Identification data encryption access method in nuclear power networked collaborative computing environment
Technical Field
The invention belongs to the technical field of data information processing and the application of nuclear power identification analysis systems in a nuclear power networked collaborative cloud computing platform, and particularly relates to an identification data encryption access method in a nuclear power networked collaborative computing environment.
Background
At present, cloud computing service deployment modes are divided into three types: public cloud, private cloud and hybrid cloud, of which the hybrid cloud is the future development trend. The public cloud is currently the most mainstream and popular service mode and can provide well-developed, large-scale request services to the public. The private cloud mainly provides cloud services inside an enterprise and is located in the local area network, so that enterprise personnel can effectively manage data processing efficiency, security and so on. The hybrid cloud is composed of two or more clouds that remain independent of each other but are joined through standard or proprietary technology; the enterprise's private cloud capability is extended by using public clouds to support dynamic, intelligent and elastic improvement of local services.
Cloud storage is one specific embodiment of cloud computing technology. It is not storage as such but a service, and is correspondingly divided into the same three types: public cloud, private cloud and hybrid cloud. From the perspective of service components, cloud storage is a collection of storage devices and servers connected through the internet that can provide cloud computing services, and is a service mode for mutual access between users and cloud services. From the perspective of service form, cloud storage provides users with real-time access to cloud resources; because it has a wide application range, is simple to operate and is easy to expand and manage, it is favored by more and more users and enterprises.
When a user chooses to deploy a large number of applications and a large amount of data into the cloud computing platform, the cloud computing system becomes a cloud storage system accordingly. The cloud storage system has the advantages of high scalability, high efficiency, low cost and so on. On the one hand, a user can enjoy the convenience of cloud services by sending locally stored data to the cloud server; on the other hand, because the cloud server that stores the data is publicly accessible, it faces cloud security problems caused by malicious attacks and even by unrelated users illegally obtaining data. Therefore, how to let a user enjoy the convenience of the cloud server without worrying about the security and confidentiality of the data stored in the cloud is a problem that urgently needs to be solved. Data encryption is an effective means of ensuring data privacy, and encryption methods with various functions and different security strengths have been researched and put into use, such as symmetric encryption algorithms and asymmetric encryption algorithms. In addition, while the security and efficient search of cloud-side data are ensured, the legal access rights that the user grants over the relevant data are very important in the data sharing process.
The cloud platform of the Shanghai nuclear power industry of the nuclear institute of technology and the cloud platform of the Shanghai supercomputing center are coupled and linked, and supercomputing resources are brought into an integrated cloud resource system. Different high-performance computing clusters in the enterprise private cloud and public cloud environments are gradually integrated to form a clearly layered, dynamically expandable simulation computing resource framework. This provides users with a unified security access mechanism, massive simulation computing capacity and a high-definition three-dimensional interactive experience, realizing a domestically advanced, cascading, flexible and professional engineering computing hybrid cloud computing platform.
The industrial internet identification analysis system is an infrastructure for building comprehensive interconnection of people, machines and objects. It can realize comprehensive interconnection of industrial elements such as industrial design, research and development, production, sales and service, improve cooperation efficiency, and promote the open flow and aggregation of industrial data. The Shanghai nuclear power institute, following the actual development requirements of the enterprise, the goal of establishing a digital research and development system, and the industrial internet identity resolution integrated application architecture for the nuclear power industry, uses identity resolution technology as the solution to information islands. It has created a nuclear power industry networked collaborative design cloud platform integrated application based on an industrial internet identity resolution system, which integrates hardware equipment, virtual resources and resource management, office work, design, calculation, graphics processing and other applications, and is gradually building technical service capabilities for internet + nuclear power design such as specialized tool collaboration, data sharing and knowledge transfer.
Disclosure of Invention
In a nuclear power industry networked collaborative design cloud platform integrated with an identification analysis system, the invention provides an identification data encryption access method in a nuclear power networked collaborative computing environment (shown in FIG. 1), which comprises the following five main steps:
Firstly, after passing enterprise security certification, a professional nuclear power equipment simulation computing engineer logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. When large-scale simulation analysis of identified and coded nuclear power equipment is carried out, the engineer logs in to the supercomputing public cloud computing platform directly through the high-performance computing (HPC) comprehensive management sub-node inside the enterprise.
Secondly, the simulation computing engineer uses the supercomputing public cloud computing platform to call a high-performance computing cluster and carry out large-scale simulation computing on the specific identified nuclear power equipment, generating the corresponding calculation result data. The non-core part of the calculation result data of the identified nuclear power equipment is encrypted and then stored in the supercomputing public cloud file server, and the core part is encrypted and then transmitted back to the enterprise private cloud file server.
Thirdly, after passing enterprise security certification, a nuclear power equipment collaborative design engineer logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. The collaborative design engineer sends a search request for the simulation calculation data related to a specified piece of nuclear power equipment, according to the nuclear power equipment identification analysis system.
Fourthly, after the nuclear power equipment identification verification and the engineer authority verification both pass, the file server searches for the core part of the calculation result data in the enterprise private cloud storage and the non-core part of the calculation result data in the supercomputing public cloud storage.
Fifthly, after the two encrypted parts are decrypted and merged, the complete simulation calculation data that matches the nuclear power equipment identification information is transmitted back to the collaborative design management service platform for use by the collaborative design engineer.
The method addresses the collaborative research and development scenario of engineers in different departments and posts within a nuclear power enterprise. Collaborative research and development of nuclear power equipment in a hybrid cloud environment is carried out on the nuclear power industry networked collaborative design cloud platform based on the identification analysis system, and a secure access mechanism for the calculation data of identified nuclear power equipment in the hybrid cloud environment is realized through data encryption and access control technology. This improves research and development design efficiency and data information security, and helps the enterprise raise its level of collaborative design for complex nuclear power equipment.
Drawings
FIG. 1 is an explanatory view of the overall implementation principle of the present invention.
FIG. 2 is a flow chart of the use of the supercomputing public cloud by the enterprise nuclear power platform.
FIG. 3 is a flow chart of the slicing, encryption and storage of calculation data.
FIG. 4 is a flow chart of the access, reading and decryption of calculation data.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, the present invention is further described in detail below with reference to the accompanying drawings and the detailed description:
(1) When nuclear power equipment simulation analysis needs to be carried out, a professional simulation computing engineer confirms their identity through the enterprise LDAP unified authentication mechanism and logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. In daily work, each nuclear power equipment part opened by a user on the collaborative design platform must have a definite identification code.
The initialization algorithm INIT is started, and the enterprise private cloud storage server generates a public key PK and a system master key SK from the specified nuclear power equipment identification attribute PA and the security parameter SA and outputs them to the specified engineer.
(2) When large-scale simulation analysis of the identified and coded nuclear power equipment is carried out, the engineer further uses the HPC comprehensive management sub-node in the enterprise collaborative design platform, which is dedicated to high-performance computing. In this sub-node the engineer can clearly browse the lists of software and hardware computing resources of different disciplines and categories that the public cloud of the external supercomputing center can provide, and can select the corresponding computing resource items according to actual simulation requirements (see FIG. 2).
(3) After selecting the public cloud computing resource items, the simulation computing engineer can log in directly to the public cloud computing platform of the external supercomputing center and use the platform to freely call a high-performance computing cluster for various large-scale simulation computing work on the identified nuclear power equipment, such as structural analysis, fluid analysis and optimization analysis. Each nuclear power equipment analysis task generates a new calculation task identification code when it is submitted for computing, and generates the corresponding calculation result data after computing.
(4) Using a data segmentation algorithm, the simulation computing engineer splits the obtained calculation result data D into core key data D1 and non-core key data D2. After the core key data D1 is transmitted to the enterprise private cloud storage server, it is encrypted with an attribute-based control algorithm in combination with the public key PK and the calculation operation identifier JID, and the key ciphertext data SD1 is output. After the non-core key data D2 is transmitted to the supercomputing public cloud storage server, a symmetric encryption key SEK is randomly selected from the key space, D2 is encrypted with a searchable encryption algorithm, and the non-key ciphertext data SD2 associated with the calculation operation identifier JID is output (see FIG. 3).
(5) When nuclear power equipment collaborative design needs to be carried out, a professional simulation computing engineer confirms their identity through the enterprise LDAP unified authentication mechanism and logs in to the collaborative design management service platform based on the nuclear power identification analysis system to carry out daily work. In daily work, with the help of the identification analysis system on the collaborative design platform, engineers can open the data index information base of the specific nuclear power equipment part that matches the identification coding information designated in their assigned work task.
The private key generation algorithm of the collaborative design engineer is started, and the private key UK of the collaborative design engineer is generated from the engineer's authority attribute UA, the public key PK of the private cloud storage server and the system master key SK.
(6) When the collaborative design engineer needs to recheck/check/review certain specific simulation calculation result data of a specific nuclear power equipment part, the engineer again uses the identification analysis system to query all calculation tasks with definite identification codes that belong to that nuclear power equipment part, and sends the nuclear power collaborative design platform a search request for the simulation calculation data matching the nuclear power equipment part and the calculation task identification code.
The collaborative design engineer submits the private key UK and the calculation task identifier to be searched, JID', to the private cloud server, and the threshold generation algorithm outputs a threshold value THRES.
(7) According to the search request, when the identification verification of the corresponding nuclear power equipment and the authority verification of the collaborative design engineer both pass, a file server in the nuclear power collaborative design platform searches the enterprise private cloud storage and the supercomputing public cloud storage respectively for the parts of the encrypted data that correspond to the simulation computing task matching the identification coding information (see FIG. 4).
The enterprise private cloud storage server performs verification using the threshold value THRES and the key ciphertext data SD1. If the engineer's attribute authority passes verification and the searched calculation task identifier is consistent with the encrypted calculation task identifier, the server outputs SD1 and sends the threshold value THRES to the supercomputing public cloud storage server to download the non-key ciphertext data SD2 consistent with the calculation task identifier.
(8) In the enterprise private cloud storage, the two parts of encrypted data are decrypted and combined into a complete calculation result data file, which is transmitted back to the temporary file space of the specific nuclear power equipment part in the nuclear power collaborative design management service platform for the collaborative design engineer to review. When the collaborative design engineer completes the rechecking/checking/reviewing work on the nuclear power equipment part and exits the nuclear power collaborative design cloud platform, all temporary files under the file space of that nuclear power equipment part are automatically destroyed.
The private cloud storage server decrypts the non-key ciphertext data SD2 using the symmetric encryption key SEK to output the non-core calculation data D2, and decrypts the key ciphertext data SD1 using the private key UK of the collaborative design engineer to output the core calculation data D1. If the two corresponding calculation operation identifiers JID are consistent, the two parts are combined into a complete file and transmitted back to the nuclear power collaborative design platform for the collaborative design engineer to use.
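The store-and-retrieve flow of steps (4) to (8), written out as an added example that is not part of the original text. It assumes the following stand-ins, since the text names no concrete algorithms: an HMAC-SHA256 keystream with encrypt-then-MAC replaces the symmetric cipher, a keyed HMAC tag over the JID replaces the searchable-encryption index and plays the role of THRES, a plain attribute-subset check replaces attribute-based encryption, and the data split is a fixed byte offset; the names HybridStore, seal, unseal and token are hypothetical.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream; stand-in for a real cipher.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac_input(jid, nonce, ct):
    j = jid.encode()
    return len(j).to_bytes(2, "big") + j + nonce + ct  # length-prefixed JID

def seal(key, jid, plaintext):
    """Encrypt-then-MAC; the JID is authenticated together with the ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), _mac_input(jid, nonce, ct))

def unseal(key, jid, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _prf(_prf(key, b"mac"), _mac_input(jid, nonce, ct))
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext is not bound to this JID")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class HybridStore:
    def __init__(self):
        self.index_key = secrets.token_bytes(32)  # stays in the private cloud
        self.core_key = secrets.token_bytes(32)   # stand-in for ABE key material
        self.private = {}  # search tag -> (policy, SD1, SEK)
        self.public = {}   # search tag -> SD2; the public cloud never sees the JID

    def token(self, jid):
        # Plays the role of THRES: a keyed tag derived from the task identifier.
        return _prf(self.index_key, jid.encode()).hex()

    def store(self, jid, data, core_len, policy):
        d1, d2 = data[:core_len], data[core_len:]  # assumed split rule
        sek = secrets.token_bytes(32)              # fresh SEK for each task
        tag = self.token(jid)
        self.private[tag] = (frozenset(policy), seal(self.core_key, jid, d1), sek)
        self.public[tag] = seal(sek, jid, d2)

    def fetch(self, jid_query, attributes):
        tag = self.token(jid_query)
        if tag not in self.private:
            raise KeyError("no task matches the search token")
        policy, sd1, sek = self.private[tag]
        if not policy <= set(attributes):
            raise PermissionError("engineer attributes do not satisfy the policy")
        d1 = unseal(self.core_key, jid_query, sd1)
        d2 = unseal(sek, jid_query, self.public[tag])  # rejects SD2 of another JID
        return d1 + d2
```

Binding the JID into the authentication tag of both ciphertexts is what enforces the "identifiers are consistent" condition before the merge: a public-cloud object substituted from another task fails verification instead of being merged.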
The terminology relevant to the present invention is as follows:
Lightweight Directory Access Protocol (LDAP): an open, neutral, industry-standard application protocol that provides access to and maintenance of distributed directory information over the IP protocol. One common use of LDAP is single sign-on, where a user may use the same password in multiple services, typically for logging on to a company's internal website. The various software applications then no longer need their own separate user management, but perform user authentication through this unified authentication mechanism.
The core of the identification analysis system comprises three parts: identification codes, the identification analysis system and identification data services. Identification coding involves techniques for defining the data structure of an object's coding format and for distributing and managing it. The identification analysis system can query the network location or related information of a target object according to its identification code, and can uniquely locate and look up information about the target object. The identification data service uses identification coding resources and the identification analysis system to carry out industrial identification data management and networked data sharing.
The symmetric encryption algorithm appeared earlier and is more mature as a system; it was the only form of encryption before public key encryption algorithms appeared. Symmetric encryption algorithms are still widely studied and used today because of their own advantages. In a symmetric cryptosystem, a user encrypts and decrypts data using the same key. The two communicating parties select the same key through negotiation, trust each other and ensure that the key is not leaked. The security of a symmetric cryptosystem is mainly determined by the secrecy of the key, not by the secrecy of the encryption algorithm.
The public key encryption algorithm: public key cryptography handles the encryption and decryption keys of the cryptosystem separately. The encryption key is a public key and is transmitted openly over the network, while the decryption key is a private key kept by the user. The basic principle of public key cryptography is based on a one-way function: the corresponding public key can be computed from the private key, but the private key can hardly be derived from the public key, so that public key cryptography is safer than symmetric cryptography.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.