CN111245783A - Isolated environment data transmission device and method based on digital encryption technology - Google Patents


Info

Publication number
CN111245783A
Authority
CN
China
Prior art keywords
module
digital
data
information
sending
Prior art date
Legal status
Pending
Application number
CN201911386036.7A
Other languages
Chinese (zh)
Inventor
孙永文
黄鹏
段雷
郭亚兵
于洪淼
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses an isolated-environment data transmission device and method based on digital encryption technology. The device comprises a sending device and a receiving device that can be separated. The sending device comprises a sending main control module, an encryption module, a coding display module and a sending communication interface module; the sending main control module provides the logic scheduling and algorithm support of the sending device. The receiving device comprises a receiving main control module, a decryption module, an image acquisition module, a digital image processing module and a receiving communication interface module. Because the sending end and the receiving end can be separated, data can be imported even when the two systems are far apart; a built-in encryption algorithm using digital envelope technology ensures that data cannot be tampered with or forged, so that sensitive data is kept secure and confidential in transit; the embedded design keeps the device small and inexpensive; and the built-in communication module supports a richer set of hardware interfaces and protocols, so that the device suits a wider range of application scenarios.

Description

Isolated environment data transmission device and method based on digital encryption technology
Technical Field
The invention relates to the technical field of communication, in particular to an isolated environment data transmission device and method based on a digital encryption technology.
Background
At present, many internal classified networks are deployed in security-sensitive organisations such as governments, banks and the military. Data import/export and information backup between these network environments and external non-classified networks or the wide-area Internet mainly use security isolation gateways (network gates), or media such as optical discs, as the physically isolated transmission medium for data exchange between networks. Traditional gateway equipment is expensive, generally selling for tens of thousands to hundreds of thousands, which adds extra cost and implementation effort for information systems that only need to transfer small amounts of data at irregular times; optical discs and similar media require cumbersome manual management, and although automated robotic-arm recording systems have appeared in recent years, the overall system is complex, its reliability is low, and information exchange is far from real-time.
Besides the methods above, some simple unidirectional transmission devices that carry data by image technology or radio-frequency technology have been developed in recent years, but they have the following problems. First, the hardware relies on an industrial personal computer or industrial control mainboard running a desktop or server operating system, so the equipment is bulky and expensive, and its reliability is reduced by the many unnecessary functional modules it contains. Second, existing equipment is built as a single integrated unit, so it cannot handle temporary storage and transfer of data between different systems, and in particular cannot be deployed directly when the two networks are far apart. Third, the data transmission process lacks effective security protection: the data is easily attacked, so it may be replaced, altered or leaked during exchange, affecting network security. Fourth, a network interface is mostly used, which limits the environments in which the equipment can be used.
Disclosure of Invention
To solve the problems of high hardware cost, poor confidentiality and the like described in the background, the invention provides an isolated-environment data transmission device and method based on digital encryption technology. The device comprises a sending device and a receiving device which are separable.
The sending device comprises a sending main control module, an encryption module, a coding display module and a sending communication interface module.
The sending main control module obtains original text data through the sending communication interface module and sends it to the encryption module for encryption to obtain encrypted data; the encrypted data and the original text data are spliced to obtain coding information.
The encryption module encrypts the data obtained from the sending main control module.
The coding display module outputs the coding information generated by the sending main control module to a display device, where the receiving device collects it.
The sending communication interface module provides the data transmission interface between the sending device and an external system, completing data reception and feedback.
The receiving device comprises a receiving main control module, a decryption module, an image acquisition module, a digital image processing module and a receiving communication interface module.
The receiving main control module polls the image information received by the image acquisition module. When it detects that the image has changed, it passes the acquired image to the digital image processing module to obtain decoding information; the decryption module decrypts the decoding information and completes digital signature verification, and if verification succeeds the original text data is sent out through the receiving communication interface module.
The image acquisition module acquires image information.
The digital image processing module analyses the image data and sends the decoding information obtained from the analysis to the receiving main control module.
The decryption module decrypts the information obtained by the receiving main control module.
The receiving communication interface module provides the data transmission interface between the receiving device and an external system, completing data reception and feedback.
Further, the device also comprises a storage module, which stores the coding information.
When the sending main control module detects that the working mode is the storage mode, the coding information is stored in the storage module; if the working mode is the direct forwarding mode, the coding information is converted into an image code and sent to the coding display module for display.
Further, the encryption module stores the private key and certificate of the sending device and provides algorithm support to the sending main control module; the algorithms comprise hash operations, asymmetric encryption/decryption and symmetric encryption/decryption.
The original text data is the raw data of an application-layer protocol packet.
Further, the sending communication interface module provides a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface.
The receiving communication interface module provides a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface.
Further, on the sending side the encryption module performs a hash operation on the original text data to obtain digital digest information;
the encryption module encrypts the digital digest with the private key of the sending device using an asymmetric algorithm to obtain a digital signature;
the sending main control module splices the original text data, the digital signature and the public key of the sending device to obtain first packed data;
the encryption module encrypts the first packed data with a symmetric key using a symmetric algorithm to obtain encrypted information;
the encryption module encrypts the symmetric key with the public key of the receiving device using an asymmetric algorithm to obtain a digital envelope;
and the sending main control module splices the encrypted information and the digital envelope to obtain second packed data.
Further, when the sending main control module works directly in the direct sending mode, the pre-stored data are taken out of the storage module one by one and sent to the coding display module for collection by the receiving device.
Further, the receiving device also comprises a digital isolator; through the digital isolator the sending device confirms whether a data packet has been transmitted, and sends the next packet of data when it detects the confirmation signal.
Further, the decoding information comprises encrypted information and a digital envelope.
The receiving main control module extracts the digital envelope from the decoding information, and the decryption module decrypts it with the private key of the receiving device to obtain the symmetric key;
the decryption module decrypts the encrypted information in the decoding information with the symmetric key using the symmetric algorithm to obtain the original text data, the digital signature and the public key of the sending device;
the decryption module decrypts the digital signature with the public key of the sending device to obtain a first digital digest, and hashes the original text data with the hash algorithm of the encryption module to obtain a second digital digest;
and the receiving main control module compares the first digital digest with the second: if they are identical, verification succeeds; if they differ, verification fails, the group of original text data is discarded, and alarm information is generated.
A separable isolated-environment data sending method based on digital encryption technology comprises:
receiving original text data and performing a hash operation on it to obtain digital digest information, the original text data being the raw data of an application-layer protocol packet;
encrypting the digital digest with the private key of the sending device using an asymmetric algorithm to obtain a digital signature;
splicing the original text data, the digital signature and the public key of the sending device to obtain first packed data;
encrypting the first packed data with a symmetric key using a symmetric algorithm to obtain encrypted information;
encrypting the symmetric key with the public key of the receiving device using an asymmetric algorithm to obtain a digital envelope;
splicing the encrypted information and the digital envelope to obtain second packed data;
and, if the current working mode is the storage mode, storing the second packed data; if the working mode is the direct forwarding mode, converting the second packed data into an image code and sending it for coded display.
Further, when operating directly in the direct sending mode, the pre-stored data are extracted and the second packed data is displayed in coded form.
Further, the confirmation signal sent by the digital isolator at the receiving end is detected, and the next packet of data is sent when the confirmation signal is detected.
A separable isolated-environment data receiving method based on digital encryption technology comprises:
collecting image information and analysing it to obtain decoding information;
extracting the digital envelope from the decoding information and decrypting it with the private key of the receiving device to obtain the symmetric key;
decrypting the encrypted information in the decoding information with the symmetric key using the symmetric algorithm to obtain the original text data, the digital signature and the public key of the sending device;
decrypting the digital signature with the public key of the sending device to obtain a first digital digest, and hashing the original text data with the hash algorithm used on the sending side to obtain a second digital digest;
comparing the first digital digest with the second: if they are identical, verification succeeds and the original text data is sent out through the communication interface module; if verification fails, the group of original text data is discarded and alarm information is generated.
The beneficial effects of the invention are as follows. The technical scheme provides an isolated-environment data transmission device based on digital encryption technology whose sending end and receiving end are separable, so that data can be imported even when the two systems are relatively far apart; a built-in encryption algorithm using digital envelope technology ensures that data cannot be tampered with or forged, keeping sensitive data secure and confidential in transit; the embedded design keeps the device small and inexpensive; and the built-in communication module supports a richer set of hardware interfaces and protocols, widening the applicable scenarios. The method can be applied to the transfer and transmission of important encrypted data such as identity data, financial data and confidential government data across multiple networks and systems, has wide prospects and is easy to popularise.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
FIG. 1 is a block diagram of an isolated environment data transfer device based on digital encryption technology in accordance with an embodiment of the present invention;
FIG. 2 is a flowchart of a separable isolated environment data transmission method based on digital encryption technology according to an embodiment of the present invention;
FIG. 3 is a flowchart of a separable isolated environment data receiving method based on digital encryption technology according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings; however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for complete disclosure of the present invention and to fully convey its scope to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
FIG. 1 is a flow diagram of an isolated environment data transfer device based on digital encryption technology according to an embodiment of the present invention. As shown in FIG. 1, the apparatus includes a sending device 110 and a receiving device 120 that are separable.
The hardware of the sending device 110 and the receiving device 120 uses an MCU processor and an embedded operating system; unnecessary hardware circuits and software functions are removed, which reduces the cost and volume of the device and increases its reliability.
Because the sending device 110 and the receiving device 120 can be separated, unidirectional data transmission can be carried out directly between two isolated systems, solving the difficulty of importing data over a long distance.
The sending device 110 includes a sending main control module 1101, an encryption module 1102, an encoding display module 1103 and a sending communication interface module 1104.
The sending main control module 1101 coordinates the processing logic and basic operation support inside the sending device. It acquires original text data (the raw data of an application-layer protocol packet) through the sending communication interface module 1104, sends it to the encryption module 1102 for encryption to obtain encrypted data, and splices the encrypted data and the original text data to obtain coding information.
The encryption module 1102 encrypts the data obtained from the sending main control module 1101. It stores the private key and certificate of the sending device and provides algorithm support to the sending main control module; the algorithms include a hash operation, asymmetric encryption/decryption and symmetric encryption/decryption.
The encoding display module 1103 outputs the encoded information generated by the sending main control module 1101 to a display device for collection by the receiving device.
The sending communication interface module 1104 provides the data transmission interface between the sending device and an external system and completes data reception and feedback. It offers a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface; in practice other communication interfaces can be added as needed, and particular interfaces can be disabled to meet the requirements of a classified network, which widens the range of application of the device.
When the sending device 110 sends data, the encryption module 1102 first hashes the original text data to obtain digital digest information.
Then the encryption module 1102 encrypts the digital digest with the private key of the sending device using an asymmetric algorithm to obtain a digital signature; the asymmetric algorithm is RSA. The sending main control module 1101 splices the original text data, the digital signature and the public key of the sending device to obtain first packed data.
Next, the encryption module 1102 encrypts the first packed data with a symmetric key using a symmetric algorithm to obtain encrypted information; the symmetric algorithm is 3DES. The encryption module 1102 then encrypts the symmetric key with the public key of the receiving device using an asymmetric algorithm to obtain a digital envelope.
Finally, the sending main control module 1101 splices the encrypted information and the digital envelope to obtain second packed data and sends it to the encoding display module 1103 for collection by the receiving device.
In this way the encryption module 1102 uses digital envelope technology to ensure that data cannot be tampered with or forged, without requiring the host computer of the system to perform encryption or any additional encryption hardware; at the same time, persons or terminals that are not authenticated or authorised cannot recover the original data, so information leakage is effectively prevented and sensitive data is kept secure and confidential in transit.
In addition, the sending device 110 includes a storage module 1105 for storing the encoding information.
After the second packed data is obtained, the sending main control module 1101 checks the working mode: in storage mode it stores the second packed data in the storage module 1105 and waits for the sending main control module to issue a send instruction; in direct forwarding mode it converts the second packed data into an image code and sends it to the encoding display module 1103 for display.
The receiving device 120 also includes a digital isolator; through it the sending device 110 confirms whether a data packet has been sent, and when it detects the confirmation signal it sends the next packet of data.
The sending main control module 1101 may also work directly in direct sending mode, in which case the stored data are taken out of the storage module 1105 one by one and sent to the encoding display module 1103 for collection by the receiving device.
A sending device 110 with a storage module 1105 can therefore serve as a secure storage device that is physically moved to import data, realising long-distance one-way data transmission.
The receiving device 120 comprises a receiving main control module 1201, a decryption module 1202, an image acquisition module 1203, a digital image processing module 1204 and a receiving communication interface module 1205;
the receiving main control module 1201 polls and detects the image information received by the image acquisition module 1203, if the image information is detected to be changed, the acquired image information is transmitted to the digital image processing module 1204 to obtain decoding information, the decoding information is decrypted by the decryption module 1202 to complete digital signature verification, and if the verification is successful, the original text data is transmitted out through the receiving communication interface module 1205.
The image collecting module 1203 is configured to collect image information.
The digital image processing module 1204 is configured to analyze image data, and send decoded information obtained by the analysis to the receiving main control module 1201.
The decryption module 1202 is configured to perform decryption processing on the information obtained by the receiving main control module 1201.
The receiving communication interface module 1205 is used to provide a data transmission interface between the receiving device 120 and an external system, so as to complete data reception and feedback; the receiving communication interface module 1205 provides a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface; in practice, as with the sending communication interface module 1104, other communication interfaces may be extended as needed, or some kind of interface may be disabled according to the requirement of the secure network, so as to increase the application range of the device.
When the receiving device 120 receives the data sent by the sending device 110, the receiving main control module 1201 first extracts the digital envelope in the decoding information, and the decryption module 1202 decrypts the digital envelope by using the receiving device private key to obtain a symmetric key;
the decryption module 1202 decrypts encrypted information in the decoded information according to a symmetric algorithm by using the symmetric key to obtain original text data, a digital signature and a public key of the sending device;
the decryption module 1202 decrypts the digital signature by using the public key of the sending device to obtain a first digital abstract, and performs a hash operation on the original text data with the same hash algorithm as the encryption module of the sending device to obtain a second digital abstract;
the receiving main control module 1201 compares the first digital abstract with the second digital abstract, if the first digital abstract and the second digital abstract are the same, the verification is successful, and if the first digital abstract and the second digital abstract are different, the verification fails, the group of original text data is discarded, and alarm information is generated.
If two pairs of sending and receiving devices are used, one pair per direction, bidirectional data transmission between two physically isolated systems can be achieved.
FIG. 2 is a flowchart of a separable isolated environment data transmission method based on digital encryption technology according to an embodiment of the present invention; as shown in fig. 2, the method includes:
step 210, receiving original text data, and performing hash operation on the original text data to obtain digital summary information;
and the original text data is the original data of the application layer protocol packet.
Step 220, encrypting the digital summary information according to an asymmetric algorithm by using a private key of the sending equipment to obtain a digital signature;
the asymmetric algorithm adopts an RSA algorithm.
Step 230, splicing the original text data, the digital signature and the public key of the sending equipment to obtain first packed data;
step 240, performing encryption operation on the first packet data according to a symmetric algorithm by using a symmetric key to obtain encryption information;
the symmetric algorithm adopts a 3DES algorithm.
Step 250, encrypting the symmetric key according to an asymmetric algorithm by using a public key of the receiving equipment to obtain a digital envelope;
step 260, splicing the encrypted information and the digital envelope to obtain second packed data;
step 270, if the current working mode is the storage mode, storing the second packed data; if the working mode is the direct forwarding mode, image-coding the second packed data and sending it to the coding display module, where it is displayed in coded form for the receiving device to collect.
Whether a data packet has been transmitted successfully is determined by detecting the acknowledgement signal returned through the digital isolator at the receiving end; the next packet of data is sent only after that acknowledgement signal has been detected.
If the working mode is the direct sending mode, the previously stored second packed data is taken out of storage one packet at a time and displayed in coded form.
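The sending device displays one packet and moves to the next only once the acknowledgement returned through the receiving end's digital isolator is seen, while the receiving device polls its camera and processes an image only when it has changed. The Go program below is an added example written for this page, not code from the patent or from Aisino; it simulates that stop-and-wait transfer with the sender, the display-to-camera gap and the ack line all in one process. The frame layout (sequence number, retry counter, chunk), the names Frame, Receiver, Send and Observe, and the fault injection that drops acknowledgements are all this example's own assumptions, since the patent fixes no frame format. It shows the two things the ack rule forces: a lost ack makes the sender show the same frame again, so the receiver must recognise the repeat, keep one copy and acknowledge again; and because the receiver reacts only to a changed image, a retransmission must differ from the image it repeats, which is what the retry counter in the header is for.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one displayed "image": a chunk of the second packed data plus the
// sequence number needed to reassemble it and a retry counter so that a
// retransmission is a different image. Layout (an assumption; the patent fixes
// no frame format): 4-byte seq | 4-byte try | chunk.
type Frame struct {
	Seq, Try uint32
	Data     []byte
}

func (f Frame) Encode() []byte {
	b := make([]byte, 8, 8+len(f.Data))
	binary.BigEndian.PutUint32(b[0:4], f.Seq)
	binary.BigEndian.PutUint32(b[4:8], f.Try)
	return append(b, f.Data...)
}

func DecodeFrame(img []byte) (Frame, error) {
	if len(img) < 8 {
		return Frame{}, errors.New("image too short for a frame header")
	}
	return Frame{
		Seq:  binary.BigEndian.Uint32(img[0:4]),
		Try:  binary.BigEndian.Uint32(img[4:8]),
		Data: append([]byte(nil), img[8:]...),
	}, nil
}

// Receiver models the receiving device: on each poll it is shown what is on the
// display, acts only when that image has changed, keeps only the frame it is
// waiting for, and answers with the ack that the digital isolator carries back.
type Receiver struct {
	last     []byte
	expect   uint32
	chunks   [][]byte
	DropAcks map[uint32]int // constructed fault injection: acks to lose per seq
}

// Observe is one camera poll. It returns true when the ack line is raised.
func (r *Receiver) Observe(img []byte) bool {
	if bytes.Equal(img, r.last) {
		return false // unchanged image: nothing to process (the polling rule above)
	}
	r.last = append([]byte(nil), img...)
	f, err := DecodeFrame(img)
	if err != nil || f.Seq > r.expect {
		return false // unreadable or out of order: no ack, the sender will retry
	}
	if f.Seq == r.expect { // the frame we were waiting for: keep it
		r.chunks = append(r.chunks, f.Data)
		r.expect++
	}
	// f.Seq < r.expect is a retransmission because our earlier ack was lost:
	// it is not stored again, but it is acknowledged so the sender moves on.
	if r.DropAcks[f.Seq] > 0 {
		r.DropAcks[f.Seq]--
		return false
	}
	return true
}

func (r *Receiver) Reassemble() []byte { return bytes.Join(r.chunks, nil) }

// Send splits packed into chunkSize frames and displays each until it is acked
// (stop-and-wait). It returns how many images were displayed in total.
func Send(packed []byte, chunkSize int, rx *Receiver, maxRetries int) (int, error) {
	if chunkSize <= 0 {
		return 0, errors.New("chunkSize must be positive")
	}
	total := (len(packed) + chunkSize - 1) / chunkSize
	shown := 0
	for seq := 0; seq < total; seq++ {
		end := (seq + 1) * chunkSize
		if end > len(packed) {
			end = len(packed)
		}
		for try := 0; ; try++ {
			if try > maxRetries {
				return shown, fmt.Errorf("frame %d/%d never acknowledged", seq, total)
			}
			img := Frame{Seq: uint32(seq), Try: uint32(try), Data: packed[seq*chunkSize : end]}.Encode()
			shown++
			if rx.Observe(img) { // display the frame, then read the isolator's ack line
				break
			}
		}
	}
	return shown, nil
}

func main() {
	packed := bytes.Repeat([]byte("constructed-second-packed-data|"), 3)
	rx := &Receiver{DropAcks: map[uint32]int{1: 1}} // lose the first ack for frame 1
	shown, err := Send(packed, 16, rx, 3)
	fmt.Printf("frames displayed: %d, err=%v, intact=%v\n", shown, err, bytes.Equal(rx.Reassemble(), packed))
}
```

With the ack for frame 1 dropped once, the sender displays one image more than there are frames, and the receiver still reassembles the packet exactly once. Without the retry counter the re-displayed frame would be pixel-identical to the previous one, the change detector on the receiving side would never fire, and the transfer would stall on that frame.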
FIG. 3 is a flowchart of a separable isolated environment data receiving method based on digital encryption technology according to an embodiment of the present invention; as shown in fig. 3, the method includes:
step 310, collecting image information and analyzing the image information to obtain decoding information;
step 320, extracting the digital envelope in the decoding information, and decrypting the digital envelope by using a private key of the receiving equipment to obtain a symmetric key;
step 330, decrypting the encrypted information in the decoded information according to a symmetric algorithm by using the symmetric key to obtain original text data, a digital signature and a public key of the sending device;
step 340, decrypting the digital signature by using the public key of the sending equipment to obtain a first digital abstract, and performing a hash operation on the original text data with the hash algorithm used when the data was sent to obtain a second digital abstract;
step 350, comparing the first digital abstract with the second digital abstract, if the first digital abstract and the second digital abstract are the same, successfully verifying, and transmitting the original text data through the communication interface module; if the verification fails, the group of original text data is discarded, and alarm information is generated.
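Steps 210 to 260 on the sending side and steps 310 to 350 on the receiving side (the same exchange the receiving device description above walks through) form one sign, encrypt, envelope sequence. The Go program below is an added example written for this page; it is not code from the patent or from Aisino, and it runs both sides end to end on the Go standard library. Everything the text leaves open is an assumption here, as are the names GenKey, Pack, Unpack, joinFields and splitFields: fields are spliced with 4-byte big-endian length prefixes, the hash is SHA-256, the signature is RSA PKCS#1 v1.5 (which is what "encrypt the digest with the private key, decrypt it with the public key and compare the digests" amounts to), the digital envelope is RSA-OAEP, and 3DES runs in CTR mode under a fresh 24-byte key for every packet, so no padding is involved. Two checks a practitioner would insist on are added: the receiver does not act on the sender public key carried inside the packet but compares it against a pinned copy, because verifying a signature with a key supplied by the packet itself only proves that the packet is internally consistent, not who produced it; and any parse, decrypt or verify failure discards the packet, as step 350 requires. 3DES is kept only because the patent names it; NIST SP 800-131A Rev. 2 disallows it for encryption after 2023, and a new design would use AES-GCM.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// GenKey makes a device key pair (2048-bit RSA is an assumption; deployed devices load theirs from the certificate store).
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// "Splicing" uses 4-byte big-endian length prefixes (an assumption; the patent fixes no wire format).
func joinFields(fs ...[]byte) []byte {
	var buf bytes.Buffer
	for _, f := range fs {
		binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	return buf.Bytes()
}

// splitFields parses exactly n length-prefixed fields or fails.
func splitFields(b []byte, n int) (out [][]byte, err error) {
	for ; n > 0; n-- {
		if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
			return nil, errors.New("truncated field")
		}
		l := binary.BigEndian.Uint32(b)
		out, b = append(out, b[4:4+l]), b[4+l:]
	}
	return out, nil
}

// Pack is the sending side, steps 210-260.
func Pack(original []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(original)                                                 // 210: digital abstract
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:]) // 220: digital signature
	if err != nil {
		return nil, err
	}
	first := joinFields(original, sig, x509.MarshalPKCS1PublicKey(&senderPriv.PublicKey)) // 230: first packed data
	keyIV := make([]byte, 24+des.BlockSize) // 240: fresh three-key 3DES session key and IV per packet
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:24], keyIV[24:]
	block, _ := des.NewTripleDESCipher(key) // 24-byte key: cannot fail
	encrypted := make([]byte, des.BlockSize+len(first))
	copy(encrypted, iv)
	cipher.NewCTR(block, iv).XORKeyStream(encrypted[des.BlockSize:], first) // CTR mode: no padding needed
	envelope, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil) // 250: digital envelope
	if err != nil {
		return nil, err
	}
	return joinFields(encrypted, envelope), nil // 260: second packed data
}

// Unpack is the receiving side, steps 320-350. trustedSenderPub is pinned on the receiver;
// the public key carried inside the packet is honoured only if it matches.
func Unpack(packed []byte, receiverPriv *rsa.PrivateKey, trustedSenderPub *rsa.PublicKey) ([]byte, error) {
	outer, err := splitFields(packed, 2)
	if err != nil {
		return nil, err
	}
	encrypted, envelope := outer[0], outer[1]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, envelope, nil) // 320: symmetric key
	if err != nil {
		return nil, errors.New("digital envelope rejected")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(encrypted) < des.BlockSize {
		return nil, errors.New("bad session key or ciphertext")
	}
	first := make([]byte, len(encrypted)-des.BlockSize) // 330: recover the first packed data
	cipher.NewCTR(block, encrypted[:des.BlockSize]).XORKeyStream(first, encrypted[des.BlockSize:])
	inner, err := splitFields(first, 3)
	if err != nil {
		return nil, err
	}
	original, sig, carriedDER := inner[0], inner[1], inner[2]
	carried, err := x509.ParsePKCS1PublicKey(carriedDER)
	if err != nil || !carried.Equal(trustedSenderPub) {
		return nil, errors.New("sender public key in packet is not the trusted one")
	}
	digest := sha256.Sum256(original) // 340: second digital abstract
	// 350: VerifyPKCS1v15 recovers the first abstract from the signature and compares the two
	if err := rsa.VerifyPKCS1v15(trustedSenderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed: packet discarded, alarm raised")
	}
	return original, nil
}

func main() {
	s, r := GenKey(), GenKey()
	packed, _ := Pack([]byte("constructed application-layer packet"), s, &r.PublicKey)
	fmt.Println(Unpack(packed, r, &s.PublicKey))
}
```

With this code, flipping one byte of the ciphertext fails the digest comparison of step 350, and a packet built by a sender holding a different key is refused by the pinned-key comparison before any signature check; the flow as written in the patent, which takes the public key from the packet, would accept the latter as long as the packet is self-consistent.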
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the disclosure may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Reference to step numbers in this specification is only for distinguishing between steps and is not intended to limit the temporal or logical relationship between steps, which includes all possible scenarios unless the context clearly dictates otherwise.
Moreover, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the disclosure and form different embodiments. For example, any of the embodiments claimed in the claims can be used in any combination.
Various component embodiments of the disclosure may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. The present disclosure may also be embodied as device or system programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present disclosure may be stored on a computer-readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the disclosure, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The disclosure may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several systems, several of these systems may be embodied by one and the same item of hardware.
The foregoing is directed to embodiments of the present disclosure, and it is noted that numerous improvements, modifications, and variations may be made by those skilled in the art without departing from the spirit of the disclosure, and that such improvements, modifications, and variations are considered to be within the scope of the present disclosure.

Claims (12)

1. An isolated environment data transmission device based on digital encryption technology is characterized in that:
the device comprises a transmitting device and a receiving device which can be separated;
the transmitting equipment comprises a transmitting main control module, an encryption module, a coding display module and a transmitting communication interface module;
the sending main control module obtains original text data through a sending communication interface module, sends the original text data to an encryption module for encryption to obtain encrypted data, and the encrypted data and the original text data are spliced to obtain coding information;
the encryption module is used for encrypting the data obtained from the sending main control module;
the coding display module outputs the coding information generated by the sending main control module to display equipment for the receiving equipment to collect;
the sending communication interface module is used for providing a data transmission interface between the sending equipment and an external system to complete data receiving and feedback.
The receiving equipment comprises a receiving main control module, a decryption module, an image acquisition module, a digital image processing module and a receiving communication interface module;
the receiving main control module polls and detects the image information received by the image acquisition module, if the image information is detected to be changed, the acquired image information is transmitted to the digital image processing module to obtain decoding information, the decoding information is decrypted by the decryption module to complete digital signature verification, and if the verification is successful, the original text data is transmitted by the receiving communication interface module;
the image acquisition module is used for acquiring image information;
the digital image processing module is used for analyzing image data and sending decoding information obtained by analysis to the receiving main control module;
the decryption module is used for decrypting the information obtained by the receiving main control module;
the receiving communication interface module is used for providing a data transmission interface between the receiving equipment and an external system to complete data receiving and feedback.
2. The apparatus of claim 1, wherein:
the device also comprises a storage module;
the storage module is used for storing the coding information;
when the sending main control module detects that the working mode is a storage mode, the coding information is stored in a storage module; and if the working mode is the direct forwarding mode, carrying out image conversion coding on the coded information, and sending the coded information to a coding display module for coding display.
3. The apparatus of claim 1, wherein:
the encryption module stores private key information and certificate information of the sending equipment and algorithm support provided for the sending main control module, wherein the algorithm comprises Hash operation, asymmetric encryption and decryption operation and symmetric encryption and decryption operation;
the original text data is original data of an application layer protocol packet.
4. The apparatus of claim 1, wherein:
the sending communication interface module provides a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface.
The receiving communication interface module provides a wired network interface, a wireless network interface, an RS232 serial interface and an RS485 serial interface.
5. The apparatus of claim 2, wherein:
the encryption module carries out Hash operation on the original text data to obtain digital abstract information;
the encryption module encrypts the digital summary information by using a private key of a sending device according to an asymmetric algorithm to obtain a digital signature;
the sending main control module splices the original text data, the digital signature and the public key of the sending equipment to obtain first packed data;
the encryption module uses a symmetric key to perform encryption operation on the first packet data according to a symmetric algorithm to obtain encryption information;
the encryption module uses a public key of the receiving equipment to encrypt the symmetric key according to an asymmetric algorithm to obtain a digital envelope;
and the sending main control module splices the encrypted information and the digital envelope to obtain second packed data.
6. The apparatus of claim 2, wherein:
and when the sending main control module works in the direct sending mode, the pre-stored data is taken out of the storage module one packet at a time and sent to the coding display module for the receiving equipment to collect.
7. The apparatus of claim 1, wherein:
the receiving equipment further comprises a digital isolator, the transmitting equipment confirms whether the data packet is transmitted or not through the digital isolator, and transmits the next packet of data when the confirmation signal is detected.
8. The apparatus of claim 1, wherein:
the decoding information comprises encrypted information and a digital envelope;
the receiving main control module extracts the digital envelope in the decoding information, and the decryption module decrypts the digital envelope by using a private key of the receiving equipment to obtain a symmetric key;
the decryption module decrypts encrypted information in the decoding information by using the symmetric key according to a symmetric algorithm to obtain original text data, a digital signature and a public key of the sending device;
the decryption module decrypts the digital signature by using the public key of the sending equipment to obtain a first digital abstract, and performs a hash operation on the original text data with the hash algorithm of the encryption module to obtain a second digital abstract;
and the receiving main control module compares the first digital abstract with the second digital abstract, if the first digital abstract and the second digital abstract are the same, the verification is successful, and if the first digital abstract and the second digital abstract are different, the verification fails, the group of original text data is discarded, and alarm information is generated.
9. The data transmission processing method according to claim 1, characterized in that:
receiving original text data, and performing hash operation on the original text data to obtain digital abstract information, wherein the original text data is original data of an application layer protocol packet;
encrypting the digital abstract information by using a private key of the sending equipment according to an asymmetric algorithm to obtain a digital signature;
splicing the original text data, the digital signature and the public key of the sending equipment to obtain first packed data;
performing encryption operation on the first packed data according to a symmetric algorithm by using a symmetric key to obtain encrypted information;
encrypting the symmetric key according to an asymmetric algorithm by using a public key of the receiving equipment to obtain a digital envelope;
splicing the encrypted information and the digital envelope to obtain second packed data;
if the current working mode is the storage mode, storing the second packed data; and if the working mode is the direct forwarding mode, performing image conversion coding on the coded information, and sending the second packed data displayed in a coding mode.
10. The data transmission processing method according to claim 9, characterized in that:
and when working in the direct sending mode, extracting the pre-stored data and displaying the second packed data in coded form.
11. The data transmission processing method according to claim 9, characterized in that:
and detecting the acknowledgement signal sent by the digital isolator at the receiving end, and sending the next packet of data when the acknowledgement signal is detected.
12. A data reception processing method according to claim 1, characterized by:
collecting image information and analyzing the image information to obtain decoding information;
extracting the digital envelope in the decoding information, and decrypting the digital envelope by using a private key of the receiving equipment to obtain a symmetric key;
decrypting the encrypted information in the decoding information according to a symmetric algorithm by using the symmetric key to obtain original text data, a digital signature and a public key of the sending equipment;
decrypting the digital signature by using the public key of the sending equipment to obtain a first digital abstract, and performing a hash operation on the original text data with the hash algorithm used when the data was sent to obtain a second digital abstract;
comparing the first digital abstract with the second digital abstract, if the first digital abstract and the second digital abstract are the same, successfully verifying, and transmitting the original text data through the communication interface module; if the verification fails, the group of original text data is discarded, and alarm information is generated.
CN201911386036.7A 2019-12-29 2019-12-29 Isolated environment data transmission device and method based on digital encryption technology Pending CN111245783A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911386036.7A CN111245783A (en) 2019-12-29 2019-12-29 Isolated environment data transmission device and method based on digital encryption technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911386036.7A CN111245783A (en) 2019-12-29 2019-12-29 Isolated environment data transmission device and method based on digital encryption technology

Publications (1)

Publication Number Publication Date
CN111245783A true CN111245783A (en) 2020-06-05

Family

ID=70874090

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911386036.7A Pending CN111245783A (en) 2019-12-29 2019-12-29 Isolated environment data transmission device and method based on digital encryption technology

Country Status (1)

Country Link
CN (1) CN111245783A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020194501A1 (en) * 2001-02-25 2002-12-19 Storymail, Inc. System and method for conducting a secure interactive communication session
CN101989984A (en) * 2010-08-24 2011-03-23 北京易恒信认证科技有限公司 Electronic document safe sharing system and method thereof
CN103401771A (en) * 2013-07-26 2013-11-20 四川华迪航天金穗高技术有限公司 Network isolation method and network isolation system
CN103684997A (en) * 2013-12-31 2014-03-26 厦门市美亚柏科信息股份有限公司 One-way instantaneous transmission method of complete physical isolation data and system for achieving same
CN108259446A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 A kind of method and device based on isolation network transmission data
CN108683688A (en) * 2018-07-20 2018-10-19 中国建设银行股份有限公司浙江省分行 A method of information transmission security is realized based on Digital Envelope Technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张媛等: "《计算机网络安全与防御策略》", 31 May 2019, 天津科学技术出版社 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112968774A (en) * 2021-02-01 2021-06-15 中国海洋石油集团有限公司 Method, device storage medium and equipment for encrypting and decrypting configuration file
CN113093560A (en) * 2021-02-23 2021-07-09 美的集团股份有限公司 Man-machine interaction method and device for household appliance
CN114745207A (en) * 2022-06-10 2022-07-12 国汽智控(北京)科技有限公司 Data transmission method, device, equipment, computer readable storage medium and product
CN114978769A (en) * 2022-07-19 2022-08-30 济南慧天云海信息技术有限公司 Unidirectional lead-in device, method, medium, and apparatus
CN114978769B (en) * 2022-07-19 2023-08-18 济南慧天云海信息技术有限公司 Unidirectional leading-in device, unidirectional leading-in method, unidirectional leading-in medium and unidirectional leading-in equipment
CN115664841A (en) * 2022-11-14 2023-01-31 济南大学 Data acquisition system and method with network isolation and one-way encryption transmission functions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200605