CN110061989A - A full isolation method for a data acquisition gateway - Google Patents


Info

Publication number: CN110061989A
Authority: CN (China)
Prior art keywords: data, module, encryption, encrypting module, key
Legal status: Granted
Application number: CN201910319489.1A
Other languages: Chinese (zh)
Other versions: CN110061989B (en)
Inventors: 纪丰伟, 姜海, 沈旭虎
Current assignee: Aerospace Cloud Network Data Research Institute (Jiangsu) Co Ltd
Original assignee: Aerospace Cloud Network Data Research Institute (Jiangsu) Co Ltd
Application filed by Aerospace Cloud Network Data Research Institute (Jiangsu) Co Ltd
Priority to CN201910319489.1A
Publication of CN110061989A
Application granted
Publication of CN110061989B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks


Abstract

The invention discloses a full isolation method for a data acquisition gateway. A data encryption module is added to the data collection terminal to encrypt the uploaded data; the big data platform decrypts the data with dedicated software, so the data is protected in transit. The encrypting module is connected to the MCU and to the communication module through a serial port. The industrial internet data acquisition encryption isolation scheme comprises: overall architecture design, encrypting module hardware design, encrypting module operating modes, cryptographic key design and management process design. Because the data acquisition gateway uses open protocols, the encryption isolation design of this scheme does not sacrifice the original ease of development and ease of access; because an encryption chip is used, the data actually travels through the network as ciphertext and the secrecy effect is good; and the existing, mostly monolithic design is abandoned, so that each subsystem can be designed separately and produced in a standardized way, which helps to reduce cost.

Description

A full isolation method for a data acquisition gateway
Technical field
The invention belongs to the field of data security isolation technology, and in particular relates to a full isolation method for a data acquisition gateway.
Background technique
Industrial data collection uses ubiquitous sensing technology to collect information in real time and efficiently from elements such as multi-source equipment, heterogeneous systems, the operating environment and people, and to converge it in the cloud. Industrial data collection corresponds to the edge layer in the industrial internet platform architecture. By accessing different equipment, systems and products through all kinds of communication means, collecting wide-ranging and deep industrial data, and performing protocol conversion and edge processing of heterogeneous data, it builds the data foundation of the industrial internet platform.
At present, the supply side of the industrial data collection industry consists mainly of three classes of enterprise:
First, industrial automation enterprises, which, starting from their own core product capabilities, mainly provide the access equipment that is the source of industrial data collection, such as Siemens, Advantech (研华), Honeywell, Ankong (安控) and so on;
Second, industrial network service enterprises, which mainly provide supporting equipment and services for industrial data collection such as industrial network protocol conversion, transmission and security; some of these enterprises are actively expanding from their original areas of strength into the manufacturing field, such as China Telecom, ZTE Corporation, Huawei and so on;
Third, industrial data collection solution enterprises, which mainly provide industrial data collection solutions, system development, project implementation, system integration and similar services, such as the Beijing Automation Research Institute (北自所), Hollysys, Mingjiang (明匠) and so on.
The industrial data collection architecture consists of three layers: equipment access, protocol conversion and edge data processing. Downward it connects to equipment or intelligent products; upward it interfaces with the industrial internet platform or industrial application systems, as shown in Figure 1.
As Figure 1 shows, data necessarily passes through several levels of network on its way from collection to application: the field-level network interfaces that the equipment access level faces, such as RS485/232, Industrial Ethernet and CAN bus; the chip-level network interfaces that protocol conversion and edge processing face, such as UART, I2C and SPI; and the application-level network interfaces over which data is transferred to the industrial internet platform or industrial application systems, such as HTTP, MQTT and S7. The construction of the future industrial internet will therefore necessarily involve deploying large numbers of data acquisition gateways or similar products, which, just as in the original conventional internet, are the important nodes through which data information flows. The difference is that the data acquisition gateways involved in the industrial internet face new challenges: a large number of protocols, complex operating conditions, high reliability requirements and difficult security assurance.
As far as the function of realizing communication and data exchange is concerned, the existing level of development is such that many products fully satisfy existing needs. There are two main technical routes:
One: products originally used for low-level industrial control that integrate Ethernet communication components. For example the Siemens SIMATIC controller series, which has developed from the S3 series to today's S7: it is small, fast and standardized, has network communication capability, has more complete functions and higher reliability. Taking the S7-200 SMART series as an example: a microprocessor, an integrated power supply, input circuits and output circuits are combined in one compact housing, forming a powerful Micro PLC; after the user program is downloaded, the CPU contains the logic needed to monitor the input and output devices in the application;
Two: products originally used for network communication that integrate industrial control and data acquisition components. For example the industrial router series and wireless industrial DTU series of Hongdian (宏电), which were originally used for M2M (machine-to-machine communication), a field that is the predecessor of the Internet of Things and one of its most important service links. A wireless industrial DTU is a wireless terminal device based on the GPRS data communication network that is used specifically to convert serial data into IP data, or IP data into serial data, and transmit it over the wireless communication network; it is now widely used in industries such as electric power, environmental monitoring, vehicles, water conservancy, meteorology, street-light monitoring, heating pipe networks, coal mines and oil fields. The industrial router is an industrial-grade router developed on 3G/4G wireless communication; it uses a wide-voltage EMC design, supports the 4G, 3G and 2.5G network formats and dual-module dual-SIM operation, supports a built-in 4G wireless WiFi module and APN/VPDN private network access, and provides users with wireless long-distance data transmission over the public 2G/3G/4G wireless networks. Its transmission rate is faster and more stable, it runs stably 7 × 24 hours, it suits harsh environments and remote management, maintenance and upgrading, and it helps enterprises reduce O&M cost. It is widely used in industries such as finance, media, transport, vehicles, electric power, environmental protection, industrial automation and chain businesses.
First, the construction of the industrial internet cannot do without the construction of an industrial big data platform at the application level; otherwise no network effect and no innovative applications can form. Second, in order to provide large-scale data application services, the platform must use open protocols; otherwise users and application developers face many closed-source or semi-closed-source protocols and have to pay a huge learning cost, which is clearly unfavorable to the development of the platform. For example, the existing INDICS industrial big data platform uses open protocols (MQTT and RESTful).
But this brings a data security problem: plaintext data transmitted over the internet with open protocols is very easy to identify, capture, replicate and tamper with.
Existing similar products generally address this security risk with closed-source proprietary protocols, such as S7 and PPI (both from the Siemens family), DDP (DTU DSC Protocol, used in the DTU products of vendors such as Hongdian and Hanketai and generally customized by each manufacturer), LoRaWAN (LoRa series) and so on. Their advantages and disadvantages are as described above: a proprietary protocol sacrifices the generality of the product to increase user stickiness, which is unfavorable to the development of the industrial internet platform.
Further, because the essence of a proprietary protocol is still plaintext data, protected only by the information asymmetry of closed source, cracking products aimed specifically at such proprietary protocols have already appeared on the market. The appearance of a cracking product exposes all related products that use the same protocol or belong to the same series to security risk. Considering that the number of connections in the industrial internet will be an order of magnitude higher than in the existing internet, related products of the same protocol or series exposed to a security risk will produce direct loss and harm that is likewise an order of magnitude higher, not even counting indirect loss and harm.
In summary, the challenge encountered in existing industrial internet construction is that, under the existing architecture, generality and security cannot both be achieved. The mainstream approach sacrifices generality to guarantee security. Because the industrial internet is still at the initial construction stage, the enterprises of the industrial data collection industry are each pushing their own protocols, interfaces and other data exchange standards in order to capture the market, without giving much thought to generality. But the next stage of industrial internet development will necessarily have to take both generality and security into account, as the development of mobile communication networks did before it.
Summary of the invention
The purpose of the present invention is to provide a full isolation method for a data acquisition gateway, so as to solve the problems raised in the background above.
To achieve the above object, the present invention adopts the following technical solution:
A full isolation method for a data acquisition gateway: a data encryption module is added to the data collection terminal to encrypt the uploaded data; the data is decrypted at the big data platform with dedicated software, realizing transmission protection of the data; the encrypting module is connected to the MCU and to the communication module through a serial port. The industrial internet data acquisition encryption isolation scheme design comprises:
S1. Overall architecture design:
The data collection terminal collects the enterprise's data and hands it through the MCU to the GPRS transmission module, which sends the enterprise data to the big data platform; during transmission the enterprise data may face the risk of theft and disclosure and needs confidentiality protection;
A data encryption module is added to the data collection terminal to encrypt the uploaded data; the data is decrypted at the big data platform with dedicated software, realizing transmission protection of the data; the encrypting module is connected through a serial port;
S2. Encrypting module hardware design:
Considering area, power consumption and cost, it is proposed to realize the encrypting module as a dedicated algorithm SoC chip plus a standard interface. The main functions are all realized by the algorithm chip, which includes a main CPU, cryptographic algorithm operation, a key storage unit, interface modules and so on; the standard interface realizes the data exchange between the encrypting module and the acquisition terminal and transmission module. In this way the encrypting module consists mainly of one algorithm chip and supporting devices. With the cryptographic SoC chip plus two rows of 1×5 pin headers, the module area is within 2 cm × 2 cm; since the data encryption module communicates with the outside through UART, the module also needs an external power supply, and the module uses two single-row 1×5 pin headers with 2.54 mm pitch;
S3. Encrypting module operating mode:
The encrypting module can be designed into two different operating modes in the terminal: serial mode and parallel mode:
Serial mode:
In serial mode the encrypting module is connected in series on the data path as an independent unit; the MCU sends the collected data to the encrypting module, which encrypts and encapsulates the data and hands it to the communication module for sending. In this case the encrypting module has more work to do, and it can also set up a technical barrier against situations such as the terminal manufacturer sending the enterprise data in plaintext to other service platforms; the data encryption module needs the following development:
1) Standardization of the crypto module-MCU interface: with the MCU as the master device and the crypto module as the slave device, the communication interface between the two sides is defined and realized in the style of AT commands; the main interface includes network connection parameter configuration, connecting to the platform server, sending data, requesting time synchronization data, etc.;
2) Realization of the encryption functions, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation: realize MQTT client functionality, connect to the platform server, and submit the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: drive the GPRS module, connect to the cloud platform, send data and receive time synchronization data; in addition, since the GPRS module is a passive communication device driven by the crypto module, if different equipment manufacturers choose different wireless communication modules, the crypto module needs separate adaptation development for each of them;
Parallel mode:
In parallel mode the encrypting module serves only as a cryptographic operation component: the MCU hands the data to be encrypted to the encrypting module for encryption, reads back the encrypted data, and encapsulates and sends it; the encrypting module only performs the encryption work, and data encapsulation is done by the MCU;
S4. Cryptographic key design:
The crypto chip selected for the encrypting module can provide the common national-standard algorithms SM2, SM3 and SM4, can realize different encryption modes such as symmetric encryption and public-key encryption, and can realize key management in different ways such as preset keys or key agreement. To simplify the user management process and improve decryption efficiency at the big data platform, symmetric encryption with preset keys is adopted;
The encrypting module encrypts with a symmetric algorithm; the encryption key is preset inside the chip, divided per module, so that different modules have different encryption keys. The chip incorporates security protection measures, so the encryption key cannot be read from outside. When the encrypting module is produced and leaves the factory, internal key initialization must be completed: an ID and an encryption key are generated internally, and the encryption key and ID are submitted to the decryption program of the big data platform for decrypting the data; the encryption key of each encrypting module is stored encrypted at the big data platform to prevent leakage;
The algorithm chip provides rich algorithm arithmetic units, and its embedded CPU can also modify the way the cryptographic key is used; if the key usage mode needs to change later, the required function can be realized through a software upgrade without changing the hardware, which improves flexibility;
S5. Management process design:
Equipment production: the data collection terminal is mainly divided into two parts, the acquisition terminal and the encrypting module, with a standard interface defined between them; they are handed to different manufacturers to be produced separately and purchased separately. After the encrypting module is produced it must be initialized: a device ID and an encryption key are generated, and the ID and its corresponding encryption key are submitted and stored encrypted;
Equipment assembly: after the acquisition terminal and the encrypting module are assembled together, the unit is delivered to the user manufacturer;
Communication process:
Encrypting module:
(1) on power-up, the device reads its device ID and encryption key;
(2) the encrypting module encrypts the agreed fixed plaintext data with the encryption key, obtaining data_en;
(3) (ID, data_en) is sent to the big data platform as handshake data;
Big data platform:
(1) a connection is established with the terminal device;
(2) the handshake data (ID, ciphertext) is received;
(3) according to the ID, the encrypted key of that encrypting terminal is retrieved and decrypted to obtain the key in plaintext;
(4) data_en is decrypted with that encryption key, obtaining data*;
(5) data* is compared with the agreed fixed data; if it does not match, the connection is dropped; if it matches, the connection is established and subsequent data is decrypted with that encryption key.
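The handshake of the communication process above (device steps 1-3, platform steps 1-5), as an added Go example that is not part of the patent: AES-GCM stands in for the chip's SM4 (an assumption, chosen so the code runs with the standard library), and the device IDs, keys and agreed plaintext are constructed sample values.

```go
// Added example (not the patent's code): the S5 "communication process" handshake between
// an encrypting module and the big data platform. AES-GCM stands in for the chip's SM4
// (assumption); the IDs, keys and agreed plaintext below are constructed sample values.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// agreedPlaintext is the fixed plaintext both sides agree on in advance.
var agreedPlaintext = []byte("INDICS-HELLO-v1")

// gcm builds the AEAD for a 16-byte key (SM4 on the real chip, AES here).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a modified message.
func open(key, msg []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("cannot open %d-byte message with %d-byte key", len(msg), len(key))
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// Handshake is the (ID, data_en) pair the module sends in device step (3).
type Handshake struct {
	ID     string
	DataEn []byte
}

// Hello performs device steps (1)-(3) with the module's factory-preset ID and key.
func Hello(id string, key []byte) (Handshake, error) {
	dataEn, err := seal(key, agreedPlaintext)
	return Handshake{ID: id, DataEn: dataEn}, err
}

// Platform stores each module's key encrypted under a master key (S4).
type Platform struct {
	master      []byte
	wrappedKeys map[string][]byte
}

// Register records the (ID, key) pair submitted after production (S5, 5.1).
func (p *Platform) Register(id string, key []byte) (err error) {
	p.wrappedKeys[id], err = seal(p.master, key) // nil entry on error: later lookups fail
	return err
}

// Accept performs platform steps (2)-(5): it returns the terminal's key for
// decrypting follow-up data, or an error meaning "disconnect".
func (p *Platform) Accept(h Handshake) ([]byte, error) {
	wrapped, ok := p.wrappedKeys[h.ID]
	if !ok {
		return nil, fmt.Errorf("unknown device ID %q", h.ID)
	}
	key, err := open(p.master, wrapped) // step (3): recover this terminal's key
	if err != nil {
		return nil, err
	}
	dataStar, err := open(key, h.DataEn) // step (4): data* from data_en
	if err != nil || subtle.ConstantTimeCompare(dataStar, agreedPlaintext) != 1 {
		return nil, fmt.Errorf("handshake check failed for %q: disconnect", h.ID)
	}
	return key, nil // step (5): data* matched, follow-up data uses this key
}

func main() {
	p := &Platform{master: []byte("platform-master!"), wrappedKeys: map[string][]byte{}}
	_ = p.Register("DEV-0001", []byte("device-key-0001!"))
	hello, _ := Hello("DEV-0001", []byte("device-key-0001!"))
	_, err := p.Accept(hello)
	fmt.Println("registered module, matching key:", err)
	hello, _ = Hello("DEV-0001", []byte("device-key-0002!"))
	_, err = p.Accept(hello)
	fmt.Println("registered ID, different key:", err)
}
```

The example keeps the patent's design in which data_en is the encryption of a fixed plaintext, so the check proves possession of the per-module key but carries no freshness chosen by the platform; a deployment would add a platform-side challenge before relying on it as authentication.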
Preferably, in S3, under serial mode, the data encryption module needs the following development:
1) Standardization of the crypto module-MCU interface: with the MCU as the master device and the crypto module as the slave device, the communication interface between the two sides is defined and realized in the style of AT commands; the main interface includes network connection parameter configuration, connecting to the platform server, sending data, requesting time synchronization data, etc.;
2) Realization of the encryption functions, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation: realize MQTT client functionality, connect to the platform server, and submit the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: drive the GPRS module, connect to the cloud platform, send data and receive time synchronization data; in addition, since the GPRS module is a passive communication device driven by the crypto module, if different equipment manufacturers choose different wireless communication modules, the crypto module needs separate adaptation development for each of them.
Preferably, in S3, under parallel mode, the data encryption module needs the following development:
Provide cryptographic service functions to the MCU, including key agreement, data encryption, etc.; standardize the interface in the style of AT commands.
Preferably, in S3, the comparison of serial mode and parallel mode is as follows:
The serial design is equivalent to migrating the functions originally implemented by the equipment manufacturer into the crypto module. For the equipment manufacturer, everything already completed has to be developed again against the delivered crypto module; for the platform, what was formerly connected to the equipment manufacturer now has to be connected to the encryption device manufacturer, a second round of work; as a whole, the main MCU of the original equipment already had this capability, which is discarded, while the crypto module takes on the function, so a higher-end chip has to be selected, adding the development and debugging of the protocol communication.
Technical effects and advantages of the invention: compared with the prior art, the full isolation method for a data acquisition gateway proposed by the present invention has the following advantages:
1. The challenge encountered in existing industrial internet construction is that, under the existing architecture, generality and security cannot both be achieved; the mainstream approach sacrifices generality to guarantee security. The encryption isolation design of this scheme solves both of these problems at once;
2. Generality: since the data acquisition gateway uses open protocols, the original ease of development and ease of access are not sacrificed;
3. Security: because an encryption chip is used, the data actually travels through the network as ciphertext, which has three advantages:
(1) even if the ciphertext is intercepted, it is difficult to crack, so security breaches such as tampering and theft are unlikely to occur;
(2) even if the ciphertext is cracked, since the encryption chip follows a one-machine-one-key architecture, the breach exists only on that single machine and does not extend to the many other machines of the same series, so the security risk is relatively controllable;
(3) the ciphertext can only be restored to plaintext by the corresponding decryption mechanism, so a back door or other covert channel left in the communication system automatically ceases to be effective, because only the data destination that deploys the corresponding decryption mechanism can obtain useful information;
4. Standardization: because the encryption chip has an innate ability to block back doors, especially when it operates in serial mode, and because it uses general-purpose interfaces such as UART, the industrial data collection system design can be taken further toward separate data acquisition, data encryption and data transmission. The existing, mostly monolithic design is abandoned; each subsystem can be designed separately and produced in a standardized way, which helps to reduce cost.
Description of the drawings
Fig. 1 is a schematic diagram of the industrial data collection architecture of the prior art;
Fig. 2 is a schematic diagram of the industrial internet data acquisition encryption isolation scheme of the invention;
Fig. 3 is a schematic diagram of the data acquisition encryption isolation chip of the invention;
Fig. 4 is a schematic diagram of the physical dimensions of the data acquisition encryption isolation chip of the invention;
Fig. 5 is a schematic diagram of the serial operating mode of the encryption isolation chip of the invention;
Fig. 6 is a schematic diagram of the parallel operating mode of the encryption isolation chip of the invention.
Specific embodiments
The technical solution in the embodiments of the present invention will be described clearly and completely below with reference to Figs. 2 to 6 of the embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. The specific embodiments described here are only intended to illustrate the present invention, not to limit it. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
The present invention provides a full isolation method for a data acquisition gateway: a data encryption module is added to the data collection terminal to encrypt the uploaded data; the data is decrypted at the big data platform with dedicated software, realizing transmission protection of the data; the encrypting module is connected to the MCU and to the communication module through a serial port. The industrial internet data acquisition encryption isolation scheme design comprises:
S1. Overall architecture design:
The data collection terminal collects the enterprise's data and hands it through the MCU to the GPRS transmission module, which sends the enterprise data to the big data platform; during transmission the enterprise data may face the risk of theft and disclosure and needs confidentiality protection;
A data encryption module is added to the data collection terminal to encrypt the uploaded data; the data is decrypted at the big data platform with dedicated software, realizing transmission protection of the data; the encrypting module is connected to the MCU and to the communication module through a serial port, and its position in the acquisition terminal is shown in Fig. 2;
The encryption scheme is designed according to the principles of security, availability and economy: while guaranteeing data security, changes to the original system are minimized as far as possible, standard interfaces are used, and the implementation cost is controlled, so as to facilitate application of the encryption scheme;
S2. Encrypting module hardware design:
Considering area, power consumption and cost, it is proposed to realize the encrypting module as a dedicated algorithm SoC chip plus a standard interface. The main functions are all realized by the algorithm chip, which includes a main CPU, cryptographic algorithm operation, a key storage unit, interface modules and so on; the standard interface realizes the data exchange between the encrypting module and the acquisition terminal and transmission module. In this way the encrypting module consists mainly of one algorithm chip and supporting devices, which simplifies the design, reduces the area and lowers the cost. The hardware block diagram of the encrypting module is shown in Fig. 3: a cryptographic SoC chip plus two rows of 1×5 pin headers, with the module area within 2 cm × 2 cm;
Since the data encryption module communicates with the outside through UART, the module also needs an external power supply; the module uses two single-row 1×5 pin headers with 2.54 mm pitch, and the interface the module provides externally is shown in the table below:
Table: pin header 1 signal definition
Table: pin header 2 signal definition
The physical dimensions of the module are shown in Fig. 4;
S3. Encrypting module operating mode:
The encrypting module can be designed into two different operating modes in the terminal: serial mode and parallel mode;
3.1 Serial mode
In serial mode the data flow is as shown in Fig. 5;
In serial mode the encrypting module is connected in series on the data path as an independent unit; the MCU sends the collected data to the encrypting module, which encrypts and encapsulates the data and hands it to the communication module for sending. In this case the encrypting module has more work to do, and it can also set up a technical barrier against situations such as the terminal manufacturer sending the enterprise data in plaintext to other service platforms;
Under serial mode, the data encryption module needs the following development:
1) Standardization of the crypto module-MCU interface: with the MCU as the master device and the crypto module as the slave device, the communication interface between the two sides is defined and realized in the style of AT commands; the main interface includes network connection parameter configuration, connecting to the platform server, sending data, requesting time synchronization data, etc.;
2) Realization of the encryption functions, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation: realize MQTT client functionality, connect to the platform server, and submit the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmit/receive: drive the GPRS module, connect to the cloud platform, send data and receive time synchronization data; in addition, since the GPRS module is a passive communication device driven by the crypto module, if different equipment manufacturers choose different wireless communication modules, the crypto module needs separate adaptation development for each of them;
3.2 Parallel mode
In parallel mode the data flow is as shown in Fig. 6;
In parallel mode the encrypting module serves only as a cryptographic operation component: the MCU hands the data to be encrypted to the encrypting module for encryption, reads back the encrypted data, and encapsulates and sends it; the encrypting module only performs the encryption work, and data encapsulation is done by the MCU;
Under parallel mode, the data encryption module needs the following development:
1) Provide cryptographic service functions to the MCU, including key agreement, data encryption, etc.; standardize the interface in the style of AT commands;
3.3 Comparison of the two modes
The serial design is equivalent to migrating the functions originally implemented by the equipment manufacturer into the crypto module. For the equipment manufacturer, everything already completed has to be developed again against the delivered crypto module; for the platform, what was formerly connected to the equipment manufacturer now has to be connected to the encryption device manufacturer, a second round of work; as a whole, the main MCU of the original equipment already had this capability, which is discarded, while the crypto module takes on the function, so a higher-end chip has to be selected, adding the development and debugging of the protocol communication. Therefore the serial mode requires slightly more development and a slightly longer cycle;
S4. Encryption key design:
The crypto chip selected for the encryption module provides the common national-standard algorithms SM2, SM3 and SM4, so it can realise different encryption modes such as symmetric encryption and public-key encryption, and key management can use different approaches such as preset keys or key agreement. To simplify the user-management process and improve decryption efficiency at the big-data platform, the approach of symmetric encryption + preset key is adopted;
The encryption module encrypts with a symmetric algorithm, and the encryption key is preset inside the chip; keys are segregated per module, so different modules have different encryption keys. The chip includes security protection measures so that the encryption key cannot be read from outside. When an encryption module is produced and leaves the factory, internal key initialisation must be completed: the chip internally generates an ID and an encryption key, and the encryption key and ID are submitted to the big-data platform's decryption program for decrypting the data. The encryption key of every encryption module is stored at the big-data platform in encrypted form to prevent leakage;
The algorithm chip provides a rich set of algorithm computation units and an embedded CPU, so the way the encryption key is used can also be modified: if the key-usage scheme needs to change later, the required function can be realised by a software upgrade without changing the hardware, which improves flexibility;
S5. Management process design:
5.1 Equipment production
The data collection terminal is divided into two main parts, the acquisition terminal and the encryption module, with a standard interface defined between them; they are produced by different manufacturers and purchased separately;
After the encryption module is produced, it must be initialised: the device ID and encryption key are generated, and the ID with its corresponding encryption key is submitted and stored in encrypted form;
5.2 Equipment assembly
After the acquisition terminal and the encryption module are assembled, the device is delivered to the user enterprise;
5.3 Communication process
1) Encryption module
(1) On power-up, the device reads its device ID and encryption key;
(2) The encryption module encrypts the agreed fixed plaintext data with the encryption key, obtaining data_en;
(3) (ID, data_en) is sent to the big-data platform as the handshake data;
2) Big-data platform
(1) Establish a connection with the terminal device;
(2) Receive the handshake data (ID, ciphertext);
(3) Using the ID, obtain the encrypted encryption key of that terminal and decrypt it to obtain the plaintext key;
(4) Decrypt data_en with the encryption key, obtaining data*;
(5) Compare whether data* equals the agreed fixed data; if not, disconnect; if so, establish the connection and decrypt all subsequent data with this encryption key.
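The following is an added example, not code from the patent or its applicant, that runs both sides of the 5.3 handshake together with the S4/5.1 key handling (per-module key generated at production, stored encrypted at the platform, unwrapped only to check a handshake). The patent's crypto chip uses SM4; to keep this block dependency-free it substitutes an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) as the symmetric cipher. The agreed fixed plaintext, the ID and key formats, and every class and function name are this example's own assumptions.

```python
"""Added illustration of the S5.3 handshake; not the patent's code.
Cipher stand-in (assumption): HMAC-SHA256 counter mode + HMAC tag in
place of the chip's SM4.  Names, formats and constants are assumed."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

KEY_LEN = 16                           # 128-bit keys, the SM4 key size
NONCE_LEN = 12
TAG_LEN = 16
AGREED_PLAINTEXT = b"GW-HANDSHAKE-V1"  # the "agreed fixed plaintext" (assumed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block_i = HMAC(key, nonce || i); stands in for SM4-CTR."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:length])


def _mac_key(key: bytes) -> bytes:
    return hmac.new(key, b"mac-key", hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the blob is malformed or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionModule:
    """Device side. 5.1: ID and key are generated inside the chip at production
    and the key is not readable from outside (name mangling only models that)."""

    def __init__(self) -> None:
        self.device_id = secrets.token_hex(8)
        self.__key = secrets.token_bytes(KEY_LEN)

    def factory_export(self) -> Tuple[str, bytes]:
        """One-time hand-over of (ID, key) to the platform's decryption program."""
        return self.device_id, self.__key

    def handshake(self) -> Tuple[str, bytes]:
        """5.3 module steps (2)-(3): data_en = Enc_key(agreed plaintext)."""
        return self.device_id, encrypt(self.__key, AGREED_PLAINTEXT)

    def send(self, reading: bytes) -> bytes:
        return encrypt(self.__key, reading)


class BigDataPlatform:
    """Platform side. S4/5.1: every module key is kept wrapped under a platform
    master key and is unwrapped only while a handshake is being checked."""

    def __init__(self) -> None:
        self.__master = secrets.token_bytes(KEY_LEN)
        self.key_store: Dict[str, bytes] = {}  # device_id -> wrapped key
        self.sessions: Dict[str, bytes] = {}   # device_id -> key, after a good handshake

    def register(self, device_id: str, key: bytes) -> None:
        self.key_store[device_id] = encrypt(self.__master, key)

    def accept_handshake(self, device_id: str, data_en: bytes) -> bool:
        """5.3 platform steps (2)-(5); False means 'disconnect'."""
        wrapped = self.key_store.get(device_id)
        if wrapped is None:
            return False                          # unknown ID
        key = decrypt(self.__master, wrapped)     # step (3)
        if key is None:
            return False
        data_star = decrypt(key, data_en)         # step (4)
        if data_star != AGREED_PLAINTEXT:         # step (5)
            return False
        self.sessions[device_id] = key
        return True

    def receive(self, device_id: str, blob: bytes) -> Optional[bytes]:
        key = self.sessions.get(device_id)
        return None if key is None else decrypt(key, blob)


def demo() -> Dict[str, object]:
    """Good path plus the two failure paths that step (5) exists to catch."""
    module, platform = EncryptionModule(), BigDataPlatform()
    platform.register(*module.factory_export())            # 5.1 initialisation
    accepted = platform.accept_handshake(*module.handshake())
    reading = b"temp=36.5;pressure=1.2"                    # constructed sample data
    received = platform.receive(module.device_id, module.send(reading))
    # a device that knows the ID but not the key (a cloned terminal) is refused
    imposter = EncryptionModule()
    wrong_key = platform.accept_handshake(module.device_id, imposter.handshake()[1])
    # a handshake altered in transit fails the tag check before the comparison
    dev_id, blob = module.handshake()
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    tampered = platform.accept_handshake(dev_id, flipped)
    return {"accepted": accepted, "received": received,
            "wrong_key": wrong_key, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

One caveat follows directly from the steps as written: the module proves key possession by encrypting a constant, unprompted. Whoever records one valid (ID, data_en) pair can present it again and pass step (5) without the key, and the random nonce above only makes fresh handshakes look different, it does not stop the replay. Having the platform send a random challenge in its step (1) and the module encrypt that challenge instead of the fixed plaintext closes this; accept_handshake keeps the same structure, comparing against the challenge it issued.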
In this scheme, the encryption chip design: regardless of whether it works in serial or parallel mode, as long as the final data acquisition system adopts the pattern of encryption at the data-acquisition gateway and decryption at the server, and the gateway-side encryption is performed by a separate module or chip, it can be regarded as an encryption-chip design;
Encryption chip physical size: the original module's physical size, scaled proportionally; pin definition and layout;
Encryption chip communication protocol: communication flow, protocol commands, built-in algorithms.
There are two main alternative schemes: augmentation (adding structure) and reduction (subtracting structure).
Augmentation: the encryption chip's function becomes more complex, mainly by integrating the downstream communication part to become an encrypted transmission unit, similar to a VPN or a leased line; or by integrating the upstream data-acquisition part to become an encrypted acquisition unit, similar to acquisition equipment that uses a proprietary protocol; or by full co-design to become a closed secure acquisition unit.
Reduction: the encryption chip's function is simplified, for example only storing the key without deploying an encryption algorithm, or using some simple encryption algorithms to provide partial security properties.
Therefore, this scheme:
1. The challenge met in current industrial-internet construction is that, under the existing architecture, generality and security cannot both be achieved. The mainstream solution sacrifices generality to guarantee security, whereas the encryption-isolation design of this scheme resolves both at once;
2. Generality: because the data-acquisition gateway uses open protocols, the original characteristics of easy development and easy access are not sacrificed;
3. Security: because an encryption chip is used, data actually travels through the network as ciphertext, which has three advantages:
(1) even if the ciphertext is intercepted, it is hard to crack, so security breaches such as tampering and theft are unlikely;
(2) even if the ciphertext is cracked, since the encryption chip follows a one-key-per-machine architecture, the breach is confined to a single machine and does not spread to many machines of the same series, so the security risk is relatively controllable;
(3) the ciphertext can only be recovered to plaintext by the corresponding decryption mechanism, so any backdoor or covert channel left in the communication system automatically ceases to work, because only the data destination that deploys the corresponding decryption mechanism can obtain useful information;
4. Standardisation: since the scheme has an inherent ability to block backdoors, especially when operating in serial mode, and the encryption chip uses general-purpose interfaces such as UART, the industrial data-collection system can further be designed as separate data-acquisition, data-encryption and data-transmission parts. The prevailing unitary design is abandoned; each subsystem can be designed separately and produced in a standardised way, which helps reduce cost.
Finally, it should be noted that the above are only preferred embodiments of the present invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in those embodiments or substitute equivalents for some of their technical features; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (4)

1. A data acquisition gateway full-isolation method, characterised in that a data encryption module is added to the data collection terminal to encrypt the uploaded data, the data are decrypted at the big-data platform with dedicated software, and transmission protection of the data is thereby realised; the encryption module is connected to the MCU and the communication module by serial port; the encryption-isolation scheme for industrial-internet data acquisition is designed as follows:
S1. Overall architecture design:
The data collection terminal collects the enterprise's data and passes it through the MCU to the GPRS transmission module, which sends the enterprise data to the big-data platform; the enterprise data may face risks of theft and disclosure during transmission and needs confidentiality protection;
A data encryption module is added to the data collection terminal to encrypt the uploaded data, and the data are decrypted at the big-data platform with dedicated software, realising transmission protection of the data; the encryption module connects via serial port;
S2. Encryption module hardware design:
Considering area, power consumption and cost, the encryption module is proposed to be implemented as a dedicated algorithm SoC chip plus a standard interface; the main functions are all realised by the algorithm chip, which includes the main CPU, cryptographic-algorithm computation, key storage unit, interface module and so on; the standard interface realises the data interaction between the encryption module and the acquisition terminal and transmission module. In this way the encryption module consists mainly of one algorithm chip and its supporting components: a cryptographic SoC chip with two additional 1x5 pin rows, module area within 2 cm x 2 cm; since the data encryption module communicates with the outside over UART, the module also needs an external power supply, and it uses two single-row 1x5 pin headers with 2.54 mm pitch;
S3. Encryption module operating modes:
The encryption module can be designed into two different operating modes in the terminal: serial mode and parallel mode:
Serial mode:
In serial mode, the encryption module is inserted in series on the data path as an independent unit; the MCU sends the collected data to the encryption module, which encrypts and encapsulates the data and hands it to the communication module for sending. In this mode the encryption module has more work to do, and it can form a technical barrier and obstacle against the terminal manufacturer sending the enterprise data in plaintext to other service platforms; the data encryption module needs the following development work:
1) Standardisation of the crypto module/MCU interface: with the MCU as master and the crypto module as slave, the communication interface between the two sides is defined and implemented using AT commands; the main interface covers network-connection parameter configuration, connecting to the platform server, sending data, requesting time-synchronisation data, etc.;
2) Encryption function implementation, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation: implement the MQTT client functionality, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmission/reception: drive the GPRS module, connect to the cloud platform, send data, and receive time-synchronisation data. In addition, since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module must be adapted to each of them separately;
Parallel mode:
In parallel mode, the encryption module serves only as a cryptographic computation component: the MCU hands the data to be encrypted to the encryption module, reads back the encrypted data, then encapsulates and sends it. The encryption module completes only the encryption work; data encapsulation is done by the MCU;
S4. Encryption key design:
The crypto chip selected for the encryption module provides the common national-standard algorithms SM2, SM3 and SM4, so it can realise different encryption modes such as symmetric encryption and public-key encryption, and key management can use different approaches such as preset keys or key agreement. To simplify the user-management process and improve decryption efficiency at the big-data platform, the approach of symmetric encryption + preset key is adopted;
The encryption module encrypts with a symmetric algorithm, and the encryption key is preset inside the chip; keys are segregated per module, so different modules have different encryption keys. The chip includes security protection measures so that the encryption key cannot be read from outside. When an encryption module is produced and leaves the factory, internal key initialisation must be completed: the chip internally generates an ID and an encryption key, and the encryption key and ID are submitted to the big-data platform's decryption program for decrypting the data. The encryption key of every encryption module is stored at the big-data platform in encrypted form to prevent leakage;
The algorithm chip provides a rich set of algorithm computation units and an embedded CPU, so the way the encryption key is used can also be modified: if the key-usage scheme needs to change later, the required function can be realised by a software upgrade without changing the hardware, which improves flexibility;
S5. Management process design:
Equipment production: the data collection terminal is divided into two main parts, the acquisition terminal and the encryption module, with a standard interface defined between them; they are produced by different manufacturers and purchased separately. After the encryption module is produced, it must be initialised: the device ID and encryption key are generated, and the ID with its corresponding encryption key is submitted and stored in encrypted form;
Equipment assembly: after the acquisition terminal and the encryption module are assembled, the device is delivered to the user enterprise;
Communication process:
Encryption module:
(1) On power-up, the device reads its device ID and encryption key;
(2) The encryption module encrypts the agreed fixed plaintext data with the encryption key, obtaining data_en;
(3) (ID, data_en) is sent to the big-data platform as the handshake data;
Big-data platform:
(1) Establish a connection with the terminal device;
(2) Receive the handshake data (ID, ciphertext);
(3) Using the ID, obtain the encrypted encryption key of that terminal and decrypt it to obtain the plaintext key;
(4) Decrypt data_en with the encryption key, obtaining data*;
(5) Compare whether data* equals the agreed fixed data; if not, disconnect; if so, establish the connection and decrypt all subsequent data with this encryption key.
2. The data acquisition gateway full-isolation method according to claim 1, characterised in that in S3, under serial mode, the data encryption module needs the following development work:
1) Standardisation of the crypto module/MCU interface: with the MCU as master and the crypto module as slave, the communication interface between the two sides is defined and implemented using AT commands; the main interface covers network-connection parameter configuration, connecting to the platform server, sending data, requesting time-synchronisation data, etc.;
2) Encryption function implementation, including key agreement, data encryption, etc.;
3) MQTT protocol encapsulation: implement the MQTT client functionality, connect to the platform server, and hand the encrypted payload data to the GPRS module for sending;
4) GPRS module driver and data transmission/reception: drive the GPRS module, connect to the cloud platform, send data, and receive time-synchronisation data. In addition, since the GPRS module is a passive communication device driven by the crypto module, if different device manufacturers select different wireless communication modules, the crypto module must be adapted to each of them separately.
3. The data acquisition gateway full-isolation method according to claim 1, characterised in that in S3, under parallel mode, the data encryption module needs the following development work:
Provide cryptographic service functions to the MCU, including key agreement and data encryption; standardise the interface using AT commands.
4. The data acquisition gateway full-isolation method according to claim 1, characterised in that in S3, the serial mode and parallel mode compare as follows:
The serial design amounts to migrating the work the original equipment manufacturer did into the crypto module. For the device manufacturer, everything already completed has to be developed again for the crypto module; for the platform, the integration that was previously done with the device manufacturer now has to be done a second time with the encryption-device manufacturer. Taken as a whole, the original device's main MCU already had this capability and it goes unused, while the crypto module takes the function on and needs a higher-end chip, adding protocol-communication development and debugging.
CN201910319489.1A 2019-04-19 2019-04-19 Data acquisition gateway full-isolation method Active CN110061989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910319489.1A CN110061989B (en) 2019-04-19 2019-04-19 Data acquisition gateway full-isolation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910319489.1A CN110061989B (en) 2019-04-19 2019-04-19 Data acquisition gateway full-isolation method

Publications (2)

Publication Number Publication Date
CN110061989A true CN110061989A (en) 2019-07-26
CN110061989B CN110061989B (en) 2021-07-13

Family

ID=67319803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910319489.1A Active CN110061989B (en) 2019-04-19 2019-04-19 Data acquisition gateway full-isolation method

Country Status (1)

Country Link
CN (1) CN110061989B (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050180337A1 (en) * 2004-01-20 2005-08-18 Roemerman Steven D. Monitoring and reporting system and method of operating the same
CN1761209A (en) * 2004-04-27 2006-04-19 微软公司 System and methods for providing network quarantine
US20070091926A1 (en) * 2005-10-21 2007-04-26 Apostolopoulos John G Method for optimizing portions of data from a plurality of data streams at a transcoding node
US7490332B2 (en) * 2003-04-04 2009-02-10 Sesma Systems, Inc. System and method for accessing ActiveX objects in a platform dependent environment from objects in a platform independent environment
CN103281377A (en) * 2013-05-31 2013-09-04 北京鹏宇成软件技术有限公司 Cryptograph data storage and searching method for cloud
CN103873230A (en) * 2014-04-06 2014-06-18 汪风珍 Single-direction encryption-decryption technology


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111064779A (en) * 2019-12-10 2020-04-24 北京国网富达科技发展有限责任公司 SF6 online monitoring device, method and system for a transformer substation
CN111556093A (en) * 2020-03-27 2020-08-18 天津市普迅电力信息技术有限公司 Multifunctional edge Internet of things agent device for power grid information acquisition
CN111600705A (en) * 2020-05-14 2020-08-28 国网电力科学研究院有限公司 Isolation card based on auto-negotiation mechanism
CN111600705B (en) * 2020-05-14 2022-10-04 国网电力科学研究院有限公司 Isolation card based on auto-negotiation mechanism
WO2022077935A1 (en) * 2020-10-16 2022-04-21 青岛海尔工业智能研究院有限公司 Data storage method and device for industrial internet platform, and data retrieval method and device for industrial internet platform
CN113347172A (en) * 2021-05-28 2021-09-03 吉萨特自动化技术(上海)有限公司 Cloud digitization platform and using method thereof
CN115664841A (en) * 2022-11-14 2023-01-31 济南大学 Data acquisition system and method with network isolation and one-way encryption transmission functions

Also Published As

Publication number Publication date
CN110061989B (en) 2021-07-13

Similar Documents

Publication Publication Date Title
CN110061989A (en) A kind of full partition method of data acquisition gateway
CN205490665U (en) Thing networking systems's communication device
Saleem et al. Internet of things-aided smart grid: technologies, architectures, applications, prototypes, and future research directions
CN105610706B (en) A kind of intelligent gateway platform of internet of things oriented control system
US20190089788A1 (en) Intelligent Household Energy Internet of Things System for Intelligent City System
CN107040459A (en) A kind of intelligent industrial secure cloud gateway device system and method
CN102280929B (en) System for information safety protection of electric power supervisory control and data acquisition (SCADA) system
CN110289952B (en) Quantum data link security terminal and security communication network
CN102799121A (en) Remote cooking method based on Internet
CN205304872U (en) Cloud control system towards remote terminal unit
CN106773941A (en) Safety collection remote-terminal unit based on national password high performance chipses
CN209265678U (en) Power information acquiring and transmission system based on quantum cryptography
CN104506502B (en) A kind of method that converged communication network is docked with main website
CN104506598A (en) Power terminal management method for hybrid networking
CN106934882A (en) A kind of bin intelligent lock system and open and close locking method
CN104468519B (en) A kind of embedded electric power security protection terminal encryption device
CN203134009U (en) Near field communication (NFC) gas meter
CN205787791U (en) Network relay and network system
CN207083082U (en) A kind of electric power wireless communication terminal based on Micro USB interfaces
CN103198574A (en) Remote control intelligent water meter embedded with information safety management module
CN208063238U (en) Data encryption security ViGap
CN103259649A (en) Remote control intelligent heat meter provided with information security management module in embedded mode
CN203038378U (en) Encryption type DTU module capable of performing external programming
CN206533393U (en) Special line encrypted authentication system
CN205066844U (en) Intelligence water gauge based on NFC technique

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant