, and the vertical field in which it has spread fastest and most widely is industry. The application scenarios of the industrial Internet of Things are extremely rich: ever more sensors, robots, automation equipment and other devices are being linked together. The industrial Internet of Things can be regarded as the close combination of industrial automation systems and Internet of Things systems. Technologies such as the internet, cloud computing and sensing are introduced in the course of its development, and it completes the fusion of industrial production systems, industrial monitoring systems and industrial management systems. Based on the analysis and processing of industrial data by a data center, it can substantially raise product quality and industrial production efficiency while effectively reducing production management costs.
With the wide use of industrial Internet of Things technology in the industrial field, the control devices at the device layer of industrial control systems exchange information and data over open networks, and the management layer can be seamlessly merged with the information of the market layer. However, ever more open network connections make industrial control systems, networked devices and industrial cloud platforms vulnerable to intrusion, bringing threats such as shutdown, production disruption and loss of assets to the industrial environment.
The data transmission layer of the industrial Internet of Things corresponds to the transport network layer of the general Internet of Things. It is an open network that fuses sensing networks, mobile networks and the internet, and its communication network is usually built according to international or industry standards: short-range wireless technologies such as Wi-Fi, Bluetooth, RFID and ZigBee, traditional mobile networks, the internet, low-power wide-area networks, and the various Internet of Things communication protocols of which the MQTT protocol is representative. Together these set up the data transmission channel between the industrial site and the remote data processing center.
There is no special regulation of the communication protocols used by industrial Internet of Things systems, and different manufacturers typically have their own standards. Different Internet of Things communication protocols therefore carry uncertain risk: their encryption measures may be fairly complete, or they may perform no encryption at all. If the communication protocol used by an Internet of Things product is both simple and transmits in plaintext, then once an attacker has intruded into the local area network of the Internet of Things system, the communication data can easily be intercepted by methods such as network sniffing. When the communication protocol is unencrypted, the attacker can easily read the data content, can tamper with or forge the contents of data packets, or can send wrong control instructions by way of a man-in-the-middle attack, which may prevent industrial equipment from operating normally.
For the data transmission layer, the main task is to guarantee the security of data transmission during communication, including the identity authentication of communication terminal devices and the confidentiality of data. To guarantee that the data transmission layer provides a secure and accurate data transport service, and to defend against data theft and man-in-the-middle attacks, the communication process of the communication protocols used by most industrial Internet of Things systems needs to be transmitted in encrypted form, and trusted identity authentication needs to be performed on the terminal devices that access the system using those protocols. At the same time, considering the form of the data transmitted by industrial Internet of Things hosts, namely large volumes of streaming data, the real-time performance of data transmission must also be guaranteed under the premise of transmission security.
Summary of the invention
The purpose of the present invention is to propose a security protection method for the data transmission security of the industrial Internet of Things, which guarantees the security of the communication process data between devices and the remote end in the industrial Internet of Things, so as to solve the problems of data theft and man-in-the-middle attacks during data transmission.
To achieve the above purpose, the present invention adopts the following technical solution:
A security protection method for industrial Internet of Things data transmission, comprising the following steps:
(1) encapsulating a protocol stack on the transport protocol of the existing industrial Internet of Things, forming an identity authentication protocol specification;
(2) carrying out four data interactions between the client and the server, generating an identical session key on both sides from the data and algorithms exchanged during the protocol between the client and the server, confirming the identity of both sides, and completing the communication handshake between the client and the server;
(3) after the communication handshake succeeds, determining whether the client is a legitimate device by means of the digital certificate used for encryption and the corresponding digital certificate authentication flow.
Further, the protocol stack in step (1) comprises an encrypted-encapsulation handshake protocol, a change cipher spec protocol, an alert protocol, an edge-to-cloud transport protocol and an encrypted-encapsulation record protocol, encapsulated on the TCP protocol and the IP protocol.
Further, the encrypted-encapsulation handshake protocol includes, but is not limited to, Transport Layer Security and the security protocol of the network layer, and, combined with the change cipher spec protocol and the alert protocol, authenticates the client and the server and encrypts data while maintaining data integrity.
Further, the edge-to-cloud transport protocol includes, but is not limited to, the MQTT protocol, and describes the particular characteristics of industrial communication.
Further, the four data interactions in step (2) are, respectively, a client request, a server response, a client reply and a server final reply:
the client request is the client sending a connection request to the server; the request is a communication encryption request that includes the cryptographic protocol versions, cipher suites and compression methods the client can support, from which the server determines the specific combination of cryptographic protocol and algorithms to use, and the request also includes a random number generated by the client;
the server response is the server's reply to the client request of the first stage; the server sends the client a message that fixes the cryptographic protocol version and cipher suite to be used and carries the server digital certificate, and the message also includes a random number generated by the server;
the client reply is the client's reply to the server response of the second stage; the client checks the validity of the server digital certificate, and if the certificate is not valid, the client directly disconnects or sends the user a warning that the server is not trusted; if the certificate passes validation, the client generates a further random number used subsequently to generate the session key, encrypts that random number with the server public key contained in the server digital certificate, and then sends the server a message containing the encrypted random number, a change cipher spec notice and a client handshake finished notice;
the server final reply is the server's reply to the client reply of the third stage; after receiving the client reply, the server decrypts the encrypted random number in the message with the server private key, then generates from the three random numbers produced in the preceding three stages the session key used in the application data transfer phase, and then sends the client a message containing a change cipher spec confirmation and a server handshake finished notice.
Further, the digital certificate in step (3) comprises user public key information, a message digest and a digital signature; the message digest is generated from the user public key information by a hash algorithm, and the digital signature is generated by signing that digest (encrypting it) with the private key algorithm of the certificate authority.
Further, the digital certificate authentication flow in step (3) comprises the following steps:
(3.1) after the communication handshake succeeds, the client computes a message digest of the message body to be sent to the server using a hash algorithm, and at the same time signs the message digest with the client private key (encrypts the digest with the private key), generating a digital signature;
(3.2) the client sends the message body and the digital signature together to the server;
(3.3) after receiving the message, the server takes out the digital signature and decrypts it with the client public key, obtaining the message digest;
(3.4) the server again computes a message digest of the received message body with the hash algorithm and compares it with the message digest obtained in step (3.3); if the two are identical, the client is judged to be a legitimate device; if they differ, the client is judged to be an illegitimate device.
Compared with the prior art, the present invention has the following advantages and technical effects:
(1) the security protection method for industrial Internet of Things data transmission, through identity authentication and communication encryption, resolves to a certain degree the security risks in the data transmission of the existing industrial Internet of Things;
(2) identity authentication is realized through the protocol stack encapsulated on the existing Internet of Things transport protocol and the communication handshake process between client and server, which fully considers the characteristics of existing industrial Internet of Things data transmission, so that the protocol specification required for identity authentication can be formed by encapsulation without changing the existing industrial Internet of Things transport protocol;
(3) communication encryption encrypts the transmitted data through the digital certificate and the corresponding digital certificate authentication flow, thereby guaranteeing the security of the data.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made clearer and more comprehensible, preferred embodiments are set out in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is the protocol stack of the present invention for encrypting industrial Internet of Things data transmission.
Fig. 2 is the handshake process between the client and the server in the communication process of the present invention.
Fig. 3 is the composition of the digital certificate used for communication encryption in the present invention.
Fig. 4 is the digital certificate authentication flow of the present invention.
[Reference numerals]
11 encrypted-encapsulation handshake protocol; 12 change cipher spec protocol; 13 alert protocol; 14 edge-to-cloud transport protocol; 15 encrypted-encapsulation record protocol; 16 TCP protocol; 17 IP protocol;
21 client; 22 server; 23 client request; 24 server response; 25 client reply; 26 server final reply;
31 digital certificate; 32 user public key information; 33 message digest; 34 digital signature; 35 hash algorithm; 36 certificate authority private key algorithm;
41 message body; 42 client private key; 43 client public key; 44 legitimate device; 45 illegitimate device.
Specific embodiments
The working principle of the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
The security protection method proposed by the present invention realizes security protection of industrial Internet of Things data transmission through an identity authentication mode and a communication encryption mode.
The identity authentication mode is realized through a protocol stack dedicated to transmission encryption and the communication handshake process between the client and the server in the communication process. Specifically, the protocol stack shown in Fig. 1 is encapsulated on the transport protocol of the existing industrial Internet of Things to form the identity authentication protocol specification; then the four data interactions shown in Fig. 2 take place between the client and the server, namely the client request, the server response, the client reply and the server final reply; the identical session key is generated on both sides from the data and algorithms exchanged during the protocol between the client and the server, the identities of both sides are confirmed, and the communication handshake between the client and the server is completed.
Referring to Fig. 1, this is the protocol stack of the present invention for encrypting industrial Internet of Things data transmission. The transport protocols of the existing industrial Internet of Things rely mainly on TCP; by encapsulating application-layer data at the transport layer, protection can be added to the transport protocol without modifying the underlying transport protocol. The transmission encryption protocol stack of the present invention aims to encrypt the transport protocol of the existing industrial Internet of Things effectively, and mainly comprises the encrypted-encapsulation handshake protocol 11, the change cipher spec protocol 12, the alert protocol 13, the edge-to-cloud transport protocol 14 and the encrypted-encapsulation record protocol 15, encapsulated on the TCP protocol 16 and the IP protocol 17.
The encrypted-encapsulation handshake protocol 11 includes, but is not limited to, Transport Layer Security (TLS) and the security protocol of the network layer (IPsec), and, combined with the change cipher spec protocol 12 and the alert protocol 13, authenticates the client and the server and encrypts data while maintaining data integrity. The edge-to-cloud transport protocol 14, including but not limited to the MQTT protocol, describes the particular characteristics of industrial communication. The encrypted-encapsulation record protocol 15 mainly serves as the record of the encrypted-encapsulation handshake protocol 11, the change cipher spec protocol 12 and the alert protocol 13, realizing the completeness and traceability of the cryptographic protocol. The TCP protocol 16 and the IP protocol 17 are the existing conventional TCP and IP protocols.
Referring to Fig. 2, this is the handshake process between the client and the server in the communication process of the present invention. In the handshake phase, the client 21 first issues a connection request to the server 22; both sides then carry out several information exchanges and, from these data and algorithms, generate the identical session key, creating a secure connection between the client 21 and the server 22. After the handshake is complete, the client 21 and the server 22 communicate in encrypted form using the session key: the data sender encrypts the information with the session key, and the data receiver decrypts the ciphertext with the same session key. The handshake phase comprises four data interaction processes:
The first stage is the client request 23, in which the client 21 sends a connection request to the server 22. The request is a communication encryption request containing the cryptographic protocol versions, cipher suites and compression methods the client 21 can support, from which the server 22 determines the specific combination of cryptographic protocol and algorithms to use; the request also carries a random number generated by the client 21.
The second stage is the server response 24, in which the server 22 replies to the client request of the first stage. The server 22 sends the client 21 a message fixing the protocol version to be used (which must be one the client offered), the cipher suite and the server digital certificate; the message also carries a random number generated by the server 22.
The third stage is the client reply 25, in which the client 21 replies to the server response of the second stage. The client checks the validity of the digital certificate of the server 22; if the certificate is not valid, the client 21 directly disconnects or sends the user a warning that the server 22 is not trusted. If the certificate passes validation, the client 21 generates a further random number, used subsequently to produce the session key, encrypts that random number with the server public key contained in the server digital certificate, and then sends the server 22 a message containing the encrypted random number, a change cipher spec notice and a client handshake finished notice.
The fourth stage is the server final reply 26, in which the server 22 replies to the client reply of the third stage. On receiving the client reply 25, the server 22 decrypts the encrypted random number in the message with the server private key, then generates from the three random numbers (produced in the first three stages) the session key used in the application data transfer phase, and then sends the client 21 a message containing a change cipher spec confirmation and a server handshake finished notice.
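The four-stage handshake described above (and in step (2) of the summary), worked through as an added example in Go. This is illustrative code written for this page, not code from the patent or from any product it describes. It models the four messages as Go structs, validates the server certificate at stage 3 against a trust store before using the public key inside it, transports the third random to the server with RSA-OAEP, and derives the session key from the three randoms with HMAC-SHA256, which stands in for the derivation algorithm the text leaves unspecified. Assumptions of the example: the server certificate is self-signed and pinned as the client's trust root (the certificate of Fig. 3 would be issued by a certificate authority), and the host name iiot-server.example, the cipher-suite label and the message field names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The four messages of Fig. 2 (constructed field layout; the page fixes no wire format).
type ClientRequest struct{ Versions, Suites []string; Random []byte }
type ServerResponse struct{ Version, Suite string; Random, CertDER []byte }
type ClientReply struct{ EncryptedRandom []byte; ChangeCipherSpec, Finished bool }

const serverName = "iiot-server.example" // hypothetical server host name

// must panics on errors that cannot occur with well-formed inputs; production code returns them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// deriveSessionKey mixes the three handshake randoms into one 32-byte key; HMAC-SHA256
// stands in for the derivation "algorithm" that the page leaves unspecified.
func deriveSessionKey(premaster, clientRand, serverRand []byte) []byte {
	mac := hmac.New(sha256.New, premaster)
	mac.Write(append(append([]byte("iiot session key"), clientRand...), serverRand...))
	return mac.Sum(nil)
}

// NewServerCert makes the server key pair and a self-signed certificate. Assumption: the
// client pins this certificate as its trust root instead of walking a chain to the CA of Fig. 3.
func NewServerCert() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// Handshake runs the four interactions in-process and returns the session key each side
// derived. A client that cannot validate the server certificate aborts before any secret leaves it.
func Handshake(srvKey *rsa.PrivateKey, srvCert *x509.Certificate, trust *x509.CertPool) (clientKey, serverKey []byte, err error) {
	// Stage 1: client request lists the versions and suites it supports and carries its random.
	req := ClientRequest{Versions: []string{"TLS1.2"}, Suites: []string{"RSA-AES256-GCM-SHA256"}, Random: randomBytes(32)}
	// Stage 2: server fixes version and suite from that list and sends its certificate and random.
	resp := ServerResponse{Version: req.Versions[0], Suite: req.Suites[0], Random: randomBytes(32), CertDER: srvCert.Raw}
	// Stage 3: client validates the certificate (trust chain, validity period, host name) before using its key.
	cert, err := x509.ParseCertificate(resp.CertDER)
	if err != nil {
		return nil, nil, err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: trust, DNSName: serverName}); err != nil {
		return nil, nil, fmt.Errorf("server not trusted, disconnecting: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("server certificate does not carry an RSA key")
	}
	premaster := randomBytes(48) // third random, readable only by the holder of the server private key
	reply := ClientReply{EncryptedRandom: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, premaster, nil)), ChangeCipherSpec: true, Finished: true}
	clientKey = deriveSessionKey(premaster, req.Random, resp.Random)
	// Stage 4: server recovers the third random with its private key, derives the same key,
	// and answers with its change-cipher-spec confirmation and finished notice.
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srvKey, reply.EncryptedRandom, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("client reply rejected: %w", err)
	}
	serverKey = deriveSessionKey(got, req.Random, resp.Random)
	return clientKey, serverKey, nil
}

func main() {
	srvKey, srvCert := NewServerCert()
	trust := x509.NewCertPool()
	trust.AddCert(srvCert)
	ck, sk, err := Handshake(srvKey, srvCert, trust)
	if err != nil {
		panic(err)
	}
	fmt.Println("both sides hold the same session key:", hmac.Equal(ck, sk))
	_, _, err = Handshake(srvKey, srvCert, x509.NewCertPool()) // empty trust store: stage 3 must abort
	fmt.Println("untrusted server:", err)
}
```

Running it reports that both sides hold the same key and that a handshake against an empty trust store aborts at stage 3 with the server-not-trusted error. Two points matter when applying the scheme: the certificate check at stage 3 is what defeats the man-in-the-middle attack of the background section, because an attacker who cannot present a certificate the client trusts never learns the third random; and because that random is encrypted to the server's long-term key (the RSA key-transport pattern of TLS 1.2), compromise of the server private key exposes every recorded session, which an ephemeral Diffie-Hellman suite in the handshake protocol 11 would avoid.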
The communication encryption mode is completed by the digital certificate used for encryption and the corresponding digital certificate authentication flow, thereby guaranteeing the encrypted transmission of industrial data.
Referring to Fig. 3, this is the composition of the digital certificate used for communication encryption in the present invention: a digital certificate which, after part of its content has been digitally signed with a signature algorithm, can serve as the intermediary of a trust relationship. The digital certificate 31 mainly comprises user public key information 32, a message digest 33 and a digital signature 34, related as follows: the message digest 33 is generated from the user public key information 32 by the hash algorithm 35, and the digital signature 34 is generated by signing (encrypting) that digest with the certificate authority private key algorithm 36.
Referring to Fig. 4, this is the digital certificate authentication flow of the present invention. After the client and server have successfully completed the communication handshake, the client 21 applies the hash algorithm 35 to the message body 41 that is to be sent to the server 22, generating the message digest 33, and at the same time the client 21 signs the message digest 33 with the client private key 42, generating the digital signature 34; the client 21 then sends the digital signature 34 and the message body 41 together to the server 22. After the server 22 receives the message, it takes out the digital signature 34 and decrypts it with the client public key 43, obtaining the message digest 33 of the message body; the server 22 then applies the hash algorithm 35 to the received message body 41 itself and compares the resulting message digest with the message digest obtained in the previous step. If the two are identical, the client 21 is judged to be a legitimate device 44; otherwise it is an illegitimate device 45.
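The signature-based device check of Fig. 4 (steps (3.1) to (3.4) of the summary), as an added Go example written for this page rather than taken from the patent. SHA-256 stands in for the hash algorithm 35 and an RSA PKCS#1 v1.5 signature for the digest encrypted with the client private key 42; rsa.VerifyPKCS1v15 performs the public-key operation and the digest comparison of steps (3.3) and (3.4) internally. The device identifier plc-07, the server-side registry of public keys and the JSON control message are assumptions of the example. The registry models the step the text leaves implicit: the server must take the client public key 43 from a certificate it has validated against the certificate authority signature of Fig. 3, since a signature checked against an unvalidated key proves only that someone holds the matching private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is what the client sends in step (3.2): the message body 41 together with
// the digital signature 34. DeviceID is an addition of this example so the server can pick
// the registered public key to check against.
type SignedMessage struct {
	DeviceID  string
	Body      []byte
	Signature []byte
}

// Client holds the device identity and its private key 42.
type Client struct {
	ID  string
	Key *rsa.PrivateKey
}

// Sign is step (3.1): SHA-256 stands in for hash algorithm 35, and an RSA PKCS#1 v1.5
// signature over the digest is the "digest encrypted with the client private key".
func (c *Client) Sign(body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.Key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{DeviceID: c.ID, Body: body, Signature: sig}, nil
}

// Server keeps the client public keys 43 of devices whose certificates it has already
// validated against the CA signature of Fig. 3 (assumption of this example: that validation
// happened at provisioning time). A key that is not registered proves nothing.
type Server struct {
	Registered map[string]*rsa.PublicKey
}

// Verify is steps (3.3) and (3.4): the public-key operation recovers the digest carried in
// the signature, the body is hashed again and the two digests are compared; both happen
// inside rsa.VerifyPKCS1v15. true means legitimate device 44, false illegitimate device 45.
func (s *Server) Verify(m SignedMessage) (bool, error) {
	pub, ok := s.Registered[m.DeviceID]
	if !ok {
		return false, errors.New("device not registered: " + m.DeviceID)
	}
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil, nil
}

// Scenario runs three cases: a genuine message, the same message with its body altered in
// transit, and a body signed by a key that was never registered. It returns whether each
// was accepted (expected: true, false, false).
func Scenario() (genuine, tampered, forged bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	client := &Client{ID: "plc-07", Key: key} // hypothetical device identifier
	server := &Server{Registered: map[string]*rsa.PublicKey{client.ID: &key.PublicKey}}

	msg, err := client.Sign([]byte(`{"tag":"valve_1","cmd":"open"}`)) // constructed control message
	if err != nil {
		return
	}
	genuine, err = server.Verify(msg)
	if err != nil {
		return
	}

	altered := msg
	altered.Body = []byte(`{"tag":"valve_1","cmd":"close"}`) // a man in the middle edits the body
	tampered, err = server.Verify(altered)
	if err != nil {
		return
	}

	rogue, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	fake, err := (&Client{ID: client.ID, Key: rogue}).Sign(msg.Body) // same ID, unregistered key
	if err != nil {
		return
	}
	forged, err = server.Verify(fake)
	return
}

func main() {
	genuine, tampered, forged, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine accepted:", genuine, " tampered accepted:", tampered, " forged accepted:", forged)
}
```

The scenario accepts the genuine message and rejects both the message whose body was altered in transit and the body signed by a key the server never registered. Note that the check as described binds the signature to the body only; a captured signed message could be presented again unchanged, so in deployment the signed input should also cover a per-session value such as the handshake randoms or a server nonce.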
Finally, it is stated that the above embodiments are only used to illustrate the technical solution of the present invention and are not limiting. Other modifications or equivalent replacements made to the technical solution of the present invention by those of ordinary skill in the art, without departing from the spirit and scope of the technical solution of the present invention, are intended to fall within the scope of the claims of the present invention.