WO2022110688A1 - Field bus-based data transmission method and system, and field bus-based identity verification method and system - Google Patents

Field bus-based data transmission method and system, and field bus-based identity verification method and system

Info

Publication number
WO2022110688A1
Authority
WO
WIPO (PCT)
Prior art keywords
master station
data
identity
station
slave
Application number
PCT/CN2021/094641
Inventor
仇建喜
刘吉辉
陈涛
孙业辉
董峰
钱康
曾嘉俊
Original Assignee
上海电气风电集团股份有限公司
Application filed by 上海电气风电集团股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40221 Profibus
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • the invention relates to the technical field of digital security, in particular to a field bus-based data transmission method, an identification method, a system, equipment and a medium.
  • Fieldbus is widely used in industrial control systems with the characteristics of distribution, openness, interconnection, high reliability and low cost.
  • Fieldbuses are usually used to achieve control, monitoring and communication between the station-level monitoring center and the fan unit.
  • A general industrial control system based on a field bus is characterized by slow data processing speed and high real-time requirements.
  • FIG. 1 shows a schematic diagram of the SCADA (Supervisory Control And Data Acquisition) system architecture.
  • the SCADA system is a distributed remote computer control system, which is mainly used to measure and control equipment with a wide distribution range and monitor its production process.
  • the wind farm and the site-level centralized monitoring center, the site-level centralized monitoring center and the headquarters-level remote monitoring center can communicate with each other through the field bus between the master station and the slave station to transmit data.
  • FIG. 2 shows a schematic diagram of the fieldbus system architecture of the industrial control system, in which an eavesdropper or saboteur may masquerade as a slave node or as the master to disrupt normal transmission between the master and the slave.
  • the existing data transmission methods are difficult to ensure safe data transmission between the master station and the slave station.
  • the technical problem to be solved by the present invention is to overcome the defect in the prior art that it is difficult to ensure the safety of data transmission between the master station and the slave station when performing data transmission through the field bus, and to provide a method that can improve the data transmission between the master station and the slave station.
  • the present invention provides a data transmission method based on a field bus.
  • the data transmission method is applied in the master station, and the data transmission method includes:
  • the position of each character in the master station identity plaintext data is rearranged by preset coding rules to generate the master station identity encrypted data.
  • the master station identity plaintext data includes the target master station identifier.
  • the step further includes:
  • the master station identity plaintext data includes a master station random code
  • the slave station identity plaintext data includes the target master station identifier and the master station random code
  • the preset slave station plaintext data includes a preset master station identifier and the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station;
  • the target master station identifier matches the preset master station identifier and the master station random code matches the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station
  • the plaintext data of the slave station identity is consistent with the preset plaintext data of the slave station.
  • the master station identity plaintext data further includes a target slave station identifier
  • the preset slave station plaintext data further includes a preset slave station identifier
  • the judging that the plaintext data of the slave station identity is consistent with the preset plaintext data of the slave station further includes: the target slave station identifier is consistent with the preset slave station identifier.
  • the target slave station identifier is also used for the slave station to authenticate the master station.
  • the step further includes: randomly generating a target slave station identifier, and the target slave station identifier updated in the slave station is used for the master station to authenticate the slave station.
  • the step of sending the master station identity ciphertext data to the slave station is performed multiple times.
  • the step of receiving the slave station identity ciphertext data sent by the slave station includes: receiving the slave station identity ciphertext data sent by the slave station multiple times, counting the number of times the data is inconsistent among the data received multiple times, and judging whether that number is greater than the first preset number of times; if so, generating slave station identity error information; if not, executing the step of decrypting the slave station identity ciphertext data to obtain the slave station identity plaintext data.
  • the step of receiving the slave station identity ciphertext data sent by the slave station includes:
  • the steps of generating the master station identity plaintext data, encrypting the master station identity plaintext data to generate the master station identity ciphertext data and sending the master station identity ciphertext data to the slave station are periodically performed.
  • the receiving of the slave station identity ciphertext data sent by the slave station, the decrypting of the slave station identity ciphertext data to generate the slave station identity plaintext data, and the execution of judging the target master are periodically performed.
  • the master station includes a master station authority token.
  • the master station authority token is the first identifier
  • the master station has the authority to execute the data transmission method.
  • the token is the second identifier
  • the master station does not have the authority to execute the data transmission method;
  • the step of generating the master station identity plaintext data further includes the step of: setting the master station authority token as the first identifier;
  • the step of sending the master station identity ciphertext data to the slave station further includes: setting the master station authority token as a second identifier.
  • the present invention also provides a field bus-based identification method, the identification method is applied to the slave station, and the identification method includes:
  • the position of each character in the master station identity ciphertext data is restored by the preset anti-encoding rule corresponding to the preset encoding rule to generate the master station identity plaintext data.
  • the master station identity plaintext data includes a target master station identifier
  • the preset master station identity data includes a preset master station identifier; when the master station identity plaintext data and the preset master station identity data match, it is determined that the target master station identifier matches the preset master station identifier.
  • the identity plaintext data of the master station further includes a random code of the master station, which is used for the master station to perform the identity verification of the slave station, and the step of confirming that the identity verification of the master station is successful further includes:
  • the master station identity plaintext data further includes a target slave station identifier, and in the step of generating the slave station identity plaintext data according to the target master station identifier and the master station random code:
  • the master station identifier, the target slave station identifier and the master station random code generate slave station identity plaintext data.
  • the preset slave station identity data further includes a preset slave station identifier
  • the judging that the target master station identifier is consistent with the preset master station identifier further includes:
  • the target slave station identifier is consistent with the preset slave station identifier.
  • the step of generating the identity plaintext data of the slave station further comprises: updating the target slave station identifier according to the slave station's own identifier, and the updated target slave station identifier is used for the master station to authenticate the slave station.
  • the step of receiving the master station identity ciphertext data sent by the master station includes: receiving the master station identity ciphertext data sent by the master station multiple times, and judging whether, among the data received multiple times, data of a first preset number of times is inconsistent with the other data; if yes, generating master station identity error information; if not, executing the step of decrypting the master station identity ciphertext data to obtain the master station identity plaintext data.
  • the step of sending the slave station identity ciphertext data to the master station includes: sending the slave station identity ciphertext data to the master station multiple times.
  • the step of sending the slave station identity ciphertext data to the master station includes:
  • the master station identity ciphertext data sent by the master station, decrypting the master station identity ciphertext data to obtain the master station identity plaintext data, and judging whether the master station identity plaintext data is consistent with the preset plaintext data; after it is first confirmed that the identity verification of the master station is successful, the slave station is allowed to receive and process the working data sent by the master station; and if, after that first confirmation, the result in the step of judging whether the master station identity plaintext data is consistent with the preset master station identity data is no, it is confirmed that the identity verification of the master station fails.
  • the steps of generating the slave station identity plaintext data, encrypting the slave station identity plaintext data to generate the slave station identity ciphertext data, and sending the slave station identity ciphertext data to the master station are periodically performed.
  • the slave station includes a slave station authority token; when the slave station authority token is the second identifier, the slave station has the authority to execute the identification method, and when the slave station authority token is the first identifier, the slave station does not have the authority to execute the identification method;
  • the step of generating the slave station identity plaintext data further includes the step of: setting the slave station authority token as a second identifier;
  • the step of sending the slave station identity ciphertext data to the slave station further includes: setting the slave station authority token as a first identifier.
  • the invention also provides a field bus-based data transmission system, the data transmission system is applied in the master station, and the data transmission system includes: a master station identity data generation module, a master station identity data encryption module and a master station identity data sending module;
  • the master station identity data generation module is used to generate the master station identity plaintext data
  • the master station identity data encryption module is used for encrypting the master station identity plaintext data to generate master station identity ciphertext data, and the master station identity ciphertext data is used for the slave station to carry out identity verification of the master station;
  • the master station identity data sending module is configured to send the master station identity ciphertext data to the slave station.
  • the invention also provides a field bus-based identity recognition system, the identity recognition system is applied to the slave station, and the identity recognition system includes: a master station identity data receiving module, a master station identity data decryption module and a master station identity data judgment module;
  • the master station identity data receiving module is used for receiving the master station identity ciphertext data sent by the master station;
  • the master station identity data decryption module is used to decrypt the master station identity ciphertext data to obtain the master station identity plaintext data;
  • the master station identity data verification module is used for judging whether the master station identity plaintext data is consistent with the preset master station identity data, and if so, confirming that the master station's identity verification is successful.
  • the present invention also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the steps of the above-mentioned data transmission method and identity recognition method.
  • The positive improvement effect of the present invention is: on the basis of the original communication data between the master station and the slave station, the master station identity plaintext data is separately generated and encrypted for identity verification between the master station and the slave station. After the slave station receives the encrypted data sent by the master station, the master station can obtain the authority to communicate with the slave station normally only after the data is decrypted successfully and verified successfully. Because the separately generated master station identity plaintext data occupies little space compared with the working data, the security of data transmission between the master and slave stations is greatly increased without affecting the normal communication efficiency between the master station and the slave station.
  • Figure 1 is a schematic diagram of the system architecture of the SCADA system.
  • Figure 2 is a schematic diagram of the field bus system architecture of the industrial control system.
  • FIG. 3 is a flowchart of a field bus-based identification method according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic diagram of the format of the master station identity plaintext data in Embodiment 1.
  • FIG. 5 is a flowchart of an implementation manner of step 104 in Embodiment 1.
  • FIG. 6 is a flowchart of a field bus-based identification method according to Embodiment 2 of the present invention.
  • FIG. 7 is a schematic flowchart of a fieldbus-based identification method in a specific scenario of Embodiment 2.
  • FIG. 8 is a schematic block diagram of a field bus-based identification system according to Embodiment 3 of the present invention.
  • FIG. 9 is a schematic block diagram of a field bus-based identification system according to Embodiment 4 of the present invention.
  • FIG. 10 is a schematic diagram of a module of an electronic device according to Embodiment 5 of the present invention.
  • This embodiment provides a data transmission method based on a field bus.
  • the data transmission method is applied in the master station. As shown in FIG. 3 , the data transmission method includes:
  • Step 101 generating the master station identity plaintext data.
  • the master station identity plaintext data is data different from other data (herein referred to as working data), and the master station identity plaintext data is independently extracted data for the slave station to authenticate the master station.
  • the master station identity plaintext data has multiple implementation manners.
  • the master station identity plaintext data includes the target master station identifier, and in another implementation manner, the master station identity plaintext data includes the target master station identifier and the target slave station identifier.
  • the master station identity plaintext data includes the master station identifier and the master station random code.
  • the master station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code.
  • the master station identity plaintext data includes the target slave station identifier, and in an implementation manner, the master station identity plaintext data includes the master station random code.
  • The following takes as an example master station identity plaintext data that includes a target master station identifier, a target slave station identifier and a master station random code.
  • Figure 4 shows a format diagram of the master station identity plaintext data in a specific embodiment. Specifically, the master station identity plaintext data includes the target master station identifier B01, whose data length is X bits; the target slave station identifier B02, whose data length is Y bits; and the master station random code B03, whose data length is Z bits. The data lengths X, Y and Z can be set arbitrarily according to the number of master stations and slave stations on the fieldbus and the requirements of different applications.
  • the target master station identifier B01 is the data agreed between the master station and the slave station, and the master station random code B03 is randomly generated data.
  • the target slave station identifier B02 is the agreed data between the master station and the slave station, and is mutually stored in the master station and the slave station; in the second scenario, the target slave station identifier B02 is randomly generated data.
  • the implementation manner of the master station identity plaintext data is not limited to the above manner, which can be selected according to the actual situation.
  • the master station can randomly generate the target slave station identifier, which improves the generation speed of identity plaintext data, and further improves the efficiency of the data transmission method in this embodiment.
  • the target slave station identifier is generated for the slave station to further verify the identity of the master station, thereby further improving the security of data transmission between the master and slave stations.
  • Step 102 Encrypt the master station identity plaintext data to generate the master station identity ciphertext data.
  • An encryption algorithm in the prior art can be used to encrypt the master station plaintext data, for example symmetric encryption algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), IDEA (International Data Encryption Algorithm), AES (Advanced Encryption Standard) and RC (Rivest Cipher, an encryption algorithm), or asymmetric encryption algorithms such as RSA (a public key encryption algorithm), DSA (Digital Signature Algorithm) and Diffie-Hellman (a method of ensuring the safe passage of shared keys across insecure networks).
  • The processors of the master station and the slave station are mostly embedded chips with a main frequency of 100 MHz and limited computing capability, and the execution cycle of all tasks is generally about 1 to 20 milliseconds. These tasks include data acquisition, data calculation, data communication, sequential logic, control algorithms, fault protection and other more complex work, and have high real-time requirements.
  • The communication speed of the field bus devices of an industrial control system is generally 100 kbit/s (kilobits per second) to 12 Mbit/s, and the communication data processing between the master and slave stations is generally required to complete within one task cycle.
  • A communication data encryption algorithm with high confidentiality, whether one of the aforementioned symmetric or asymmetric encryption algorithms, requires a very large amount of calculation, and is currently mostly used where the real-time requirement on communication data is not high. If such an algorithm were used to complete the encryption and decryption of communication authentication data within the embedded chip's task cycle of 1 to 20 milliseconds, it would occupy a large share of the chip's time resources, so that not all tasks could be completed within the execution cycle. In the end, this would seriously affect the real-time performance of communication, monitoring, sequential logic and control between the master station and the slave station over the field bus of the industrial control system, and could not meet the control requirements of the fan unit.
  • A preset encoding rule with a relatively small amount of calculation is preferentially selected to encrypt the plaintext data of the master station, which overcomes the defects of a large amount of calculation and time-consuming calculation while improving the security of data transmission.
  • the preset coding rules are used to rearrange the positions of each character in the master station identity plaintext data to generate the master station identity ciphertext data. For example, each character in the random code of the master station can be inserted into the respective characters of the target master station identifier and the target slave station identifier to change the positional relationship between the characters in the master station identity plaintext data.
  • the sequence of each character in the identifier of the target master station, the identifier of the target slave station and the random code of the master station may be disrupted.
  • The above preset coding rules are only used as an example, and should not be a limitation on this embodiment. In practice, there may be other ways to rearrange the positions of each character in the master station identity plaintext data to generate the master station identity ciphertext data.
  • When the communication between the master station and the slave station is in plain text, it is easy for a saboteur to masquerade as the slave station that the master station needs to communicate with, receive the data sent by the master station, and thereby monitor and steal the data.
  • The slave station can continue to receive and parse the working data sent by the master station only after it has decrypted the master station identity ciphertext data and the decryption is successful, thereby improving the security of communication between the master station and the slave station.
  • The identity plaintext data of the master station can be encrypted through a simple preset coding rule, thereby not only improving the security of the communication process between the master station and the slave station, but also ensuring the real-time performance of that communication process.
  • the master station identity plaintext data setting rules are simple, the data length is small, and the required resources are limited, so the processing of working data will not be affected while ensuring the security of the master-slave communication process.
  • Step 103 Send the master station identity ciphertext data to the slave station.
  • The master station can either broadcast the master station identity ciphertext data to all slave stations, or send the master station identity ciphertext data to the corresponding slave station one-to-one.
  • step 103 includes sending the master station identity ciphertext data multiple times.
  • the sending times can be set according to actual needs, such as 10 times.
  • The master station identity plaintext data is separately generated and encrypted for identity verification between the master station and the slave station. After the slave station receives the encrypted data sent by the master station, the master station can obtain the authority to communicate with the slave station normally only after the data is decrypted successfully and verified successfully. Because this data occupies little space, the security of data transmission between the master and slave stations is greatly increased without affecting the normal communication efficiency between the master station and the slave station.
  • the identity ciphertext data of the master station can be sent to the slave stations for many times, thereby avoiding the failure of authentication between the master and slave stations due to network reasons, and further enhancing the security of data communication between the master and slave stations.
  • the master station can also receive the identity ciphertext data sent by the slave station to verify the identity of the slave station.
  • After step 103, the method may further include:
  • Step 104 Receive the slave station identity ciphertext data sent by the slave station.
  • the method for receiving the slave station identity ciphertext data may refer to the method for receiving the master station identity ciphertext data sent by the master station in step 201 in Embodiment 2 below, which will not be repeated here.
  • Step 105 Decrypt the ciphertext data of the slave station identity to generate the plaintext data of the slave station identity.
  • the method for decrypting the ciphertext data of the identity of the slave station by the slave station may refer to the method of decrypting the ciphertext data of the identity of the master station in step 202 in Embodiment 2, which will not be repeated here.
  • Step 106 Determine whether the plaintext data of the slave station identity is consistent with the preset slave station identity data; if yes, go to step 107; if not, go to step 108.
  • Step 107 Confirm that the identity verification of the slave is successful.
  • Step 108 Confirm that the authentication of the slave station fails.
  • the specific verification method in step 106 is to determine whether the target master station identifier is consistent with the preset master station identity data; if yes, go to step 107; if not, go to step 108.
  • the specific verification method in step 106 is to determine whether the target master station identifier is consistent with the preset master station identity data, and to judge whether the target slave station identifier is consistent with the preset slave station identity data.
  • the specific verification method in step 106 is to determine whether the target master station identifier is consistent with the preset master station identity data, and to judge whether the master station random code obtained after decryption is consistent with the master station random code generated in step 101; if both judgment results are yes, execute step 107; if not, execute step 108.
  • the specific verification method in step 106 is to judge whether the target master station identifier is consistent with the preset master station identity data, whether the target slave station identifier is consistent with the preset slave station identity data, and whether the master station random code obtained after decryption is the same as the master station random code generated in step 101. If the results of all three judgments are yes, go to step 107; if not, go to step 108.
  • If the decryption is not successful in step 105, or if the plaintext data of the slave station identity in step 106 is inconsistent with the preset slave station identity data, the slave station is considered to be unsafe and communication between the master station and the slave station is prohibited; slave station authentication error information can further be generated to prompt relevant personnel to deal with it.
  • the master station can verify the slave station only through the target master station identifier obtained after decryption, which improves the verification speed and enhances the security of data transmission between the master and slave stations.
  • the master station can further verify the slave station through the target slave station identifier obtained after decryption, thereby further improving the security of data transmission between the master and slave stations.
  • the master station may further verify the slave station through the random code of the master station that is randomly generated before the master station, thereby further increasing the reliability and security of data transmission between the master and slave stations.
  • step 104 may specifically include:
  • Step 1041 Determine whether the slave station identity ciphertext data sent by the slave station is received within the first time threshold range, if not, go to step 1042, if yes, go to step 105.
  • Step 1042 Generate slave processing timeout information.
  • If the master station does not receive the slave station identity ciphertext data sent by the slave station within the first time threshold, it generates slave station processing timeout information, which can be used to remind relevant personnel to handle it, strengthening communication security while guaranteeing the efficiency of authentication between master and slave stations.
  • The master station authority token may also be preset in the master station.
  • When the master station authority token is the first identifier, the master station has the authority to execute the data transmission method.
  • Otherwise, the master station does not have the authority to execute the data transmission method. At the same time as or before the generation of the master station identity plaintext data in step 101, the method may further include the step of setting the master station authority token as the first identifier.
  • A step of setting the master station authority token as the second identifier may further be included at the same time as or before the sending of the master station identity plaintext data in step 103.
  • Step 104 of receiving the slave station identity ciphertext data may further include the step of setting the master station authority token as the first identifier.
  • The operation authority of the master station can be modified by modifying the master station authority token. It should be understood that, at any one time, only one of the master station and the slave station has the operation authority. Modifying the authority token prevents the master station and the slave station from processing the master station and slave station identity data at the same time, which keeps the identity-related data in the master station and the slave station synchronized and further ensures that the identification process between the master station and the slave station can be carried out effectively.
  • Steps 101 to 108 may be performed periodically, and within a preset time range, such as 24 hours, 48 hours, etc., the third
  • the data transmission authority of the slave is enabled, that is, the master is allowed to receive the working data sent by the corresponding slave and the master is allowed to further process the working data sent by the slave.
  • When steps 101 to 108 are executed in a subsequent cycle, if the identity verification of the slave station fails in the verification process of step 106, the data transmission authority of the slave station is closed, that is, the master station is forbidden to receive and process the working data sent by the slave station.
  • The slave station ciphertext data may be decrypted over multiple subsequent cycles. For example, only 10% of the data is decrypted in the second cycle, and then 10% of the data is decrypted in the third cycle. 20% of the data, and then decrypt 20% of the data in the fourth cycle.
  • The normal data processing between the master station and the slave station is still maintained.
  • After the slave station ciphertext data has been decrypted as a whole, the decrypted slave station plaintext data is verified.
  • Segmented verification can also be performed while the slave station ciphertext data is being decrypted. 10 out of 10.
  • In the first scenario, if the overall verification of the slave station plaintext data fails, the authentication of the slave station is considered to have failed.
  • In the second scenario, when the decrypted part of the data fails verification, the authentication of the slave station is considered to have failed.
  • The data transmission authority of the slave station is enabled. After the data transmission authority of the slave station to the master station is enabled, the slave station can continue to send working data to the master station. During this period, the data transmission authority of the slave station is closed only when the authentication of the slave station fails in the verification process of a subsequent cycle. This guarantees that, after the first verification succeeds, normal data transmission between the master station and the slave station is not affected; that is, the efficiency and real-time performance of normal data transmission are preserved while the security of data transmission is ensured.
  • This embodiment provides a field bus-based identification method.
  • The identification method is applied to a slave station. As shown in FIG. 6, the identification method includes:
  • Step 201 Receive the master station identity ciphertext data sent by the master station.
  • The master station identity ciphertext data received in step 201 is the data sent by the master station in step 103 in Embodiment 1.
  • The master station identity ciphertext data sent by the master station may be received multiple times, and it is determined whether a first preset number of the received copies are inconsistent with the other copies; if yes, master station identity error information is generated; if not, go to step 202. After the identity error information is generated, relevant personnel can be reminded by it to check the network, so that network problems do not affect the identity verification between the master and slave stations.
  • The first preset number of times can be set according to the actual situation. Specifically, it can be set in proportion to the number of times sent in step 103 in Embodiment 1. For example, the first preset number of times can be set to 1 - 0.7 * the number of times of the above-mentioned sending; the coefficient 0.7 here is just for illustration, and the specific value can be chosen according to the actual situation, such as 0.6, 0.8, 0.9 and so on.
  • In this way, authentication failure between the master and slave stations due to network reasons is avoided, and the security of data communication between them is further strengthened.
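  • The repeated-reception check described above can be implemented as a majority comparison over the received copies. The following C code is an added example, not code from the patent; the 12-byte frame length, the ten copies, the threshold value of 3 and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 12   /* assumed length of one identity ciphertext frame */

typedef enum { RX_CONSISTENT, RX_IDENTITY_ERROR } rx_verdict_t;

/* Find the copy that the largest number of copies match byte for byte.
 * Writes its index to *best and returns how many copies differ from it. */
size_t count_inconsistent(const uint8_t frames[][FRAME_LEN], size_t n, size_t *best)
{
    size_t best_matches = 0;
    *best = 0;
    for (size_t i = 0; i < n; i++) {
        size_t matches = 0;
        for (size_t j = 0; j < n; j++)
            if (memcmp(frames[i], frames[j], FRAME_LEN) == 0)
                matches++;
        if (matches > best_matches) {
            best_matches = matches;
            *best = i;
        }
    }
    return n - best_matches;
}

/* Slave-side gate before step 202: if at least `first_preset_number` copies
 * disagree with the majority, report an identity error instead of decrypting.
 * On success *use is the index of the copy to hand to step 202. */
rx_verdict_t check_copies(const uint8_t frames[][FRAME_LEN], size_t n,
                          size_t first_preset_number, size_t *use)
{
    size_t bad;
    if (n == 0)
        return RX_IDENTITY_ERROR;      /* nothing received at all */
    bad = count_inconsistent(frames, n, use);
    return (bad >= first_preset_number) ? RX_IDENTITY_ERROR : RX_CONSISTENT;
}

/* Constructed sample: ten copies of one frame, `corrupt` of them damaged,
 * each in a different byte so the damaged copies do not agree with each other. */
rx_verdict_t demo_receive(size_t corrupt, size_t first_preset_number, size_t *use)
{
    uint8_t frames[10][FRAME_LEN];
    for (size_t i = 0; i < 10; i++) {
        memset(frames[i], 0xA5, FRAME_LEN);
        if (i < corrupt)
            frames[i][i % FRAME_LEN] ^= (uint8_t)(i + 1);
    }
    return check_copies((const uint8_t (*)[FRAME_LEN])frames, 10,
                        first_preset_number, use);
}

int main(void)
{
    size_t use;
    printf("2 damaged: %d\n", demo_receive(2, 3, &use));
    printf("3 damaged: %d\n", demo_receive(3, 3, &use));
    return 0;
}
```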
  • Step 202 Decrypt the master station identity ciphertext data to obtain the master station identity plaintext data.
  • A decryption method corresponding to the encryption method in step 102 in Embodiment 1 is used to decrypt the master station identity ciphertext data.
  • Step 202 uses the preset reverse encoding rule corresponding to the preset encoding rule to restore the position of each character in the master station identity ciphertext data, generating the master station identity plaintext data.
  • For the master station identity plaintext data, reference may be made to the master station identity plaintext data generated in step 101 in Embodiment 1, which will not be repeated here.
  • Step 203 Determine whether the master station identity plaintext data is consistent with the preset master station identity data, if yes, go to step 204, if not, go to step 205.
  • Step 204 Confirm that the identity verification of the master station is successful.
  • Step 205 Confirm that the identity verification of the master station fails, and the process ends.
  • After confirming in step 204 that the identity verification of the master station is successful, the slave station can be allowed to receive and parse the working data sent by the corresponding master station. In other words, the corresponding master station thus obtains the authority to conduct data communication with the slave station.
  • If the decryption is not successful in step 202, or the master station identity plaintext data in step 203 is inconsistent with the preset master station identity data, the master station is considered to be an unsafe master station and communication between the master station and the slave station is prohibited; master station authentication error information can further be generated to prompt relevant personnel to deal with it.
  • Step 203 may specifically determine whether the target master station identifier is consistent with the preset master station identity data; if so, step 204 is executed; if not, step 205 is executed.
  • Step 203 may specifically judge whether the target master station identifier is consistent with the preset master station identity data while also judging whether the target slave station identifier is consistent with the preset slave station identity data. If the above judgment results are all yes, step 204 is executed; if any one of the judgment results is no, step 205 is executed.
  • The slave station can verify the master station using only the target master station identifier obtained after decryption, which improves the verification speed and enhances the security of data transmission between the master and slave stations.
  • The slave station can further verify the master station through the target slave station identifier obtained after decryption, thereby further improving the security of data transmission between the master and slave stations.
  • The slave station can generate slave station identity ciphertext data for the master station to verify the identity of the slave station.
  • Step 204 and 205 can further include:
  • Step 206 Generate the slave station identity plaintext data.
  • The slave station identity plaintext data is data different from other data (referred to in this text as working data); it is extracted independently and used by the master station to verify the identity of the slave station.
  • The slave station identity plaintext data has various implementation manners; for the specific implementation manner, refer to the implementation manner of the master station plaintext data in Embodiment 1, which will not be repeated here.
  • Take as an example slave station identity plaintext data that includes the target master station identifier, the target slave station identifier and the master station random code.
  • The slave station identifier received by the master station, the target slave station identifier and the master station random code received from the master station are used to generate the slave station identity plaintext data.
  • When the target slave station identifier in the master station identity plaintext data in Embodiment 1 is the target slave station identifier pre-agreed with the slave station, the target slave station identifier received from the master station can be used as the target slave station identifier to generate the slave station identity plaintext data.
  • When the target slave station identifier in the master station identity plaintext data in Embodiment 1 is a randomly generated target slave station identifier, the target slave station identifier is updated with the slave station's own identifier, and the slave station identity plaintext data is generated according to the updated target slave station identifier.
  • The slave station plaintext data for verifying the identity of the slave station can be generated, thereby improving the identity recognition in this embodiment.
  • The security of data transmission between the master and slave stations is improved.
  • Step 207 Encrypt the slave station identity plaintext data to generate the slave station identity ciphertext data.
  • For the method of encrypting the slave station identity plaintext data, refer to the method of encrypting the master station identity plaintext data in step 102 in Embodiment 1, which will not be repeated here.
  • Step 208 Send the slave station identity ciphertext data to the master station.
  • For the method of sending the slave station identity ciphertext data, refer to the method of sending the master station identity ciphertext data in step 103 in Embodiment 1, which will not be repeated here.
  • The slave station may also preset a slave station authority token.
  • When the slave station authority token is the second identifier, the slave station has the authority to execute the identification method.
  • Otherwise, the slave station does not have the authority to execute the identification method. At the same time as or before receiving the master station identity plaintext data in step 201, the method may further include the step of setting the slave station authority token as the second identifier.
  • Step 208 of receiving the master station identity ciphertext data may further include a step of setting the slave station authority token as the second identifier.
  • The operation authority of the slave station can be modified by modifying the slave station authority token. It should be understood that only one of the master station and the slave station has the operation authority at a time. Modifying the authority token prevents the master station and the slave station from processing the master station identity data and the slave station identity data at the same time, which ensures the synchronization of the identity-related data between the master station and the slave station and further ensures that the identification process between the master and slave stations can be carried out effectively.
  • Steps 201 to 208 may be performed periodically, and within a preset time range, such as 24 hours, 48 hours, etc., after the first verification of step 203 confirms that the identity verification of the master station is successful, the data transmission authority of the master station is opened, that is, the slave station is allowed to receive the working data sent by the corresponding master station and to further process the working data sent by the master station.
  • When steps 201 to 208 are executed in a subsequent cycle, if the verification process of step 203 confirms that the identity verification of the master station has failed, the data transmission authority of the slave station is closed, that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
  • The master station ciphertext data may be decrypted over multiple subsequent cycles. For example, only 10 percent of the data is decrypted in the second cycle, and 10 percent of the data is decrypted in the third cycle. Of the 20 percent of the data, decrypt 20 percent of the data in the fourth cycle.
  • The normal data processing between the master station and the slave station is still maintained.
  • After the master station ciphertext data has been decrypted as a whole, the decrypted master station plaintext data is verified.
  • Segmented verification can also be performed while the master station ciphertext data is being decrypted. For example, 10% decryption means verification.
  • The data transmission authority of the master station is enabled. After the data transmission authority of the master station to the slave station is enabled, the master station can continue to send working data to the slave station. During this period, the data transmission authority of the master station is closed only when the authentication of the master station fails in the verification process of a subsequent cycle. This guarantees that, after the first verification succeeds, normal data transmission between the master station and the slave station is not affected; that is, the efficiency of normal data transmission is preserved while the security of data transmission is ensured.
  • The identity of the master station is verified through steps 201 to 205. If the judgment result of whether the verification is valid is yes, the authentication timer is incremented by 1. It should be understood that the default value of the authentication timer can be preset according to actual needs.
  • the first identity verification operation of the station: specifically, steps 202 and 203 are executed, and then it is judged whether the first identity verification operation is completed. If the judgment result is yes, it is further judged whether the first identity verification is passed; if the judgment result of whether the first identity verification operation is completed is no, the process ends. There may be network or other faults, and relevant personnel can be notified at this time for processing.
  • The authentication timer is cleared and the first authentication flag is set to 1. After that, other tasks can be performed, such as receiving and parsing the working data transmitted by the master station. It should be understood that, at every preset time interval, the process returns to determine whether the first authentication flag is valid, so that verification is carried out in a round-robin manner.
  • Steps 201 to 205 can be performed again to perform the identity verification operation on the master and slave stations.
  • Once the slave station's verification of the identity of the master station has passed, in the process of verifying the identity of the master station in a subsequent cycle (that is, when the judgment result of whether the authentication operation is completed is no), the slave station can still perform other tasks for normal data communication.
  • If the judgment result of whether the operation is completed is yes, it is further judged whether the non-first authentication has passed. If so, the master station is considered to have passed the authentication, the authentication timer is cleared, and the slave station can continue to perform other tasks. If the result of whether the non-first authentication has passed is no, an authentication error is reported and the communication is interrupted.
  • This embodiment provides a data transmission system based on a field bus.
  • The data transmission system is applied to the master station.
  • The data transmission system includes a master station identity data generation module 301, a master station identity data encryption module 302 and a master station identity data sending module 303.
  • The master station identity data generating module 301 is used to generate the master station identity plaintext data.
  • The master station identity plaintext data is data different from other data (herein referred to as working data); it is independently extracted data for the slave station to authenticate the master station.
  • The master station identity plaintext data has multiple implementation manners.
  • In one implementation manner, the master station identity plaintext data includes the target master station identifier; in another implementation manner, it includes the target master station identifier and the target slave station identifier.
  • In another implementation manner, the master station identity plaintext data includes the master station identifier and the master station random code.
  • In another implementation manner, the master station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code.
  • In another implementation manner, the master station identity plaintext data includes the target slave station identifier, and in another implementation manner, the master station identity plaintext data includes the master station random code.
  • FIG. 4 shows a format diagram of the master station identity plaintext data in a specific implementation manner.
  • For the specific master station identity plaintext data format, refer to the format of the master station plaintext data in Embodiment 1, which will not be repeated here.
  • The target master station identifier B01 is data agreed between the master station and the slave station, and the master station random code B03 is randomly generated data.
  • In the first scenario, the target slave station identifier B02 is data agreed between the master station and the slave station and is stored in both the master station and the slave station; in the second scenario, the target slave station identifier B02 is randomly generated data.
  • The implementation manner of the master station identity plaintext data is not limited to the above and can be selected according to the actual situation.
  • The master station identity data generation module 301 can randomly generate the target slave station identifier, which improves the generation speed of the identity plaintext data and further improves the efficiency of the data transmission system in this embodiment.
  • The master station identity data generating module 301 can generate a target slave station identifier pre-agreed between the master station and the slave station, for the slave station to further verify the identity of the master station, thereby further improving the security of data transmission between the master station and the slave station.
  • The master station identity data encryption module 302 is used for encrypting the master station identity plaintext data to generate the master station identity ciphertext data.
  • The master station identity data encryption module 302 can use various methods to encrypt the master station identity plaintext data. For example, an encryption algorithm in the prior art can be used to encrypt the master station plaintext data, such as a symmetric encryption algorithm (DES, 3DES, IDEA, AES, RC, etc.) or an asymmetric encryption algorithm (RSA, DSA, Diffie-Hellman, etc.).
  • The processors of the master station and the slave station are mostly embedded chips with a main frequency of 100 MHz, and their computing capabilities are limited. The execution cycle of all tasks is generally about 1 to 20 milliseconds and covers data acquisition, data calculation, data communication, sequential logic, control algorithms, fault protection and other more complex work, all with high real-time requirements.
  • The communication speed of the field bus devices of an industrial control system is generally 100 kbit/s (kilobits per second) to 12 Mbit/s, and the communication data processing between the master and slave stations is generally required to be completed within one task cycle.
  • A communication data encryption algorithm with high confidentiality, whether one of the aforementioned symmetric or asymmetric encryption algorithms, requires a very large amount of calculation and is currently mostly used where the real-time requirement on communication data is not high. If such an algorithm is used to complete the data encryption and decryption of communication authentication within the embedded chip's task cycle of 1 to 20 milliseconds, it occupies a large share of the chip's time resources, so that not all tasks can be completed within the execution cycle. In the end, this seriously affects the real-time performance of the communication, monitoring, sequential logic and control between the master station and the slave station based on the field bus of the industrial control system, and the control requirements of the fan unit cannot be met.
  • The master station identity data encryption module 302 preferentially selects a preset encoding rule with a relatively small amount of calculation to encrypt the master station plaintext data, overcoming the defects of a large amount of calculation and time-consuming calculation, thereby improving the security of data transmission.
  • The preset encoding rule is used to rearrange the position of each character in the master station identity plaintext data to generate the master station identity ciphertext data. For example, each character of the master station random code can be inserted among the characters of the target master station identifier and the target slave station identifier, changing the positional relationship between the characters in the master station identity plaintext data.
  • The order of the characters in the target master station identifier, the target slave station identifier and the master station random code may be scrambled.
  • The above preset encoding rules are only illustrative and should not limit this embodiment. In practice, there may be other ways to rearrange the position of each character in the master station identity plaintext data to generate the master station identity ciphertext data.
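  • One possible preset encoding rule of the kind described above, together with its reverse rule (step 202) and the master-side checks of step 106, written in C as an added example that is not taken from the patent. The 4-byte field lengths, the insert-after-every-two-bytes rule, the constant-time comparison and all function names are assumptions; the slave follows the second scenario, replacing a randomly generated target slave station identifier with its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: the field lengths of FIG. 4 are not given on the page. */
#define FIELD_LEN 4                /* bytes in each of B01, B02, B03 */
#define FRAME_LEN (3 * FIELD_LEN)

typedef struct {
    uint8_t master_id[FIELD_LEN];  /* target master station identifier B01 */
    uint8_t slave_id[FIELD_LEN];   /* target slave station identifier B02 */
    uint8_t rand_code[FIELD_LEN];  /* master station random code B03 */
} identity_t;

typedef enum { AUTH_OK, AUTH_DECODE_FAIL, AUTH_MASTER_ID, AUTH_SLAVE_ID, AUTH_RAND_CODE } auth_t;

/* Assumed preset encoding rule: after every two identifier bytes
 * (B01 followed by B02), insert one byte of the random code B03. */
void identity_encode(const identity_t *in, uint8_t out[FRAME_LEN])
{
    uint8_t ids[2 * FIELD_LEN];
    memcpy(ids, in->master_id, FIELD_LEN);
    memcpy(ids + FIELD_LEN, in->slave_id, FIELD_LEN);
    for (size_t i = 0; i < FIELD_LEN; i++) {
        out[3 * i]     = ids[2 * i];
        out[3 * i + 1] = ids[2 * i + 1];
        out[3 * i + 2] = in->rand_code[i];
    }
}

/* Reverse rule: put every byte back into its field. A frame of the
 * wrong length is treated as a failed decryption. */
int identity_decode(const uint8_t *frame, size_t len, identity_t *out)
{
    uint8_t ids[2 * FIELD_LEN];
    if (frame == NULL || out == NULL || len != FRAME_LEN) return -1;
    for (size_t i = 0; i < FIELD_LEN; i++) {
        ids[2 * i]        = frame[3 * i];
        ids[2 * i + 1]    = frame[3 * i + 1];
        out->rand_code[i] = frame[3 * i + 2];
    }
    memcpy(out->master_id, ids, FIELD_LEN);
    memcpy(out->slave_id, ids + FIELD_LEN, FIELD_LEN);
    return 0;
}

/* Field comparison with no early exit, so timing does not depend on
 * the position of the first mismatching byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < FIELD_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Master side (steps 105 and 106): decode the reply, then compare it with the
 * preset identifiers and the random code this master generated in step 101. */
auth_t master_verify_reply(const uint8_t *frame, size_t len, const identity_t *expect)
{
    identity_t got;
    if (identity_decode(frame, len, &got) != 0)       return AUTH_DECODE_FAIL;
    if (!ct_equal(got.master_id, expect->master_id))  return AUTH_MASTER_ID;
    if (!ct_equal(got.slave_id, expect->slave_id))    return AUTH_SLAVE_ID;
    if (!ct_equal(got.rand_code, expect->rand_code))  return AUTH_RAND_CODE;
    return AUTH_OK;
}

/* Slave side (steps 202, 203, 206, 207): decode, check the master identifier,
 * replace the random target slave identifier with its own, and re-encode. */
auth_t slave_answer(const uint8_t *frame, size_t len, const uint8_t *preset_master,
                    const uint8_t *own_id, uint8_t reply[FRAME_LEN])
{
    identity_t got;
    if (identity_decode(frame, len, &got) != 0)   return AUTH_DECODE_FAIL;
    if (!ct_equal(got.master_id, preset_master))  return AUTH_MASTER_ID;
    memcpy(got.slave_id, own_id, FIELD_LEN);
    identity_encode(&got, reply);
    return AUTH_OK;
}

/* Constructed sample exchange; a non-zero `tamper` flips one bit of the reply. */
auth_t demo_exchange(int tamper)
{
    const identity_t preset = { {'M','S','0','1'}, {'S','L','0','7'}, {0x3a,0x91,0xc4,0x5e} };
    identity_t request = preset;
    uint8_t tx[FRAME_LEN], rx[FRAME_LEN];
    memcpy(request.slave_id, "\x11\x22\x33\x44", FIELD_LEN); /* random B02 */
    identity_encode(&request, tx);
    auth_t r = slave_answer(tx, sizeof tx, preset.master_id, preset.slave_id, rx);
    if (r != AUTH_OK) return r;
    if (tamper) rx[2] ^= 0x01;     /* byte 2 of the frame carries rand_code[0] */
    return master_verify_reply(rx, sizeof rx, &preset);
}

int main(void) { return demo_exchange(0) == AUTH_OK ? 0 : 1; }
```

  • Because this rule is a fixed rearrangement with no key, the comparison of the returned random code against the one generated for the current round is the only check whose expected value changes from one exchange to the next.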
  • the master station plaintext data generation module sets separate master station identity plaintext data
  • the master station identity data encryption module 302 encrypts the identity plaintext data
  • the slave station only decrypts the master station identity ciphertext data and Only after the decryption is successful, can the working data sent by the master station be continued to be received and analyzed, thereby improving the security of the communication between the master station and the slave station.
  • the master station identity data encryption module 302 can encrypt the master station identity plaintext data through a simple preset encoding rule, thereby not only improving the security of the communication process between the master station and the slave station, but also ensuring the master station The real-time nature of the communication process with the slaves.
  • the master station identity data generation module 301 has simple rules for setting the master station identity plaintext data, the data length is small, and the required resources are limited, so while ensuring the security of the master-slave communication process, it will not affect the work processing of data.
  • the master station identity data sending module 303 is used for sending the master station identity ciphertext data to the slave station.
  • the master station identity data sending module 303 can either broadcast the master station identity ciphertext data to all the slave stations by broadcasting, or send the master station identity ciphertext data to the corresponding slave stations by one-to-one broadcasting.
  • the master station identity data sending module 303 is used to send multiple times
  • the master station identity ciphertext data is sent to the slave station, and the number of times of sending can be set according to actual needs, such as 10 times.
  • the master station identity data generation module 301 separately generates the master station identity plaintext data and encrypts the data through the master station identity data encryption module 302 to It is used for authentication between the master and slave stations.
  • the master station can obtain the permission to communicate with the slave station normally. Since the separately generated master station identity plaintext data occupies a small space for the working data, it greatly increases the data transmission between the master station and the slave station without affecting the normal communication efficiency between the master station and the slave station. security.
  • the master station identity data sending module 303 can send the master station identity ciphertext data to the slave stations for many times, so as to avoid the failure of identity verification between the master and slave stations due to network reasons, and further strengthen the data between the master and slave stations. communication security.
  • the master station can also receive the identity ciphertext data sent by the slave station to verify the identity of the slave station.
  • the data transmission system further includes a slave station.
  • the station identity data receiving module 305, the slave station identity data decryption module 306 and the slave station identity data verification module 307, the master station identity data sending module 303 is also used to send the master station identity ciphertext data to the slave station
  • the slave station identity data receiving module 305 is called.
  • the slave station identity data receiving module 305 is configured to receive the slave station identity ciphertext data sent by the slave station, wherein, the way that the slave station identity data receiving module 305 receives the slave station identity ciphertext data may refer to the following embodiment 4.
  • the manner in which the master station identity data receiving module 405 receives the master station identity ciphertext data sent by the master station will not be repeated here.
  • the slave station identity data decryption module 306 is used to decrypt the slave station identity ciphertext data to generate the slave station identity plaintext data, wherein the slave station identity data decryption module 306 decrypts the slave station identity ciphertext data.
  • the method for decrypting the master station identity ciphertext data in the master station identity data decryption module 406 in step 4 will not be repeated here.
  • the slave station identity data verification module 307 is used to judge whether the slave station identity plaintext data is consistent with the preset slave station plaintext data, if so, confirm that the slave station's identity verification is successful; Authentication failed.
  • the specific verification method of the slave station identity data verification module 307 is to determine the target master station identifier Whether the character is consistent with the preset master station identity data, if so, confirm that the identity verification of the slave station is successful, if not, confirm that the identity verification of the slave station fails.
  • the specific verification method of the slave station identity data verification module 307 is to judge the target master station Whether the station identifier is consistent with the preset master station identity data, and judge whether the target slave station identifier is consistent with the preset slave station identity data, if both judgment results are yes, confirm that the identity verification of the slave station is successful , if not, confirm that the authentication of the slave has failed.
  • the slave station identity data verification module 307 specifically verifies The method is to judge whether the target master station identifier is consistent with the preset master station identity data, judge whether the target slave station identifier is consistent with the preset slave station identity data, and judge whether the master station random code obtained after decryption is generated with the master station identity data. Whether the random code of the master station generated by the module 301 is consistent, if the three judgment results are all yes, it confirms that the identity verification of the slave station is successful; if not, it confirms that the identity verification of the slave station fails.
  • If the slave station identity data decryption module 306 fails to decrypt, or if the slave station identity data verification module 307 judges that the slave station identity plaintext data is inconsistent with the preset slave station identity data, the slave station is considered unsafe, communication between the master station and the slave station is prohibited, and a slave station authentication error message can further be generated to prompt the relevant personnel to deal with it.
  • The slave station identity data decryption module 306 can verify the slave station through the target master station identifier obtained after decryption alone, which improves the verification speed and enhances the security of data transmission between the master and slave stations. In this embodiment, the slave station identity data decryption module 306 can further verify the slave station through the target slave station identifier obtained after decryption, thereby further improving the security of data transmission between the master and slave stations. In this embodiment, the slave station identity data decryption module 306 may further verify the slave station through the randomly generated master station random code previously sent by the master station, thereby further increasing the reliability and safety of data transmission between the master and slave stations.
  • The slave station identity data receiving module 305 is further configured to determine whether the slave station identity ciphertext data sent by the slave station has been received within the first time threshold range; if not, it generates slave station processing timeout information; if so, it calls the slave station identity data decryption module 306.
  • If the slave station identity data receiving module does not receive the slave station identity ciphertext data sent by the slave station within the range of the first time threshold, it generates slave station processing timeout information, which can be used to remind relevant personnel to handle it, so as to strengthen communication security while ensuring the efficiency of authentication between master and slave stations.
  • the master station authority token may also be preset in the master station.
  • When the master station authority token is the first identifier, the master station has the authority to execute the data transmission system.
  • the master station does not have the authority to execute the data transmission system, and the data transmission system also includes the master station authority modification module 308, which is performed at the same time or before the master station identity data generation module 301 generates the master station identity plaintext data.
  • the master authority modification module 308 may be further invoked to set the master authority token to the first identifier.
  • the master authority modification module 308 may be further invoked to set the master authority token as the second identifier while or before the master station identity data sending module 303 sends the master station identity plaintext data.
  • slave station identity data receiving module 305 may further call the master station authority modification module 308 to set the master station authority token as the first identifier.
  • the master station authority modification module 308 can modify the operation authority of the master station by modifying the master station authority token. It should be understood that at the same time, only one of the master station and the slave station has the operation authority. The modification can prevent the master station and the slave station from processing the identity data of the master station and the slave station at the same time, ensure the synchronization of the identity-related data in the master station and the slave station, and further ensure the identity recognition between the master and slave stations. The process can be carried out efficiently.
  • the master station identity data generation module 301 in order to continuously ensure the security of data transmission between the master and slave stations, the master station identity data generation module 301, the master station identity data encryption module 302, the master station identity data transmission module 303, The master station identity data judgment module 304 , the slave station identity data receiving module 305 , the slave station identity data decryption module 306 , the slave station identity data verification module 307 and the master station authority modification module 308 .
  • When the slave station identity data verification module 307 confirms for the first time that the slave station's identity verification is successful, it opens the data transmission authority of the slave station, that is, the master station is allowed to receive the working data sent by the corresponding slave station and to further process that working data.
  • the data transmission authority of the slave station is closed, that is, the master station is prohibited from receiving and processing the working data sent by the slave station.
  • The slave station identity data decryption module 306 may decrypt the slave station ciphertext data over multiple subsequent cycles. For example, in the second cycle, only 10% of the data is decrypted; in the third cycle, 20% of the data is decrypted; and in the fourth cycle, 20% of the data is decrypted. While the data is being decrypted, normal data processing between the master station and the slave station is still maintained. In one scenario, when the slave station identity data decryption module 306 completes the overall decryption of the slave station ciphertext data, the slave station identity data verification module 307 verifies the decrypted slave station plaintext data.
  • The slave station identity data verification module 307 may also perform segment verification while the slave station identity data decryption module 306 is decrypting the slave station ciphertext data, for example, decrypting 10% means verifying 10%.
  • the slave station identity data verification module 307 considers that the slave station's identity verification fails.
  • When the slave station identity data verification module 307 fails to verify the decrypted part of the data, the authentication of the slave station is considered to have failed.
  • The slave station identity data verification module 307 enables the data transmission authority of the slave station after the first successful identity verification of the slave station. After the data transmission authority of the slave station to the master station is enabled, the slave station can continuously send working data to the master station. During this period, the slave station's data transmission authority is closed only when the slave station identity data verification module 307 fails to authenticate the slave station in the verification process of a subsequent cycle. In this way, after the first verification succeeds, normal data transmission between the master station and the slave station is not affected, that is, the efficiency and real-time performance of normal data transmission are preserved while the security of data transmission is ensured.
  • This embodiment provides a field bus-based identification system.
  • the identification system is applied to a slave station.
  • The identification system includes: a master station identity data receiving module 405, a master station identity data decryption module 406 and the master station identity data judgment module 304.
  • the master station identity data receiving module 405 is configured to receive the master station identity ciphertext data sent by the master station.
  • the master station identity ciphertext data received by the master station identity data receiving module 405 is the data sent by the master station identity data sending module 303 in the third embodiment.
  • The master station identity data receiving module 405 can receive the master station identity ciphertext data sent by the master station multiple times, and the identity recognition system can also include the master station identity data judging module 304, which is used to judge whether, among the received data, there is a situation in which the data of the first preset number of times is inconsistent with the other data; if yes, it generates a master station identity error message; if not, it calls the master station identity data decryption module 406.
  • After the master station identity data receiving module 405 generates the identity error information, the information can remind relevant personnel to check the network condition, so as to avoid identity verification between the master and slave stations being affected by network problems.
  • The first preset number of times can be set according to the actual situation. Specifically, it can be set in proportion to the number of times sent by the master station identity data sending module 303 in Embodiment 3. For example, the first preset number of times can be set to 1-0.7*the number of times of the above-mentioned sending.
  • the coefficient 0.7 here is just for illustration.
  • the specific setting can be arbitrarily selected according to the actual situation, such as 0.6, 0.8, 0.9 and so on.
  • The master station identity data receiving module 405 receives the master station identity ciphertext data multiple times and judges whether the identity ciphertext data received multiple times are consistent, so as to avoid identity verification between the master and slave stations failing due to network reasons, which further strengthens the security of data communication between master and slave stations.
  • the master station identity data decryption module 406 is configured to decrypt the master station identity ciphertext data to obtain the master station identity plaintext data.
  • The master station identity data decryption module 406 uses a decryption method corresponding to the encryption method adopted by the master station identity data encryption module 302 in Embodiment 3 to decrypt the master station identity ciphertext data. For example, when the master station identity data encryption module 302 uses the preset encoding rule to rearrange the position of each character in the master station identity plaintext data to generate the master station identity ciphertext data, the master station identity data decryption module 406 uses the preset inverse encoding rule corresponding to that encoding rule to restore the position of each character in the master station identity ciphertext data and generate the master station identity plaintext data.
  • For the master station identity plaintext data, reference may be made to the master station identity plaintext data generated by the master station identity data generating module 301 in Embodiment 3, which will not be repeated here.
  • The master station identity data verification module 407 is used to judge whether the master station identity plaintext data is consistent with the preset master station identity data; if it is not, authentication fails.
  • the slave station is allowed to receive and parse the working data sent by the corresponding master station. Permission for data communication.
  • If the master station identity data decryption module 406 fails to decrypt, or the master station identity data verification module 407 judges that the master station identity plaintext data is inconsistent with the preset master station identity data, the master station is considered to be an unsafe master station, communication between the master station and the slave station is prohibited, and the master station identity data verification module 407 may further generate a master station identity verification error message and prompt the relevant personnel to deal with it.
  • The master station identity data verification module 407 can specifically determine whether the target master station identifier is consistent with the preset master station identity data; if so, it confirms that the identity verification of the master station is successful; if not, it confirms that the identity verification of the master station fails.
  • The master station identity data verification module 407 can specifically judge whether the target master station identifier is consistent with the preset master station identity data and at the same time judge whether the target slave station identifier is consistent with the preset slave station identity data; if the above judgment results are all yes, it confirms that the identity verification of the master station is successful, and if any one of the judgment results is no, it confirms that the identity verification of the master station fails.
  • The master station identity data verification module 407 can verify the master station through the target master station identifier obtained after decryption alone, which enhances the security of data transmission between the master and slave stations while improving the verification speed.
  • The master station identity data verification module 407 can further verify the master station through the target slave station identifier obtained after decryption, thereby further improving the security of data transmission between the master and slave stations.
  • the slave station can generate slave station identity ciphertext data for the master station to verify the identity of the slave station.
  • The identity recognition system may further include: a slave station identity data generation module 401, a slave station identity data encryption module 402 and a slave station identity data sending module 403; the master station identity data verification module 407 is also used to call the slave station identity data generation module 401 after confirming that the identity verification of the master station is successful.
  • the slave station identity data generating module 401 is used to generate the slave station identity plaintext data.
  • the plaintext data of the identity of the slave is data different from other data (referred to as working data in the text), and the plaintext data of the identity of the slave is the data extracted independently and used for the identity verification of the slave by the master.
  • the slave station identity plaintext data has multiple implementation manners, and the specific implementation manner may refer to the implementation manner of the master station plaintext data in Embodiment 3, which will not be repeated here.
  • the slave station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code as an example.
  • The slave station identity data generating module 401 generates the slave station identity plaintext data according to the target master station identifier received from the master station, the target slave station identifier and the master station random code received from the master station.
  • the slave station identity data generating module 401 may generate the slave station identity plaintext data according to the target slave station identifier received from the master station.
  • The target slave station identifier in the master station identity plaintext data generated by the master station identity data generation module 301 in Embodiment 3 is a randomly generated target slave station identifier; here the slave station identity data generating module 401 updates the target slave station identifier according to the slave station's own identifier, and generates the slave station identity plaintext data according to the updated target slave station identifier.
  • In both cases the slave station identity data generation module 401 can generate slave station plaintext data for verifying the identity of the slave station, thereby improving the applicability of the identity identification system in this embodiment and improving the security of data transmission between the master and slave stations.
  • The slave station identity data encryption module 402 is used for encrypting the slave station identity plaintext data to generate the slave station identity ciphertext data; for how it encrypts the slave station identity plaintext data, refer to how the master station identity data encryption module 302 encrypts the master station identity plaintext data in Embodiment 3, which will not be repeated here.
  • The slave station identity data sending module 403 is used to send the slave station identity ciphertext data to the master station; for how it sends the slave station identity ciphertext data, refer to how the master station identity data sending module sends the master station identity ciphertext data in Embodiment 3, which will not be repeated here.
  • the slave station may also preset a slave station authority token.
  • When the slave station authority token is the second identifier, the slave station has the authority to execute the identity recognition system.
  • the slave station does not have the authority to execute the identification system, and the identification system also includes a slave station authority modification module 408
  • the slave station identity data generation module 401 is further configured to call the slave station authority modification module 408 to set the slave station authority token as the second identifier.
  • The slave station identity data sending module 403 is also used to call the slave station authority modification module 408 to set the slave station authority token to the first identifier.
  • the slave station authority modification module 408 can modify the operation authority of the slave station by modifying the slave station authority token. It should be understood that at the same time, only one of the master station and the slave station has the operation authority. The modification can prevent the master station and the slave station from processing the identity data of the master station and the slave station at the same time, ensure the synchronization of the identity-related data in the master station and the slave station, and further ensure the identity recognition between the master and slave stations. The process can be carried out efficiently.
  • the slave station identity data generation module 401 in order to ensure the security of data transmission between the master and slave stations, the slave station identity data generation module 401, the slave station identity data encryption module 402, the slave station identity data transmission module 403, The slave station identity data judgment module 404 , the master station identity data receiving module 405 , the master station identity data decryption module 406 , the master station identity data verification module 407 and the slave station authority modification module 408 .
  • the master station identity data verification module 407 opens the master station's data transmission authority after confirming that the master station's identity verification is successful for the first time. That is, the slave station is allowed to receive the working data sent by the corresponding master station and allow the slave station to further process the working data sent by the master station.
  • the identity data verification module 407 of the master station is called for verification, if it is confirmed that the identity verification of the master station fails, the data transmission authority of the slave station is closed, that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
  • The master station identity data verification module 407 may decrypt the master station ciphertext data over multiple subsequent cycles. For example, in the second cycle, only 10% of the data is decrypted; in the third cycle, 20% of the data is decrypted; and in the fourth cycle, 20% of the data is decrypted. While the data is being decrypted, normal data processing between the master station and the slave station is still maintained. In one scenario, the master station identity data verification module 407 verifies the decrypted master station plaintext data after the master station identity data decryption module 406 completes the overall decryption of the master station ciphertext data.
  • the station identity data decryption module 406 performs segment verification during the decryption process of the master station ciphertext data, for example, 10% decryption means 10% verification.
  • the master station identity data verification module 407 fails the overall verification of the master station plaintext data, it is considered that the master station's identity verification has failed.
  • If the master station identity data verification module 407 fails to verify the decrypted part of the data, the authentication of the master station is considered to have failed.
  • The master station identity data verification module 407 enables the data transmission authority of the master station after the identity verification of the master station is successful for the first time. After the data transmission authority of the master station to the slave station is enabled, the master station can continue to send working data to the slave station. During this period, the data transmission authority of the master station is closed only when the master station identity data verification module 407 fails to authenticate the master station in the verification process of a subsequent cycle. In this way, after the first verification succeeds, normal data transmission between the master station and the slave station is not affected, that is, the efficiency of normal data transmission is preserved while the security of data transmission is ensured.
  • An embodiment of the present invention provides an electronic device, which can take the form of a computing device (for example, a server device), and includes a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein, when the processor executes the computer program, the field bus-based data transmission method in Embodiment 1 or the field bus-based identification method in Embodiment 2 of the present invention can be implemented.
  • FIG. 10 shows a schematic diagram of the hardware structure of this embodiment.
  • the electronic device 9 specifically includes:
  • At least one processor 91, at least one memory 92, and a bus 93 for connecting different system components (including processor 91 and memory 92), wherein:
  • the bus 93 includes a data bus, an address bus and a control bus.
  • Memory 92 includes volatile memory, such as random access memory (RAM) 921 and/or cache memory 922 , and may further include read only memory (ROM) 923 .
  • The memory 92 also includes a program/utility 925 having a set (at least one) of program modules 924 including, but not limited to, an operating system, one or more application programs, other program modules, and program data; each or some combination of these examples may include an implementation of a network environment.
  • The processor 91 executes various functional applications and data processing by running the computer program stored in the memory 92, such as the field bus-based data transmission method in the first embodiment of the present invention or the field bus-based identification method in the second embodiment of the present invention.
  • The electronic device 9 may further communicate with one or more external devices 94 (e.g., keyboards, pointing devices, etc.). Such communication may take place through input/output (I/O) interface 95. Also, the electronic device 9 may communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) through a network adapter 96. The network adapter 96 communicates with other modules of the electronic device 9 via the bus 93.
  • An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of the field bus-based data transmission method in Embodiment 1 of the present invention or the field bus-based identification method in Embodiment 2 of the present invention.
  • The readable storage media may include, but are not limited to, portable disks, hard disks, random access memories, read-only memories, erasable programmable read-only memories, optical storage devices, magnetic storage devices, or any suitable combination of the above.
  • The present invention can also be implemented in the form of a program product, which includes program code; when the program product runs on a terminal device, the program code is used to cause the terminal device to execute the steps of the field bus-based data transmission method in the first embodiment of the present invention or the field bus-based identification method in the second embodiment of the present invention.
  • The program code for executing the present invention can be written in any combination of one or more programming languages, and the program code can be executed entirely on the user's device, partly on the user's device, as an independent software package, partly on the user's device and partly on the remote device, or entirely on the remote device.
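
The identity exchange described in the embodiments above (master station identity plaintext encrypted by rearranging character positions, the slave station's reply built from the target master station identifier, the target slave station identifier and the master station random code, and the three-way check in the slave station identity data verification module 307), sketched in Python as an added example that is not code from the patent. The identifier values, field widths, the permutation `RULE` and the single-use handling of the random code are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample values: the patent gives no concrete identifiers,
# field widths or encoding rule.
MASTER_ID = b"MST01"
SLAVE_ID = b"SLV07"
ID_LEN, CODE_LEN = 5, 8
FRAME_LEN = 2 * ID_LEN + CODE_LEN
# Hypothetical preset encoding rule: ciphertext[i] = plaintext[RULE[i]].
RULE = [11, 4, 17, 0, 9, 14, 2, 7, 16, 5, 12, 1, 8, 15, 3, 10, 6, 13]


def encode(plaintext: bytes) -> bytes:
    """Rearrange character positions according to the preset rule."""
    if len(plaintext) != FRAME_LEN:
        raise ValueError("unexpected identity frame length")
    # Characters are moved, never changed: length and character counts are kept.
    return bytes(plaintext[src] for src in RULE)


def decode(ciphertext: bytes) -> bytes:
    """Apply the inverse rule to restore the original positions."""
    if len(ciphertext) != FRAME_LEN:
        raise ValueError("unexpected identity frame length")
    plaintext = bytearray(FRAME_LEN)
    for i, src in enumerate(RULE):
        plaintext[src] = ciphertext[i]
    return bytes(plaintext)


def split_fields(plaintext: bytes):
    """Return (target master identifier, target slave identifier, random code)."""
    return plaintext[:ID_LEN], plaintext[ID_LEN:2 * ID_LEN], plaintext[2 * ID_LEN:]


class Master:
    def __init__(self, own_id: bytes, slave_id: bytes):
        self.own_id, self.slave_id = own_id, slave_id
        self.random_code = None          # outstanding master station random code
        self.slave_tx_allowed = False    # data transmission authority of the slave

    def build_identity(self) -> bytes:
        """Generate and encrypt the master station identity plaintext data."""
        self.random_code = secrets.token_hex(CODE_LEN // 2).encode()
        return encode(self.own_id + self.slave_id + self.random_code)

    def verify_slave(self, ciphertext: bytes) -> bool:
        """Three checks: master identifier, slave identifier, random code."""
        # Assumption: each random code is accepted for one reply only.
        expected, self.random_code = self.random_code, None
        try:
            m, s, code = split_fields(decode(ciphertext))
        except ValueError:               # treated as a decryption failure
            ok = False
        else:
            ok = (expected is not None
                  and hmac.compare_digest(m, self.own_id)
                  and hmac.compare_digest(s, self.slave_id)
                  and hmac.compare_digest(code, expected))
        self.slave_tx_allowed = ok       # closed again on any later failure
        return ok


class Slave:
    def __init__(self, own_id: bytes, master_id: bytes):
        self.own_id, self.master_id = own_id, master_id
        self.master_tx_allowed = False   # data transmission authority of the master

    def handle_master_identity(self, ciphertext: bytes):
        """Verify the master; return slave identity ciphertext, or None on failure."""
        try:
            m, s, code = split_fields(decode(ciphertext))
        except ValueError:
            ok = False
        else:
            ok = (hmac.compare_digest(m, self.master_id)
                  and hmac.compare_digest(s, self.own_id))
        self.master_tx_allowed = ok
        if not ok:
            return None
        # Reply carries the master's identifier, the slave's own identifier
        # and the master station random code it just received.
        return encode(m + self.own_id + code)


if __name__ == "__main__":
    master, slave = Master(MASTER_ID, SLAVE_ID), Slave(SLAVE_ID, MASTER_ID)
    reply = slave.handle_master_identity(master.build_identity())
    print("slave verified:", master.verify_slave(reply))
    master.build_identity()              # next cycle issues a new random code
    print("old reply accepted:", master.verify_slave(reply))
```

A reply that carries the random code of an earlier cycle fails the third check, and the slave station's data transmission authority is closed again, which is the behaviour the later-cycle verification in the text describes.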

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed in the present invention are a field bus-based data transmission method and system, a field bus-based identity verification method and system, a device, and a medium. The data transmission method comprises: generating master station identity plaintext data; encrypting the master station identity plaintext data to generate master station identity ciphertext data; and sending the master station identity ciphertext data to a slave station. In the present invention, on the basis of original communication data of a master station and the slave station, the master station identity plaintext data is independently generated and encrypted for identity verification between the master station and the slave station, after the slave station receives the encrypted data sent by the master station, the master station can obtain a permission of normal communication with the slave station only after the data is successfully decrypted and verified, and since the independently generated master station identity plaintext data occupies a small space for working data, the security of data transmission between the master station and the slave station is greatly improved on the premise of not influencing the normal communication efficiency between the master station and the slave station.

Description

基于现场总线的数据传输方法、身份识别方法及系统Fieldbus-based data transmission method, identification method and system
本申请要求申请日为2020/11/25的中国专利申请2020113428978的优先权。本申请引用上述中国专利申请的全文。This application claims the priority of Chinese patent application 2020113428978 with an application date of 2020/11/25. This application cites the full text of the above Chinese patent application.
技术领域technical field
本发明涉及数字安全技术领域,特别涉及一种基于现场总线的数据传输方法、身份识别方法、系统、设备及介质。The invention relates to the technical field of digital security, in particular to a field bus-based data transmission method, an identification method, a system, equipment and a medium.
背景技术Background technique
现场总线以分布式、开放、互联、高可靠性和低成本的特点广泛地应用于工业控制系统中,例如在风电场控制系统中,通常使用现场总线以实现工业控制系统中各部件之间及场站级监控中心与风机机组之间的控制、监测和通讯作用。在一般的基于现场总线的工业控制系统中,具有数据处理速度较慢、实时性要求高的特点。Fieldbus is widely used in industrial control systems with the characteristics of distribution, openness, interconnection, high reliability and low cost. For example, in wind farm control systems, fieldbuses are usually used to achieve the Control, monitoring and communication between the station-level monitoring center and the fan unit. In the general industrial control system based on field bus, it has the characteristics of slow data processing speed and high real-time requirements.
图1示出了(SupervisoryControlAndDataAcquisition检测控制和数据采集)系统构架示意图,SCADA系统是一种分布式远程计算机控制系统,主要用来测量和控制分布范围比较广的设备,对其生产过程进行监控。如图1所示,风场与场站级集中监控中心、场站级集中监控中心与总部级远程监控中心可以互为主站与从站通过现场总线进行通讯以传输数据,Figure 1 shows a schematic diagram of the (SupervisoryControlAndDataAcquisition detection control and data acquisition) system architecture. The SCADA system is a distributed remote computer control system, which is mainly used to measure and control equipment with a wide distribution range and monitor its production process. As shown in Figure 1, the wind farm and the site-level centralized monitoring center, the site-level centralized monitoring center and the headquarters-level remote monitoring center can communicate with each other through the field bus between the master station and the slave station to transmit data.
但是现场总线的协议标准是公开的,其主站与从站设备之间为明文通讯,有可能会发生主从站身份伪装,进而发生数据被窃取、篡改、伪装成合法信息等情况,对风机系统的安全运行造成非常大的威胁。图2示出了工业控制系统的现场总线系统构架示意图所示,其中,监听/破坏者可能会伪装成某一从站节点或者伪装成主站,对主站与从站的正常传输进行破坏,而现有的数据传输方式难以保证主站与从站之间能够进行安全的数据传输。However, the protocol standard of the fieldbus is open, and the communication between the master station and the slave station equipment is in plain text, and the identity of the master and slave stations may be disguised, and then data will be stolen, tampered, disguised as legal information, etc. The safe operation of the system poses a very big threat. Figure 2 shows the schematic diagram of the fieldbus system architecture of the industrial control system, in which the listener/destroyer may disguise as a slave node or disguise as the master to destroy the normal transmission between the master and the slave. However, the existing data transmission methods are difficult to ensure safe data transmission between the master station and the slave station.
Summary of the Invention
The technical problem to be solved by the present invention is to overcome the defect in the prior art that it is difficult to ensure the security of data transmission between a master station and a slave station when data is transmitted over a fieldbus, and to provide a fieldbus-based identity verification method, data transmission method, system, device and medium that can improve the security of data transmission between the master station and the slave station.
The present invention solves the above technical problem through the following technical solutions:
The present invention provides a fieldbus-based data transmission method. The data transmission method is applied in a master station and comprises:
generating master station identity plaintext data;
encrypting the master station identity plaintext data to generate master station identity ciphertext data, the master station identity ciphertext data being used by a slave station to authenticate the master station;
sending the master station identity ciphertext data to the slave station.
Preferably, in the step of encrypting the master station identity plaintext data to generate the master station identity ciphertext data, the positions of the characters in the master station identity plaintext data are rearranged according to a preset encoding rule to generate the master station identity ciphertext data.
Preferably, the master station identity plaintext data includes a target master station identifier.
Preferably, after the step of sending the master station identity ciphertext data to the slave station, the method further comprises:
receiving slave station identity ciphertext data sent by the slave station;
decrypting the slave station identity ciphertext data to generate slave station identity plaintext data;
determining whether the slave station identity plaintext data matches preset slave station plaintext data, and if so, confirming that authentication of the slave station has succeeded;
the master station identity plaintext data includes a master station random code, the slave station identity plaintext data includes the target master station identifier and the master station random code, and the preset slave station plaintext data includes a preset master station identifier and the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station;
when the target master station identifier matches the preset master station identifier and the master station random code matches the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station, the slave station identity plaintext data is determined to match the preset slave station plaintext data.
Preferably, the master station identity plaintext data further includes a target slave station identifier, and the preset slave station plaintext data further includes a preset slave station identifier;
determining that the slave station identity plaintext data matches the preset slave station plaintext data further requires that the target slave station identifier matches the preset slave station identifier.
Preferably, the target slave station identifier is also used by the slave station to authenticate the master station.
Preferably, before the step of generating the master station identity plaintext data, the method further comprises: randomly generating a target slave station identifier, wherein the target slave station identifier as updated in the slave station is used by the master station to authenticate the slave station.
Preferably, the step of sending the master station identity ciphertext data to the slave station is performed multiple times.
Preferably, the step of receiving the slave station identity ciphertext data sent by the slave station comprises: receiving the slave station identity ciphertext data sent by the slave station multiple times, counting the number of times the data is inconsistent among the multiple receptions, and determining whether that number is greater than a first preset number; if so, generating slave station identity error information; if not, performing the step of decrypting the slave station identity ciphertext data to obtain the slave station identity plaintext data.
Preferably, the step of receiving the slave station identity ciphertext data sent by the slave station comprises:
determining whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold; if not, generating slave station processing timeout information; if so, decrypting the slave station identity ciphertext data to generate the slave station identity plaintext data.
Preferably, the steps of generating the master station identity plaintext data, encrypting the master station identity plaintext data to generate the master station identity ciphertext data, and sending the master station identity ciphertext data to the slave station are performed periodically.
Preferably, the steps of receiving the slave station identity ciphertext data sent by the slave station, decrypting the slave station identity ciphertext data to generate the slave station identity plaintext data, and determining whether the target master station identifier matches the preset master station identifier are performed periodically; and, after the step in which authentication of the slave station is confirmed as successful for the first time, if the result of the step of determining whether the slave station identity plaintext data matches the preset slave station identity data is negative, authentication of the slave station is confirmed as failed.
Preferably, the master station includes a master station authority token. When the master station authority token is a first identifier, the master station has authority to execute the data transmission method; when the master station authority token is a second identifier, the master station does not have authority to execute the data transmission method;
before the step of generating the master station identity plaintext data, the method further comprises the step of setting the master station authority token to the first identifier;
after the step of sending the master station identity ciphertext data to the slave station, the method further comprises setting the master station authority token to the second identifier.
The present invention also provides a fieldbus-based identity verification method. The identity verification method is applied in a slave station and comprises:
receiving master station identity ciphertext data sent by a master station;
decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
determining whether the master station identity plaintext data is consistent with preset master station identity data, and if so, confirming that authentication of the master station has succeeded.
Preferably, in the step of decrypting the identity ciphertext data, the positions of the characters in the master station identity ciphertext data are restored according to a preset decoding rule corresponding to the preset encoding rule to generate the master station identity plaintext data.
Preferably, the master station identity plaintext data includes a target master station identifier and the preset master station identity data includes a preset master station identifier; when the master station identity plaintext data matches the preset master station identity data, the target master station identifier is determined to match the preset master station identifier.
Preferably, the master station identity plaintext data further includes a master station random code, the master station random code being used by the master station to authenticate the slave station, and after the step of confirming that authentication of the master station has succeeded, the method further comprises:
generating slave station identity plaintext data from the target master station identifier and the master station random code, the slave station identity plaintext data being used by the master station to authenticate the slave station;
encrypting the slave station identity plaintext data to generate slave station identity ciphertext data;
sending the slave station identity ciphertext data to the master station.
Preferably, the master station identity plaintext data further includes a target slave station identifier, and in the step of generating the slave station identity plaintext data from the target master station identifier and the master station random code, the slave station identity plaintext data is generated from the target master station identifier, the target slave station identifier and the master station random code.
Preferably, the preset slave station identity data further includes a preset slave station identifier, and determining that the target master station identifier matches the preset master station identifier further comprises:
determining that the target slave station identifier matches the preset slave station identifier.
Preferably, before the step of generating the slave station identity plaintext data, the method further comprises updating the target slave station identifier according to the slave station's own identifier, the updated target slave station identifier being used by the master station to authenticate the slave station.
Preferably, the step of receiving the master station identity ciphertext data sent by the master station comprises: receiving the master station identity ciphertext data sent by the master station multiple times, and determining whether, among the data received multiple times, a first preset number of pieces of data are inconsistent with the other data; if so, generating master station identity error information; if not, performing the step of decrypting the master station identity ciphertext data to obtain the master station identity plaintext data.
Preferably, in the step of sending the slave station identity ciphertext data to the master station, the slave station identity ciphertext data is sent to the master station multiple times.
Preferably, after the step of sending the slave station identity ciphertext data to the master station, the method comprises:
determining whether the master station identity ciphertext data sent by the master station is received within a second time threshold, and if not, generating master station processing timeout information.
Preferably, the steps of receiving the master station identity ciphertext data sent by the master station, decrypting the master station identity ciphertext data to obtain the master station identity plaintext data, and determining whether the master station identity plaintext data is consistent with the preset plaintext data are performed periodically; after authentication of the master station is confirmed as successful for the first time, the slave station is allowed to receive and process working data sent by the master station; and, after the step in which authentication of the master station is confirmed as successful for the first time, if the result of the step of determining whether the master station identity plaintext data matches the preset master station identity data is negative, authentication of the master station is confirmed as failed.
Preferably, the steps of generating the slave station identity plaintext data, encrypting the slave station identity plaintext data to generate the slave station identity ciphertext data, and sending the slave station identity ciphertext data to the master station are performed periodically.
Preferably, the slave station includes a slave station authority token. When the slave station authority token is the second identifier, the slave station has authority to execute the identity verification method; when the slave station authority token is the first identifier, the slave station does not have authority to execute the identity verification method;
before the step of generating the slave station identity plaintext data, the method further comprises the step of setting the slave station authority token to the second identifier;
after the step of sending the slave station identity ciphertext data to the slave station, the method further comprises setting the slave station authority token to the first identifier.
The present invention also provides a fieldbus-based data transmission system. The data transmission system is applied in a master station and comprises a master station identity data generation module, a master station identity data encryption module and a master station identity data sending module;
the master station identity data generation module is configured to generate master station identity plaintext data;
the master station identity data encryption module is configured to encrypt the master station identity plaintext data to generate master station identity ciphertext data, the master station identity ciphertext data being used by a slave station to authenticate the master station;
the master station identity data sending module is configured to send the master station identity ciphertext data to the slave station.
The present invention also provides a fieldbus-based identity verification system. The identity verification system is applied in a slave station and comprises a master station identity data receiving module, a master station identity data decryption module and a master station identity data judgment module;
the master station identity data receiving module is configured to receive master station identity ciphertext data sent by a master station;
the master station identity data decryption module is configured to decrypt the master station identity ciphertext data to obtain master station identity plaintext data;
the master station identity data verification module is configured to determine whether the master station identity plaintext data is consistent with preset master station identity data, and if so, to confirm that authentication of the master station has succeeded.
The present invention also provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the data transmission method and the identity verification method described above.
The positive effect of the present invention is as follows: on top of the existing communication data between the master station and the slave station, master station identity plaintext data is generated separately and encrypted for authentication between the master and slave stations. After the slave station receives the encrypted data sent by the master station, the master station obtains permission to communicate normally with the slave station only once the data has been decrypted successfully and verified successfully. Because the separately generated master station identity plaintext data occupies little space compared with the working data, the security of data transmission between the master and slave stations is greatly increased without affecting the normal communication efficiency between them.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the system architecture of a SCADA system.
Figure 2 is a schematic diagram of the fieldbus system architecture of an industrial control system.
Figure 3 is a flowchart of the fieldbus-based identity verification method of Embodiment 1 of the present invention.
Figure 4 is a schematic diagram of the format of the master station identity plaintext data in Embodiment 1.
Figure 5 is a flowchart of an implementation of step 104 in Embodiment 1.
Figure 6 is a flowchart of the fieldbus-based identity verification method of Embodiment 2 of the present invention.
Figure 7 is a schematic flowchart of the fieldbus-based identity verification method in a specific scenario of Embodiment 2.
Figure 8 is a schematic module diagram of the fieldbus-based identity verification system of Embodiment 3 of the present invention.
Figure 9 is a schematic module diagram of the fieldbus-based identity verification system of Embodiment 4 of the present invention.
Figure 10 is a schematic module diagram of the electronic device of Embodiment 5 of the present invention.
Detailed Description
The present invention is further described below by way of embodiments, but is not thereby limited to the scope of the described embodiments.
Embodiment 1
This embodiment provides a fieldbus-based data transmission method applied in a master station. As shown in Figure 3, the data transmission method comprises:
Step 101: Generate master station identity plaintext data.
The master station identity plaintext data is distinct from the other data (referred to herein as working data): it is independent data, separated out on its own, that the slave station uses to authenticate the master station.
In this embodiment the master station identity plaintext data can be implemented in several ways. In one implementation it includes a target master station identifier; in another, a target master station identifier and a target slave station identifier; in another, a master station identifier and a master station random code; in another, a target master station identifier, a target slave station identifier and a master station random code; in another, a target slave station identifier; and in another, a master station random code.
For ease of description, the following uses as the example the case in which the master station identity plaintext data includes a target master station identifier, a target slave station identifier and a master station random code. Figure 4 shows the format of the master station identity plaintext data in one specific implementation: it contains the target master station identifier B01, with a data length of X bits; the target slave station identifier B02, with a data length of Y bits; and the master station random code B03, with a data length of Z bits. Depending on the number of master and slave stations on the fieldbus and on the requirements of the application, the lengths X, Y and Z can take any reasonable values. For example, with X = 4 bits, Y = 4 bits and Z = 8 bits, the length of the master station identity plaintext data is X + Y + Z = (4 + 4 + 8) bits = 16 bits.
The target master station identifier B01 is data agreed between the master station and the slave station, and the master station random code B03 is randomly generated data. In a first scenario, the target slave station identifier B02 is data agreed between the master station and the slave station and stored in both; in a second scenario, the target slave station identifier B02 is randomly generated data.
It should be understood that the implementation of the master station identity plaintext data is not limited to the above and can be chosen according to the actual situation.
This embodiment provides several implementations of the master station identity plaintext data, which can be chosen according to the actual situation in practice, so the way the master station plaintext data is set up in this embodiment is widely applicable.
In this embodiment, the master station can randomly generate the target slave station identifier, which speeds up generation of the identity plaintext data and further improves the efficiency of the data transmission method of this embodiment. Alternatively, the master station can generate the target slave station identifier by prior agreement with the slave station so that the slave station can further verify the identity of the master station, which further improves the security of data transmission between the master and slave stations.
Step 102: Encrypt the master station identity plaintext data to generate master station identity ciphertext data.
The master station identity plaintext data can be encrypted in several ways. For example, an existing encryption algorithm can be used, such as a symmetric encryption algorithm like DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), IDEA (International Data Encryption Algorithm), AES (Advanced Encryption Standard) or RC (Rivest Cipher, an encryption algorithm), or an asymmetric encryption algorithm like RSA (a public-key cryptographic algorithm), DSA (Digital Signature Algorithm) or Diffie-Hellman (a method for ensuring that a shared key crosses an insecure network safely).
However, the processors of the master and slave stations are mostly embedded chips clocked on the order of hundreds of megahertz, with limited computing power. The execution cycle for all tasks is generally about 1 to 20 milliseconds and covers relatively complex work such as data acquisition, data calculation, data communication, sequential logic, control algorithms and fault protection, all with high real-time requirements. The communication speed of fieldbus devices in industrial control systems is generally 100 kbit/s (kilobits per second) to 12 Mbit/s, and processing of the communication data between the master and slave stations is generally required to complete within one task cycle.
Communication data encryption algorithms with strong confidentiality, whether the symmetric or the asymmetric algorithms mentioned above, require a very large amount of computation and are at present mostly used where the real-time requirements on the communication data are not high. If such an algorithm were used to encrypt and decrypt the authentication data within the 1 to 20 millisecond task cycle of the embedded chip, it would consume a great deal of the chip's time budget, so that not all tasks could complete within the execution cycle. This would seriously affect the real-time performance of communication, monitoring, sequential logic and control tasks between the fieldbus master and slave stations of the industrial control system, and the control requirements of the wind turbine unit could not be met.
Therefore, this embodiment preferably uses a computationally simple preset encoding rule to encrypt the master station plaintext data, overcoming the drawbacks of heavy, time-consuming computation and preserving the real-time performance of data transmission while improving its security. The preset encoding rule rearranges the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data. For example, each character of the master station random code can be inserted between the characters of the target master station identifier and the target slave station identifier, changing the positional relationship between the characters of the master station identity plaintext data. As another example, the order of the characters in the target master station identifier, the target slave station identifier and the master station random code can be shuffled. It should be understood that these preset encoding rules are only examples and do not limit this embodiment; in practice, other ways of rearranging the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data may be used.
In the prior art, the master station and the slave station communicate in plaintext, so a saboteur can easily masquerade as the slave station the master station needs to communicate with, receive the data sent by the master station, and thereby eavesdrop on or steal that data. In this embodiment, separate master station identity plaintext data is set up and encrypted, and the slave station can continue to receive and parse the working data sent by the master station only after it has decrypted the master station identity ciphertext data successfully, which improves the security of communication between the master station and the slave station.
In this embodiment, the master station identity plaintext data can be encrypted with a simple preset encoding rule, which both improves the security of the communication process between the master station and the slave station and preserves its real-time performance. In addition, the rules for setting up the master station identity plaintext data are simple, the data is short and the resources required are limited, so the security of the master-slave communication process is ensured without affecting the processing of the working data.
Step 103: Send the master station identity ciphertext data to the slave station.
The master station can either broadcast the master station identity ciphertext data to all slave stations or send it to the corresponding slave station by one-to-one unicast.
In a specific implementation, to avoid a failed transmission of the master station identity ciphertext data caused by objective factors such as communication faults or network congestion, step 103 in this embodiment includes sending the master station identity ciphertext data to the slave station multiple times. The number of transmissions can be set according to actual needs, for example 10.
In this embodiment, master station identity plaintext data is generated separately, on top of the existing communication data between the master station and the slave station, and is encrypted for identity verification between the two. After the slave station receives the encrypted data sent by the master station, the master station obtains permission to communicate normally with the slave station only when the data has been decrypted successfully and verified successfully. Because the separately generated master station identity plaintext data is small compared with the working data, the security of data transmission between the master and slave stations is greatly increased without affecting the efficiency of normal communication between them.
In this embodiment, the master station identity ciphertext data can be sent to the slave station multiple times, which avoids identity verification failures between the master and slave stations caused by network problems and further strengthens the security of data communication between them.
Since data communication is a mutual process, in a specific implementation the master station can also receive identity ciphertext data sent by the slave station in order to verify the slave station's identity. Specifically, as shown in FIG. 2, the following steps may follow step 103:
Step 104: Receive the slave station identity ciphertext data sent by the slave station.
For the way the slave station identity ciphertext data is received, refer to the way the master station identity ciphertext data sent by the master station is received in step 201 of Embodiment 2 below; it is not repeated here.
Step 105: Decrypt the slave station identity ciphertext data to generate the slave station identity plaintext data.
For the way the slave station identity ciphertext data is decrypted, refer to the way the master station identity ciphertext data is decrypted in step 202 of Embodiment 2; it is not repeated here.
Step 106: Determine whether the slave station identity plaintext data is consistent with the preset slave station identity data. If yes, go to step 107; if not, go to step 108.
Step 107: Confirm that the identity verification of the slave station succeeded.
Step 108: Confirm that the identity verification of the slave station failed.
Specifically, when the master station ciphertext data sent by the master station to the slave station in step 103 includes only the encrypted target master station identifier, the verification in step 106 determines whether the target master station identifier is consistent with the preset master station identity data. If yes, go to step 107; if not, go to step 108.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier and the target slave station identifier, the verification in step 106 determines whether the target master station identifier is consistent with the preset master station identity data and whether the target slave station identifier is consistent with the preset slave station identity data. If both results are yes, go to step 107; if not, go to step 108.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier and the master station random code, the verification in step 106 determines whether the target master station identifier is consistent with the preset master station identity data and whether the master station random code obtained after decryption matches the master station random code generated in step 101. If both results are yes, go to step 107; if not, go to step 108.
When the master station ciphertext data sent by the master station to the slave station in step 103 includes the encrypted target master station identifier, the target slave station identifier and the master station random code, the verification in step 106 determines whether the target master station identifier is consistent with the preset master station identity data, whether the target slave station identifier is consistent with the preset slave station identity data, and whether the master station random code obtained after decryption matches the master station random code generated in step 101. If all three results are yes, go to step 107; if not, go to step 108.
In this embodiment, if decryption does not succeed in step 105, or if the slave station identity plaintext data is inconsistent with the preset slave station identity data in step 106, the slave station is considered unsafe and communication between the master station and the slave station is prohibited. A slave station identity verification error message can also be generated to prompt the relevant personnel to handle the problem.
In this embodiment, the master station can verify the slave station using only the target master station identifier obtained after decryption, which speeds up verification while strengthening the security of data transmission between the master and slave stations. The master station can additionally verify the slave station using the target slave station identifier obtained after decryption, which further improves the security of data transmission between them. The master station can also verify the slave station using the randomly generated master station random code that it sent earlier, which further increases the reliability and security of data transmission between the master and slave stations.
In a specific implementation, as shown in FIG. 5, to improve the efficiency of identity verification between the master station and the slave station, step 104 may specifically include:
Step 1041: Determine whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold. If not, go to step 1042; if yes, go to step 105.
Step 1042: Generate slave station processing timeout information.
In this embodiment, if the master station does not receive the slave station identity ciphertext data within the first time threshold, it generates slave station processing timeout information. This information can be used to alert the relevant personnel, which safeguards the efficiency of identity verification between the master and slave stations while strengthening communication security.
In a specific implementation, a master station authority token may also be preset in the master station. When the master station authority token is the first identifier, the master station has permission to execute the data transmission method; when it is the second identifier, the master station does not have that permission. At the same time as or before the master station identity plaintext data is generated in step 101, the method may further include a step of setting the master station authority token to the first identifier.
Likewise, at the same time as or before the master station identity plaintext data is sent in step 103, the method may further include a step of setting the master station authority token to the second identifier.
Similarly, when the slave station identity ciphertext data is received in step 104, the method may further include a step of setting the master station authority token to the first identifier.
In this embodiment, the operating permission of the master station can be changed by modifying the master station authority token. It should be understood that at any given moment only one of the master station and the slave station has operating permission. Modifying the authority token prevents the master station and the slave station from processing the master station identity data and the slave station identity data at the same time, keeps the identity-related data in the two stations synchronized, and further ensures that the identification process between the master and slave stations can be carried out effectively.
In a specific implementation, to keep data transmission between the master and slave stations secure over time, steps 101 to 108 can be executed periodically. Within a preset time range, such as 24 hours or 48 hours, once the verification in step 106 confirms for the first time that the identity verification of the slave station succeeded, the data transmission permission of the slave station is enabled; that is, the master station is allowed to receive the working data sent by the corresponding slave station and to process it further.
When steps 101 to 108 are executed in later cycles, if the verification in step 106 confirms that the identity verification of the slave station failed, the data transmission permission of the slave station is disabled; that is, the master station is prohibited from receiving and processing the working data sent by the slave station.
It should be understood that, in this embodiment, the slave station ciphertext data can be decrypted over several of the later cycles, for example only 10 percent of the data in the second cycle, a further 20 percent in the third cycle, and a further 20 percent in the fourth cycle. Normal data processing between the master station and the slave station continues while the data is being decrypted. In one scenario, the decrypted slave station plaintext data is verified only after the slave station ciphertext data has been decrypted in full. In another scenario, verification is performed in segments while the slave station ciphertext data is being decrypted, for example verifying 10 percent as soon as 10 percent has been decrypted. In the first scenario, the identity verification of the slave station is considered to have failed if verification of the slave station plaintext data as a whole fails. In the second scenario, it is considered to have failed as soon as verification of a decrypted portion fails.
In this embodiment, the data transmission permission of the slave station is enabled after the first successful identity verification of the slave station. Once that permission is enabled, the slave station can keep sending working data to the master station, and the permission is disabled only if the identity verification of the slave station fails in a later verification cycle. In this way, normal data transmission between the master station and the slave station is unaffected after the first successful verification; the efficiency and real-time performance of normal data transmission are preserved while its security is ensured.
Embodiment 2
This embodiment provides a fieldbus-based identification method that is applied in a slave station. As shown in FIG. 6, the identification method includes:
Step 201: Receive the master station identity ciphertext data sent by the master station.
The master station identity ciphertext data received in step 201 is the data sent by the master station in step 103 of Embodiment 1.
In a specific implementation, step 201 may receive the master station identity ciphertext data sent by the master station multiple times and determine whether, among the data received, a first preset number of items are inconsistent with the rest. If yes, master station identity error information is generated; if not, step 202 is executed. Once the identity error information has been generated, it can be used to alert the relevant personnel to check the network, so that network problems do not interfere with identity verification between the master and slave stations.
The first preset number can be set according to the actual situation. Specifically, it can be set in proportion to the number of transmissions in step 103 of Embodiment 1; for example, the first preset number can be set to 1-0.7*the number of transmissions mentioned above. The coefficient 0.7 is only an illustration, and any coefficient, such as 0.6, 0.8 or 0.9, can be chosen according to the actual situation.
In this embodiment, receiving the master station identity ciphertext data multiple times and checking whether the copies received agree avoids identity verification failures between the master and slave stations caused by network problems and further strengthens the security of data communication between them.
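One way to implement the repeated-reception check of step 201, as an added example (not code from the patent). It assumes the expression for the first preset number means (1 - 0.7) × the number of transmissions, rounded, and it compares every copy against the most frequently received value; the function names and frame values are constructed.

```python
from collections import Counter


def mismatch_threshold(send_count, coefficient=0.7):
    """First preset number, read here as (1 - coefficient) * send_count.

    This reading is an assumption; the result is rounded and never below 1.
    """
    return max(1, round((1 - coefficient) * send_count))


def check_repeated_frames(frames, send_count, coefficient=0.7):
    """Compare the copies of the master identity ciphertext received in step 201.

    Returns (ciphertext, None) when the copies are consistent enough to go on
    to step 202, or (None, error_message) when master station identity error
    information has to be generated instead.
    """
    if not frames:
        return None, "master identity error: no copy received"

    # The reference value is the copy that was received most often.
    reference, hits = Counter(frames).most_common(1)[0]
    mismatches = len(frames) - hits
    limit = mismatch_threshold(send_count, coefficient)

    if mismatches >= limit:
        return None, (
            f"master identity error: {mismatches} of {len(frames)} "
            f"copies differ (limit {limit})"
        )
    return reference, None


if __name__ == "__main__":
    # Constructed sample: 10 transmissions, two copies damaged in transit.
    good = "M70K031QZZZZ"
    received = [good] * 8 + ["M70K0?1QZZZZ", "M70K031QZZZ!"]
    print(check_repeated_frames(received, send_count=10))
    # Three damaged copies reach the limit for 10 transmissions.
    print(check_repeated_frames(received[1:] + ["garbled"], send_count=10))
```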
Step 202: Decrypt the master station identity ciphertext data to obtain the master station identity plaintext data.
The master station identity ciphertext data is decrypted with the decryption method that corresponds to the encryption method used in step 102 of Embodiment 1. For example, when step 102 uses a preset encoding rule to rearrange the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data, step 202 uses the preset inverse encoding rule corresponding to that rule to restore the positions of the characters in the master station identity ciphertext data and generate the master station identity plaintext data.
For the master station identity plaintext data, refer to the master station identity plaintext data generated in step 101 of Embodiment 1; it is not repeated here.
Step 203: Determine whether the master station identity plaintext data is consistent with the preset master station identity data. If yes, go to step 204; if not, go to step 205.
Step 204: Confirm that the identity verification of the master station succeeded.
Step 205: Confirm that the identity verification of the master station failed; the process ends.
In this embodiment, after step 204 confirms that the identity verification of the master station succeeded, the slave station is allowed to receive and parse the working data sent by the corresponding master station. In other words, the corresponding master station thereby obtains permission to exchange data with the slave station.
In this embodiment, if decryption does not succeed in step 202, or if the master station identity plaintext data is inconsistent with the preset master station identity data in step 203, the master station is considered an unsafe master station and communication between the master station and the slave station is prohibited. A master station identity verification error message can also be generated to prompt the relevant personnel to handle the problem.
Specifically, in this embodiment, when the target slave station identifier B02 is randomly generated data, step 203 may determine whether the target master station identifier is consistent with the preset master station identity data. If yes, go to step 204; if not, go to step 205.
When the target slave station identifier B02 is data agreed between the master station and the slave station, step 203 may determine whether the target master station identifier is consistent with the preset master station identity data and, at the same time, whether the target slave station identifier is consistent with the preset slave station identity data. If both results are yes, go to step 204; if either result is no, go to step 205.
In this embodiment, the slave station can verify the master station using only the target master station identifier obtained after decryption, which speeds up verification while strengthening the security of data transmission between the master and slave stations. The slave station can additionally verify the master station using the target slave station identifier obtained after decryption, which further improves the security of data transmission between them.
Since data communication is a mutual process, in a specific implementation the slave station can generate slave station identity ciphertext data so that the master station can verify the identity of the slave station. Specifically, the following steps may follow steps 204 and 205:
Step 206: Generate the slave station identity plaintext data.
The slave station identity plaintext data is distinct from the other data (referred to in this text as working data); it is separate, independently extracted data used by the master station to verify the identity of the slave station.
The slave station identity plaintext data can be implemented in several ways. For the specific implementations, refer to the implementations of the master station plaintext data in Embodiment 1; they are not repeated here.
For ease of description, the following takes as an example slave station identity plaintext data that includes the target master station identifier, the target slave station identifier and the master station random code. Specifically, in this embodiment the slave station identity plaintext data is generated from the target master station identifier, the target slave station identifier and the master station random code received from the master station.
In a specific implementation, when the target slave station identifier in the master station identity plaintext data of Embodiment 1 is a target slave station identifier agreed in advance with the slave station, the slave station identity plaintext data can be generated from the target slave station identifier received from the master station.
In another specific implementation, when the target slave station identifier in the master station identity plaintext data of Embodiment 1 is a randomly generated target slave station identifier, the slave station replaces the target slave station identifier with its own identifier and generates the slave station identity plaintext data from the updated target slave station identifier.
Depending on the master station identity plaintext data sent by the master station, this embodiment provides several implementations of the slave station identity plaintext data, which can be chosen according to the actual situation, so the way the slave station plaintext data is set has broad applicability.
In this embodiment, slave station plaintext data for verifying the identity of the slave station can be generated both when the target slave station identifier is generated randomly and when it is generated according to a prior agreement, which improves the applicability of the identification method of this embodiment as well as the security of data transmission between the master and slave stations.
Step 207: Encrypt the slave station identity plaintext data to generate the slave station identity ciphertext data.
For the method of encrypting the slave station identity plaintext data, refer to the method of encrypting the master station identity plaintext data in step 102 of Embodiment 1; it is not repeated here.
Step 208: Send the slave station identity ciphertext data to the master station.
For the method of sending the slave station identity ciphertext data, refer to the method of sending the master station identity ciphertext data in step 103 of Embodiment 1; it is not repeated here.
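The exchange of steps 101 to 108 and 201 to 208, using the interleaving rule given as the first example of a preset encoding rule, as an added example (not code from the patent). It follows the variant in which the master's target slave station identifier is random and the slave overwrites it with its own identifier; the fixed field lengths, identifier values and function names are assumptions.

```python
import secrets
import string

# Assumption: both stations agree on fixed field lengths, which the inverse
# rule needs in order to split the rearranged characters back into fields.
MASTER_LEN, SLAVE_LEN, CODE_LEN = 4, 4, 4
ALPHABET = string.ascii_uppercase + string.digits


def random_text(length):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encode(master_id, slave_id, code):
    """Preset encoding rule: insert the random-code characters between the
    characters of the two identifiers."""
    if (len(master_id), len(slave_id), len(code)) != (MASTER_LEN, SLAVE_LEN, CODE_LEN):
        raise ValueError("field length does not match the agreed layout")
    ids = master_id + slave_id
    out = []
    for i in range(max(len(ids), CODE_LEN)):
        if i < len(ids):
            out.append(ids[i])
        if i < CODE_LEN:
            out.append(code[i])
    return "".join(out)


def decode(cipher):
    """Preset inverse rule: put every character back in its original field."""
    ids_len = MASTER_LEN + SLAVE_LEN
    if not isinstance(cipher, str) or len(cipher) != ids_len + CODE_LEN:
        raise ValueError("ciphertext does not have the agreed length")
    ids, code = [], []
    chars = iter(cipher)
    for i in range(max(ids_len, CODE_LEN)):
        if i < ids_len:
            ids.append(next(chars))
        if i < CODE_LEN:
            code.append(next(chars))
    ids = "".join(ids)
    return ids[:MASTER_LEN], ids[MASTER_LEN:], "".join(code)


def master_begin(master_id, code=None):
    """Steps 101-103: build and encode the master identity data. The target
    slave identifier is random here (the variant the slave overwrites)."""
    code = code or random_text(CODE_LEN)
    return code, encode(master_id, random_text(SLAVE_LEN), code)


def slave_respond(cipher, preset_master_id, own_id):
    """Steps 202-208: verify the master, then answer with the slave identity
    ciphertext. Returns None when decoding or verification fails."""
    try:
        master_id, _placeholder, code = decode(cipher)
    except ValueError:
        return None
    if master_id != preset_master_id:  # step 203, random-identifier variant
        return None
    return encode(master_id, own_id, code)  # steps 206-207


def master_verify(reply, master_id, preset_slave_id, sent_code):
    """Steps 105-108: all three fields must match for verification to succeed."""
    try:
        fields = decode(reply)
    except ValueError:
        return False
    return fields == (master_id, preset_slave_id, sent_code)


if __name__ == "__main__":
    # Constructed identifiers: master "M001", slave "S017".
    code, request = master_begin("M001")
    reply = slave_respond(request, "M001", "S017")
    print(request, reply, master_verify(reply, "M001", "S017", code))
```

The rule only repositions characters, so the ciphertext is made up of exactly the characters of the plaintext; the per-round random code is what distinguishes one exchange from the next.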
In a specific implementation, a slave station authority token may also be preset in the slave station. When the slave station authority token is the second identifier, the slave station has permission to execute the identification method; when it is the first identifier, the slave station does not have that permission. At the same time as or before the master station identity plaintext data is received in step 201, the method may further include a step of setting the slave station authority token to the second identifier.
Likewise, when the master station identity ciphertext data is received in step 208, the method may further include a step of setting the slave station authority token to the second identifier.
In this embodiment, the operating permission of the slave station can be changed by modifying the slave station authority token. At any given moment only one of the master station and the slave station has operating permission. Modifying the authority token prevents the master station and the slave station from processing the master station identity data and the slave station identity data at the same time, keeps the identity-related data in the two stations synchronized, and further ensures that the identification process between the master and slave stations can be carried out effectively.
In a specific implementation, to keep data transmission between the master and slave stations secure, steps 201 to 208 can be executed periodically. Within a preset time range, such as 24 hours or 48 hours, once the verification in step 203 confirms for the first time that the identity verification of the master station succeeded, the data transmission permission of the master station is enabled; that is, the slave station is allowed to receive the working data sent by the corresponding master station and to process it further.
When steps 201 to 208 are executed in later cycles, if the verification in step 203 confirms that the identity verification of the master station failed, the data transmission permission of the slave station is disabled; that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
It should be understood that, in this embodiment, the master station ciphertext data can be decrypted over several of the later cycles, for example only 10 percent of the data in the second cycle, a further 20 percent in the third cycle, and a further 20 percent in the fourth cycle. Normal data processing between the master station and the slave station continues while the data is being decrypted. In one scenario, the decrypted master station plaintext data is verified only after the master station ciphertext data has been decrypted in full. In another scenario, verification is performed in segments while the master station ciphertext data is being decrypted, for example verifying 10 percent as soon as 10 percent has been decrypted. In the first scenario, the identity verification of the master station is considered to have failed if verification of the master station plaintext data as a whole fails. In the second scenario, it is considered to have failed as soon as verification of a decrypted portion fails.
In this embodiment, the data transmission permission of the master station is enabled after the first successful identity verification of the master station. Once that permission is enabled, the master station can keep sending working data to the slave station, and the permission is disabled only if the identity verification of the master station fails in a later verification cycle. In this way, normal data transmission between the master station and the slave station is unaffected after the first successful verification; the efficiency of normal data transmission is preserved while its security is ensured.
To better understand the identity recognition method of this embodiment, it is described below through a specific scenario:
As shown in FIG. 7, after the master station and slave station hardware has been set up and communication between them has been successfully established, the identity of the master station is verified through steps 201 to 205. Within a preset time range, if the result of judging whether the first identity verification is valid is yes, the identity verification timer is incremented by 1; it should be understood that the default value of the identity verification timer can be preset according to actual needs. If the result of judging whether the first identity verification is valid is no, the master and slave stations perform the first identity verification operation, specifically steps 202 and 203, and it is then judged whether the first identity verification operation has completed. If it has, it is further judged whether the first identity verification passed. If the first identity verification operation has not completed, the flow ends; there may be a network or other fault, and the relevant personnel can be notified to handle it.
If the first identity verification passed, the identity verification timer is cleared and the first identity verification flag is set to 1, after which other tasks can be performed, such as receiving and parsing the working data transmitted by the master station. It should be understood that, at every preset interval, the flow returns to judging whether the first identity verification flag is valid, so that verification is performed cyclically.
After the identity verification timer has been incremented by 1, it can further be judged whether the timer has reached its upper limit. If not, the result of the identity verification is considered still valid and other tasks can be performed. If the timer has reached the upper limit, steps 201 to 205 can be executed again to perform the identity verification operation between the master and slave stations; in this embodiment, specifically, the slave station verifies the identity of the master station. It should be understood that, because the first identity verification has already passed, while the identity of the master station is being verified in later cycles (that is, while the result of judging whether the identity verification operation has completed is no), the slave station can still perform other tasks and carry on normal data communication. When the identity verification operation has completed, it is further judged whether this non-first identity verification passed. If so, the master station is considered to have passed identity verification, the identity verification timer is cleared, and the slave station can go on to perform other tasks; if not, an identity verification error is reported and communication is interrupted.
It should be understood that the process by which the master station verifies the slave station may refer to the above process by which the slave station verifies the master station, and is not repeated here.
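The cyclic flow of FIG. 7, combined with the segment-by-segment verification over several cycles described above, is shown here in C as an added example that is not part of the patent text. The permutation table, the identifier string, the chunk size, the timer limit and the fail-closed grace period for a re-verification that never completes are all assumptions, as are the function names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ID_LEN        8  /* assumed: 4-char master ID followed by 4-char slave ID */
#define CHUNK         2  /* assumed: ciphertext bytes decoded and checked per cycle */
#define REAUTH_LIMIT  5  /* assumed upper limit of the verification timer, in cycles */
#define REAUTH_GRACE  6  /* assumed: cycles allowed for a re-verification to finish */

/* Constructed preset rule: ciphertext position i carries plaintext position PERM[i]. */
static const uint8_t PERM[ID_LEN] = {3, 6, 0, 5, 1, 7, 2, 4};
/* Constructed identifiers agreed in advance between master and slave. */
static const char PRESET_ID[ID_LEN + 1] = "M001S007";

typedef enum { AUTH_PENDING, AUTH_OK, AUTH_FAIL } auth_result_t;

typedef struct {
    bool     first_auth_ok;   /* first identity verification flag */
    bool     blocked;         /* communication interrupted after a failed check */
    bool     reauth_active;   /* a periodic re-verification is in progress */
    uint32_t timer;           /* identity verification timer, in cycles */
    size_t   done;            /* ciphertext bytes already decoded and checked */
    char     frame[ID_LEN];   /* identity ciphertext being verified */
} slave_ctx_t;

/* Master side: apply the preset rule to the identity plaintext. */
void permute_identity(const char plain[ID_LEN], char out[ID_LEN])
{
    for (size_t i = 0; i < ID_LEN; i++)
        out[i] = plain[PERM[i]];
}

/* Decode and check up to n more bytes; stops at the first bad segment. */
static auth_result_t verify_chunk(slave_ctx_t *c, size_t n)
{
    size_t end = c->done + n;
    if (end > ID_LEN)
        end = ID_LEN;
    for (; c->done < end; c->done++)
        if (c->frame[c->done] != PRESET_ID[PERM[c->done]])
            return AUTH_FAIL;
    return c->done == ID_LEN ? AUTH_OK : AUTH_PENDING;
}

static void load_frame(slave_ctx_t *c, const char *id_frame)
{
    memcpy(c->frame, id_frame, ID_LEN);
    c->done = 0;
}

/* One task cycle on the slave. id_frame is the identity ciphertext received this
 * cycle, or NULL. Returns true if working data may be processed in this cycle. */
bool slave_cycle(slave_ctx_t *c, const char *id_frame)
{
    auth_result_t r = AUTH_PENDING;

    if (c->blocked)
        return false;
    if (!c->first_auth_ok) {            /* first verification: whole frame at once */
        if (id_frame == NULL)
            return false;               /* operation not completed, no permission */
        load_frame(c, id_frame);
        if (verify_chunk(c, ID_LEN) != AUTH_OK)
            return false;
        c->first_auth_ok = true;
        c->timer = 0;
        return true;
    }
    if (++c->timer < REAUTH_LIMIT)
        return true;                    /* earlier result is still valid */
    if (!c->reauth_active && id_frame != NULL) {
        load_frame(c, id_frame);
        c->reauth_active = true;
    }
    if (c->reauth_active)
        r = verify_chunk(c, CHUNK);     /* one segment per cycle */
    if (r == AUTH_PENDING && c->timer >= REAUTH_LIMIT + REAUTH_GRACE)
        r = AUTH_FAIL;                  /* never completed: fail closed (assumption) */
    if (r == AUTH_FAIL) {
        c->reauth_active = false;
        c->blocked = true;              /* report error, interrupt communication */
        return false;
    }
    if (r == AUTH_OK) {
        c->reauth_active = false;
        c->timer = 0;
    }
    return true;                        /* working data keeps flowing meanwhile */
}
```

With these constants a re-verification takes four cycles, during which working data is still accepted; a frame that differs in one character is rejected in the cycle that reaches the affected segment.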
Embodiment 3
This embodiment provides a field bus-based data transmission system applied in a master station. As shown in FIG. 8, the data transmission system includes a master station identity data generation module 301, a master station identity data encryption module 302 and a master station identity data sending module 303.
The master station identity data generation module 301 is configured to generate master station identity plaintext data.
The master station identity plaintext data is distinct from other data (referred to herein as working data); it is separately extracted, independent data used by the slave station to verify the identity of the master station.
In this embodiment, the master station identity plaintext data can be implemented in several ways. In one implementation, it includes the target master station identifier; in another, the target master station identifier and the target slave station identifier; in another, the master station identifier and the master station random code; in another, the target master station identifier, the target slave station identifier and the master station random code; in another, the target slave station identifier; and in another, the master station random code.
For ease of description, the following takes as an example the case in which the master station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code. FIG. 4 shows the format of the master station identity plaintext data in one specific implementation; for the specific format, refer to the format of the master station plaintext data in Embodiment 1, which is not repeated here.
The target master station identifier B01 is data agreed between the master station and the slave station, and the master station random code B03 is randomly generated data. In a first scenario, the target slave station identifier B02 is data agreed between the master station and the slave station and stored in both; in a second scenario, the target slave station identifier B02 is randomly generated data.
It should be understood that the implementation of the master station identity plaintext data is not limited to the above and can be selected according to the actual situation.
This embodiment provides multiple implementations of the master station identity plaintext data, which can be selected according to the actual situation in practice; the way of setting the master station plaintext data in this embodiment is therefore widely applicable.
In this embodiment, the master station identity data generation module 301 can randomly generate the target slave station identifier, which speeds up generation of the identity plaintext data and further improves the efficiency of the data transmission system of this embodiment. In this embodiment, the master station identity data generation module 301 can also generate the target slave station identifier according to a prior agreement between the master station and the slave station, so that the slave station can further verify the identity of the master station, thereby further improving the security of data transmission between the master and slave stations.
The master station identity data encryption module 302 is configured to encrypt the master station identity plaintext data to generate master station identity ciphertext data.
The master station identity data encryption module 302 can encrypt the master station identity plaintext data in various ways. For example, it can use an encryption algorithm from the prior art to encrypt the master station plaintext data, such as a symmetric encryption algorithm (DES, 3DES, IDEA, AES, RC, etc.) or an asymmetric encryption algorithm (RSA, DSA, Diffie-Hellman, etc.).
However, the processors of the master and slave stations are mostly embedded chips with a main frequency in the 100 MHz range and limited computing power. The execution cycle for all tasks is generally about 1 to 20 milliseconds and covers relatively complex work such as data acquisition, data calculation, data communication, sequential logic, control algorithms and fault protection, with very high real-time requirements. The communication speed of field bus devices in industrial control systems is generally 100 kbit/s (kilobits per second) to 12 Mbit/s, and processing of the communication data between master and slave stations is generally required to complete within one task cycle.
Highly confidential communication data encryption algorithms, whether the symmetric or the asymmetric algorithms mentioned above, all require a very large amount of computation, and are currently used mostly where the real-time requirements on communication data are not high. If such an algorithm were used to encrypt and decrypt the communication identity verification data within the 1 to 20 millisecond task cycle of the embedded chip, it would consume a great deal of the chip's time, so that not all tasks could be executed within the cycle. This would ultimately seriously impair the real-time performance of communication, monitoring, sequential logic, control and other task processing between the field bus-based master and slave stations of the industrial control system, and could not meet the control requirements of the wind turbine unit.
Therefore, in this embodiment the master station identity data encryption module 302 preferentially uses a computationally simple preset encoding rule to encrypt the master station plaintext data, overcoming the drawbacks of heavy, time-consuming computation and ensuring real-time data transmission while improving its security. The preset encoding rule rearranges the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data. For example, each character of the master station random code can be inserted between the characters of the target master station identifier and the target slave station identifier, changing the positional relationship between the characters of the master station identity plaintext data. As another example, the order of the characters in the target master station identifier, the target slave station identifier and the master station random code can be shuffled. It should be understood that these preset encoding rules are only examples and do not limit this embodiment; in practice, other ways of rearranging the positions of the characters in the master station identity plaintext data may be used to generate the master station identity ciphertext data.
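The first preset encoding rule above (random-code characters inserted between the identifier characters), together with the slave-side decoding and identifier check, is shown here in C as an added example that is not part of the patent text. The field lengths, the sample identifiers and all function and type names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ID_LEN    4                     /* assumed length of each identifier */
#define RND_LEN   4                     /* assumed length of the master random code */
#define IDS_LEN   (2 * ID_LEN)
#define FRAME_LEN (IDS_LEN + RND_LEN)   /* RND_LEN must be smaller than IDS_LEN */

/* Constructed identifiers, agreed in advance and stored in both stations. */
static const char PRESET_MASTER[ID_LEN + 1] = "M001";
static const char PRESET_SLAVE[ID_LEN + 1]  = "S007";

typedef struct {
    char master_id[ID_LEN];   /* target master station identifier (B01) */
    char slave_id[ID_LEN];    /* target slave station identifier (B02) */
    char rnd[RND_LEN];        /* master station random code (B03) */
} identity_t;

typedef enum { ID_OK, ID_BAD_LENGTH, ID_BAD_MASTER, ID_BAD_SLAVE } id_verdict_t;

/* Master side: place one random-code character after each of the first
 * RND_LEN identifier characters, so every one lands between two of them. */
void interleave_identity(const identity_t *p, char out[FRAME_LEN])
{
    char ids[IDS_LEN];
    size_t k = 0;

    memcpy(ids, p->master_id, ID_LEN);
    memcpy(ids + ID_LEN, p->slave_id, ID_LEN);
    for (size_t i = 0; i < IDS_LEN; i++) {
        out[k++] = ids[i];
        if (i < RND_LEN)
            out[k++] = p->rnd[i];
    }
}

/* Slave side: undo the rearrangement. The caller has checked the length. */
static void deinterleave_identity(const char in[FRAME_LEN], identity_t *p)
{
    char ids[IDS_LEN];
    size_t k = 0;

    for (size_t i = 0; i < IDS_LEN; i++) {
        ids[i] = in[k++];
        if (i < RND_LEN)
            p->rnd[i] = in[k++];
    }
    memcpy(p->master_id, ids, ID_LEN);
    memcpy(p->slave_id, ids + ID_LEN, ID_LEN);
}

/* Compare all n bytes without stopping at the first difference. */
static bool same_bytes(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Slave side: decode a received frame and check both identifiers against the
 * presets. On success the decoded random code is copied to rnd_out. */
id_verdict_t verify_master_frame(const char *frame, size_t len, char rnd_out[RND_LEN])
{
    identity_t got;

    if (frame == NULL || len != FRAME_LEN)
        return ID_BAD_LENGTH;
    deinterleave_identity(frame, &got);
    if (!same_bytes(got.master_id, PRESET_MASTER, ID_LEN))
        return ID_BAD_MASTER;
    if (!same_bytes(got.slave_id, PRESET_SLAVE, ID_LEN))
        return ID_BAD_SLAVE;
    memcpy(rnd_out, got.rnd, RND_LEN);
    return ID_OK;
}
```

The slave can check only the two agreed identifiers; the random code is returned to the caller because only the station that generated it can compare it.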
In the prior art, the master station and the slave station communicate in plaintext, so an attacker can easily pose as the slave station that the master station needs to communicate with, receive the data sent by the master station, and thereby eavesdrop on the data, steal it or commit other illegal acts. In this embodiment, the master station plaintext data generation module sets separate master station identity plaintext data and the master station identity data encryption module 302 encrypts that identity plaintext data; the slave station can continue to receive and parse the working data sent by the master station only after it has decrypted the master station identity ciphertext data successfully, which improves the security of communication between the master and slave stations.
In this embodiment, the master station identity data encryption module 302 can encrypt the master station identity plaintext data with a simple preset encoding rule, which both improves the security of the communication process between the master and slave stations and preserves its real-time performance. In addition, the rule by which the master station identity data generation module 301 sets the master station identity plaintext data is simple, the data is short, and the resources required are limited, so the security of the master-slave communication process is ensured without affecting the processing of working data.
The master station identity data sending module 303 is configured to send the master station identity ciphertext data to the slave station.
The master station identity data sending module 303 can either broadcast the master station identity ciphertext data to all slave stations or send it one-to-one (unicast) to the corresponding slave station.
In a specific implementation, to avoid failure to deliver the master station identity ciphertext data for objective reasons such as communication faults or network congestion, the master station identity data sending module 303 in this embodiment is configured to send the master station identity ciphertext data to the slave station multiple times; the number of transmissions can be set according to actual needs, for example 10.
In this embodiment, in addition to the original communication data between the master and slave stations, the master station identity data generation module 301 separately generates master station identity plaintext data, which the master station identity data encryption module 302 encrypts for use in identity verification between the master and slave stations. After the slave station receives the encrypted data sent by the master station, the master station obtains permission to communicate normally with the slave station only once the data has been decrypted successfully and verified successfully. Because the separately generated master station identity plaintext data occupies little space compared with the working data, the security of data transmission between the master and slave stations is greatly increased without affecting the efficiency of normal communication between them.
In this embodiment, the master station identity data sending module 303 can send the master station identity ciphertext data to the slave station multiple times, which avoids identity verification between the master and slave stations failing for network reasons and further strengthens the security of data communication between them.
Because data communication is a two-way process, in a specific implementation the master station can also receive identity ciphertext data sent by the slave station in order to verify the identity of the slave station. Specifically, the data transmission system further includes a slave station identity data receiving module 305, a slave station identity data decryption module 306 and a slave station identity data verification module 307, and the master station identity data sending module 303 is further configured to call the slave station identity data receiving module 305 after sending the master station identity ciphertext data to the slave station.
The slave station identity data receiving module 305 is configured to receive the slave station identity ciphertext data sent by the slave station. For the manner in which the slave station identity data receiving module 305 receives the slave station identity ciphertext data, refer to the manner in which the master station identity data receiving module 405 in Embodiment 4 below receives the master station identity ciphertext data sent by the master station; it is not repeated here.
The slave station identity data decryption module 306 is configured to decrypt the slave station identity ciphertext data to generate slave station identity plaintext data. For the manner in which the slave station identity data decryption module 306 decrypts the slave station identity ciphertext data, refer to the manner in which the master station identity data decryption module 406 in Embodiment 4 decrypts the master station identity ciphertext data; it is not repeated here.
The slave station identity data verification module 307 is configured to judge whether the slave station identity plaintext data matches preset slave station plaintext data; if so, identity verification of the slave station is confirmed successful, and if not, identity verification of the slave station is confirmed to have failed.
Specifically, when the master station ciphertext data sent by the master station identity data sending module 303 to the slave station includes only the encrypted target master station identifier, the slave station identity data verification module 307 verifies by judging whether the target master station identifier is consistent with the preset master station identity data; if so, identity verification of the slave station is confirmed successful, and if not, identity verification of the slave station is confirmed to have failed.
When the master station ciphertext data sent by the master station identity data sending module 303 to the slave station includes the encrypted target master station identifier and target slave station identifier, the slave station identity data verification module 307 verifies by judging whether the target master station identifier is consistent with the preset master station identity data and whether the target slave station identifier is consistent with the preset slave station identity data; if both results are yes, identity verification of the slave station is confirmed successful, and if not, identity verification of the slave station is confirmed to have failed.
When the master station ciphertext data sent by the master station identity data sending module 303 to the slave station includes the encrypted target master station identifier, target slave station identifier and master station random code, the slave station identity data verification module 307 verifies by judging whether the target master station identifier is consistent with the preset master station identity data, whether the target slave station identifier is consistent with the preset slave station identity data, and whether the master station random code obtained after decryption matches the master station random code generated by the master station identity data generation module 301; if all three results are yes, identity verification of the slave station is confirmed successful, and if not, identity verification of the slave station is confirmed to have failed.
In this embodiment, if the slave station identity data decryption module 306 does not decrypt successfully, or the slave station identity data verification module 307 judges that the slave station identity plaintext data is inconsistent with the preset slave station identity data, the slave station is considered to be an unsafe master station and communication between the master station and the slave station is prohibited; slave station identity verification error information may also be generated to prompt the relevant personnel to handle it.
In this embodiment, the slave station identity data decryption module 306 can verify the slave station using only the target master station identifier obtained after decryption, which speeds up verification while strengthening the security of data transmission between the master and slave stations. In this embodiment, the slave station identity data decryption module 306 can further verify the slave station using the target slave station identifier obtained after decryption, which further improves the security of data transmission between the master and slave stations. In this embodiment, the slave station identity data decryption module 306 can additionally verify the slave station using the randomly generated master station random code previously sent by the master station, which further increases the reliability and security of data transmission between the master and slave stations.
In a specific implementation, to improve the efficiency of identity verification between the master and slave stations, the slave station identity data receiving module 305 is further configured to judge whether the slave station identity ciphertext data sent by the slave station has been received within a first time threshold; if not, slave station processing timeout information is generated, and if so, the slave station identity data decryption module 306 is called.
In this embodiment, if the slave station identity data receiving module does not receive the slave station identity ciphertext data sent by the slave station within the first time threshold, slave station processing timeout information is generated, which can be used to alert the relevant personnel to handle the situation, so that the efficiency of identity verification between the master and slave stations is maintained while communication security is strengthened.
In a specific implementation, a master station permission token may also be preset in the master station. When the master station permission token is a first identifier, the master station has permission to execute the data transmission system; when the master station permission token is a second identifier, the master station does not have permission to execute the data transmission system. The data transmission system further includes a master station permission modification module 308; at the same time as or before the master station identity data generation module 301 generates the master station identity plaintext data, the master station permission modification module 308 may be called to set the master station permission token to the first identifier.
Likewise, at the same time as or before the master station identity data sending module 303 sends the master station identity plaintext data, the master station permission modification module 308 may be called to set the master station permission token to the second identifier.
Similarly, when the slave station identity data receiving module 305 receives the slave station identity ciphertext data, the master station permission modification module 308 may be called to set the master station permission token to the first identifier.
In this embodiment, the master station permission modification module 308 can modify the master station's operating permission by modifying the master station permission token. It should be understood that at any given moment only one of the master station and the slave station has operating permission. Modifying the permission token prevents the master station and the slave station from processing the master station identity data and the slave station identity data at the same time, keeps the identity-related data in the master and slave stations synchronized, and further ensures that the identity recognition process between the master and slave stations can proceed effectively.
In a specific implementation, to continuously ensure the security of data transmission between the master and slave stations, the master station identity data generation module 301, the master station identity data encryption module 302, the master station identity data sending module 303, the master station identity data judgment module 304, the slave station identity data receiving module 305, the slave station identity data decryption module 306, the slave station identity data verification module 307 and the master station permission modification module 308 may be called periodically. Within a preset time range, such as 24 hours or 48 hours, after the slave station identity data verification module 307 confirms for the first time that identity verification of the slave station has succeeded, the slave station's data transmission permission is enabled; that is, the master station is allowed to receive the working data sent by the corresponding slave station and to process that working data further.
In a subsequent cycle, if the slave station identity verification module confirms during verification that identity verification of the slave station has failed, the slave station's data transmission permission is disabled; that is, the master station is prohibited from receiving and processing the working data sent by the slave station.
It should be understood that, in this embodiment, the slave station identity data decryption module 306 may decrypt the slave station ciphertext data over multiple subsequent cycles: for example, only 10 percent of the data is decrypted in the second cycle, a further 20 percent in the third cycle, and a further 20 percent in the fourth cycle. While the data is being decrypted, normal data processing between the master station and the slave station continues. In one scenario, the slave station identity data verification module 307 verifies the decrypted slave station plaintext data only after the slave station identity data decryption module 306 has decrypted the slave station ciphertext data in full. In another scenario, the slave station identity data verification module 307 may verify segment by segment while the slave station identity data decryption module 306 is decrypting the slave station ciphertext data, for example verifying 10 percent once 10 percent has been decrypted. In the first scenario, if the slave station identity data verification module 307 fails the overall verification of the slave station plaintext data, identity verification of the slave station is considered to have failed; in the second scenario, identity verification of the slave station is considered to have failed when the slave station identity data verification module 307 fails to verify a decrypted portion of the data.
本实施例中,从站身份数据验证模块307在第一次对从站的身份验证成功后,则开启从站的数据传输权限,在从站对主站的数据传输权限开启后,从站可以持续向主站发送工作数据,在此期间,仅当在后续周期的验证过程中,从站身份数据验证模块307对从站的身份验证失败后,才会关闭从站的数据传输权限,在这种方式下,可以保证在第一次验证成功后,主站和从站之间的正常数据传输不受影响,即在保证数据传输安全性的同时不会影响到正常数据传输的效率与实时性。In this embodiment, the identity data verification module 307 of the slave station enables the data transmission authority of the slave station after the first successful identity verification of the slave station. After the data transmission authority of the slave station to the master station is enabled, the slave station can Continuously send working data to the master station. During this period, only when the slave station identity data verification module 307 fails to authenticate the slave station in the verification process of the subsequent cycle, the slave station's data transmission authority will be closed. In this way, it can be ensured that after the first verification is successful, the normal data transmission between the master station and the slave station will not be affected, that is, the efficiency and real-time performance of normal data transmission will not be affected while ensuring the security of data transmission. .
Embodiment 4
This embodiment provides a field bus-based identification system, which is applied in a slave station. As shown in FIG. 9, the identification system includes: a master station identity data receiving module 405, a master station identity data decryption module 406 and a master station identity data judgment module 304.
The master station identity data receiving module 405 is configured to receive the master station identity ciphertext data sent by the master station.
The master station identity ciphertext data received by the master station identity data receiving module 405 is the data sent by the master station identity data sending module 303 in Embodiment 3.
In a specific implementation, the master station identity data receiving module 405 may receive the master station identity ciphertext data sent by the master station multiple times, and the identification system may further include a master station identity data judgment module 304, configured to judge whether, among the data received multiple times, a first preset number of copies are inconsistent with the other copies. If so, master station identity error information is generated; if not, the master station identity data decryption module 406 is called. After generating the identity error information, the master station identity data receiving module 405 can use it to prompt the relevant personnel to check the network condition, so that network problems do not affect identity verification between the master and slave stations.
The first preset number can be set according to the actual situation. Specifically, it can be set in proportion to the number of times the master station identity data sending module 303 in Embodiment 3 sends the data; for example, the first preset number can be set to 1-0.7*the aforementioned number of transmissions. The coefficient 0.7 here is only an example; in practice the coefficient can be chosen freely according to the actual situation, such as 0.6, 0.8 or 0.9.
In this embodiment, the master station identity data receiving module 405 receives the master station identity ciphertext data multiple times and judges whether the copies received are consistent with each other, which avoids identity verification between the master and slave stations failing for network reasons and further strengthens the security of data communication between the master and slave stations.
The master station identity data decryption module 406 is configured to decrypt the master station identity ciphertext data to obtain the master station identity plaintext data.
The master station identity data decryption module 406 decrypts the master station identity ciphertext data using the decryption method that corresponds to the encryption method used by the master station identity data encryption module 302 in Embodiment 3. For example, when the master station identity data encryption module 302 uses a preset encoding rule to rearrange the positions of the characters in the master station identity plaintext data to generate the master station identity ciphertext data, the master station identity data decryption module 406 uses the preset reverse encoding rule corresponding to that preset encoding rule to restore the positions of the characters in the master station identity ciphertext data and so generate the master station identity plaintext data.
For the master station identity plaintext data, refer to the master station identity plaintext data generated by the master station identity data generation module 301 in Embodiment 3; it is not described again here.
The master station identity data verification module 407 is configured to judge whether the master station identity plaintext data is consistent with the preset master station identity data. If so, it confirms that the identity verification of the master station has succeeded; if not, it confirms that the identity verification of the master station has failed.
In this embodiment, after the master station identity data verification module 407 confirms that the identity verification of the master station has succeeded, the slave station is allowed to receive and parse the working data sent by the corresponding master station. In other words, the corresponding master station thereby obtains permission to exchange data with the slave station.
In this embodiment, if the master station identity data decryption module 406 fails to decrypt the data, or the master station identity data verification module 407 judges that the master station identity plaintext data is inconsistent with the preset master station identity data, the master station is regarded as an unsafe master station and communication between the master station and the slave station is prohibited. The master station identity data verification module 407 may further generate master station identity verification error information to prompt the relevant personnel to deal with it.
Specifically, in this embodiment, when the target slave station identifier B02 is randomly generated data, the master station identity data verification module 407 may judge whether the target master station identifier is consistent with the preset master station identity data. If so, it confirms that the identity verification of the master station has succeeded; if not, it confirms that the identity verification of the master station has failed.
When the target slave station identifier B02 is data agreed between the master station and the slave station, the master station identity data verification module 407 may judge whether the target master station identifier is consistent with the preset master station identity data and, at the same time, whether the target slave station identifier is consistent with the preset slave station identity data. If both judgments are yes, it confirms that the identity verification of the master station has succeeded; if either judgment is no, it confirms that the identity verification of the master station has failed.
In this embodiment, the master station identity data verification module 407 can verify the master station using only the target master station identifier obtained after decryption, which increases the verification speed while enhancing the security of data transmission between the master and slave stations. The master station identity data verification module 407 can additionally verify the master station using the target slave station identifier obtained after decryption, which further improves the security of data transmission between the master and slave stations.
Since data communication is a mutual process, in a specific implementation the slave station can generate slave station identity ciphertext data so that the master station can verify the identity of the slave station. Specifically, the identification system may further include: a slave station identity data generation module 401, a slave station identity data encryption module 402 and a slave station identity data sending module 403. The master station identity data verification module 407 is further configured to call the slave station identity data generation module 401 after confirming that the identity verification of the master station has succeeded.
The slave station identity data generation module 401 is configured to generate slave station identity plaintext data.
The slave station identity plaintext data is different from the other data (referred to in this text as working data); it is independent data, separated out on its own, that the master station uses to verify the identity of the slave station.
The slave station identity plaintext data can be implemented in several ways. For the specific implementations, refer to the implementations of the master station plaintext data in Embodiment 3; they are not described again here.
To make this embodiment easier to describe, the following takes as an example the case in which the slave station identity plaintext data includes the target master station identifier, the target slave station identifier and the master station random code. Specifically, in this embodiment, the slave station identity data generation module 401 generates the slave station identity plaintext data from the target master station identifier received from the master station, the target slave station identifier, and the master station random code received from the master station.
In a specific implementation, when the target slave station identifier in the master station identity plaintext data generated by the master station identity data generation module 301 in Embodiment 3 is a target slave station identifier agreed in advance with the slave station, the slave station identity data generation module 401 may generate the slave station identity plaintext data from the target slave station identifier received from the master station.
In another specific implementation, when the target slave station identifier in the master station identity plaintext data generated by the master station identity data generation module 301 in Embodiment 3 is a randomly generated target slave station identifier, the slave station identity data generation module 401 updates the target slave station identifier with the slave station's own identifier and generates the slave station identity plaintext data from the updated target slave station identifier.
In this embodiment, several implementations of the slave station identity plaintext data are provided, depending on the encrypted master station identity plaintext data sent by the master station identity data sending module 303. In practice, one can be selected according to the actual situation, so the way the slave station plaintext data is set in this embodiment is widely applicable.
In this embodiment, the slave station identity data generation module 401 can generate slave station plaintext data for verifying the identity of the slave station both when the master station identity data generation module 301 generates the target slave station identifier randomly and when it generates the target slave station identifier according to a prior agreement. This improves the applicability of the identification system in this embodiment and also improves the security of data transmission between the master and slave stations.
The slave station identity data encryption module 402 is configured to encrypt the slave station identity plaintext data to generate slave station identity ciphertext data. For how the slave station identity data encryption module 402 encrypts the slave station identity plaintext data, refer to how the master station identity data encryption module 302 in Embodiment 3 encrypts the master station identity plaintext data; it is not described again here.
The slave station identity data sending module 403 is configured to send the slave station identity ciphertext data to the master station. For how the slave station identity data sending module 403 sends the slave station identity ciphertext data, refer to how the master station identity data sending module in Embodiment 3 sends the master station identity ciphertext data; it is not described again here.
In a specific implementation, a slave station permission token may also be preset in the slave station. When the slave station permission token is the second identifier, the slave station has permission to execute the identification system; when the slave station permission token is the first identifier, the slave station does not have permission to execute the identification system. The identification system further includes a slave station permission modification module 408.
The slave station identity data generation module 401 is further configured to call the slave station permission modification module 408 to set the slave station permission token to the second identifier. Likewise, the slave station identity data sending module 403 is further configured to call the slave station permission modification module 408 to set the slave station permission token to the first identifier.
In this embodiment, the slave station permission modification module 408 can modify the operation permission of the slave station by modifying the slave station permission token. It should be understood that, at any one time, only one of the master station and the slave station has operation permission. Modifying the permission token prevents the master station and the slave station from processing the master station identity data and the slave station identity data at the same time, keeps the identity-related data in the master station and the slave station synchronized, and further ensures that the identification process between the master and slave stations can proceed effectively.
In a specific implementation, to ensure the security of data transmission between the master and slave stations, the slave station identity data generation module 401, the slave station identity data encryption module 402, the slave station identity data sending module 403, the slave station identity data judgment module 404, the master station identity data receiving module 405, the master station identity data decryption module 406, the master station identity data verification module 407 and the slave station permission modification module 408 may be called periodically. Within a preset time range, such as 24 hours or 48 hours, the master station identity data verification module 407 opens the data transmission permission of the master station after it confirms for the first time, during verification, that the identity verification of the master station has succeeded. That is, the slave station is allowed to receive the working data sent by the corresponding master station and to process that working data further.
When the master station identity data verification module 407 is called for verification in a subsequent cycle, if it confirms that the identity verification of the master station has failed, the data transmission permission of the slave station is closed, that is, the slave station is prohibited from receiving and processing the working data sent by the master station.
It should be understood that, in this embodiment, the master station identity data verification module 407 may decrypt the master station ciphertext data over multiple subsequent cycles: for example, only 10 percent of the data is decrypted in the second cycle, a further 20 percent in the third cycle, and a further 20 percent in the fourth cycle. While the data is being decrypted, normal data processing between the master station and the slave station continues. In one scenario, the master station identity data verification module 407 verifies the decrypted master station plaintext data only after the master station identity data decryption module 406 has decrypted the master station ciphertext data in its entirety. In another scenario, verification may be performed in segments while the master station identity data decryption module 406 is still decrypting the master station ciphertext data, for example verifying 10 percent as soon as 10 percent has been decrypted. In the first scenario, if the master station identity data verification module 407 fails to verify the master station plaintext data as a whole, the identity verification of the master station is deemed to have failed. In the second scenario, the identity verification of the master station is deemed to have failed when the master station identity data verification module 407 fails to verify a decrypted portion of the data.
In this embodiment, the master station identity data verification module 407 opens the data transmission permission of the master station after the first successful identity verification of the master station. Once the master station's permission to transmit data to the slave station is open, the master station can continuously send working data to the slave station. During this period, the data transmission permission of the master station is closed only when the master station identity data verification module 407 fails to verify the identity of the master station in a subsequent verification cycle. In this way, normal data transmission between the master station and the slave station is not affected after the first successful verification, so the security of data transmission is ensured without affecting the efficiency of normal data transmission.
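The slave-side cycle that Embodiment 4 describes (repeated reception, the consistency judgment, decoding with the reverse of the preset encoding rule, identifier comparison, the permission gate and the reply that carries the master's random code), as an added Python example that is not code from the patent. The permutation `PERM`, the 4-character field layout, the sample identifiers and the choice to leave the permission unchanged when copies are inconsistent are assumptions.

```python
from collections import Counter

# Assumed preset encoding rule: ciphertext[i] = plaintext[PERM[i]].
PERM = [7, 2, 11, 0, 5, 9, 3, 8, 1, 10, 4, 6]
ID_LEN = 4  # assumed layout: master id | slave id | master random code


def encode(plain):
    """Rearrange character positions according to the preset rule."""
    if len(plain) != len(PERM):
        raise ValueError("identity frame has the wrong length")
    return "".join(plain[p] for p in PERM)


def decode(cipher):
    """Apply the reverse rule to restore the original positions."""
    if len(cipher) != len(PERM):
        raise ValueError("identity frame has the wrong length")
    plain = [""] * len(PERM)
    for i, p in enumerate(PERM):
        plain[p] = cipher[i]
    return "".join(plain)


def agreed_copy(copies, max_inconsistent):
    """Return the frame most copies agree on, or None when more than
    max_inconsistent copies differ from it (the first preset number)."""
    if not copies:
        return None
    frame, hits = Counter(copies).most_common(1)[0]
    return frame if len(copies) - hits <= max_inconsistent else None


class SlaveStation:
    def __init__(self, own_id, preset_master_id, slave_id_pre_agreed):
        self.own_id = own_id
        self.preset_master_id = preset_master_id
        self.slave_id_pre_agreed = slave_id_pre_agreed
        self.master_permitted = False  # master's data transmission permission
        self.errors = []

    def _fail(self, reason):
        # A failed verification closes the permission, in any cycle.
        self.master_permitted = False
        self.errors.append(reason)
        return None

    def verify_master(self, copies, max_inconsistent):
        """Run one verification cycle; return the slave's reply frame or None."""
        frame = agreed_copy(copies, max_inconsistent)
        if frame is None:
            # Treated as a network fault: report it, skip decryption and
            # (assumption) leave the current permission unchanged.
            self.errors.append("master identity error: copies inconsistent")
            return None
        try:
            plain = decode(frame)
        except ValueError:
            return self._fail("decryption failed")
        master_id = plain[:ID_LEN]
        slave_id = plain[ID_LEN:2 * ID_LEN]
        random_code = plain[2 * ID_LEN:]
        if master_id != self.preset_master_id:
            return self._fail("master identifier mismatch")
        if self.slave_id_pre_agreed and slave_id != self.own_id:
            return self._fail("slave identifier mismatch")
        self.master_permitted = True
        # Reply: a random target slave id is replaced by the slave's own id;
        # the master's random code is echoed back.
        return encode(master_id + self.own_id + random_code)


if __name__ == "__main__":
    good = encode("M001" + "S007" + "4821")  # constructed sample frame
    station = SlaveStation("S007", "M001", slave_id_pre_agreed=True)
    reply = station.verify_master([good] * 4 + ["?" * 12], max_inconsistent=1)
    print(decode(reply), station.master_permitted)
    # A later cycle carrying a wrong master identifier closes the permission.
    station.verify_master([encode("M999S0074821")] * 5, max_inconsistent=1)
    print(station.master_permitted, station.errors)
```

A fixed position permutation carries no key and no integrity check, so the security of this flow rests entirely on the encoding rule staying secret; a deployment would pair the same message flow with an authenticated cipher or a MAC.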
Embodiment 5
An embodiment of the present invention provides an electronic device, which may take the form of a computing device (for example, a server device) and includes a memory, a processor and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it can implement the field bus-based data transmission method of Embodiment 1 or the field bus-based identification method of Embodiment 2 of the present invention.
FIG. 10 is a schematic diagram of the hardware structure of this embodiment. As shown in FIG. 10, the electronic device 9 specifically includes:
At least one processor 91, at least one memory 92, and a bus 93 for connecting different system components (including the processor 91 and the memory 92), wherein:
The bus 93 includes a data bus, an address bus and a control bus.
The memory 92 includes volatile memory, such as random access memory (RAM) 921 and/or cache memory 922, and may further include read-only memory (ROM) 923.
The memory 92 also includes a program/utility 925 having a set of (at least one) program modules 924. Such program modules 924 include, but are not limited to, an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The processor 91 executes various functional applications and data processing by running the computer program stored in the memory 92, for example the field bus-based data transmission method of Embodiment 1 or the field bus-based identification method of Embodiment 2 of the present invention.
The electronic device 9 may further communicate with one or more external devices 94 (for example, a keyboard or a pointing device). Such communication may take place through an input/output (I/O) interface 95. The electronic device 9 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 96. The network adapter 96 communicates with the other modules of the electronic device 9 via the bus 93. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 9, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID (disk array) systems, tape drives and data backup storage systems.
It should be noted that, although several units/modules or sub-units/modules of the electronic device are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the present application, the features and functions of two or more units/modules described above may be embodied in one unit/module. Conversely, the features and functions of one unit/module described above may be further divided so as to be embodied by multiple units/modules.
Embodiment 6
An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, it implements the steps of the field bus-based data transmission method of Embodiment 1 or the field bus-based identification method of Embodiment 2 of the present invention.
More specifically, the readable storage medium may include, but is not limited to: a portable disk, a hard disk, a random access memory, a read-only memory, an erasable programmable read-only memory, an optical storage device, a magnetic storage device, or any suitable combination of the above.
In a possible implementation, the present invention can also be implemented in the form of a program product that includes program code. When the program product runs on a terminal device, the program code causes the terminal device to execute the steps of the field bus-based data transmission method of Embodiment 1 or the field bus-based identification method of Embodiment 2 of the present invention.
The program code for carrying out the present invention can be written in any combination of one or more programming languages. The program code may execute entirely on the user equipment, partly on the user equipment, as a stand-alone software package, partly on the user equipment and partly on a remote device, or entirely on a remote device.
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that they are only examples and that the protection scope of the present invention is defined by the appended claims. Those skilled in the art can make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and all such changes and modifications fall within the protection scope of the present invention.

Claims (17)

  1. A field bus-based data transmission method, characterized in that the data transmission method is applied in a master station and comprises:
    generating master station identity plaintext data;
    encrypting the master station identity plaintext data to generate master station identity ciphertext data, the master station identity ciphertext data being used for a slave station to authenticate the master station;
    sending the master station identity ciphertext data to the slave station.
  2. The field bus-based data transmission method according to claim 1, characterized in that the master station identity plaintext data includes a target master station identifier.
  3. The field bus-based data transmission method according to claim 2, characterized in that, after the step of sending the master station identity ciphertext data to the slave station, the method further comprises:
    receiving slave station identity ciphertext data sent by the slave station;
    decrypting the slave station identity ciphertext data to generate slave station identity plaintext data;
    judging whether the slave station identity plaintext data matches preset slave station plaintext data, and if so, confirming that the identity verification of the slave station has succeeded;
    the master station identity plaintext data includes a master station random code, the slave station identity plaintext data includes the target master station identifier and the master station random code, and the preset slave station plaintext data includes a preset master station identifier and the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station;
    when the target master station identifier matches the preset master station identifier and the master station random code matches the target master station identifier sent in the step of sending the master station identity ciphertext data to the slave station, it is judged that the slave station identity plaintext data matches the preset slave station plaintext data.
  4. 如权利要求3所述的基于现场总线的数据传输方法,其特征在于,所述主站身份明文数据还包括目标从站标识符,所述预设从站明文数据还包括预设从站标识符;The fieldbus-based data transmission method according to claim 3, wherein the master station identity plaintext data further includes a target slave station identifier, and the preset slave station plaintext data further includes a preset slave station identifier ;
    所述判断所述从站身份明文数据与预设从站明文数据相符还包括:所述目标从站标识符与所述预设从站标识符相符。The judging that the plaintext data of the slave station identity is consistent with the preset plaintext data of the slave station further includes: the target slave station identifier is consistent with the preset slave station identifier.
  5. The fieldbus-based data transmission method according to claim 4, wherein the target slave station identifier is further used by the slave station to authenticate the master station;
    and/or,
    before the step of generating the master station identity plaintext data, the method further includes: randomly generating a target slave station identifier, wherein the target slave station identifier as updated in the slave station is used by the master station to authenticate the slave station;
    and/or,
    the step of sending the master station identity ciphertext data to the slave station is performed multiple times.
  6. The fieldbus-based data transmission method according to claim 3, wherein the step of receiving the slave station identity ciphertext data sent by the slave station includes: receiving the slave station identity ciphertext data sent by the slave station multiple times, counting the number of times the data is inconsistent among the data received multiple times, and determining whether that number is greater than a first preset number; if so, generating slave station identity error information; if not, performing the step of decrypting the slave station identity ciphertext data to obtain the slave station identity plaintext data;
    and/or,
    the step of receiving the slave station identity ciphertext data sent by the slave station includes:
    determining whether the slave station identity ciphertext data sent by the slave station is received within a first time threshold range; if not, generating slave station processing timeout information; if so, decrypting the slave station identity ciphertext data to generate the slave station identity plaintext data;
    and/or,
    periodically performing the steps of receiving the slave station identity ciphertext data sent by the slave station, decrypting the slave station identity ciphertext data to generate the slave station identity plaintext data, and determining whether the target master station identifier matches the preset master station identifier; and, after the step of confirming for the first time that the identity verification of the slave station is successful, if the result of the step of determining whether the slave station identity plaintext data matches the preset slave station identity data is negative, confirming that the identity verification of the slave station has failed.
  7. The fieldbus-based data transmission method according to any one of claims 1-6, wherein
    the steps of generating the master station identity plaintext data, encrypting the master station identity plaintext data to generate the master station identity ciphertext data, and sending the master station identity ciphertext data to the slave station are performed periodically;
    and/or,
    in the step of encrypting the master station identity plaintext data to generate the master station identity ciphertext data, the positions of the characters in the master station identity plaintext data are rearranged according to a preset coding rule to generate the master station identity ciphertext data;
    and/or,
    the master station includes a master station authority token; when the master station authority token is a first identifier, the master station has the authority to execute the data transmission method, and when the master station authority token is a second identifier, the master station does not have the authority to execute the data transmission method;
    before the step of generating the master station identity plaintext data, the method further includes the step of: setting the master station authority token to the first identifier;
    after the step of sending the master station identity ciphertext data to the slave station, the method further includes: setting the master station authority token to the second identifier.
  8. A fieldbus-based identification method, wherein the identification method is applied in a slave station, and the identification method includes:
    receiving master station identity ciphertext data sent by a master station;
    decrypting the master station identity ciphertext data to obtain master station identity plaintext data;
    determining whether the master station identity plaintext data is consistent with preset master station identity data, and if so, confirming that the identity verification of the master station is successful.
  9. The fieldbus-based identification method according to claim 8, wherein the master station identity plaintext data includes a target master station identifier, the preset master station identity data includes a preset master station identifier, and when the master station identity plaintext data matches the preset master station identity data, it is determined that the target master station identifier matches the preset master station identifier.
  10. The fieldbus-based identification method according to claim 9, wherein the master station identity plaintext data further includes a master station random code, the master station random code is used by the master station to authenticate the slave station, and after the step of confirming that the identity verification of the master station is successful, the method further includes:
    generating slave station identity plaintext data according to the target master station identifier and the master station random code, wherein the slave station identity plaintext data is used by the master station to authenticate the slave station;
    encrypting the slave station identity plaintext data to generate slave station identity ciphertext data;
    sending the slave station identity ciphertext data to the master station.
  11. The fieldbus-based identification method according to claim 10, wherein the master station identity plaintext data further includes a target slave station identifier, and in the step of generating the slave station identity plaintext data according to the target master station identifier and the master station random code: the slave station identity plaintext data is generated according to the target master station identifier, the target slave station identifier and the master station random code.
  12. The fieldbus-based identification method according to claim 11, wherein the preset slave station identity data further includes a preset slave station identifier, and the step of determining that the target master station identifier matches the preset master station identifier further includes:
    determining that the target slave station identifier matches the preset slave station identifier;
    and/or,
    before the step of generating the slave station identity plaintext data, the method further includes: updating the target slave station identifier according to the slave station's own identifier, wherein the updated target slave station identifier is used by the master station to authenticate the slave station;
    and/or,
    the step of receiving the master station identity ciphertext data sent by the master station includes: receiving the master station identity ciphertext data sent by the master station multiple times, and determining whether, among the data received multiple times, there is a first preset number of data items that are inconsistent with the other data; if so, generating master station identity error information; if not, performing the step of decrypting the master station identity ciphertext data to obtain the master station identity plaintext data.
  13. The fieldbus-based identification method according to claim 10, wherein
    in the step of sending the slave station identity ciphertext data to the master station: the slave station identity ciphertext data is sent to the master station multiple times;
    and/or,
    after the step of sending the slave station identity ciphertext data to the master station, the method includes:
    determining whether the master station identity ciphertext data sent by the master station is received within a second time threshold range, and if not, generating master station processing timeout information;
    and/or,
    the steps of generating the slave station identity plaintext data, encrypting the slave station identity plaintext data to generate the slave station identity ciphertext data, and sending the slave station identity ciphertext data to the master station are performed periodically.
  14. The fieldbus-based identification method according to any one of claims 8-13, wherein the steps of receiving the master station identity ciphertext data sent by the master station, decrypting the master station identity ciphertext data to obtain the master station identity plaintext data, and determining whether the master station identity plaintext data is consistent with the preset plaintext data are performed periodically; after the identity verification of the master station is confirmed as successful for the first time, receiving and processing of working data sent by the master station is allowed; and, after the step of confirming for the first time that the identity verification of the master station is successful, if the result of the step of determining whether the master station identity plaintext data matches the preset master station identity data is negative, it is confirmed that the identity verification of the master station has failed;
    and/or,
    in the step of decrypting the identity ciphertext data, the positions of the characters in the master station identity ciphertext data are restored according to a preset inverse coding rule corresponding to the preset coding rule to generate the master station identity plaintext data;
    and/or,
    the slave station includes a slave station authority token; when the slave station authority token is a second identifier, the slave station has the authority to execute the identification method, and when the slave station authority token is a first identifier, the slave station does not have the authority to execute the identification method;
    before the step of generating the slave station identity plaintext data, the method further includes the step of: setting the slave station authority token to the second identifier;
    after the step of sending the slave station identity ciphertext data to the slave station, the method further includes: setting the slave station authority token to the first identifier.
  15. A fieldbus-based data transmission system, wherein the data transmission system is applied in a master station, and the data transmission system includes: a master station identity data generation module, a master station identity data encryption module and a master station identity data sending module;
    the master station identity data generation module is configured to generate master station identity plaintext data;
    the master station identity data encryption module is configured to encrypt the master station identity plaintext data to generate master station identity ciphertext data, wherein the master station identity ciphertext data is used by a slave station to authenticate the master station;
    the master station identity data sending module is configured to send the master station identity ciphertext data to the slave station.
  16. A fieldbus-based identification system, wherein the identification system is applied in a slave station, and the identification system includes: a master station identity data receiving module, a master station identity data decryption module and a master station identity data judgment module;
    the master station identity data receiving module is configured to receive master station identity ciphertext data sent by a master station;
    the master station identity data decryption module is configured to decrypt the master station identity ciphertext data to obtain master station identity plaintext data;
    the master station identity data verification module is configured to determine whether the master station identity plaintext data is consistent with preset master station identity data, and if so, to confirm that the identity verification of the master station is successful.
  17. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the data transmission method according to any one of claims 1 to 7 and of the identification method according to any one of claims 8 to 14.
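The exchange set out in the claims above, as an added Python example that is not part of the patent text: the master sends an encoded challenge carrying both identifiers and a random code, the slave checks it against its presets and echoes the code back, and the master accepts only a reply that matches the current round. The permutation `RULE`, the `|` separator, the `#` pad, the field order, the station IDs `M01`/`S07` and the way inconsistent copies are counted are all assumptions made for illustration.

```python
import secrets
from collections import Counter

# All constants below are constructed for this example; the claims name a
# "preset coding rule" but give no concrete rule, separator or padding.
RULE = (3, 0, 4, 1, 5, 2)   # output slot i of a block takes input slot RULE[i]
BLOCK = len(RULE)
PAD = "#"                   # pad character, must not occur in IDs or codes
SEP = "|"                   # field separator

def encode(plain):
    """Claim 7 'encryption': rearrange character positions block by block."""
    plain += PAD * (-len(plain) % BLOCK)
    return "".join(plain[b + RULE[i]]
                   for b in range(0, len(plain), BLOCK) for i in range(BLOCK))

def decode(cipher):
    """Claim 14 inverse rule: put every character back in its original slot."""
    if len(cipher) % BLOCK:
        raise ValueError("frame length is not a multiple of the block size")
    out = [""] * len(cipher)
    for b in range(0, len(cipher), BLOCK):
        for i in range(BLOCK):
            out[b + RULE[i]] = cipher[b + i]
    return "".join(out).rstrip(PAD)

def fields_of(cipher):
    """Decode a frame into its fields; a malformed or missing frame gives []."""
    try:
        return decode(cipher).split(SEP)
    except (TypeError, ValueError):
        return []

def accept_repeated(frames, max_inconsistent):
    """Claim 6: the same frame is received several times; reject the batch when
    more than max_inconsistent copies differ from the most common copy."""
    frame, hits = Counter(frames).most_common(1)[0]
    return frame if len(frames) - hits <= max_inconsistent else None

class Slave:
    def __init__(self, own_id, preset_master_id):
        self.own_id, self.preset_master_id = own_id, preset_master_id

    def respond(self, cipher):
        """Claims 8-12: verify the master, then echo its identifiers and code."""
        fields = fields_of(cipher)
        if len(fields) != 3:
            return None
        master_id, code, slave_id = fields
        if master_id != self.preset_master_id or slave_id != self.own_id:
            return None                       # master identity check failed
        return encode(SEP.join((master_id, slave_id, code)))

class Master:
    def __init__(self, own_id, preset_slave_id):
        self.own_id, self.preset_slave_id = own_id, preset_slave_id
        self.code = None

    def challenge(self):
        """Claims 3, 4, 15: fresh random code plus both identifiers, then encode."""
        self.code = secrets.token_hex(4)
        return encode(SEP.join((self.own_id, self.code, self.preset_slave_id)))

    def verify(self, cipher):
        """Claims 3-4: the reply must carry this round's identifiers and code."""
        expected = [self.own_id, self.preset_slave_id, self.code]
        ok = self.code is not None and fields_of(cipher) == expected
        self.code = None                      # each challenge is answered once
        return ok

if __name__ == "__main__":
    master, slave = Master("M01", "S07"), Slave("S07", "M01")  # constructed IDs
    frame = accept_repeated([master.challenge()] * 3, max_inconsistent=0)
    print("slave authenticated:", master.verify(slave.respond(frame)))
```

A position-only rule leaves every plaintext character in the frame, so in this sketch the protection of the exchange rests entirely on the rule staying unknown to anyone who can observe the bus.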
PCT/CN2021/094641 2020-11-25 2021-05-19 Field bus-based data transmission method and system, and field bus-based identity verification method and system WO2022110688A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011342897.8 2020-11-25
CN202011342897.8A CN112468493A (en) 2020-11-25 2020-11-25 Data transmission method, identity recognition method and system based on field bus

Publications (1)

Publication Number Publication Date
WO2022110688A1 true WO2022110688A1 (en) 2022-06-02

Family

ID=74809677

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/094641 WO2022110688A1 (en) 2020-11-25 2021-05-19 Field bus-based data transmission method and system, and field bus-based identity verification method and system

Country Status (2)

Country Link
CN (1) CN112468493A (en)
WO (1) WO2022110688A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468493A (en) * 2020-11-25 2021-03-09 上海电气风电集团股份有限公司 Data transmission method, identity recognition method and system based on field bus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102010038323A1 (en) * 2010-07-23 2012-01-26 Siemens Aktiengesellschaft Method for identifying field device component of slave in field bus system of automation system utilized for connecting apparatus with control device, involves identifying apparatus based on transmitted identification data
CN105610837A (en) * 2015-12-31 2016-05-25 上海交通大学 Method and system for identity authentication between master station and slave station in SCADA (Supervisory Control and Data Acquisition) system
CN106790173A (en) * 2016-12-29 2017-05-31 浙江中控技术股份有限公司 A kind of method and system of SCADA system and its RTU controller bidirectional identity authentications
CN110300108A (en) * 2019-06-26 2019-10-01 国网山东省电力公司临朐县供电公司 A kind of power distribution automation message encryption transmission method, system, terminal and storage medium
CN112311553A (en) * 2020-08-24 2021-02-02 山东卓文信息科技有限公司 Equipment authentication method based on challenge response
CN112468493A (en) * 2020-11-25 2021-03-09 上海电气风电集团股份有限公司 Data transmission method, identity recognition method and system based on field bus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925392A (en) * 2006-09-08 2007-03-07 四川长虹电器股份有限公司 Method for identification of equipment validity
CN109862041B (en) * 2019-03-27 2021-06-15 深圳市网心科技有限公司 Digital identity authentication method, equipment, device, system and storage medium
CN110995729B (en) * 2019-12-12 2022-09-16 广东电网有限责任公司电力调度控制中心 Control system communication method and device based on asymmetric encryption and computer equipment
CN110971610A (en) * 2019-12-12 2020-04-07 广东电网有限责任公司电力调度控制中心 Control system identity verification method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112468493A (en) 2021-03-09


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 30.10.2023).