CN113472737B - Data processing method and device of edge equipment and electronic equipment - Google Patents


Info

Publication number: CN113472737B
Application number: CN202110529708.6A
Authority: CN (China)
Prior art keywords: key, data, encrypted, processing, secure
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113472737A (en)
Inventor: 李越
Current assignee: Alibaba China Co Ltd (as listed by Google Patents)
Original assignee: Alibaba China Co Ltd

Events: application filed by Alibaba China Co Ltd; priority to CN202110529708.6A; publication of CN113472737A; application granted; publication of CN113472737B; legal status Active; anticipated expiration.

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 63/00 (Network architectures or network communication protocols for network security):
        • H04L 63/04, H04L 63/0428: providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L 63/02: separating internal from external traffic, e.g. firewalls
        • H04L 63/08, H04L 63/0823: authentication of entities using certificates
        • H04L 63/08, H04L 63/0876: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • Y (General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests) > Y02 (Technologies or applications for mitigation or adaptation against climate change) > Y02P (Climate change mitigation technologies in the production or processing of goods) > Y02P 90/00 (Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation):
        • Y02P 90/30: computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data processing method and apparatus for an edge device, and to an electronic device. The method comprises: acquiring an encrypted data packet issued by a manufacturing execution system (MES) together with a first key encrypted with a public key, the encrypted data packet containing secret data encrypted with the first key; in the secure world of the edge device, decrypting the encrypted first key with the corresponding private key, and decrypting the encrypted data packet with the recovered first key to obtain the secret data; and performing secret data processing on the secret data and transmitting the processing result to the non-secure world of the edge device. By dividing the edge device into a secure world and a non-secure world, and combining this with a two-layer encryption mechanism (the key is encrypted with the device's public key, the secret data with that key) between the edge device and the cloud MES, the embodiments effectively isolate the processing of secret data and reduce the risk of its leakage.

Description

Data processing method and device of edge equipment and electronic equipment
Technical Field
The application relates to a data processing method and apparatus for an edge device, and to an electronic device, and belongs to the technical field of computers.
Background
C2M (customer-to-manufacturing) is an industrialized mass-customization model built on the internet, big data, artificial intelligence and automation, together with customizable, energy-saving and flexible production lines. A large computer system exchanges data continuously, configures suppliers and production procedures according to the product order requirements of customers, and finally produces personalized products. The model has been applied in many industries and fields.
To better meet personalized user demand, the production side needs to be able to change over quickly between single products. Edge computing nodes (edge devices) that schedule the respective processing equipment are therefore deployed in each workshop or production line, close to the processing equipment, so that production data can be processed, stored and transmitted quickly at the edge.
However, the product orders and production data in the C2M process may contain sensitive information, for example necessary user information or production process data. In the prior art there is no adequate information security protection for the edge device, so such sensitive information is easily leaked.
Disclosure of Invention
The embodiment of the invention provides a data processing method and apparatus for an edge device, and an electronic device, so as to improve the security of the edge device in the transmission and use of information.
To achieve the above object, an embodiment of the present invention provides a data processing method for an edge device, comprising:
acquiring an encrypted data packet issued by a manufacturing execution system together with a first key encrypted with a public key, where the encrypted data packet contains secret data for processing products, encrypted with the first key;
in the secure world of the edge device, decrypting the encrypted first key with the private key corresponding to the public key, and decrypting the encrypted data packet with the recovered first key to obtain the secret data;
and performing secret data processing on the secret data, and sending the processing result to a product processing application in the non-secure world of the edge device that interfaces with the processing equipment, so that product processing can be carried out.
The embodiment of the invention also provides a data processing apparatus for an edge device, comprising:
a data acquisition module, configured to acquire an encrypted data packet issued by a manufacturing execution system together with a first key encrypted with a public key, where the encrypted data packet contains secret data for processing products, encrypted with the first key;
a decryption processing module, configured to decrypt, in the secure world of the edge device, the encrypted first key with the private key corresponding to the public key, and to decrypt the encrypted data packet with the recovered first key to obtain the secret data;
and a secret processing module, configured to perform secret data processing on the secret data and send the processing result to a product processing application in the non-secure world of the edge device that interfaces with the processing equipment, so that product processing can be carried out.
The embodiment of the invention also provides an electronic device, comprising:
a memory for storing a program;
and a processor for running the program stored in the memory so as to execute the data processing method of the edge device.
According to the data processing method and apparatus for the edge device and the electronic device, the edge device is divided into a secure world and a non-secure world, and this is combined with the two-layer encryption of the key and the secret data between the edge device and the cloud manufacturing execution system, so that the processing of secret data is effectively isolated and the risk of its leakage is reduced.
The foregoing is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be more clearly understood and implemented in accordance with the description, and to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments are set forth below.
Drawings
Fig. 1 is a schematic diagram of an application scenario of a data processing method for an edge device according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the system architecture of an edge device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a secure communication mechanism for secret data according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an ID authentication mechanism for an edge device according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart of the start-up verification process of an edge device according to an embodiment of the present invention;
Fig. 6 is a flow chart of a data processing method for an edge device according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a data processing apparatus for an edge device according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The technical scheme of the invention is further described by the following specific examples.
Fig. 1 is a schematic diagram of an application scenario of a data processing method for an edge device according to an embodiment of the present invention. The MES (manufacturing execution system) may be deployed in the cloud, or deployed in a hybrid-cloud manner on computers in the cloud and in a local office area. The cloud MES is connected through a firewall and a router to a plurality of edge devices in the production area. The production area of a factory may contain several workshops; as illustrated, each workshop is equipped with one edge device that schedules and executes production tasks on the processing equipment in that workshop. An office area is also configured on the factory side. It can monitor the edge devices and the processing equipment, and when the cloud MES cannot be reached, the office computers can control the edge devices to carry out production scheduling and processing operations.
Fig. 2 is a schematic diagram of the system architecture of an edge device according to an embodiment of the invention. Architecturally, the edge device is divided into a Secure world and a Normal world (non-secure world). The secure world provides a trusted execution environment (TEE), running a trusted operating system (Trust OS) in the example, and the applications on it are trusted applications (TAs) that perform data processing requiring a higher security level. In embodiments of the invention this includes encryption and decryption of secret data, secure storage, signature/authentication processing for the edge device, and other processing of sensitive information, such as the data communication and transfer between the secure world and the non-secure world. Correspondingly, the non-secure world provides a rich execution environment (REE), a Linux system in the example, whose applications are client applications (CAs) that perform processing with a low security level or no security requirement, for example encryption and decryption, secure storage and signature/authentication for data with a low security level. Among the CAs, FOTA (Firmware Over-the-Air) upgrades the system firmware of the edge device; sub-device management and device monitoring manage the processing equipment connected to the edge device and monitor its operating state; secure communication handles link-level secure data transmission with the cloud; identity authentication performs identity authentication of the edge device by interacting with the cloud; and data processing covers the other processing that involves communication with the cloud and data transfer with the TAs of the secure world.
The product processing application that interfaces with the processing equipment is also installed in the non-secure world. It controls the processing equipment to carry out product processing according to the data and instructions issued by the manufacturing execution system. After secret data issued by the manufacturing execution system has undergone secret data processing in the secure world, only the processing result is provided to the corresponding product processing application to complete further product processing; the product processing application has no visibility into the decryption or the processing of the secret data, which increases the security of the secret data.
Fig. 3 is a schematic diagram of a secure communication mechanism for secret data according to an embodiment of the present invention. As shown in the figure, secret data from the cloud MES passes through a series of encryption and decryption steps, performed by applications in the non-secure world and the secure world of the edge device, before it is applied to production processing.
When the edge device runs for the first time, it generates an asymmetric key pair (RSA, an asymmetric encryption algorithm, in the example of the figure), stores the application private key in the secure world, and returns the application public key to the non-secure world, which sends it to the cloud MES. From then on, during production, the non-secure world can request secret data from the cloud MES. The scheme assumes that the MES receives the genuine application public key: a party able to substitute its own public key at this step would receive symmetric keys it can unwrap, so the public key should be delivered over the identity-authenticated, link-encrypted channel described with Fig. 4 below.
When the MES needs to issue secret data, it uses a random number generator to generate a symmetric key (AES, the Advanced Encryption Standard, in the example of the figure). It then encrypts the symmetric key with the application public key received from the edge device, and encrypts the secret data with the symmetric key to produce an encrypted data packet. Finally, it sends the encrypted data packet and the symmetric key encrypted with the application public key to the non-secure world of the edge device.
The edge device passes both items to the secure world. There, the symmetric key is recovered by decrypting with the application private key, the secret data is then recovered by decrypting with the symmetric key, and finally, according to the specific task to be executed, the TA application performs the corresponding processing and provides the result to the CA application in the non-secure world as needed. The result is data that has already been decrypted and processed; it may be non-secret data derived from the secret data, for example processing size information converted into processing instructions for the local equipment. In this system, interaction with the MES is carried out by the operating system or a CA application in the non-secure world: all data issued by the cloud MES first reaches the non-secure world, and then, through direct interaction between the CA application and the TA application or through interaction between the two operating systems, the data to be processed in the secure world is handed to the secure world for processing and the returned result is received. The symmetric key and the plaintext of the secret data are therefore exposed neither in network transmission nor in the non-secure world, and the secret data is effectively protected.
Further, as basic hardware security support, an SE (Secure Element) security chip is used as the security carrier that stores the device ID (identification information) of the edge device and the key used for identity authentication, preventing the device authentication information from being tampered with or counterfeited. In addition, based on the key securely stored in the SE chip, lightweight secure communication with the cloud can be established using iTLS (a lightweight transport layer security protocol for the Internet of Things) that is compatible with TLS (Transport Layer Security), greatly reducing the resource consumption of the IoT device while still ensuring secure communication.
Fig. 4 is a schematic diagram of an ID authentication mechanism for an edge device according to an embodiment of the present invention. Three parties participate in the authentication system: the cloud platform that provides the MES service, the provider of the SE security chip, and the edge device. The device ID and the key for identity authentication are issued by the cloud platform. As shown in the figure, the ID authentication center is the cloud platform's server that issues device IDs and authentication keys. Through an authentication service relationship with the SE chip provider's ID distribution center, the device IDs and keys are delivered to the chip provider and passed to its secure production line for filling, producing SE chips with the device ID and authentication key embedded, shown in the figure as the ID security carrier. Such an SE chip is embedded in an edge device in the processing plant for device identity authentication, and, as shown in Fig. 2, the content stored in the SE chip supports identity authentication for applications in both the REE and the TEE. Furthermore, the device ID and key can also be used for link-level encrypted communication between the edge device and the cloud MES.
For the identity authentication itself, an IoT application (a CA or TA application) on the edge device, relying on the ID security carrier, communicates with the ID authentication center through the IoT server in the cloud (the server running the cloud MES), and authentication proceeds in a challenge/response manner: the edge device initiates an authentication request to the ID authentication center with its device ID; the ID authentication center returns random data to the edge device; the edge device encrypts the random data with the key stored in the SE chip and returns the result to the ID authentication center for verification; and because both the device ID and the authentication key were issued by the ID authentication center, the center can verify the result and thereby authenticate the edge device.
In addition, for basic system security, the embodiment of the invention uses a processor chip that supports hardware secure boot as the processor of the edge gateway device. Under the Linux platform, trusted system protection builds a reliable chain of verification step by step, starting from the on-chip BootRom (boot read-only memory). Fig. 5 is a schematic flow chart of the start-up verification process of an edge device according to an embodiment of the present invention. The process comprises three stages overall. The first stage performs basic secure boot verification: the low-level system is started from BootRom, the Trust OS is started and verified through the Miniloader, and U-Boot (a boot loader for embedded systems) is started for further booting of the Linux system. The second stage boots and verifies the application operating system, a Linux system in this embodiment: U-Boot first determines whether the system should enter Recovery mode; if so, it runs the recovery.img file to recover the system, and if not, it boots and verifies the Linux system normally. The third stage checks the file system: after the application operating system has started, the file system is started from a Ramdisk (RAM disk) and verified, completing the boot and verification of the whole system and preventing it from being maliciously tampered with. This secure boot process corresponds to the underlying system security block in Fig. 2: secure boot corresponds to the first stage above, kernel verification to the verification of the application operating system, i.e. the second stage, and file system protection to the third stage.
In addition, the JTAG (Joint Test Action Group) debug interface, which gives access to the circuitry inside the chip, is protected.
In addition, in the REE part of Fig. 2, on the device-monitoring side a CA application can collect the operating conditions of the edge device and the processing equipment and report them to a cloud security operations platform. The platform generates a security baseline and protection policy from observed behaviour, identifies and blocks abnormal behaviour outside the baseline (including network behaviour, process behaviour and system objects), and thereby improves risk identification and handling. It can also detect security vulnerabilities in the device and provide corresponding remediation measures and recommendations to prevent threat intrusion.
Through this combined software and hardware security mechanism, the edge device achieves effective data security isolation, so that secret data is processed in a secure environment, the protection of secret data is improved, and security risks such as tampering with or attacks on the system of the edge device are prevented.
Fig. 6 is a schematic flow chart of a data processing method for an edge device according to an embodiment of the present invention. The method may be applied on the edge device side to provide secure processing of secret data, and may comprise:
S101: Acquire an encrypted data packet issued by the manufacturing execution system together with a first key encrypted with a public key, where the encrypted data packet contains secret data for processing products, encrypted with the first key. The first key here corresponds to the AES key in Fig. 3 and is generated by the cloud MES. The encrypted data packet and the encrypted first key issued by the cloud MES first reach the non-secure world of the edge device, which then forwards the received data to the secure world of the edge device for further processing. For the division into a secure world and a non-secure world and the functions performed by each part, refer to the description of Figs. 2 and 3 above. The edge device generates the public key and the private key in advance: the public key is sent to the cloud MES to encrypt the first key, and the private key is stored in the secure world of the edge device and used to decrypt the encrypted first key.
S102: In the secure world of the edge device, decrypt the encrypted first key with the private key corresponding to the public key, and decrypt the encrypted data packet with the recovered first key to obtain the secret data. Data transfer between the secure world and the non-secure world may be implemented through interaction between a TA application in the secure world and a CA application in the non-secure world, or through interaction between the operating systems of the two worlds; for examples of the operating systems and applications, refer to the description of Fig. 2 above. Because of the isolation between the secure world and the non-secure world, decryption and processing of the secret data take place in the secure world, which has the higher security level, so the secret data is not exposed.
S103: Perform secret data processing on the secret data, and send the processing result to the product processing application in the non-secure world of the edge device that interfaces with the processing equipment, so that product processing can be carried out. As described above, performing the processing of the secret data in the secure world of the edge device effectively prevents data exposure. Accordingly, the application that needs to process the secret data is installed in the secure world as a TA application, so that the processing is completed in the environment with the higher security level and only the processing result is transmitted to a CA application in the non-secure world. The processing result is data that has already been decrypted, and may be non-secret data obtained from the processing, which the CA application can then process further. The CA applications may include the product processing application that interfaces with the processing equipment and controls it to perform product processing according to the data and instructions issued by the manufacturing execution system. After secret data issued by the manufacturing execution system has been processed in the secure world, the processing result is provided only to the corresponding product processing application to complete further product processing; the product processing application learns nothing about the decryption and processing of the secret data, which increases the security of the secret data.
It should be noted that in embodiments of the present invention what counts as secret data may be determined according to actual needs, and the TA applications and CA applications configured in the secure world and the non-secure world may be adjusted accordingly.
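The exchange of Fig. 3 and steps S101 to S103, modelled end to end as an added example (this is not code from the patent or from Alibaba): the cloud side draws a fresh AES key, wraps it under the device's RSA application public key and encrypts the secret data with it; the secure-world side unwraps the key and decrypts the packet. RSA-OAEP for the key wrap, AES-256-GCM for the data packet, and all type and function names are assumptions of the example; the patent specifies only RSA and AES. GCM is chosen because it also authenticates the packet, so an envelope modified in transit or in the non-secure world is rejected before any secret processing runs, a check the patent's description leaves implicit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the cloud MES hands to the non-secure world of the edge
// device. It carries only ciphertext: the first (AES) key wrapped under the
// application public key, plus the nonce and AES-GCM output for the secret data.
type Envelope struct {
	WrappedKey []byte // first key, RSA-OAEP encrypted with the application public key
	Nonce      []byte // AES-GCM nonce; GCM is an assumption, the patent only says AES
	Ciphertext []byte // secret data encrypted under the first key, GCM tag appended
}

// SecureWorld models the TA side. It holds the application private key and
// never hands the private key or the unwrapped first key to the caller.
type SecureWorld struct{ priv *rsa.PrivateKey }

// NewSecureWorld models first run: the key pair is generated inside the TEE and
// only the public half is returned to the non-secure world for forwarding.
func NewSecureWorld() (*SecureWorld, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &SecureWorld{priv: priv}, &priv.PublicKey, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MESSeal models the cloud side: draw a fresh random symmetric key, wrap it with
// the device's application public key, and encrypt the secret data under it.
func MESSeal(pub *rsa.PublicKey, secret []byte) (Envelope, error) {
	key := make([]byte, 32) // AES-256; the patent does not fix a key length
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, secret, nil)}, nil
}

// Open is the secure-world half (steps S102/S103): unwrap the first key with the
// application private key, then decrypt and authenticate the data packet. A
// modified packet fails the GCM tag check before any secret processing runs.
func (sw *SecureWorld) Open(env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sw.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("first key unwrap failed")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("data packet authentication failed")
	}
	return plain, nil
}

func main() {
	sw, pub, err := NewSecureWorld()
	if err != nil {
		panic(err)
	}
	secret := []byte("part=A17;width_mm=120.0;tolerance_mm=0.05") // constructed sample
	env, _ := MESSeal(pub, secret)
	plain, err := sw.Open(env) // the non-secure world forwards env unchanged
	fmt.Printf("secure world recovered %q, err=%v\n", plain, err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = sw.Open(env)
	fmt.Println("tampered packet:", err)
}
```

Run as is, the program prints the recovered plaintext and then the error for a packet with one flipped bit. The non-secure world only ever holds the Envelope, none of whose fields is plaintext; what it gets back from the TA is the processing result, never the secret or the first key.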
In addition, the embodiment of the invention also provides a secure boot verification process for the edge device, comprising the following steps:
S201: Start the root boot program, and boot and verify the trusted operating system corresponding to the secure world. The root boot program can be started from BootRom, and the verification checks whether the trusted operating system in the secure world has been tampered with or carries other security risks.
S202: Boot and verify the application operating system of the non-secure world and perform the system check. After the trusted operating system has been booted and verified, the process proceeds to boot and verify the application operating system in the non-secure world, which can be started by U-Boot.
S203: Boot and verify the file system. After the application operating system has started, the file system can be started from the Ramdisk and its security check performed.
After the three stages of system boot and verification are complete, the CA applications and TA applications on the edge device can execute their various transactions normally. For a detailed technical description of the system boot verification, refer to the description of the example shown in Fig. 5 above.
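The three-stage chain of Fig. 5 and steps S201 to S203, as an added example that is not code from the patent or from the chip vendor: each stage image is checked against a root public key held by the chip before control passes to it, and boot halts at the first failure, so a tampered kernel is caught by U-Boot while the stages before it still run. Ed25519 signatures over a SHA-256 digest, the binding of the stage name into the signed digest, and the image names are assumptions of the example; the patent does not name the verification scheme. Binding the name is the one addition worth noting: without it a genuinely signed image for one stage could be dropped into another stage's slot and still verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is one boot stage as stored in flash: its role, its bytes, and the
// signature the vendor made at build time. Ed25519 over SHA-256 is an
// assumption; the patent does not name the signature scheme.
type Image struct {
	Name string // "miniloader", "trust_os", "uboot", "linux", "ramdisk"
	Data []byte
	Sig  []byte
}

// digest binds the stage role to the content, so a validly signed image for
// one stage cannot be dropped into another stage's slot.
func digest(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(data)
	return h.Sum(nil)
}

// SignImage is the vendor-side step; the private key never reaches the device.
func SignImage(priv ed25519.PrivateKey, name string, data []byte) Image {
	return Image{Name: name, Data: data, Sig: ed25519.Sign(priv, digest(name, data))}
}

// VerifyBootChain is what BootRom, Miniloader and U-Boot do in turn: check the
// next image against the root public key held in the chip before running it.
// It returns the stages that passed, in order, and an error naming the first
// stage that failed; boot halts there, so nothing after it executes.
func VerifyBootChain(rootPub ed25519.PublicKey, chain []Image) ([]string, error) {
	passed := []string{}
	for _, img := range chain {
		if !ed25519.Verify(rootPub, digest(img.Name, img.Data), img.Sig) {
			return passed, fmt.Errorf("boot halted at %q: signature verification failed", img.Name)
		}
		passed = append(passed, img.Name)
	}
	return passed, nil
}

// BuildChain signs a five-stage chain of constructed image bytes, in the order
// the patent boots them: Miniloader, Trust OS, U-Boot, Linux, Ramdisk.
func BuildChain(priv ed25519.PrivateKey) []Image {
	return []Image{
		SignImage(priv, "miniloader", []byte("constructed miniloader bytes")),
		SignImage(priv, "trust_os", []byte("constructed Trust OS image")),
		SignImage(priv, "uboot", []byte("constructed U-Boot image")),
		SignImage(priv, "linux", []byte("constructed Linux kernel image")),
		SignImage(priv, "ramdisk", []byte("constructed ramdisk file system image")),
	}
}

func main() {
	rootPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chain := BuildChain(vendorPriv)
	fmt.Println(VerifyBootChain(rootPub, chain))

	// Tamper with the kernel in flash: Miniloader, Trust OS and U-Boot still
	// pass, and U-Boot refuses to start Linux.
	chain[3].Data = append([]byte("x"), chain[3].Data...)
	fmt.Println(VerifyBootChain(rootPub, chain))
}
```

The Recovery-mode branch of the second stage is not modelled; a recovery.img would be one more signed Image checked the same way before U-Boot runs it.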
In addition, a security chip may be provided on the edge device, with the device ID and the key for identity authentication stored in it. Correspondingly, the method of the embodiment may further comprise: using the device ID and the authentication key to carry out the interaction that authenticates the identity of the edge device with the manufacturing execution system, and/or to carry out link-level encrypted communication. As described above with reference to Fig. 4, by storing the device ID and the authentication key in the SE security chip, the identity of the edge device can be verified with the cloud ID authentication center in a challenge/response manner, and the device ID and authentication key can additionally be used for link-level encrypted communication.
According to the data processing method for the edge device, the edge device is divided into a secure world and a non-secure world, and this is combined with the two-layer encryption of the key and the secret data between the edge device and the cloud manufacturing execution system, so that the processing of secret data is effectively isolated and the risk of its leakage is reduced.
Fig. 7 is a schematic structural diagram of a data processing apparatus of an edge device according to an embodiment of the present invention. The apparatus may be deployed on the edge device side to provide secure processing of secret data, and may include:
The data obtaining module 11 is configured to obtain an encrypted data packet sent by the manufacturing execution system and a first key encrypted using a public key, where the encrypted data packet includes secret data for product processing encrypted using the first key. The first key referred to here corresponds to the AES key in fig. 3, which is generated by the MES system in the cloud. The encrypted data packet and the encrypted first key issued by the cloud MES system first reach the non-secure world of the edge device, which then sends the received data to the secure world of the edge device for further processing. For the division between the secure world and the non-secure world and the functions performed by each part, refer to the earlier description of figs. 2 and 3. The edge device may generate a public key and a private key in advance, where the public key is sent to the cloud MES system to encrypt the first key, and the private key is stored in the secure world of the edge device and used to decrypt the encrypted first key.
The decryption processing module 12 is configured to decrypt, in the secure world of the edge device, the encrypted first key using the private key corresponding to the public key, and to decrypt the encrypted data packet using the first key obtained by decryption, thereby obtaining the secret data. Data transfer between the secure world and the non-secure world may be achieved through the interaction of a TA application provided in the secure world with a CA application provided in the non-secure world, or through the interaction of the operating systems of the secure world and the non-secure world; for the operating systems and applications, refer to the earlier example of fig. 2. Through the isolating division of the secure world and the non-secure world, decryption and data processing of the secret data are performed in the secure world, which has the higher security level, so that the risk of exposing the secret data is avoided.
The secret processing module 13 is configured to perform secret data processing on the secret data and to send the processing result to a product processing application in the non-secure world of the edge device that interfaces with the processing device, so that product processing can be carried out. As described above, performing the data processing on the secret data in the secure world of the edge device effectively prevents data exposure; accordingly, the application that needs to process the secret data is installed in the secure world as a TA application, so that the processing is completed in the environment with the higher security level, and the processing result is transmitted to the CA application in the non-secure world of the edge device. The processing result is data that has already been decrypted, and may be the non-secret data obtained after the data processing has been performed, which the CA application can then process further. The CA application may include a product processing application that interfaces with the processing device and is configured to control the processing device to perform product processing according to the data and instructions issued by the manufacturing execution system. After the secret data issued by the manufacturing execution system has been processed in the secure world, the processing result is provided only to the corresponding product processing application to complete the further product processing; the decryption and data processing of the secret data remain unknown to the product processing application, which increases the security of the secret data.
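The two-layer scheme carried out by modules 11 to 13, written out as an added Go example (not code from the patent): the cloud MES seals the secret data under a fresh AES-GCM first key and wraps that key with the device's RSA-OAEP public key; only the secure world, which holds the private key, can unwrap the key, open the packet and hand the non-secret processing result back to the CA. The patent names no algorithms, packet layout or processing step, so AES-256-GCM, RSA-OAEP, the EncryptedPacket layout, the "<batch id>|<recipe>" secret format and the batch/start instruction are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// EncryptedPacket is the constructed wire format: secret data sealed under the
// first (AES) key, plus that key wrapped with the edge device's public key.
type EncryptedPacket struct {
	WrappedKey []byte // first key, RSA-OAEP encrypted to the device public key
	Nonce      []byte // AES-GCM nonce, fresh per packet
	Ciphertext []byte // secret product-processing data under the first key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MESEncrypt plays the cloud MES: generate the first key, seal the secret data
// with it, then wrap the key so only the device's secure world can recover it.
func MESEncrypt(devicePub *rsa.PublicKey, secret []byte) (*EncryptedPacket, error) {
	buf := make([]byte, 44) // 32-byte AES-256 first key + 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedPacket{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, secret, nil)}, nil
}

// SecureWorld stands in for the TEE: the private key is held only here. The CA
// in the non-secure world relays a packet in and sees only the returned result.
type SecureWorld struct{ priv *rsa.PrivateKey }

// TAProcess is the TA side of modules 12 and 13: unwrap the first key, open the
// packet (rejecting tampering), run the secret processing, return the result.
func (s *SecureWorld) TAProcess(p *EncryptedPacket) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, p.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("first key unwrap failed: wrong device or corrupted key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	secret, err := gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("packet rejected: authentication tag mismatch")
	}
	// Hypothetical secret processing over the constructed layout "<batch id>|<recipe>":
	// the recipe never leaves the secure world; only batch id + instruction go to the CA.
	batch, _, _ := strings.Cut(string(secret), "|")
	return []byte("batch=" + batch + ";action=start"), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // device key pair, generated in advance
	pkt, _ := MESEncrypt(&priv.PublicKey, []byte("B42|formula=CONFIDENTIAL"))
	result, err := (&SecureWorld{priv: priv}).TAProcess(pkt)
	fmt.Println(string(result), err) // batch=B42;action=start <nil>
}
```

Because the packet is authenticated, a ciphertext altered while it sits in the non-secure world, or a packet wrapped to a different device's public key, is rejected inside TAProcess instead of being processed.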
It should be noted that, in the embodiment of the present invention, the definition of secret data may be determined according to actual needs, and accordingly the TA applications and CA applications configured in the secure world and the non-secure world may also be adjusted according to actual needs. In addition, the embodiment of the present invention may further include a module for performing the secure start detection of the edge device, and a module for performing the interactive process of authenticating the identity of the edge device with the manufacturing execution system and/or performing link-level encrypted communication based on the device ID and the authentication key stored in the secure chip.
The above detailed description of the processing procedure, the detailed description of the technical principle and the detailed analysis of the technical effect are described in the foregoing embodiments, and are not repeated herein.
According to the data processing apparatus of the edge device, the secure world and the non-secure world are divided within the edge device, and, combined with the double-layer encryption mechanism applied to the secret key and the secret data between the data processing apparatus and the manufacturing execution system of the cloud, security isolation of the secret data processing can be realized effectively, so that the leakage risk of the secret data is reduced.
In addition, the technical solution of the embodiment of the present invention can be applied to security surveillance scenarios. The edge device can be placed in an area needing security protection and connected to a plurality of IoT devices with image capture functions, such as cameras. Because security surveillance involves a great deal of secret data, such as privacy data, the data can be encrypted in the secure world and then transmitted to the cloud or stored on a local server or the like; alternatively, the secret data can be encrypted in the secure world and stored there, and, when an actual security requirement arises, decrypted in the secure world or further processed and then sent to the non-secure world. On the other hand, secret information issued by the cloud security processing platform can be delivered to the edge device in the same way as the method described above, using multiple encryption, with decryption and secret data processing performed in the secure world of the edge device, so that the secret information is isolated from the external environment and the leakage risk is avoided.
The foregoing embodiments describe the processing flow and apparatus structure of the data processing method of the edge device. The functions of the foregoing methods and apparatuses may be implemented by an electronic device; fig. 8 is a schematic structural diagram of the electronic device according to the embodiment of the present invention, which specifically includes: a memory 110 and a processor 120.
A memory 110 for storing a program.
In addition to the programs described above, the memory 110 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on the electronic device, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 110 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The processor 120 is coupled to the memory 110 and is configured to execute the program in the memory 110 to perform the operation steps of the data processing method of the edge device described in the foregoing embodiment.
Further, the processor 120 may also include the various modules described in the foregoing embodiments to perform the data processing of the edge device, and the memory 110 may be used, for example, to store the data required for the modules to perform their operations and/or the data they output.
The above detailed description of the processing procedure, the detailed description of the technical principle and the detailed analysis of the technical effect are described in the foregoing embodiments, and are not repeated herein.
Further, as shown in the figure, the electronic device may further include: a communication component 130, a power supply component 140, an audio component 150, a display 160, and other components. The figure shows only some of the components schematically, which does not mean that the electronic device comprises only the components shown.
The communication component 130 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, 2G, 3G, 4G/LTE, 5G, another mobile communication network, or a combination thereof. In one exemplary embodiment, the communication component 130 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 130 further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply component 140 provides power to the various components of the electronic device. The power supply component 140 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the electronic device.
The audio component 150 is configured to output and/or input audio signals. For example, the audio component 150 includes a microphone (MIC) configured to receive external audio signals when the electronic device is in an operational mode, such as a call mode, a recording mode, or a voice recognition mode. The received audio signals may be further stored in the memory 110 or transmitted via the communication component 130. In some embodiments, the audio component 150 further includes a speaker for outputting audio signals.
The display 160 includes a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer-readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (8)

1. A data processing method of an edge device, comprising:
acquiring an encrypted data packet issued by a manufacturing execution system and a first key encrypted using a public key, wherein the encrypted data packet comprises secret data for product processing encrypted using the first key;
in the secure world of the edge device, decrypting the encrypted first key using a private key corresponding to the public key, and decrypting the encrypted data packet using the first key obtained by decryption, to obtain the secret data;
performing secret data processing on the secret data and transmitting the processing result to a product processing application in the non-secure world of the edge device that interfaces with the processing device, so as to perform product processing,
wherein the performing secret data processing on the secret data comprises:
according to the specific task to be executed, executing the corresponding processing in the secure world by the TA application, and providing the processing result to the CA application in the non-secure world as needed, the processing result being the data obtained by processing the already-decrypted data.
2. The method of claim 1, wherein obtaining the encrypted data packet issued by the manufacturing execution system and the first key encrypted using the public key comprises:
the non-secure world of the edge device receives the encrypted data packet and the encrypted first key issued by the manufacturing execution system and sends the encrypted data packet and the encrypted first key to the secure world of the edge device.
3. The method of claim 1, wherein the public key and private key are generated for an edge device, the public key being sent in advance to the manufacturing execution system, the private key being stored in the secure world.
4. The method of claim 1, further comprising performing the following security checks upon start-up of the edge device:
starting a root bootstrap program, and starting and checking a trusted operating system corresponding to the secure world;
starting and checking the application operating system of the non-secure world and performing a system check;
and starting and checking the file operating system.
5. The method of claim 1, wherein a security chip is provided in the edge device, in which a device ID and a key for authentication are stored, the method further comprising:
and performing, with the manufacturing execution system, the interactive process of authenticating the identity of the edge device and/or link-level encrypted communication using the device ID and the key for authentication.
6. A data processing apparatus of an edge device, comprising:
a data acquisition module, configured to acquire an encrypted data packet issued by a manufacturing execution system and a first key encrypted using a public key, wherein the encrypted data packet comprises secret data for product processing encrypted using the first key;
a decryption processing module, configured to decrypt, in the secure world of the edge device, the encrypted first key using a private key corresponding to the public key, and to decrypt the encrypted data packet using the first key obtained by decryption, so as to obtain the secret data;
a secret processing module, configured to perform secret data processing on the secret data and send the processing result to a product processing application in the non-secure world of the edge device that interfaces with the processing device, so as to perform product processing,
wherein the performing secret data processing on the secret data comprises:
according to the specific task to be executed, executing the corresponding processing in the secure world by the TA application, and providing the processing result to the CA application in the non-secure world as needed, the processing result being the data obtained by processing the already-decrypted data.
7. The apparatus of claim 6, wherein obtaining the encrypted data packet issued by the manufacturing execution system and the first key encrypted using the public key comprises:
the non-secure world of the edge device receives the encrypted data packet and the encrypted first key issued by the manufacturing execution system and sends the encrypted data packet and the encrypted first key to the secure world of the edge device.
8. An electronic device, comprising:
a memory for storing a program;
a processor for executing the program stored in the memory to perform the data processing method of the edge device according to any one of claims 1 to 5.
Application CN202110529708.6A, priority date 2021-05-14, filing date 2021-05-14: Data processing method and device of edge equipment and electronic equipment. Status: Active.

Publications (2)

Publication Number    Publication Date
CN113472737A (en)     2021-10-01
CN113472737B (en)     2023-05-02

Legal Events

Code    Title
PB01    Publication
SE01    Entry into force of request for substantive examination
GR01    Patent grant