CN115776405A - Embedded equipment terminal safety protection method, device and system for smart power grid - Google Patents


Info

Publication number: CN115776405A
Authority: CN (China)
Prior art keywords: data, application program, security, trusted, identity
Legal status: Pending
Application number: CN202211503439.7A
Other languages: Chinese (zh)
Inventors: 张亚超, 雷雨, 蒙永苹, 张明媚, 欧睿, 熊伟, 周宇晴, 欧林, 李德智, 甘潼临, 黄飞, 曾治强, 魏甦
Current assignee: Qijiang Power Supply Branch Of State Grid Chongqing Electric Power Co; State Grid Chongqing Electric Power Co Ltd
Original assignee: Qijiang Power Supply Branch Of State Grid Chongqing Electric Power Co
Application filed by: Qijiang Power Supply Branch Of State Grid Chongqing Electric Power Co

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a smart-grid-oriented embedded device terminal security protection method, device and system. They adopt an all-round trustworthiness measurement and security protection scheme characterized by a dual-system architecture and a star-type trust architecture. The scheme comprises a threat model, which assumes that an attacker of an Internet of Things terminal can obtain relevant information about the attack target in the manner set out in the description; an overall scheme framework, whose core idea is to construct a trusted software base on a TF card and to realize the identity verification, integrity verification and data storage functions of that trusted software base through the encryption and decryption algorithm service inside the TF card; and a TF-card-based signature verification, whose main function is to distinguish different application programs, the signature containing the identity information of the APP developer. The method is suitable for detecting illegal application packages on smart grid terminal devices, is capable of resisting malicious programs, protects key data from theft, and realizes security protection in the 'object-object' (device-to-device) interconnection scenario of the smart grid.

Description

Embedded equipment terminal safety protection method, device and system for smart power grid
Technical Field
The invention relates to the technical field of smart power grids, and in particular to a method, device and system for protecting the security of smart-grid-oriented embedded device terminals.
Background
A smart grid is characterized by open sharing, with many distributed devices coordinated, optimized and controlled together. China currently promotes the construction of secure and intelligent smart grids so as to meet global power demand as intelligently and efficiently as possible. However, as the smart grid grows in scale, a large number of Internet of Things devices are connected to it; because data volumes keep accumulating in the big-data era, confidential information and sensitive data keep increasing, and most terminal devices need an operating system to complete correspondingly complex work.
Compared with the traditional Internet, the security mechanisms of the smart grid are not yet mature, and terminal devices, as important participants in the smart grid, are gradually becoming a new focus of attackers.
Disclosure of Invention
The invention provides a method, device and system for protecting the security of a smart-grid-oriented embedded device terminal, in order to solve, or at least partly solve, the technical problem that embedded device terminals in the prior art are insufficiently protected.
To solve this technical problem, a first aspect of the invention provides a smart-grid-oriented embedded device terminal security protection method, comprising:
establishing a trusted software base based on a TF card, wherein the TF card serves as the security hardware, an encryption and decryption algorithm engine built into the TF card encrypts and decrypts data, and the trusted software base serves as the security module and is provided with a trusted reference library;
and reading and writing the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
In one embodiment, reading the data of each security application in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when a security application reads data, calling the middle-layer driver, which sends a data read request carrying the identity identifier of the security application to the security module;
the security module checks the validity of the data read request sent by the security application, and verifies the application's identity by comparing its identity identifier with the identity information stored in the trusted reference library;
if both the validity check and the identity verification pass, it checks whether a data record corresponding to the read request exists; if so, it takes the data of that record, which is stored in encrypted form, from the target location of the security hardware and passes the application's identity identifier together with the encrypted data to the security hardware; the security hardware fetches from the storage device the key that decrypts the data (this key is itself stored in encrypted form), the encryption and decryption algorithm engine decrypts the encrypted key to recover the original key, the original key is used to decrypt the encrypted data, and the decrypted data is returned to the security application.
In one embodiment, writing the data of each security application in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when a security application requests to write data, calling the middle-layer driver to send a data write request, which carries the identity identifier of the security application and the data to be written;
the middle-layer driver authenticates the security application based on the identity identifier; once authentication passes, the encryption and decryption algorithm engine is called, and the data to be written is encrypted inside the security hardware hosting the engine and returned to the middle-layer driver;
and the middle-layer driver stores the encrypted data to be written in the storage device.
In one embodiment, the method further comprises performing an integrity check on the embedded device terminal based on the TF card, comprising:
signing each APK file in the embedded device terminal to generate signature information;
and comparing the generated signature information against the trusted reference library to measure the legitimate identity of the security application or APK and the integrity of the file.
In one embodiment, the method further comprises verifying the signature of the embedded device terminal by setting a trusted white list.
Based on the same inventive concept, a second aspect of the invention provides a smart-grid-oriented embedded device terminal security protection device, comprising:
a trusted software base construction module, used to construct a trusted software base based on the TF card, wherein the TF card serves as the security hardware, an encryption and decryption algorithm engine built into the TF card encrypts and decrypts data, and the trusted software base serves as the security module and is provided with a trusted reference library;
and a data interaction module, used to read and write the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
In one embodiment, the device further comprises an integrity check module configured to:
sign each APK file in the embedded device terminal to generate signature information;
and compare the generated signature information against the trusted reference library to measure the legitimate identity of the security application or APK and the integrity of the file.
In one embodiment, the device further comprises a signature verification module configured to verify the signature of the embedded device terminal by setting a trusted white list.
Based on the same inventive concept, a third aspect of the invention provides a smart-grid-oriented embedded device terminal security protection system, comprising the smart-grid-oriented embedded device terminal security protection device described in the second aspect, and the embedded device terminal.
Compared with the prior art, the invention has the following advantages and beneficial technical effects:
The invention provides a security protection method for smart-grid-oriented embedded device terminals which constructs a trusted software base on a TF card and reads and writes the data of each security application in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine. This strengthens the security of device terminals in the smart grid: with the TF card as the trusted hardware platform, all kinds of malicious operations can be isolated and the system is guaranteed to remain in a trusted state at all times; illegal application packages on smart grid terminal devices can be detected effectively, malicious programs can be resisted, key data is protected from theft, and security protection in the 'object-object' interconnection scenario of the smart grid is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 shows the overall scheme framework in an embodiment of the invention;
FIG. 2 is a flow chart of APK verification in an embodiment of the invention.
Detailed Description
The invention provides a security protection method for smart-grid embedded device terminals: an all-round trustworthiness measurement and security protection scheme characterized by a dual-system architecture and a star-type trust architecture. The dual-system architecture refers to the Trusted Computing 3.0 dual-system architecture running on the embedded mobile terminal, in which security and trust are achieved in a chip; the star-type trust architecture refers to a star-shaped trust chain established from the on-chip memory storage area up to the upper-layer embedded operating system. The security protection scheme comprises three parts: a threat model, an overall scheme framework, and TF-card-based Android signature verification. 1) The threat model assumes that an attacker of an Internet of Things terminal can obtain relevant information about the attack target, such as the system version number of the target device, the list of applications installed on the system and the device user's application usage preferences, in the ways described below. 2) The core idea of the overall scheme framework is to construct a trusted software base on a TF card and to realize its identity verification, integrity verification and data storage functions through the encryption and decryption algorithm services in the TF card. 3) The main function of TF-card-based Android signature verification is to distinguish different application programs; the signature contains the identity information of the APP developer. The method is suitable for detecting illegal application packages on smart grid terminal devices, is capable of resisting malicious programs, protects key data from theft, and realizes security protection in the 'object-object' interconnection scenario of the smart grid.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The embodiment of the invention provides a smart-grid-oriented embedded device terminal security protection method, comprising the following steps:
establishing a trusted software base based on a TF card, wherein the TF card serves as the security hardware, an encryption and decryption algorithm engine built into the TF card encrypts and decrypts data, and the trusted software base serves as the security module and is provided with a trusted reference library;
and reading and writing the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
Please refer to FIG. 1, which shows the overall scheme framework of an embodiment of the invention; the embedded device terminal here is an Android terminal device. Android terminal devices are typical mobile terminal devices in the smart grid, and guaranteeing the security of embedded terminal devices is an important cornerstone of current smart grid security protection.
The security protection method is an all-round trustworthiness measurement and security protection scheme characterized by a dual-system architecture and a star-type trust architecture. It comprises a threat model, which assumes that an attacker of an Internet of Things terminal can obtain relevant information about the attack target in the ways described below, such as the system version number of the target device, the list of applications installed on the system and the device user's application usage preferences; an overall scheme framework, whose core idea is to construct a trusted software base on a TF card and to realize its identity verification, integrity verification and data storage functions through the encryption and decryption algorithm service in the TF card; and TF-card-based signature verification, whose main function is to distinguish different application programs, the signature containing the identity information of the APP developer. The method is suitable for detecting illegal application packages on smart grid terminal devices, is capable of resisting malicious programs, protects key data from theft, and realizes security protection in the 'object-object' interconnection scenario of the smart grid.
The threat model and overall scenario framework are described below:
1. Threat model
An attacker intruding into the embedded terminal devices of the energy Internet of Things may strike either while a user is operating the device or while the device is unattended. The invention assumes that an attacker of an Internet of Things terminal can obtain relevant information about the attack target, such as the system version number of the target device, the list of applications installed on the system and the device user's application usage preferences. Based on this known information the attacker works out an intrusion plan and a matching malicious program. The intrusion may take the form of directly transmitting the installation package of a malicious program; providing a phishing link that tricks the user into downloading a malicious program, or disguising it as a normal APK installation package or upgrade package that reaches the target device indirectly and waits for the user to trigger installation; infecting the target device via removable storage; intercepting data inside the target system or uploaded by it; and so on. The attacker's goal is to steal important data or install malicious software on the target terminal device, then use the implanted malicious APP as a foothold to develop further attacks, escalate privileges, steal information, paralyze the target system and infect more targets, thereby obstructing the normal and stable operation of the smart grid and causing incidents during grid operation.
2. Overall scheme framework
The start-up process of the mobile terminal in the smart grid must be strictly controlled. After the mobile terminal is powered on, the boot program starts the embedded system. Code with a measurement function is designed into the boot program and placed at the very front of the kernel code; the corresponding measurement values are stored together with the trusted security hardware and serve as the starting point of the whole trust chain. With this trust root as the base, the Kernel is measured for trustworthiness by IMA measurement and the result is judged; if the Kernel is safe and trusted, control is handed over to it. The Kernel then becomes the next node of the trust chain: starting from the Kernel, the trusted module and the layer applications in the system middle layer are measured further, again by IMA measurement, giving a complete trust chain from the boot program to user-mode application programs. The trusted module in the system middle layer mainly refers to the Trusted Software Stack (TSS), i.e. the supporting software on a trusted computing platform, and the layer applications refer to system and network applications attached to the system middle layer, such as antivirus software and firewalls, as distinct from upper-layer applications.
It should be noted that the invention adopts the IMA integrity measurement mode to perform trusted measurement on the Kernel. After the trusted measurement of the Kernel code passes, the Kernel is taken as the second level of the trust chain, and subsequent measurements still use the IMA mode. The trusted module mainly refers to the TSS trusted software stack, and the layer applications mainly refer to system applications and network applications lying between the bottom layer and the application layer.
In one embodiment, reading the data of each security application in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when a security application reads data, calling the middle-layer driver, which sends a data read request carrying the identity identifier of the security application to the security module;
the security module checks the validity of the data read request sent by the security application, and verifies the application's identity by comparing its identity identifier with the identity information stored in the trusted reference library;
if both the validity check and the identity verification pass, it checks whether a data record corresponding to the read request exists; if so, it takes the data of that record, which is stored in encrypted form, from the target location of the security hardware and passes the application's identity identifier together with the encrypted data to the security hardware; the security hardware fetches from the storage device the key that decrypts the data (this key is itself stored in encrypted form), the encryption and decryption algorithm engine decrypts the encrypted key to recover the original key, the original key is used to decrypt the encrypted data, and the decrypted data is returned to the security application.
In a specific implementation, the target location of the security hardware is the data storage area of the security hardware, which holds the data requested by application programs; the storage device holds various data, including the encrypted application key (i.e. the key used to decrypt the data requested by the application).
In one embodiment, writing the data of each security application in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when a security application requests to write data, calling the middle-layer driver to send a data write request, which carries the identity identifier of the security application and the data to be written;
the middle-layer driver authenticates the security application based on the identity identifier; once authentication passes, the encryption and decryption algorithm engine is called, and the data to be written is encrypted inside the security hardware hosting the engine and returned to the middle-layer driver;
and the middle-layer driver stores the encrypted data to be written in the storage device.
The above describes how an application writes its data to the storage device. In this way the data held in the storage device is always in an encrypted state, so plaintext data cannot easily be obtained from it.
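The read and write paths above, as an added worked example that is not part of the patent: a Go model of the security module in which application identities are checked against a trusted reference library, per-application keys exist only in wrapped (encrypted) form, and the storage device never sees plaintext. The patent names no cipher, so AES-256-GCM stands in for the TF card's engine; the application identifiers and data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte { // key or nonce material; CSPRNG failure is fatal
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm stands in for the TF card's engine; AES-256-GCM is an assumption (the patent names no cipher).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts with a fresh nonce prepended; aad binds ciphertext to its owner.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal and rejects truncated, tampered or mis-owned input.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// SecurityModule models the trusted software base; app keys exist only wrapped and storage holds only ciphertext.
type SecurityModule struct {
	master  []byte
	library map[string][]byte // trusted reference library: app ID -> wrapped key
	storage map[string][]byte // storage device: encrypted records, keyed by appID/record
}

func NewSecurityModule() *SecurityModule {
	return &SecurityModule{master: randBytes(32), library: map[string][]byte{}, storage: map[string][]byte{}}
}

// Register enrols an application identity and provisions its wrapped key.
func (m *SecurityModule) Register(appID string) {
	m.library[appID] = seal(m.master, randBytes(32), []byte(appID))
}

// appKey is the identity-verification step; a known ID's key is unwrapped by the engine.
func (m *SecurityModule) appKey(appID string) ([]byte, error) {
	w, ok := m.library[appID]
	if !ok {
		return nil, errors.New("identity verification failed: " + appID)
	}
	return open(m.master, w, []byte(appID))
}

// Write: verify identity, encrypt inside the engine, store ciphertext only.
func (m *SecurityModule) Write(appID, record string, data []byte) error {
	key, err := m.appKey(appID)
	if err != nil {
		return err
	}
	m.storage[appID+"/"+record] = seal(key, data, []byte(appID+"/"+record))
	return nil
}

// Read: verify identity, check the record exists, unwrap the key, decrypt.
func (m *SecurityModule) Read(appID, record string) ([]byte, error) {
	key, err := m.appKey(appID)
	if err != nil {
		return nil, err
	}
	ct, ok := m.storage[appID+"/"+record]
	if !ok {
		return nil, errors.New("no data record for request")
	}
	return open(key, ct, []byte(appID+"/"+record))
}

func main() {
	m := NewSecurityModule()
	m.Register("com.example.meter") // constructed application identity
	_ = m.Write("com.example.meter", "cfg", []byte("constructed secret"))
	got, err := m.Read("com.example.meter", "cfg")
	fmt.Println(string(got), err)
}
```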
In one embodiment, the method further comprises performing an integrity check on the embedded device terminal based on the TF card, comprising:
signing each APK file in the embedded device terminal to generate signature information;
and comparing the generated signature information against the trusted reference library to measure the legitimate identity of the security application or APK and the integrity of the file.
Specifically, the core idea of the security design of the invention is to construct a trusted software base on a TF card and to realize its identity verification and authentication, integrity verification and data storage functions through the encryption and decryption algorithm services in the TF card. Identity verification and integrity verification are realized by checking the newly generated signature: the system signs each Android APK file, and the integrity verification module in the TF card compares the signature information, thereby measuring the legitimate identity and file integrity of the application or APK in the system. Encrypted data storage takes the form of the trusted reference library, which is used mainly to store the measured reference values.
In one embodiment, the method further comprises verifying the signature of the embedded device terminal by setting a trusted white list.
Specifically, in order to distinguish unknown from known Android applications, prevent APKs that have not passed security verification from being installed on the system, and avoid incidents on other devices in the smart grid caused by malicious software, the invention provides a TF-card-based signature scheme. The signature is used mainly to distinguish different Android applications and contains the identity information of the APP developer. Because the smart grid scenario demands higher security, signature verification is realized with a white list similar to a firewall access rule: only programs that have passed verification are allowed to run, and all others are treated as software of unknown risk whose associated operations are blocked. On this principle the security of the Android system is guaranteed.
To make the signature verification process more efficient, the length of the information to be encrypted should be reduced before the asymmetric encryption algorithm is applied to the information to be signed, so the embodiment of the invention uses a digest algorithm to condense the information to be signed into a fixed, short value; this is also one of the reasons trusted protection of the trusted terminal device can be realized inside the TF card. The embodiment performs TF-card-based signature verification as follows:
the APP to be signed is read in as a byte stream and copied to the location designated by the TF card program; the TF card then runs the digest algorithm and generates the corresponding result, which is temporarily stored on the system as a txt text file. The TF card then signs the condensed APP information: the fixed-length digest just generated is used as the input of the subsequent signature algorithm, and after encryption with the private key in that algorithm the application's signature reference value is obtained. This completes the generation of an APP's new TF-card-based signature.
When the TF card control application captures the installation of an APK file, it performs signature verification on the installation package and allows only applications that pass to be installed. If an application's signature has been tampered with, installation is prohibited and the user is told that installation failed. APK signature verification takes the pre-initialized signature reference library as its reference and checks whether the APK signature is in the system white list; if it is not in the trusted list (i.e. the white list), the APK may be a file tampered with by a third party.
After the monitoring service of the TF card control application starts, whenever an APK package is installed the application intercepts this behaviour through an interception mechanism, obtains the APK path and calls the TF card service with that path. Signature verification is then performed on the APK package using the TF card trust root: the APK signature information is computed from the binary content of the APK by the signature verification algorithm and compared with the APK signature information in the reference library. If they match, verification passes; if the APK has been tampered with by a third party, the signature comparison fails, verification fails and installation is prohibited. With the same certificate but different package names, two different applications will coexist after a successful installation; with the same package name for the same application but different certificates, the installation cannot overwrite the existing one. Therefore installation is allowed to proceed only when both the package name and the signature information are consistent.
Please refer to fig. 2, which is a flowchart illustrating authentication of an APK according to an embodiment of the present invention.
In the figure, the left flow is mainly to generate an SM3 digest according to an APK file, and the right flow is to perform signature operation on simplified APP information. The two are correlated, and after the SM3 digest is obtained through the left side, the digest information is used as an input source of a signature algorithm.
The system white list and the trusted white list have the same meaning, and refer to a software white list of an APK installation package preset in the system, and software in the white list is considered to be safe by the system. The filtering method comprises the following steps: and traversing in the white list to confirm whether the APK is listed in the white list (judging by traversing the white list and comparing the values of the items in the list, if the values are equal, the comparison is successful, otherwise, the comparison is failed). The APK behavior refers to a series of behaviors such as decompressing installation and the like based on APK generation when the system prepares to install APK, and the APK acquiring behavior in the figure refers to APK behavior generation, which is monitored and recorded by the TF card control application. The SM3 abstract is generated through a SM3 abstract algorithm of the secret number, and is also a result produced after the TF completes the abstract algorithm, and the SM3 abstract algorithm forms a national standard and is implemented according to a standard algorithm process.
The APK signature is obtained by executing a signature algorithm on the APK application installation package and is used for verifying whether the APK is in a system white list or not. And the SM3 digest is used for calculating the digest of the simplified application information to finally obtain a signature reference value.
In a specific example, in an Android Studio development environment, the adb tool is used to connect to the experimental device, and the system resources occupied are then inspected with the top command, as on a Linux system; the objects shown are the processes running in the current system. The main purpose of the command is to monitor system resource allocation dynamically; its characteristic is that processes can be sorted and displayed by a single system resource attribute, such as CPU, memory or disk IO. In actual operation the top command is used to check resource occupation, which shows that the share of system resources taken by the process is low and that the operation of other processes is not affected.
In the development environment, the time consumed by signature verification is computed using functions such as the system's application start-up time, and several results are tallied.
TABLE 1 Start-up time (ms) for applications with and without verification (the values are given only as an image in the original)
Example two
Based on the same inventive concept, this embodiment provides a smart grid-oriented embedded device terminal security protection apparatus, which comprises:
a trusted software base construction module, used to construct a trusted software base based on the TF card, wherein the TF card serves as the security hardware, an encryption and decryption algorithm engine is built into the TF card to encrypt and decrypt data, and the trusted software base serves as the security module and is provided with a trusted reference library;
and a data interaction module, used to read and write the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
In one embodiment, the apparatus further comprises an integrity check module configured to:
sign each APK file in the embedded device terminal to generate signature information;
and compare the generated signature information against the trusted reference library to measure the legitimate identity of the security application program or APK and the integrity of the file.
In one implementation, a signature verification module is further included, configured to verify the signature of the embedded device terminal by setting a trusted white list.
Since the apparatus described in the second embodiment of the present invention is the apparatus used to implement the smart grid-oriented embedded device terminal security protection method of the first embodiment, a person skilled in the art can understand the specific structure and variations of the apparatus from the method described in the first embodiment, so they are not detailed here. All apparatus adopted by the method of the first embodiment of the invention fall within the protection scope of the invention.
Example three
Based on the same inventive concept, the invention also provides a smart grid-oriented embedded device terminal security protection system, which comprises the smart grid-oriented embedded device terminal security protection apparatus of the second embodiment and the embedded device terminal.
Since the system described in the third embodiment of the present invention is the system used to implement the smart grid-oriented embedded device terminal security protection method of the first embodiment, a person skilled in the art can understand the specific structure and variations of the system from the method described in the first embodiment, so they are not detailed here. All systems adopted by the method of the first embodiment of the present invention fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass these modifications and variations.

Claims (9)

1. A smart grid-oriented embedded device terminal security protection method, characterized in that it comprises the following steps:
constructing a trusted software base based on a TF card, wherein the TF card serves as security hardware, an encryption and decryption algorithm engine is built into the TF card to encrypt and decrypt data, and the trusted software base serves as a security module and is provided with a trusted reference library;
and reading and writing the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
2. The smart grid-oriented embedded device terminal security protection method of claim 1, wherein reading the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when the security application program reads data, calling the intermediate layer driver and sending a data reading request to the security module, the data reading request carrying the identity identifier of the security application program;
the security module verifying the validity of the data reading request sent by the security application program, and verifying the identity of the application program by comparing the identity information stored in the trusted reference library with the identity identifier of the security application program;
if both the validity verification and the identity verification pass, checking whether a data record corresponding to the data reading request exists; if so, taking the data of the corresponding data record from the target location on the security hardware, the corresponding data record being encrypted data, and at the same time sending the identity identifier of the application program and the encrypted data to the security hardware; the security hardware taking the key for decrypting the encrypted data from the storage device, where the key is stored in encrypted form, decrypting the encrypted key with the encryption and decryption algorithm engine to obtain the original key, decrypting the encrypted data with the original key, and returning the decrypted data to the security application program.
3. The smart grid-oriented embedded device terminal security protection method of claim 1, wherein writing the data of each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine comprises:
when the security application program requests to write data, calling the intermediate layer driver to send a data writing request to the security application program, the data writing request carrying the identity identifier of the security application program and the data to be written;
the intermediate layer driver authenticating the identity of the security application program based on the identity identifier; after the identity authentication passes, calling the encryption and decryption algorithm engine, encrypting the data to be written inside the security hardware of the encryption and decryption algorithm engine, and returning it to the intermediate layer driver;
and the intermediate layer driver storing the encrypted data to be written in the storage device.
4. The smart grid-oriented embedded device terminal security protection method as claimed in claim 1, wherein the method further comprises performing an integrity check on the embedded device terminal based on the TF card, comprising:
signing each APK file in the embedded device terminal to generate signature information;
and comparing the generated signature information against the trusted reference library to measure the legitimate identity of the security application program or APK and the integrity of the file.
5. The smart grid-oriented embedded device terminal security protection method as claimed in claim 1, wherein the method further comprises verifying the signature of the embedded device terminal by setting a trusted white list.
6. A smart grid-oriented embedded device terminal security protection apparatus, characterized in that it comprises:
a trusted software base construction module, used to construct a trusted software base based on the TF card, wherein the TF card serves as security hardware, an encryption and decryption algorithm engine is built into the TF card to encrypt and decrypt data, and the trusted software base serves as a security module and is provided with a trusted reference library;
and a data interaction module, used to read data from and write data to each security application program in the embedded device terminal based on the trusted reference library and the encryption and decryption algorithm engine.
7. The smart grid-oriented embedded device terminal security protection apparatus of claim 6, further comprising an integrity check module configured to:
sign each APK file in the embedded device terminal to generate signature information;
and compare the generated signature information against the trusted reference library to measure the legitimate identity of the security application program or APK and the integrity of the file.
8. The smart grid-oriented embedded device terminal security protection apparatus as claimed in claim 6, further comprising a signature verification module for verifying the signature of the embedded device terminal by setting a trusted white list.
9. A smart grid-oriented embedded device terminal security protection system, characterized in that it comprises: the smart grid-oriented embedded device terminal security protection apparatus of any one of claims 6 to 8, and the embedded device terminal.
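As an added example (not the patent's own code), the read and write flow of claims 2 and 3, as carried out by the data interaction module of the second embodiment, simulated in Python: SecurityHardware stands for the TF card, whose master key never leaves it and whose per-record keys exist outside it only in wrapped form, and SecurityModule stands for the trusted software base that checks each request's identity against the trusted reference library before any data moves. The cipher is a SHA-256 counter-mode stand-in, since the patent names no algorithm, and the identities, record names and data are constructed sample values.

```python
import hashlib
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the TF card's encryption and decryption algorithm engine
    # (assumption: the patent names no cipher): a SHA-256 keystream in counter
    # mode XORed with the data, so one call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SecurityHardware:
    """Models the TF card: the master key never leaves this object and each
    record key exists outside it only in wrapped (encrypted) form."""
    def __init__(self):
        self._master = os.urandom(32)

    def encrypt(self, identity: str, plaintext: bytes) -> tuple:
        key, wrap_nonce, data_nonce = os.urandom(32), os.urandom(16), os.urandom(16)
        # The wrap is bound to the requesting identity, so the record key can
        # only be unwrapped on behalf of the application that wrote the record.
        wrapped = xor_stream(self._master, identity.encode() + wrap_nonce, key)
        return wrap_nonce, wrapped, data_nonce, xor_stream(key, data_nonce, plaintext)

    def decrypt(self, identity: str, wrap_nonce, wrapped, data_nonce, ct) -> bytes:
        key = xor_stream(self._master, identity.encode() + wrap_nonce, wrapped)  # unwrap inside the card
        return xor_stream(key, data_nonce, ct)

class SecurityModule:
    """Trusted software base: verifies the identity on every request against the
    trusted reference library before the hardware or the storage device is touched."""
    def __init__(self, hardware: SecurityHardware, reference_library: set):
        self.hw, self.ref, self.storage = hardware, reference_library, {}

    def write(self, identity: str, name: str, data: bytes) -> str:
        if identity not in self.ref:          # identity verification failed
            return "denied"
        self.storage[(identity, name)] = self.hw.encrypt(identity, data)  # ciphertext only at rest
        return "ok"

    def read(self, identity: str, name: str):
        if identity not in self.ref:
            return "denied", None
        record = self.storage.get((identity, name))   # record lookup is scoped to the identity
        if record is None:
            return "not_found", None
        return "ok", self.hw.decrypt(identity, *record)
```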
Priority Applications (1)

CN202211503439.7A, priority date 2022-11-28, filing date 2022-11-28: Embedded equipment terminal safety protection method, device and system for smart power grid (status: pending)

Publications (1)

CN115776405A (en), published 2023-03-10

Family

ID=85390428

Country Status (1)

CN: CN115776405A (en)

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20231227
Address after: 400015 No. three, No. 21, Zhongshan Road, Yuzhong District, Chongqing
Applicant after: STATE GRID CHONGQING ELECTRIC POWER Co.; Qijiang Power Supply Branch of State Grid Chongqing Electric Power Co.
Address before: 401420 Building 1, No. 12-1, Binhe Avenue, Wenlong Street, Qijiang District, Chongqing
Applicant before: Qijiang Power Supply Branch of State Grid Chongqing Electric Power Co.