Background technology
1. Encryption technology
Encryption technology is divided into two classes: symmetric encryption and asymmetric encryption. The principle of asymmetric encryption (asymmetric algorithms such as RSA, DSA and DH) is as follows:
Asymmetric encryption uses a private key that must be kept secret from unauthorized users and a public key that can be disclosed to anyone. The public key and the private key are mathematically linked: data encrypted with the public key can only be decrypted with the private key, and data signed with the private key can only be verified with the public key. The public key can be given to anyone; it is used to encrypt data to be sent to the holder of the private key. Both keys are unique to the communication session. Public-key encryption algorithms are also called asymmetric algorithms, because data encrypted with one key must be decrypted with the other key. The basic principle of the algorithm is a one-way function: f(a) = b, where it is difficult to obtain a from b.
One way to compromise data encrypted with this type of cipher is an exhaustive search of every possible key. Depending on the size of the key used for encryption, such a search is extremely time-consuming even on the fastest computers and is therefore infeasible. Larger keys make decryption harder still. Although encryption does not make it theoretically impossible for an adversary to retrieve the encrypted data, it greatly increases the cost of doing so. If an exhaustive search takes three months to retrieve data that is only meaningful for a few days, the exhaustive search method is impractical.
Public-key encryption has a larger key space (the range of possible key values) and is therefore less susceptible to exhaustive attacks that try every possible key. Because the public key does not need to be protected, it is easy to distribute. Public-key algorithms can be used to create digital signatures that verify the identity of the sender of data. Public-key encryption is typically used to encrypt the key and IV that a secret-key (symmetric) algorithm will use. After the key and IV have been transmitted, the remainder of the session uses secret-key encryption.
In terms of programming implementation, on existing platforms Microsoft .NET provides the following asymmetric (public/private key) cryptographic algorithms through the abstract base class System.Security.Cryptography.AsymmetricAlgorithm:
·DSACryptoServiceProvider
·RSACryptoServiceProvider
However, implementing asymmetric encryption in a program by calling the classes above is software encryption: the implementation is bound to the specific application, which limits the generality and flexibility of the encryption.
2. Data extraction and remote transmission over the Internet/Intranet
In relatively mature industrial monitoring applications such as industrial control systems, data extraction can support both modes: data "pushed" upward from the monitored end and data "pulled" downward by the monitoring end. In enterprise-level financial supervision applications, however, current B/S (browser/server) systems mostly support only uploading client data to the server; the server actively extracting data from a client is comparatively rare. In particular, for clients typified by financial software, the data is sensitive and the client should not be connected to the Internet, which makes such "pull" extraction more complicated to implement. For example, when a supervision system needs to extract, in real time, the data required by the supervision department from the databases (of various database types) of supervised financial software that is physically dispersed across multiple locations, today's mainstream Web application systems can only use the "push" mode, in which the users of the supervised financial systems actively report to the supervisory system. This falls far short of the financial supervision department's requirement to actively extract data (including account subjects, vouchers, etc.) from each financial machine client. In the "push" mode, data transmission is normally carried over the Internet, which is a packet-switched network; this transmission method requires both the monitoring end and the monitored end to be connected to the Internet in some way. This brings the following problems:
(1) Network security requires a heavyweight solution: for example, the monitoring end (server end) must adopt a network security system that includes a firewall, intrusion detection (prevention), etc., which is complex to implement and costly;
(2) The monitored end must be connected to the Internet in some way; if there is an explicit business requirement that the monitored end (such as financial software) must not be connected to the Internet, the problem cannot be solved;
(3) If the monitored end is allowed to connect to the Internet, it must have a reachable Internet IP address, for example through a leased line, VPN, modem or ADSL access. To satisfy the monitoring end's requirement for real-time data collection, the monitored end must be online 24 hours a day, so all of these access methods are, to varying degrees, costly. With VPN, modem or ADSL access there is the further problem that, once the connection is interrupted by a fault, the IP address changes dynamically after reconnection, so the monitoring end can no longer address the monitored end.
Unlike the Internet, the PSTN (public switched telephone network) is a global circuit-switched network for voice communication, with about 800 million users. It was originally a fixed-line analog telephone network; today the PSTN is almost entirely digital and includes both mobile and fixed-line telephones. PSTN-based transmission is a data transfer method realized by a computer working together with a telephone line and dedicated equipment (such as a modem). A modem (modulator-demodulator) is the device that converts signals between the computer and the telephone line. It consists of a modulator and a demodulator: the modulator modulates the computer's digital signals (such as files) into voice-band signals that can be transmitted over the telephone line, and at the receiving end the demodulator converts those signals back into digital signals that the computer can receive. With modems and a telephone line, data communication between computers can be achieved.
Summary of the invention
The object of the present invention is to provide a PSTN-based distributed data extraction method and implementation system that can guarantee data integrity and security during transmission.
The present invention targets enterprise-level application fields such as financial supervision and monitoring, and proposes a distributed data extraction method and implementation system based on PSTN secure communication. The invention gives the working steps and composition of a distributed data extraction middleware, uses the PSTN, modems and fixed telephone numbers for device communication and addressing, and uses a purpose-designed central encryption device and node encryption modules for user authentication and secure transmission. A system implemented according to this method can carry out real-time remote supervision or monitoring of multiple financial software installations that are physically dispersed across multiple computers.
In the monitoring and supervision business, some devices are unsuitable for connection to the Internet because they store sensitive data (financial systems, for example; the financial machine is used as the example throughout below). For this situation, the present invention proposes a solution that uses the PSTN (public switched telephone network) for active addressing of the client by the server end and for secure communication. Data extraction in this field has two characteristics: 1. it is actively initiated by the monitoring end (server end); 2. the monitored end (client) chosen by the monitoring end should have a relatively fixed addressing mode and be guaranteed to be online in real time. Under normal conditions the financial machine is not exposed on the Internet. Only when data needs to be extracted from a financial machine is it addressed, by a modem dialing its fixed telephone number, so that a connection is established with the specified financial machine. The data in the financial machine is then extracted by the data extraction middleware.
This implementation system can, remotely and while keeping the host of the supervised/monitored financial software secure (free from illegal intrusion and unauthorized access), automatically or passively extract financial data (including account subjects, vouchers, etc.) from different financial software (UFSOFT, Kingdee, Boke, Newgrand, etc.), in different software versions, physically deployed on many different computers. Data in transit is encrypted with a cryptographic algorithm that meets the national commercial cryptography standard, ensuring that financial data involving business secrets is not illegally intercepted, cracked or tampered with during transmission.
The goals of this method and implementation system:
1. The supervision/monitoring program can send data extraction commands to multiple supervised/monitored ends at any time, as required.
2. Guarantee that the host on which the supervised/monitored program runs is not illegally intruded upon or accessed.
3. Guarantee the integrity and security of data during transmission.
4. The data extraction middleware can adapt to multiple Web service applications and can work together with J2EE and ASP.NET applications.
5. Deployment is convenient, with server requirements as low as possible.
6. Strong adaptability: applicable to multiple network environments and financial software.
7. The interface is clear and easy to use; a Web application can easily communicate with the data extraction application, including issuing commands, obtaining data and querying status.
8. Support multiple database back ends.
The present invention does not use the approach common in information systems, in which terminal devices are connected to the Internet and addressed over the Internet. Instead, it proposes using modem (modulator-demodulator) devices to address devices over the PSTN (public switched telephone network), confirming access rights by certificate and encrypting the transmitted data with asymmetric encryption, forming a solution that runs from device addressing through to secure communication.
In the present invention, the modem is no longer a device for connecting to the Internet but a device that links digital terminal equipment (computers such as servers and PCs) to the PSTN. Digital terminal devices address each other by fixed telephone number and communicate point-to-point (end-to-end) over the PSTN. After addressing by fixed telephone number succeeds and a connection is established, the central encryption device and the node encryption module pass certificates between the digital devices to confirm access rights and guarantee the legitimacy of communication between the devices, and asymmetric encryption is used to encrypt the transmitted instructions and data to guarantee transmission security. Further, by polling, a star topology of one central digital terminal device (central node) to multiple monitored (supervised) digital terminal devices (child nodes) is supported. The principle is shown in Figure 1.
Overall, the implementation system can be divided into two major parts: the addressing and secure communication module, and the distributed data extraction module. The addressing and secure communication module consists of the central-node digital device (such as a server), N child-node digital devices (such as financial machines), dialing equipment (such as modems), the central encryption device, encryption modules, the certificate key management unit, etc. The distributed data extraction module consists of the data integration component (DI component), the client application component (CA component), the data extraction component (DEC component), the business database, the financial database, etc., as shown in Figure 3. Each is described in detail below.
Addressing and secure communication module
In the implementation system, the central-node digital device (the supervision-end server) 3 uses the monitoring-end modem 2 to initiate addressing of a child-node digital device (financial machine, etc.) 9 via the PSTN telephone network 1 and the monitored-end modem 8. After addressing succeeds and a connection is established, the central-node digital device 3 at the monitoring end calls the central encryption device 4 to send its certificate to the child-node digital device 9 at the monitored end for communication authentication. Certificate verification ensures that even if a third party illegally addresses and connects to a monitored child-node digital device, it cannot communicate with the monitored child node because it has no certificate, which prevents unauthorized access. For data transmission, the invention proposes using a cryptographic algorithm approved by the national commercial cryptography administration committee to encrypt and decrypt the transmitted data, guaranteeing the integrity and security of data in remote transmission. Encryption uses asymmetric encryption technology. The central-node digital device and each child-node digital device have their own public/private key certificates, which are issued by the certificate key management center (the design includes an update policy toward the financial machine end for when the server-end public key changes). First, the sender (the central-node digital device) generates a temporary session key and encrypts the plaintext with it to produce the ciphertext. The sender then obtains the recipient's public key certificate (each financial machine's key is stored on the server in LDAP form) and encrypts the session key with it; the encrypted session key and the ciphertext are sent to the recipient together. The recipient decrypts the encrypted session key with its own private key certificate, then uses the recovered session key to decrypt the ciphertext, obtaining the required data. Data transmission in the reverse direction uses the same mechanism. Certificates and keys are issued and maintained by an independent certificate key management unit. The certificate key management unit stores the certificate and key of each child-node digital device 9 directly in the corresponding encryption module; the certificate and key of the central encryption device 4 are stored by the certificate key management unit on a key card, which the central encryption device 4 reads through a card reader.
The physical deployment of the addressing and secure communication module in this project is shown in Figure 2.
Distributed data extraction module
The logical structure of the distributed data extraction module mainly comprises a computing part, consisting of the data integration component (DI), the client application component (CA), the data extraction component (DEC), etc., and an interconnection part, consisting of the distributed communication program (Server), the distributed communication program (Client), etc.
The data integration service component (DI) runs at the monitoring/supervision end. It is responsible for interacting with the other business systems that use this middleware and with the client application component (CA) of the remote monitored system: it accepts the data extraction parameters passed in by the other business systems, transmits these parameters remotely to the client application at the monitored end, receives the extracted data passed back by the client application (CA), and writes it to the database of the other business systems, keeping the data consistent.
The client application component (CA) runs on the monitored/supervised client. Its main role is to handle interaction with the remote server, that is, to solve the network transmission problem of the distributed middleware by passing parameters and data between the DEC component and the DI component. The CA component supports two different modes:
A) Passive client (Waiter mode), also called pulling data. In this mode the CA component needs no intervention from the operator of the monitored node: it runs automatically, accepts instructions from the remote DI component, performs the data extraction, and calls the appropriate network operation to return the result to the remote DI component.
B) Active client (Reporter mode), also called pushing data. This client does not run automatically: the user starts it manually and then starts a data extraction, after which it contacts the DI component and sends the data to it.
The CA component and the DI component communicate over a network; multiple networks such as PSTN/Internet/Intranet are supported. Specifically:
A) The client can communicate with the DI component over a particular network using the TCP/IP protocol.
B) DI can be reached over the above networks. DI connects to the CA component by modem dialing (or over the Internet, provided the monitored node is allowed to connect to the public network and has a fixed public IP address), sends instructions to the CA component, and starts data extraction.
DEC is designed as a component (a specific implementation can be developed as a COM+ component in .NET). It must run on the same physical computing resource as the monitored/supervised software and is used to extract monitoring data (such as financial data) directly from the databases of the various monitored systems (such as financial software). The component is called by the client application component; according to the parameters the client application component passes in, it extracts the corresponding field values from the monitored/supervised database, encapsulates them and passes them back to the client application. The current encapsulation standard is an XML document.
The monitoring/supervision (server) end deploys the following parts:
a. Data integration component DI,
b. Distributed communication program (Server),
c. Business database;
The monitored end (financial machine end) deploys the following parts:
a. CA component,
b. Distributed communication program (Client),
c. DEC component (including the data extraction program, testing tool and configuration tool) 12.
In a specific implementation, the distributed communication program (Server) can be merged into the DI component and the distributed communication program (Client) into the CA component. In operation, the data integration component DI is responsible for sending instructions to the CA component and, after processing the data the CA component returns, synchronizing it with the data of the calling system. The client application (CA), after receiving an instruction from the DI component, calls the DEC component, performs any necessary processing on the data the DEC component returns, and forwards it to the DI component.
The operating steps of data extraction based on the above implementation system are as follows:
Precondition: the DI component 5 and the business application component 13 can access the same business database 16. The DI component 5 defines a specific database specification, which the business application component 13 must satisfy; it issues commands and obtains data through the business database 16.
Pull mode:
Step 1: Start the DI component 5 at the monitoring server end and poll the business database 6; if no data extraction record meeting the requirements is found in the business database 6, return to step 1;
Step 2: If a data extraction record meeting the requirements is found in the business database 6, read the record, parse its parameters and query according to them to obtain the telephone number to be addressed and the extraction parameters such as start and end dates, subject numbers and voucher numbers;
Step 3: The DI component 5 calls modem 2, dials the telephone number to be addressed and, via the PSTN telephone network 1, initiates a connection to the specified CA component 13; if dialing fails, return to step 3; if three calls all fail, stop and report an error;
Step 4: Dialing succeeds; the DI component 3 calls the central encryption device 4 and sends the certificate for verification to the encryption module 14 of the child-node digital device 4 on which the specified CA component 13 resides; the encryption module 14 of the child-node digital device 9 calls the public key of the DI component to verify it; if verification fails, return to step 3;
Step 5: Certificate verification succeeds; the DI component 5 calls the central encryption device 4 to generate a session key, encrypts the extraction parameters with this session key to produce the ciphertext, encrypts the session key and the ciphertext with the public key of the CA component 13, and sends them to the encryption module 14 at the specified CA component 13;
Step 6: The encryption module 14 at the specified CA component 13 receives the information and calls its own private key to decrypt it; if this fails, return to step 3;
Step 7: Decryption succeeds; the extraction parameters are obtained and forwarded to the CA component 13, which starts data extraction;
Step 8: If the CA component 13 fails to extract the data, return to step 3; if it succeeds, the extracted data is encapsulated in the specified format (such as an XML document) and returned to the encryption module 14 at this CA component 13;
Step 9: The encryption module 14 at this CA component 13 calls the session key transmitted by the DI component 5 to encrypt the data, then encrypts the resulting ciphertext again with its own private key and returns it to the central encryption device 4 at the DI component 5 end; the central encryption device 4 calls the public key of this CA component 13 to decrypt it, calls the session key to decode the ciphertext into plaintext, and forwards it to the DI component 5;
Step 10: The DI component 5 writes the received plaintext to the business database in the specified data format, disconnects, and finishes.
Push mode:
The central-node digital device end (supervision end) 3 starts the DI component 5 and listens on a specified port. If an active connection request from a reporter (Reporter) is detected on this port, it accepts the request and receives the transmitted data, then determines whether the data is already plaintext; if not, it calls the central encryption device to decrypt it, and writes the plaintext to the business database in the predetermined data format;
At the child-node digital device end (supervised end) 9, the user starts the DEC component 12 and selects the user-defined data. The DEC component 12 automatically encapsulates the data, calls the encryption module to encrypt it, addresses the telephone number of the central-node digital device end 3 through modem 8 and, once connected, sends the encrypted, encapsulated data to the specified port of the central-node digital device end.
Embodiment
Implementing the present invention requires that both the monitoring end and the monitored end have fixed telephone numbers and that the digital devices (the hosts running the distributed data extraction middleware, the financial software, etc., including servers and PCs) be connected to the PSTN by modem and fixed telephone line. The access must be kept open, that is, the telephone line stays connected to the modem and the modem stays connected to the digital device, so that the monitoring end can initiate addressing and connection in real time as required. In addition, the DI, CA, DEC and other components of the distributed extraction middleware must run on their respective hosts, and the different financial software and software versions to be extracted from must be within the range supported by DEC.
The method and implementation system proposed by the invention are used in information systems such as the Shanghai Science and Technology administrative supervision system and the Songjiang state-owned assets supervision system.
Take the use in the Songjiang state-owned assets supervision system as an example:
Here the system that calls the data extraction system of the invention is the Songjiang state-owned assets supervision system, and the shared database is the database of this business system. The system consists of a Web server and a database server, and the DI component and the distributed communication program (Server) are deployed on the Web server. The supervised systems are the financial systems of 23 state-owned enterprises, deployed in the finance offices of the 23 different enterprises; the CA component, the DEC component and the distributed communication program (Client) are deployed on every financial machine.
In this application, data extraction uses pull mode. A typical complete run of data extraction and secure communication is described below:
1. The Songjiang state-owned assets supervision system writes the parameters of the data to be extracted (which company (child node number), the start and end of the supervision period, the account subject codes, voucher numbers and other parameters of the data to be extracted) into a record in the business system database and sets the record's flag bit to 1. When DI, polling this database, finds a record whose flag bit is 1, it sets the flag bit to 0 and reads the record to obtain the parameters;
2. After obtaining a data extraction task, DI queries the child node code database to obtain the child node's address (telephone number) and initiates a connection (one dial to the fixed number);
3. After addressing succeeds, a PSTN-based communication link is established. DI sends its certificate to the encryption module deployed on this child node for verification; if verification fails, any subsequent access to this child node will be rejected; once verification passes, DI obtains the right to call the CA on this child node. The encryption program at the DI end generates a random key (using the SCB2 general-purpose algorithm approved by the national commercial cryptography administration), encrypts the parameters of the data to be extracted into ciphertext with this random key, then calls the child node's public key to encrypt the random key and the generated ciphertext, and sends them to the encryption module of the specified child node. On receipt, the encryption module calls the stored CA component public key to decrypt them and passes the decrypted parameters and instructions to the CA component;
4. The CA component passes the parameters and instructions to the DEC component;
5. The DEC component executes the instruction, extracts the data for the specified parameters from the company's financial database, packages it as an XML document in the specified format, and forwards it to CA;
6. The CA component receives the XML document and calls the random key it received (using a cipher approved by the national commercial cryptography administration committee) to encrypt it and generate ciphertext; it then encrypts and encapsulates this ciphertext and the random key with the private key in this child node's encryption module and passes them to the DI component at the monitoring end;
7. The DI component at the monitoring end receives the returned encrypted data, calls this child node's public key to decrypt it, unpacks the decrypted data with the random key, and writes it in the specified format into the corresponding database table of the business system;
8. One round of addressing, authentication, data extraction and secure communication is complete, and the DI component carries out the next data extraction task.
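The session-key envelope described in the addressing and secure communication module, and used again in the pull-mode steps and in the worked run above, is written out below with both ends of the link; this is an added example, not code from the patent or from any system it describes. It assumes AES-256-GCM, RSA-OAEP and RSA-PSS in place of the national commercial cipher the page names, models the return path's private-key step as a signature and applies it in both directions, and the names Envelope, NewNodeKey, Seal and Open are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope crosses the dial-up link: wrapped session key, GCM nonce, ciphertext, signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Sig []byte }

// NewNodeKey stands in for the certificate key management unit issuing a key pair.
func NewNodeKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds AES-256-GCM from a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest hashes each signed field with a length prefix so bytes cannot move between fields.
func digest(e *Envelope) []byte {
	h := sha256.New()
	for _, f := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// Seal encrypts msg under a fresh session key, wraps that key for the
// recipient, and signs the envelope with the sender's private key.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // session key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, err
	}
	e.Sig, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(e), nil)
	return e, err
}

// Open verifies the sender's signature before any decryption, then unwraps the
// session key with the recipient's private key and decrypts the payload.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, e *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(e), e.Sig, nil); err != nil {
		return nil, fmt.Errorf("sender not authenticated: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key not addressed to this node: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil || len(e.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed envelope")
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	di, _ := NewNodeKey() // central node (DI side)
	ca, _ := NewNodeKey() // child node (CA side)
	env, _ := Seal(di, &ca.PublicKey, []byte("subject=1001;from=2008-01;to=2008-03")) // constructed parameters
	params, err := Open(ca, &di.PublicKey, env)
	fmt.Printf("%s %v\n", params, err)
}
```

Open rejects an envelope whose signature does not verify, whose session key was wrapped for a different node, or whose ciphertext was altered in transit, so a party that merely reaches the line by dialing cannot read or inject extraction data.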