CN110061989A - A full isolation method for a data acquisition gateway - Google Patents
A full isolation method for a data acquisition gateway
Publication number: CN110061989A (application number CN201910319489.1A)
Authority: CN (China)
Prior art keywords: data, module, encryption, encrypting module, key
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The invention discloses a full isolation method for a data acquisition gateway: a data encryption module is added to the data acquisition terminal, the uploaded data is encrypted, and the data is decrypted at the big data platform with dedicated software, so that the data is protected in transit. The encryption module is connected to the MCU and the communication module over a serial port. The design of the industrial internet data acquisition encryption isolation scheme comprises: overall architecture design, encryption module hardware design, encryption module operating modes, cryptographic key design, and management process design. Because the data acquisition gateway keeps using open protocols, the encryption isolation design of this scheme does not sacrifice the original ease of development and ease of access; because an encryption chip is used, the data actually travels over the network as ciphertext, giving good confidentiality; and the prevalent monolithic design is abandoned, so that each subsystem can be designed separately and produced in a standardised way, which helps to reduce cost.
Description
Technical field
The invention belongs to the field of data security isolation technology, and specifically relates to a full isolation method for a data acquisition gateway.
Background technique
Industrial data acquisition uses ubiquitous sensing technology to collect information from multi-source devices, heterogeneous systems, operating environments, people and other elements in real time and efficiently, and to converge it in the cloud. Industrial data acquisition corresponds to the edge layer in the architecture of the industrial internet platform. By connecting different devices, systems and products through all kinds of communication means, acquiring a wide range of deep industrial data, and performing protocol conversion and edge processing of heterogeneous data, it builds the data foundation of the industrial internet platform.
At present the supply side of the industrial data acquisition industry consists mainly of three kinds of enterprise:
First, industrial automation enterprises, which build on their own core products and mainly provide access devices for industrial data acquisition, that is, the source of the industrial data, such as Siemens, Advantech, Honeywell, Ankong and others;
Second, industrial network service enterprises, which mainly provide supporting equipment and services for industrial data acquisition such as industrial network protocol conversion, transmission and security; some of them are actively expanding from their original areas of strength into the manufacturing field, such as China Telecom, ZTE, Huawei and others;
Third, industrial data acquisition solution enterprises, which mainly provide industrial data acquisition solutions, system development, project implementation, system integration and similar services, such as the Beijing Research Institute of Automation for Machinery Industry (北自所), Hollysys, Mingjiang Intelligent and others.
The architecture of industrial data acquisition comprises three layers: device access, protocol conversion, and edge data processing. It connects downward to devices or intelligent products and upward to the industrial internet platform or industrial application systems, as shown in Figure 1.
As Figure 1 shows, between being collected and being used, data necessarily passes through networks at several levels: the field-level network interfaces faced by the device access layer, such as RS485/232, Industrial Ethernet and CAN bus; the chip-level network interfaces faced by protocol conversion and edge processing, such as UART, I2C and SPI; and the application-layer network interfaces over which data is transferred to the industrial internet platform or industrial application systems, such as HTTP, MQTT and S7. The construction of the future industrial internet will therefore inevitably involve deploying large numbers of data acquisition gateways or similar products, which will be the key nodes of data circulation, just as routers are in the conventional internet. The difference is that the data acquisition gateways of the industrial internet face new challenges: a large number of protocols, complex operating conditions, high reliability requirements, and difficulty in guaranteeing security.
As far as the functions of communication and data exchange are concerned, the existing level of development fully satisfies current requirements and many products do so. There are two main technical routes:
One, products originally intended for low-level industrial control that integrate an Ethernet communication component. For example, the Siemens SIMATIC controller family, which has developed from the S3 series to today's S7 series, is small, fast, standardised and network-capable, with richer functions and higher reliability. Taking the S7-200 SMART series as an example: a microprocessor, an integrated power supply, input circuits and output circuits are combined in a compact housing to form a powerful micro PLC. After the user program is downloaded, the CPU contains the logic needed to monitor the input and output devices in the application.
Two, products originally intended for network communication that integrate industrial control and data acquisition components. For example, the industrial router series and industrial wireless DTU series of Hongdian, originally used for M2M (machine-to-machine) communication, a field that is the forerunner of the Internet of Things and one of its most important service links. An industrial wireless DTU is based on the GPRS data network; it is a wireless terminal device dedicated to converting serial data to IP data, or IP data to serial data, and transmitting it over the wireless network. It is widely used today in electric power, environmental monitoring, vehicles, water conservancy, meteorology, street-light monitoring, heating networks, coal mines, oil fields and other industries. An industrial router is an industrial-grade router built on 3G/4G wireless communication. It uses a wide-voltage EMC design, supports the 4G, 3G and 2.5G network standards, dual-module dual-SIM operation, a built-in 4G wireless WiFi module and APN/VPDN private network access, and provides users with long-range wireless data transfer over the public 2G/3G/4G network, with faster and more stable rates, stable 7×24 operation, suitability for harsh environments, and remote management, maintenance and upgrade, helping enterprises to reduce operation and maintenance cost. It is widely used in finance, media, transport, vehicles, electric power, environmental protection, industrial automation, retail chains and other industries.
First, the construction of the industrial internet cannot do without the construction of an industrial big data platform on the application side; otherwise no network effect and no innovative applications can form. Second, in order to provide large-scale data application services, the platform must use open protocols; otherwise users and application developers face numerous closed or semi-closed protocols and pay a huge learning cost, which is clearly detrimental to the development of the platform. The existing INDICS industrial big data platform, for example, uses open protocols (MQTT and RESTful).
This, however, brings a data security problem: plaintext data transmitted over the internet with an open protocol is extremely easy to identify, capture, replicate and tamper with.
Existing similar products generally address this risk with closed proprietary protocols, such as S7 and PPI (both from the Siemens family), DDP (DTU DSC Protocol, used in the DTU products of Hongdian, Han Ketai and other vendors, and generally customised by each manufacturer), LoRaWAN (LoRa series) and so on. Their advantages and disadvantages are as described above: a proprietary protocol sacrifices the generality of the product to increase user stickiness, which is detrimental to the development of the industrial internet platform.
Furthermore, because the essence of a proprietary protocol is still plaintext data, protected only by the information asymmetry of being closed source, cracking products aimed at such proprietary protocols have already appeared on the market. The appearance of a cracking product exposes every product using the same protocol or belonging to the same series to the security risk. Considering that the number of connections in the industrial internet will be an order of magnitude higher than in the existing internet, exposing products of the same protocol or the same series to a security risk will produce direct losses and harm an order of magnitude higher, not counting indirect losses and harm.
In summary, the challenge met in existing industrial internet construction is that generality and security cannot both be achieved under the existing architecture, and the mainstream scheme sacrifices generality to guarantee security. Because the industrial internet is still at an early stage of construction, enterprises in the industrial data acquisition industry are pushing their own protocols, interfaces and other data exchange standards in order to capture the market, without giving much consideration to generality. But the next stage of the industrial internet's development will necessarily require both generality and security, just as the development of mobile networks did before it.
Summary of the invention
The purpose of the present invention is to provide a full isolation method for a data acquisition gateway, so as to solve the problems raised in the background above.
To achieve the above object, the present invention adopts the following technical solution:
A full isolation method for a data acquisition gateway: a data encryption module is added to the data acquisition terminal, the uploaded data is encrypted, and the data is decrypted at the big data platform with dedicated software, so that the data is protected in transit. The encryption module is connected to the MCU and the communication module over a serial port. The design of the industrial internet data acquisition encryption isolation scheme comprises the following:
S1. Overall architecture design:
The data acquisition terminal collects the enterprise's data and passes it through the MCU to the GPRS transmission module, which sends the enterprise data to the big data platform. In transit the enterprise data is exposed to the risk of theft and disclosure and needs confidentiality protection.
A data encryption module is added to the data acquisition terminal: it encrypts the uploaded data, the data is decrypted at the big data platform with dedicated software, and the data is thereby protected in transit. The encryption module is connected to the MCU and the communication module over a serial port.
S2. Encryption module hardware design:
Taking area, power consumption and cost into account, the encryption module is implemented as a dedicated cryptographic algorithm SoC chip plus a standard interface. All main functions are implemented by the algorithm chip, which contains a main CPU, cryptographic algorithm engines, key storage units, interface modules and so on; the standard interface carries the data exchange between the encryption module and the acquisition terminal and transmission module. In this way the encryption module consists essentially of one algorithm chip and its supporting components. With the cryptographic SoC chip and two rows of 1×5 pin headers, the module area is within 2 cm × 2 cm. Because the data encryption module communicates with the outside world over UART, and also needs an external power supply, the module uses two single-row 1×5 pin headers with 2.54 mm pitch.
S3. Encryption module operating modes:
The encryption module can be designed to work in the terminal in two different modes: serial mode and parallel mode.
Serial mode:
In serial mode the encryption module is inserted into the data path as an independent unit: the MCU sends the collected data to the encryption module, which encrypts and encapsulates it and hands it to the communication module for sending. In this mode the encryption module has more work to do, but it can also act as a technical barrier that stops the terminal manufacturer from sending the enterprise data in plaintext to some other service platform. The data encryption module needs the following development:
1) Standardisation of the crypto module-MCU interface: with the MCU as master and the crypto module as slave, the communication interface between the two is defined and implemented as AT commands; the main interface functions are network connection parameter configuration, connecting to the platform server, sending data, and requesting time synchronisation;
2) Implementation of the encryption functions, including key agreement and data encryption;
3) MQTT protocol encapsulation: implementing the MQTT client, connecting to the platform server, and submitting the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: driving the GPRS module, connecting to the cloud platform, sending data and receiving time synchronisation data. Since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module must be adapted to each of them separately.
Parallel mode:
In parallel mode the encryption module acts only as a cryptographic computing component: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and encapsulates and sends it. The encryption module only performs the encryption; the data encapsulation is done by the MCU.
S4. Cryptographic key design:
The cryptographic chip selected for the encryption module provides the commonly used national-standard algorithms SM2, SM3, SM4 and others, so it can implement different encryption modes such as symmetric encryption and public-key encryption, and key management can be done in different ways such as pre-installed keys or key agreement. To simplify the user's management process and improve decryption efficiency at the big data platform, symmetric encryption with a pre-installed key is used.
The encryption module encrypts with a symmetric algorithm. The encryption key is pre-installed inside the chip and differs from module to module, and the chip includes protective measures so that the encryption key cannot be read from outside. When the encryption module leaves the factory, its internal key initialisation must be completed: the chip generates an ID and an encryption key internally, and the encryption key and ID are submitted to the big data platform's decryption program for decrypting the data. The big data platform stores the encryption key of each encryption module in encrypted form to prevent disclosure.
The algorithm chip provides abundant algorithm computing units, and the embedded CPU can also change the way the cryptographic key is used; if the key usage mode needs to change later, the required functions can be implemented by a software upgrade without changing the hardware, which improves flexibility.
S5. Management process design:
Device production: the data acquisition terminal is divided into two parts, the acquisition terminal and the encryption module, with a standard interface defined between them, so that they can be produced by different manufacturers and purchased separately. After the encryption module is produced it must be initialised: a device ID and an encryption key are generated, and the ID together with its corresponding encryption key is submitted and stored in encrypted form.
Device assembly: after the acquisition terminal and the encryption module are assembled, the device is handed over to the user manufacturer.
Communication process:
Encryption module:
(1) On power-up, read the device ID and the encryption key;
(2) Encrypt the agreed fixed plaintext with the encryption key, obtaining data_en;
(3) Send (ID, data_en) to the big data platform as the handshake data.
Big data platform:
(1) Establish the connection with the terminal device;
(2) Receive the handshake data (ID, ciphertext);
(3) Look up the encrypted encryption key of that terminal by ID and decrypt it to obtain the plaintext key;
(4) Decrypt data_en with the encryption key, obtaining data*;
(5) Compare data* with the agreed fixed data; if it does not match, disconnect; if it matches, establish the session and decrypt the subsequent data with that encryption key.
Preferably, in S3, under serial mode the data encryption module needs the following development:
1) Standardisation of the crypto module-MCU interface: with the MCU as master and the crypto module as slave, the communication interface between the two is defined and implemented as AT commands; the main interface functions are network connection parameter configuration, connecting to the platform server, sending data, and requesting time synchronisation;
2) Implementation of the encryption functions, including key agreement and data encryption;
3) MQTT protocol encapsulation: implementing the MQTT client, connecting to the platform server, and submitting the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: driving the GPRS module, connecting to the cloud platform, sending data and receiving time synchronisation data. Since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module must be adapted to each of them separately.
Preferably, in S3, under parallel mode the data encryption module needs the following development: providing cryptographic service functions to the MCU, including key agreement and data encryption, with the interface standardised as AT commands.
Preferably, in S3, the serial and parallel modes compare as follows: the serial design amounts to migrating functions that the original device manufacturer implemented into the crypto module. For the device manufacturer, everything already completed has to be handed over to be developed again on the crypto module; for the platform, the device manufacturer it originally integrated with is replaced and it now has to integrate with the encryption device manufacturer, doing the work a second time. Overall, capabilities the original main MCU already had are discarded, the crypto module must add them and therefore needs a higher-end chip, and the development and debugging of the protocol communication increases.
Technical effects and advantages of the invention: compared with the prior art, the full isolation method for a data acquisition gateway proposed by the present invention has the following advantages:
1. The challenge met in existing industrial internet construction is that generality and security cannot both be achieved under the existing architecture, and the mainstream scheme sacrifices generality to guarantee security. The encryption isolation design of this scheme solves both problems at the same time.
2. Generality: because the data acquisition gateway keeps using open protocols, the original ease of development and ease of access is not sacrificed.
3. Security: because an encryption chip is used, the data actually travels over the network as ciphertext, which brings three advantages:
(1) even if the ciphertext is intercepted, it is difficult to crack, so security problems such as tampering and theft are unlikely;
(2) even if the ciphertext is cracked, since the encryption chip uses a one-key-per-machine architecture the weakness exists only on that single machine and does not spread to the many other machines of the same series, so the security risk is relatively controllable;
(3) the ciphertext can only be restored to plaintext by the corresponding decryption mechanism, so a back door or other covert channel left in the communication system automatically becomes ineffective, because only the data destination that deploys the corresponding decryption mechanism can obtain useful information.
4. Standardisation: because the encryption chip, especially when operating in serial mode, has an inherent ability to block back doors, the industrial data acquisition system can go further and be designed with data acquisition, data encryption and data transmission as separate parts connected through general-purpose interfaces such as UART. The prevalent monolithic design is abandoned; each subsystem can be designed separately and produced in a standardised way, which helps to reduce cost.
Brief description of the drawings
Figure 1 is a schematic diagram of the industrial data acquisition architecture of the prior art;
Figure 2 is a schematic diagram of the industrial internet data acquisition encryption isolation scheme of the invention;
Figure 3 is a schematic diagram of the data acquisition encryption isolation chip of the invention;
Figure 4 is a schematic diagram of the physical dimensions of the data acquisition encryption isolation chip of the invention;
Figure 5 is a schematic diagram of the serial operating mode of the encryption isolation chip of the invention;
Figure 6 is a schematic diagram of the parallel operating mode of the encryption isolation chip of the invention.
Specific embodiments
The technical solution in the embodiments of the present invention will be described clearly and completely below with reference to Figures 2 to 6 of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The specific embodiments described here are merely illustrative of the present invention and are not intended to limit it. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The present invention provides a full isolation method for a data acquisition gateway: a data encryption module is added to the data acquisition terminal, the uploaded data is encrypted, and the data is decrypted at the big data platform with dedicated software, so that the data is protected in transit. The encryption module is connected to the MCU and the communication module over a serial port. The design of the industrial internet data acquisition encryption isolation scheme comprises the following:
S1. Overall architecture design:
The data acquisition terminal collects the enterprise's data and passes it through the MCU to the GPRS transmission module, which sends the enterprise data to the big data platform. In transit the enterprise data is exposed to the risk of theft and disclosure and needs confidentiality protection.
A data encryption module is added to the data acquisition terminal: it encrypts the uploaded data, the data is decrypted at the big data platform with dedicated software, and the data is thereby protected in transit. The encryption module is connected to the MCU and the communication module over a serial port; its position in the acquisition terminal is shown in Figure 2.
The encryption scheme is designed on the principles of security, usability and economy: while guaranteeing data security, it keeps changes to the original system to a minimum, uses standard interfaces and controls implementation cost, so that the scheme is easy to apply.
S2. Encryption module hardware design:
Taking area, power consumption and cost into account, the encryption module is implemented as a dedicated cryptographic algorithm SoC chip plus a standard interface. All main functions are implemented by the algorithm chip, which contains a main CPU, cryptographic algorithm engines, key storage units, interface modules and so on; the standard interface carries the data exchange between the encryption module and the acquisition terminal and transmission module. In this way the encryption module consists essentially of one algorithm chip and its supporting components, which simplifies the design, reduces the area and lowers the cost.
The hardware block diagram of the encryption module is shown in Figure 3: a cryptographic SoC chip plus two rows of 1×5 pin headers, with a module area within 2 cm × 2 cm.
Because the data encryption module communicates with the outside world over UART, and also needs an external power supply, the module uses two single-row 1×5 pin headers with 2.54 mm pitch. The interface provided by the module is shown in the following tables:
Pin header 1 signal definition
Pin header 2 signal definition
The physical dimensions of the module are shown in Figure 4.
S3. Encryption module operating modes:
The encryption module can be designed to work in the terminal in two different modes: serial mode and parallel mode.
3.1 Serial mode
In serial mode the flow of data is shown in Figure 5.
In serial mode the encryption module is inserted into the data path as an independent unit: the MCU sends the collected data to the encryption module, which encrypts and encapsulates it and hands it to the communication module for sending. In this mode the encryption module has more work to do, but it can also act as a technical barrier that stops the terminal manufacturer from sending the enterprise data in plaintext to some other service platform.
Under serial mode the data encryption module needs the following development:
1) Standardisation of the crypto module-MCU interface: with the MCU as master and the crypto module as slave, the communication interface between the two is defined and implemented as AT commands; the main interface functions are network connection parameter configuration, connecting to the platform server, sending data, and requesting time synchronisation;
2) Implementation of the encryption functions, including key agreement and data encryption;
3) MQTT protocol encapsulation: implementing the MQTT client, connecting to the platform server, and submitting the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: driving the GPRS module, connecting to the cloud platform, sending data and receiving time synchronisation data. Since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module must be adapted to each of them separately.
3.2 Parallel mode
In parallel mode the flow of data is shown in Figure 6.
In parallel mode the encryption module acts only as a cryptographic computing component: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, and encapsulates and sends it. The encryption module only performs the encryption; the data encapsulation is done by the MCU.
Under parallel mode the data encryption module needs the following development:
1) Providing cryptographic service functions to the MCU, including key agreement and data encryption, with the interface standardised as AT commands.
3.3 Comparison of the two modes
The serial design amounts to migrating functions that the original device manufacturer implemented into the crypto module. For the device manufacturer, everything already completed has to be handed over to be developed again on the crypto module; for the platform, the device manufacturer it originally integrated with is replaced and it now has to integrate with the encryption device manufacturer, doing the work a second time. Overall, capabilities the original main MCU already had are discarded, the crypto module must add them and therefore needs a higher-end chip, and the development and debugging of the protocol communication increases. The serial mode therefore involves somewhat more development effort and a somewhat longer development cycle.
S4. Cryptographic key design:
The cryptographic chip selected for the encryption module provides the commonly used national-standard algorithms SM2, SM3, SM4 and others, so it can implement different encryption modes such as symmetric encryption and public-key encryption, and key management can be done in different ways such as pre-installed keys or key agreement. To simplify the user's management process and improve decryption efficiency at the big data platform, symmetric encryption with a pre-installed key is used.
The encryption module encrypts with a symmetric algorithm. The encryption key is pre-installed inside the chip and differs from module to module, and the chip includes protective measures so that the encryption key cannot be read from outside. When the encryption module leaves the factory, its internal key initialisation must be completed: the chip generates an ID and an encryption key internally, and the encryption key and ID are submitted to the big data platform's decryption program for decrypting the data. The big data platform stores the encryption key of each encryption module in encrypted form to prevent disclosure.
The algorithm chip provides abundant algorithm computing units, and the embedded CPU can also change the way the cryptographic key is used; if the key usage mode needs to change later, the required functions can be implemented by a software upgrade without changing the hardware, which improves flexibility.
S5. Management process design:
5.1 Equipment production
The data acquisition terminal is divided into two parts, the acquisition terminal and the encryption module, with a standard interface defined between them; the two parts are produced by different manufacturers and purchased separately.
After the encryption module is produced it must be initialized, generating the device ID and encryption key; the ID and the corresponding key are submitted and stored in encrypted form.
5.2 Equipment assembly
After the acquisition terminal and the encryption module are assembled, the device is delivered to the user manufacturer.
5.3 Communication process
1) Encryption module
(1) On power-on, the device reads its device ID and encryption key;
(2) The encryption module encrypts an agreed fixed plaintext with the encryption key, obtaining data_en;
(3) (ID, data_en) is sent to the big data platform as the handshake data.
2) Big data platform
(1) A connection is established with the terminal device;
(2) The handshake data (ID, ciphertext) is received;
(3) The encrypted encryption key of that terminal is looked up by ID and decrypted to obtain the plaintext key;
(4) data_en is decrypted with the encryption key, obtaining data*;
(5) data* is compared with the agreed fixed data; if it does not match, the connection is dropped; if it matches, the connection is established and subsequent data is decrypted with that encryption key.
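The handshake of 5.3 (and the identical steps in claim 1) as an added example in Go, not code from the patent: the module side produces (ID, data_en), and the platform side performs steps (3) to (5), looking the key up by ID in a store that is kept encrypted under a platform master key as S4 requires. AES-128-GCM stands in for the chip's SM4 algorithm, which Go's standard library does not provide, and the agreed plaintext, module IDs and keys are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// agreedPlaintext is the fixed plaintext both sides agree on in advance (constructed value).
var agreedPlaintext = []byte("GATEWAY-HELLO-V1")
const nonceSize = 12 // standard GCM nonce length, prefixed to every ciphertext

// gcm builds an AES-128-GCM cipher as a stand-in for the patent's SM4, which Go's
// standard library lacks. Keys are fixed at 16 bytes here, so a bad length is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return a
}

// seal returns nonce || ciphertext of plaintext under key.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the token was altered.
func open(key, token []byte) ([]byte, error) {
	if len(token) < nonceSize {
		return nil, errors.New("short token")
	}
	return gcm(key).Open(nil, token[:nonceSize], token[nonceSize:], nil)
}

// ModuleHandshake is module steps (1)-(3): encrypt the agreed plaintext under the preset key, send (ID, data_en).
func ModuleHandshake(id string, key []byte) (string, []byte) {
	return id, seal(key, agreedPlaintext)
}

// Platform is the big data platform's decryption program; per S4 each module key is stored encrypted.
type Platform struct {
	master   []byte            // platform master key protecting the key store
	keyStore map[string][]byte // module ID -> encrypted module key
}

// NewPlatform creates an empty key store protected by the given master key.
func NewPlatform(master []byte) *Platform {
	return &Platform{master: master, keyStore: map[string][]byte{}}
}

// Register is the factory-time submission of (ID, key) from S5.1.
func (p *Platform) Register(id string, key []byte) {
	p.keyStore[id] = seal(p.master, key)
}

// Accept is platform steps (3)-(5): fetch the encrypted key by ID, decrypt it, decrypt
// data_en and compare with the agreed plaintext. Any error means the platform disconnects.
func (p *Platform) Accept(id string, dataEn []byte) ([]byte, error) {
	enc, ok := p.keyStore[id]
	if !ok {
		return nil, errors.New("unknown module ID: disconnect")
	}
	key, err := open(p.master, enc)
	if err != nil {
		return nil, err
	}
	data, err := open(key, dataEn)
	if err != nil || !bytes.Equal(data, agreedPlaintext) {
		return nil, errors.New("fixed data mismatch: disconnect")
	}
	return key, nil
}
```

Because GCM adds a fresh nonce, data_en differs on every power-up; with the patent's fixed plaintext and fixed key alone, data_en would be identical each time, so the check proves the module holds the key but cannot by itself tell a live module from a replay of an earlier handshake.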
Encryption chip design in this scheme: regardless of whether it works in serial or parallel mode, as long as the final data acquisition system adopts the pattern of encryption at the data acquisition gateway and decryption at the server, and the gateway-side encryption is performed by a separate module or chip, the design is considered an encryption chip design.
Encryption chip physical dimensions: the module's original physical dimensions and proportional scaling; pin definition and layout.
Encryption chip communication protocol: communication flow, protocol commands and built-in algorithms.
There are mainly two alternative solutions: the additive structure and the subtractive structure.
Additive structure: the encryption chip's functions are made more complex, mainly by integrating the communication part behind it to form an encrypted transmission unit, similar to a VPN or leased line; or by integrating the data acquisition part in front of it to form an encrypted acquisition unit, similar to acquisition equipment that uses a proprietary protocol; or by full co-design, forming a closed secure acquisition unit.
Subtractive structure: the encryption chip's functions are simplified, for example undertaking only key storage without deploying an encryption algorithm, or using some simple encryption algorithms to provide partial security properties.
Therefore, this scheme:
1. The challenge in existing industrial internet construction is precisely that generality and security cannot both be achieved under the existing architecture. The mainstream approach sacrifices generality to guarantee security, whereas the encryption isolation design of this scheme solves both problems at once.
2. Generality: since the data acquisition gateway uses open-source protocols, its original ease of development and ease of access are not sacrificed.
3. Security: since an encryption chip is used, the data actually travels through the network as ciphertext, which has three advantages:
(1) Even if the ciphertext is intercepted, it is difficult to crack, so security breaches such as tampering and theft are unlikely;
(2) Even if the ciphertext is cracked, since the encryption chip follows a one-key-per-device architecture, the breach is confined to a single device and does not spread to a large number of devices of the same series, so the security risk is relatively controllable;
(3) The ciphertext can only be restored to plaintext with the corresponding decryption mechanism, so if a back door or other covert channel is kept in the communication system it automatically ceases to be effective, because only the data destination that deploys the corresponding decryption mechanism can obtain useful information.
4. Standardization: especially when operating in serial mode, the design has an inherent ability to block back doors, and with the encryption chip using general-purpose interfaces such as UART, the industrial data acquisition system can be designed as data acquisition, data encryption and data transmission stages. The largely monolithic designs used today are abandoned; each subsystem can be designed separately and produced in a standardized way, which helps reduce cost.
Finally, it should be noted that the above are only preferred embodiments of the present invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in them or make equivalent replacements of some of their technical features; any modification, equivalent replacement or improvement within the spirit and principles of the invention shall fall within its scope of protection.
Claims (4)
1. A full isolation method for a data acquisition gateway, characterized in that a data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted at the big data platform with dedicated software, realizing protection of the data in transit; the encryption module is connected to the MCU and the communication module through a serial port; the encryption isolation scheme for industrial internet data acquisition is designed as follows, comprising:
S1. Overall architecture design:
The data acquisition terminal collects enterprise data and passes it through the MCU to the GPRS transmission module, which sends the enterprise data to the big data platform; in transit, enterprise data may face risks of theft and leakage and needs confidentiality protection;
A data encryption module is added to the data acquisition terminal to encrypt the uploaded data, and the data is decrypted at the big data platform with dedicated software, realizing protection of the data in transit; the encryption module connects through a serial port;
S2. Encryption module hardware design:
Considering area, power consumption and cost, the encryption module is proposed to be realized as a dedicated-algorithm SoC chip plus a standard interface; the main functions are all realized by the algorithm chip, which includes a main CPU, cryptographic algorithm operation, a key storage unit, an interface module and so on; the standard interface realizes the data interaction between the encryption module and the acquisition terminal and transmission module; in this way the encryption module consists mainly of one algorithm chip and supporting components; it is a cryptographic SoC chip plus two rows of 1×5 pin headers, with the module area within 2cm × 2cm; since the data encryption module communicates with the outside world over UART, the module also needs an external power supply, and it uses two single-row 1×5 pin headers with 2.54mm pitch;
S3. Encryption module operating mode:
The encryption module can be designed to operate in the terminal in two different modes, serial mode and parallel mode:
Serial mode:
In serial mode, the encryption module is placed in series on the data path as an independent unit; the MCU sends the collected data to the encryption module, which encrypts and encapsulates the data and hands it to the communication module for sending; in this case the encryption module has more work to do, and it can form a technical barrier and obstacle against the terminal manufacturer sending the enterprise data in plaintext to other service platforms; the data encryption module needs the following development:
1) Standardization of the crypto module-MCU interface; with the MCU as the master device and the crypto module as the slave device, the communication interface between the two is defined and realized in the form of AT commands; the main interfaces include network connection parameter configuration, connecting to the platform server, sending data, requesting time synchronization data, etc.;
2) Realization of the encryption functions, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation; realize the MQTT client functionality, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transceiving; drive the GPRS module, connect to the cloud platform, send data and receive time synchronization data; in addition, since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module needs separate adaptation development for each;
Parallel mode:
In parallel mode, the encryption module serves only as a cryptographic operation component: the MCU hands the data to be encrypted to the encryption module for encryption and reads back the encrypted data, then encapsulates and sends it; the encryption module only performs the encryption, and the data encapsulation is done by the MCU;
S4. Key design:
The crypto chip selected for the encryption module provides the common national standard algorithms SM2, SM3 and SM4, supports different encryption modes such as symmetric encryption and public-key encryption, and supports different key management methods such as preset keys and key agreement; to simplify user management and improve decryption efficiency at the big data platform, the symmetric encryption + preset key approach is adopted;
The encryption module encrypts with a symmetric algorithm, and the encryption key is preset inside the chip; keys are separated per module, so each module has a different encryption key; the chip incorporates security protection measures, and the encryption key cannot be read from outside; when the encryption module is produced and leaves the factory, internal key initialization must be completed: the module internally generates an ID and an encryption key, and the encryption key and ID are submitted to the big data platform's decryption program for decrypting the data; the encryption key of each encryption module is stored in encrypted form on the big data platform to prevent leakage;
The algorithm chip provides ample algorithm arithmetic units, and the embedded CPU can also modify the way the key is used; if the key usage mode later needs to change, the required function can be realized by a software upgrade without changing the hardware, which improves flexibility;
S5. Management process design:
Equipment production: the data acquisition terminal is divided into two parts, the acquisition terminal and the encryption module, with a standard interface defined between them; the two parts are produced by different manufacturers and purchased separately; after the encryption module is produced it must be initialized, generating the device ID and encryption key, and the ID and the corresponding encryption key are submitted and stored in encrypted form;
Equipment assembly: after the acquisition terminal and the encryption module are assembled, the device is delivered to the user manufacturer;
Communication process:
Encryption module:
(1) On power-on, the device reads its device ID and encryption key;
(2) The encryption module encrypts an agreed fixed plaintext with the encryption key, obtaining data_en;
(3) (ID, data_en) is sent to the big data platform as the handshake data;
Big data platform:
(1) A connection is established with the terminal device;
(2) The handshake data (ID, ciphertext) is received;
(3) The encrypted encryption key of that terminal is looked up by ID and decrypted to obtain the plaintext key;
(4) data_en is decrypted with the encryption key, obtaining data*;
(5) data* is compared with the agreed fixed data; if it does not match, the connection is dropped; if it matches, the connection is established and subsequent data is decrypted with that encryption key.
2. The full isolation method for a data acquisition gateway according to claim 1, characterized in that in S3, in serial mode, the data encryption module needs the following development:
1) Standardization of the crypto module-MCU interface; with the MCU as the master device and the crypto module as the slave device, the communication interface between the two is defined and realized in the form of AT commands; the main interfaces include network connection parameter configuration, connecting to the platform server, sending data, requesting time synchronization data, etc.;
2) Realization of the encryption functions, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation; realize the MQTT client functionality, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transceiving; drive the GPRS module, connect to the cloud platform, send data and receive time synchronization data; in addition, since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module needs separate adaptation development for each.
3. The full isolation method for a data acquisition gateway according to claim 1, characterized in that in S3, in parallel mode, the data encryption module needs the following development:
Provide cryptographic service functions to the MCU, including key agreement and data encryption; the interface is standardized by means of AT commands.
4. The full isolation method for a data acquisition gateway according to claim 1, characterized in that in S3 the serial mode and the parallel mode compare as follows:
The serial design amounts to migrating work that the original equipment manufacturer used to do into the crypto module; for the device manufacturer, everything already completed has to be handed over to the crypto module side for development; for the platform, where it previously integrated with the device manufacturer, it now has to integrate with our encryption device manufacturer, doing the work a second time; taken as a whole, the original device's main MCU already had this capability and it goes unused, the crypto module takes on the function and a higher-end chip has to be selected, and protocol communication development and debugging are added.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910319489.1A CN110061989B (en) | 2019-04-19 | 2019-04-19 | Data acquisition gateway full-isolation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110061989A true CN110061989A (en) | 2019-07-26 |
CN110061989B CN110061989B (en) | 2021-07-13 |
Family
ID=67319803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910319489.1A Active CN110061989B (en) | 2019-04-19 | 2019-04-19 | Data acquisition gateway full-isolation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110061989B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7490332B2 (en) * | 2003-04-04 | 2009-02-10 | Sesma Systems, Inc. | System and method for accessing ActiveX objects in a platform dependent environment from objects in a platform independent environment |
US20050180337A1 (en) * | 2004-01-20 | 2005-08-18 | Roemerman Steven D. | Monitoring and reporting system and method of operating the same |
CN1761209A (en) * | 2004-04-27 | 2006-04-19 | 微软公司 | System and methods for providing network quarantine |
US20070091926A1 (en) * | 2005-10-21 | 2007-04-26 | Apostolopoulos John G | Method for optimizing portions of data from a plurality of data streams at a transcoding node |
CN103281377A (en) * | 2013-05-31 | 2013-09-04 | 北京鹏宇成软件技术有限公司 | Cryptograph data storage and searching method for cloud |
CN103873230A (en) * | 2014-04-06 | 2014-06-18 | 汪风珍 | Single-direction encryption-decryption technology |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111064779A (en) * | 2019-12-10 | 2020-04-24 | 北京国网富达科技发展有限责任公司 | SF6 online monitoring device, method and system for transformer substation |
CN111556093A (en) * | 2020-03-27 | 2020-08-18 | 天津市普迅电力信息技术有限公司 | Multifunctional edge Internet of things agent device for power grid information acquisition |
CN111600705A (en) * | 2020-05-14 | 2020-08-28 | 国网电力科学研究院有限公司 | Isolation card based on auto-negotiation mechanism |
CN111600705B (en) * | 2020-05-14 | 2022-10-04 | 国网电力科学研究院有限公司 | Isolation card based on auto-negotiation mechanism |
WO2022077935A1 (en) * | 2020-10-16 | 2022-04-21 | 青岛海尔工业智能研究院有限公司 | Data storage method and device for industrial internet platform, and data retrieval method and device for industrial internet platform |
CN113347172A (en) * | 2021-05-28 | 2021-09-03 | 吉萨特自动化技术(上海)有限公司 | Cloud digitization platform and using method thereof |
CN115664841A (en) * | 2022-11-14 | 2023-01-31 | 济南大学 | Data acquisition system and method with network isolation and one-way encryption transmission functions |
Also Published As
Publication number | Publication date |
---|---|
CN110061989B (en) | 2021-07-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |