CN111343606A - Safety protection method and device for train data - Google Patents

Safety protection method and device for train data Download PDF

Info

Publication number
CN111343606A
CN111343606A CN202010119756.3A CN202010119756A CN111343606A CN 111343606 A CN111343606 A CN 111343606A CN 202010119756 A CN202010119756 A CN 202010119756A CN 111343606 A CN111343606 A CN 111343606A
Authority
CN
China
Prior art keywords
train
data
key
unique identification
identification number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010119756.3A
Other languages
Chinese (zh)
Inventor
黄志武
莫然
彭军
张晓勇
李恒
杨迎泽
刘伟荣
蒋富
王成龙
顾欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central South University
Original Assignee
Central South University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central South University filed Critical Central South University
Priority to CN202010119756.3A priority Critical patent/CN111343606A/en
Publication of CN111343606A publication Critical patent/CN111343606A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/42Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for mass transport vehicles, e.g. buses, trains or aircraft
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a safety protection method of train data, which comprises a secret key distribution step, an authentication step, an encryption step and a transmission step: the key distribution step is to distribute a unique identification number ID and a corresponding key PW to each train to be monitored, and send the unique identification number ID and the corresponding key PW of each train to a monitoring party; the authentication step is to perform identity authentication on all nodes accessed to the train network; the encryption step is to identify the identity of the train according to the unique identification number ID carried by the train and symmetrically encrypt the acquired train data of the train by using a secret key PW corresponding to the train; the transmission step is to transmit the encrypted train data to a monitoring party; and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data. The invention protects the integrity and confidentiality of train data, prevents the occurrence of equipment disguise, eavesdropping and tampering, and improves the real-time protection of train data.

Description

Safety protection method and device for train data
Technical Field
The invention relates to the technical field of high-speed railway train data safety transmission, in particular to a safety protection method and device for train data.
Background
Along with the popularization of high-speed trains in China, the safe operation of the trains is more and more concerned by people. In recent years, train accidents occur from time to time, and some equipment faults are discovered after post-inspection. For this reason, various sensors are installed on the high-speed train to record the running state of the train. According to the data collected by the train sensors, the running state of the train can be monitored and analyzed in real time, and judgment is made according to the analysis result, so that the existing or possible problems can be found and solved. And once the network has malicious nodes and attackers, which forge and tamper the train data, the safe operation of the high-speed train is seriously influenced, and extremely serious accidents are caused. Therefore, data security of the high-speed train is crucial.
In order to solve the above problems, it is necessary to design a safety protection device and method for train operation status data.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a safety protection method and a safety protection device for train data, which protect the integrity and confidentiality of the train data.
In order to achieve the technical purpose, the invention provides the following scheme:
on one hand, the safety protection method of the train data is provided, which comprises a secret key distribution step, an encryption step and a transmission step;
the key distribution step is to distribute a unique identification number ID and a corresponding key PW to each train to be monitored, and send the unique identification number ID and the corresponding key PW of each train to a monitoring party;
the encryption step is to identify the identity of the train according to the unique identification number ID carried by the train and symmetrically encrypt the acquired train data of the train by using a secret key PW corresponding to the train;
the transmission step is to transmit the encrypted train data to a monitoring party;
and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data.
The data safety protection method protects the train data when the train data is transmitted to the monitoring party.
Further, in the key distribution step, the key PW distributed to each train is changed at regular time, and the unique identification number ID of each train, the corresponding changed key PW, and the timestamp TS thereof are sent to the monitoring party, so that the monitoring party can determine whether the key PW is valid.
The key distribution comprises the following steps:
generating different 32-bit unique identification numbers ID for each device to be monitored, wherein the first bit is always 0, the second to eleventh bits are device type codes, and the twelfth to thirty-th bits are serial numbers;
for each unique identification number ID, generating a pseudo-random sequence through a symmetric encryption algorithm (AES128 encryption algorithm), generating a 128-bit secret key PW, setting the survival time of the secret key to be 30s, and then regenerating the secret key;
generating a 16-bit timestamp TS accurate to millisecond for each generated key PW record, and judging whether the key is invalid or not during authentication, encryption and decryption;
and sending the unique identification number ID, the key PW and the time stamp TS to a corresponding module.
Further, the method for protecting the safety of the train data is characterized by also comprising an authentication step, wherein the authentication step is used for carrying out safety authentication on all nodes requesting to access the train network according to an information table distributed in the key distribution step, namely a ternary array (ID, PW, TS) of each train, namely a unique identification number ID, a corresponding key PW and a timestamp TS of the key PW; the security authentication (identity authentication) of any node requesting access to the train network comprises the following steps:
whether the node meets the following conditions is sequentially judged: carrying a binary array (ID, PW), matching the carried unique identification number ID and the carried key PW with an information table distributed in the key distribution step, wherein the timestamp TS of the key PW meets the timestamp allowable range; if the two are met, the node passes the authentication; otherwise the node is not authenticated.
Judging the node passing the authentication as a normal node, agreeing to access the train network and providing safety protection for the train network; and for the nodes which do not pass the authentication, judging the nodes as malicious nodes or attackers, refusing the nodes to access the train network, and refusing to provide security protection for the nodes.
Further, the safety protection method of the train data is characterized by further comprising a data acquisition step, wherein data acquisition is carried out on the corresponding train according to the unique identification number ID of the train passing the authentication. The safety protection method only collects, encrypts and transmits the data of the train which needs to be monitored and passes the authentication, so that the data collection, encryption and transmission efficiency is improved.
Further, in the encryption step, data are encrypted in groups according to the size of the data volume of the different collected trains; such as using cipher block chaining mode (CBC) to block encrypt the data of the train.
The data transmission process is combined with the unique identification number ID of the device data to be transmitted, the random initialization vector IV and the encryption result for transmission;
the decryption of the monitoring party comprises the following steps:
the monitoring party matches the information table distributed in the key distribution step according to the transmitted unique identification number ID, searches a corresponding key PW and a timestamp TS thereof, decrypts the corresponding train data if the timestamp TS meets the timestamp allowable range, namely the key PW fails, or else, the key PW fails, and cannot decrypt the corresponding train data; the decryption process is opposite to the encryption process, the encryption process is performed with XOR with the encrypted data block through the secret key PW, the previous ciphertext block is solved once, and finally the decryption process is performed with the first group of ciphertext blocks C through IV1Exclusive or obtains the whole plaintext.
Further, the monitoring party comprises train internal monitoring equipment and cloud monitoring equipment; the transmission step can transmit the encrypted train data to the train internal monitoring equipment for monitoring through a train network, and can also transmit the encrypted train data to the cloud monitoring equipment for monitoring through an external network.
On the other hand, the safety protection device for train data is provided, and comprises a secret key distribution module, an authentication module, a data acquisition module, an encryption module and a transmission module:
the key distribution module distributes a unique identification number ID and a corresponding key PW to each train to be monitored, and sends the unique identification number ID and the corresponding key PW of each train to the encryption module and the monitoring party;
the encryption module identifies the identity of the train according to the unique identification number ID carried by the train, symmetrically encrypts the acquired train data of the train by using a secret key PW corresponding to the train, and sends the encrypted train data to the transmission module;
the transmission module is used for transmitting the encrypted train data to a monitoring party;
and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data.
The data safety protection device protects the train data when the train data is transmitted to the monitoring party.
Further, the key distribution module changes the key PW distributed to each train at regular time, sends the unique identification number ID of each train and the corresponding changed key PW to the encryption module and the monitoring party, and sends the timestamp TS of the changed key PW to the monitoring party, so that the monitoring party can judge whether the key PW is valid.
And the encryption module changes the stored key information in real time according to the information sent by the key distribution module.
Further, the safety protection device for train data further includes an authentication module, which receives the information table sent by the key distribution module, including the ternary arrays (ID, PW, TS) of each train, that is, the unique identification number ID, the corresponding key PW, and the timestamp TS of the key PW, and performs safety authentication on all nodes requesting to access the train network.
Furthermore, the safety protection device for train data also comprises a data acquisition module; the authentication module sends the unique identification number ID of the train passing the authentication to the data acquisition module, the data acquisition module acquires data of the corresponding train according to the unique identification number ID, and sends the acquired train data to the encryption module for encryption. The safety protection device only collects, encrypts and transmits the data of the train which needs to be monitored and passes the authentication, so that the data collection, encryption and transmission efficiency is improved.
Has the advantages that:
in the safety protection method and device for train data in the technical scheme, the data volume of the train running state data is large, and if the train running state data is transmitted to a cloud monitoring, an open network (extranet) with larger throughput is required to be used, and a large number of malicious nodes and attackers exist in the open network, the collected train running state data is encrypted and transmitted, so that the train running state data is prevented from being forged and falsified by the malicious nodes and the attackers in the open network, and the safety transmission of the train running state data is guaranteed; in addition, considering that a certain safety risk exists in the train network, a malicious node or an attacker possibly enters the train network to attack data, a unique identification number and different symmetric encryption keys are distributed to each train to be monitored through key distribution, and identity authentication is performed on all nodes accessed to the train network, so that the nodes accessed to the train network are safe and reliable, and the malicious node or the attacker is prevented from entering the train network to attack the data. The technical scheme of the invention protects the integrity and confidentiality of the train running state data, prevents the occurrence of equipment camouflage, data eavesdropping and data tampering, improves the real-time protection of the train data, and provides data support for monitoring the train state, analyzing train faults and the like.
Drawings
Fig. 1 is a block diagram of a safety protection device for train data according to an embodiment of the present invention;
fig. 2 is a flowchart of a key distribution module in a train data safety protection device according to an embodiment of the present invention;
fig. 3 is a flowchart of the operation of an authentication module in a train data safety protection device according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an operation of an encryption module in a train data safety protection device according to an embodiment of the present invention;
Detailed Description
In order to facilitate an understanding of the teachings of the present invention, reference will now be made to the following examples.
Example 1:
the embodiment provides a safety protection method of train data, which comprises a key distribution step, an encryption step and a transmission step;
the key distribution step is to distribute a unique identification number ID and a corresponding key PW to each train to be monitored, and send the unique identification number ID and the corresponding key PW of each train to a monitoring party;
the encryption step is to identify the identity of the train according to the unique identification number ID carried by the train and symmetrically encrypt the acquired train data of the train by using a secret key PW corresponding to the train;
the transmission step is to transmit the encrypted train data to a monitoring party;
and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data.
The data safety protection method protects the train data when the train data is transmitted to the monitoring party.
Example 2:
in this embodiment, on the basis of embodiment 1, in the key distribution step, the key PW distributed to each train is changed at regular time, and the unique identification number ID of each train, the corresponding changed key PW, and the timestamp TS thereof are sent to the monitoring party, so that the monitoring party can determine whether the key PW is valid.
The key distribution comprises the following steps:
generating different 32-bit unique identification numbers ID for each device to be monitored, wherein the first bit is always 0, the second to eleventh bits are device type codes, and the twelfth to thirty-th bits are serial numbers;
for each unique identification number ID, generating a pseudo-random sequence through a symmetric encryption algorithm (AES128 encryption algorithm), generating a 128-bit secret key PW, setting the survival time of the secret key to be 30s, and then regenerating the secret key;
generating a 16-bit timestamp TS accurate to millisecond for each generated key PW record, and judging whether the key is invalid or not during authentication, encryption and decryption;
and sending the unique identification number ID, the key PW and the time stamp TS to a corresponding module.
Example 3:
in this embodiment, on the basis of embodiment 2, the method for protecting train data safely is characterized by further including an authentication step of performing safety authentication on all nodes requesting to access the train network according to an information table distributed in the key distribution step, that is, a ternary array (ID, PW, TS) of each train, that is, a unique identification number ID, a corresponding key PW, and a timestamp TS of the key PW; the security authentication (identity authentication) of any node requesting access to the train network comprises the following steps:
step 1, judging whether the node carries a binary array (ID, PW), if so, performing matching judgment in the step 2, and if not, judging that the node does not pass authentication;
step 2, judging whether the unique identification number ID carried by the node is matched with the information table distributed in the key distribution step, if so, performing the PW authentication of the key in the step 3, and if not, judging that the node does not pass the authentication;
step 3, judging whether the key PW carried by the node is correct (whether the key PW is matched with the information table distributed in the key distribution step), if so, verifying the key timestamp TS in the step 4, and if not, verifying that the node does not pass the authentication;
and 4, judging whether the time stamp TS of the key PW meets the time stamp allowable range (judging whether the time difference between the current time and the time stamp TS of the key PW exceeds the key survival time, namely judging whether the key PW is effective), if so, the node passes the authentication, otherwise, the key PW is a historical key, and the node does not pass the authentication.
Judging the node passing the authentication as a normal node, agreeing to access the train network and providing safety protection for the train network; and for the nodes which do not pass the authentication, judging the nodes as malicious nodes or attackers, refusing the nodes to access the train network, and refusing to provide security protection for the nodes.
Example 4:
on the basis of embodiment 3, the safety protection method for train data is characterized by further comprising a data acquisition step of acquiring data of a corresponding train according to the unique identification number ID of the train passing the authentication. The safety protection method only collects, encrypts and transmits the data of the train which needs to be monitored and passes the authentication, so that the data collection, encryption and transmission efficiency is improved.
Example 5:
in this embodiment, on the basis of embodiment 4, in the encrypting step, data is encrypted in groups according to the size of the data volume of the different trains;
the packet encryption of data of a certain train using a cipher packet chaining mode (CBC) includes the steps of:
grouping the collected data of the train, wherein each 16 bytes (each byte has 8 bits), namely each 128 bits is a group; and adding '0' to the data groups with less than 128 bits behind the data groups to form 128 bits, and finally generating n groups of plaintext blocks.
For n sets of plaintext blocks, set 1 of plaintext block K1XOR-processing with a random initialization vector IV, XOR-processing the result with a secret key PW to generate a ciphertext block C1Ciphertext block C1As a 2 nd set of plaintext blocks K2XOR the result and the secret PW to generate a ciphertext block C2… …, and so on:
C1=K1⊕IV⊕PW
C2=K2⊕C1⊕PW
……
Cn=Kn⊕Cn-1⊕PW
are connected in sequence as C1C2……CnI.e. the encryption result.
The data transmission process is combined with the unique identification number ID of the device data to be transmitted, the random initialization vector IV and the encryption result for transmission;
the decryption of the monitoring party comprises the following steps:
the monitoring party matches the information table distributed in the key distribution step according to the transmitted unique identification number ID, searches a corresponding key PW and a timestamp TS thereof, decrypts the corresponding train data if the timestamp TS meets the timestamp allowable range, namely the key PW fails, or else, the key PW fails, and cannot decrypt the corresponding train data; the decryption process is opposite to the encryption process, the encryption process is performed with XOR with the encrypted data block through the secret key PW, the previous ciphertext block is solved once, and finally the decryption process is performed with the first group of ciphertext blocks C through IV1Exclusive or obtains the whole plaintext.
Example 6:
on the basis of embodiment 5, the monitoring party includes an internal train monitoring device and a cloud monitoring device; the transmission step can transmit the encrypted train data to the train internal monitoring equipment for monitoring through a train network, and can also transmit the encrypted train data to the cloud monitoring equipment for monitoring through an external network.
Example 7:
as shown in fig. 1, the present embodiment provides a safety protection device for train data, including: the key distribution module 1, the authentication module 2, the data acquisition module 3, the encryption module 4 and the transmission module 5; the key distribution module 1 distributes a unique identification number ID, different keys PW and a timestamp TS according to a train to be monitored, sends the unique identification number ID and the different keys PW to the train, the authentication module 2, the encryption module 4 and the monitoring party 6, and sends the timestamp TS to the authentication module 2 and the monitoring party 6; the authentication module 2 authenticates the node accessed in the train network according to the received ternary array (ID, PW, TS), namely the unique identification number, different keys and the timestamp; the data acquisition module 3 acquires data of the authenticated train; the encryption module 4 symmetrically encrypts the acquired data and performs grouping encryption on the train data; the transmission module 5 can transmit data to the monitoring party 6 through an intranet (train network) or an extranet (open network), and the monitoring party 6 decrypts corresponding equipment data through the unique identification number ID, the secret key PW and the timestamp TS.
As shown in fig. 2, the workflow of the key distribution module 1 in this embodiment is as follows;
step 101, generating different 32-bit unique identification numbers ID for each device to be monitored, wherein the first bit is always 0, the second to eleventh bits are device type codes, and the twelfth to thirty-th bits are serial numbers;
102, generating a 128-bit secret key PW through a pseudo-random sequence by using a symmetric encryption AES128 encryption algorithm for each unique identification number, setting the survival time of the secret key to be 30s, and then regenerating the secret key (105);
103, generating a 16-bit time stamp TS accurate to millisecond for each generated key record, and judging whether the key is invalid or not during authentication, encryption and decryption;
step 106, sending the unique identification number ID and different keys PW to the train, and authenticating the identity through the unique identification number ID and the keys PW when the train data needs to be protected;
step 107, sending the unique identification number ID, the secret key PW and the timestamp TS to an authentication module to authenticate the train data protection request;
step 108, sending a secret key PW to an encryption module to carry out encryption protection on the authenticated train data;
step 109 sends the unique identification number ID, the secret key PW and the timestamp TS to the monitoring party, and the monitoring party receives the encrypted data and decrypts the encrypted data by using the encrypted data to obtain the plaintext.
As shown in fig. 3, the workflow of the authentication module 2 in this embodiment is as follows;
step 201, a node requests to access a train network;
step 202, judging whether the node carries a binary array (ID, PW), if so, performing matching judgment in step 203, and if not, judging that the node does not pass authentication;
step 203, judging whether the unique identification number ID carried by the node is matched with the information table distributed in the key distribution step, if so, performing the PW authentication of the key in step 204, and if not, determining that the node does not pass the authentication;
step 204, judging whether the key PW carried by the node is correct (whether the key PW is matched with the information table distributed in the key distribution step), if so, performing the verification of the key timestamp TS in step 205, and if not, determining that the node does not pass the authentication;
step 205 determines whether the timestamp TS of the key PW satisfies a timestamp tolerance (i.e., determines whether the time difference between the current time and the timestamp TS of the key PW exceeds the key survival time, i.e., determines whether the key PW is valid), if so, the node passes the authentication, otherwise, the key PW is a history key, and the node does not pass the authentication.
Judging the node passing the authentication as a normal node, agreeing to access the train network and providing safety protection for the train network; and for the nodes which do not pass the authentication, judging the nodes as malicious nodes or attackers, refusing the nodes to access the train network, and refusing to provide security protection for the nodes.
As shown in fig. 4, the workflow of the encryption module 4 in this embodiment is as follows:
grouping the collected data of the train, wherein each 16 bytes (each byte has 8 bits), namely each 128 bits is a group; and adding '0' to the data groups with less than 128 bits behind the data groups to form 128 bits, and finally generating n groups of plaintext blocks.
For n sets of plaintext blocks, set 1 of plaintext block K1XOR-processing with a random initialization vector IV, XOR-processing the result with a secret key PW to generate a ciphertext block C1Ciphertext block C1As a 2 nd set of plaintext blocks K2XOR the result and the secret PW to generate a ciphertext block C2… …, and so on:
C1=K1⊕IV⊕PW
C2=K2⊕C1⊕PW
……
Cn=Kn⊕Cn-1⊕PW
are connected in sequence as C1C2……CnI.e. the encryption result.
In the method and the device for protecting the train data in the embodiment of the invention, the unique identification number and different symmetric encryption keys are distributed to the monitored equipment through key distribution, and all nodes accessed to the train network are authenticated, so that malicious nodes or attackers are prevented from entering the train network to attack the data. The collected train running state data is encrypted and transmitted, and the safe transmission of the train running state data is guaranteed. The integrity and confidentiality of the train running state data are protected, the real-time protection of the train data is improved, and data support is provided for monitoring the train state, analyzing train faults and the like.
The above description is only exemplary of the present invention and should not be taken as limiting the invention, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A safety protection method of train data is characterized by comprising a secret key distribution step, an encryption step and a transmission step;
the key distribution step is to distribute a unique identification number ID and a corresponding key PW to each train to be monitored, and send the unique identification number ID and the corresponding key PW of each train to a monitoring party;
the encryption step is to identify the identity of the train according to the unique identification number ID carried by the train and symmetrically encrypt the acquired train data of the train by using a secret key PW corresponding to the train;
the transmission step is to transmit the encrypted train data to a monitoring party;
and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data.
2. The method for protecting train data according to claim 1, wherein in the key distribution step, the key PW distributed to each train is changed at regular time, and the unique identification number ID of each train, the corresponding changed key PW and its timestamp TS are sent to the monitoring party, so that the monitoring party can determine whether the key PW is valid.
3. The method for securing train data according to claim 1, further comprising an authentication step of securely authenticating all nodes requesting access to the train network according to the information table distributed by the key distribution step, i.e., the ternary array (ID, PW, TS) of each train, i.e., the unique identification number ID, the corresponding key PW, and the timestamp TS of the key PW; the safety certification of any node requesting to access the train network comprises the following steps of sequentially judging whether the node meets the following conditions: carrying a binary array (ID, PW), matching the carried unique identification number ID and the carried key PW with an information table distributed in the key distribution step, wherein the timestamp TS of the key PW meets the timestamp allowable range; if the two are met, the node passes the authentication; otherwise the node is not authenticated.
4. The safety protection method for train data according to claim 3, further comprising a data collection step of collecting data of a corresponding train according to the unique identification number ID of the train passing the authentication.
5. The method for protecting the train data according to claim 1, wherein in the encrypting step, the data is encrypted in groups according to the size of the data volume of different trains.
6. The train data safety protection method according to claim 1, wherein the monitoring party comprises an in-train monitoring device and a cloud monitoring device; in the transmission step, the encrypted train data is transmitted to the train internal monitoring equipment through a train network for monitoring, or the encrypted train data is transmitted to the cloud monitoring equipment through an external network for monitoring.
7. The safety protection device for train data is characterized by comprising a secret key distribution module, an authentication module, a data acquisition module, an encryption module and a transmission module:
the key distribution module distributes a unique identification number ID and a corresponding key PW to each train to be monitored, and sends the unique identification number ID and the corresponding key PW of each train to the encryption module and the monitoring party;
the encryption module identifies the identity of the train according to the unique identification number ID carried by the train, symmetrically encrypts the acquired train data of the train by using a secret key PW corresponding to the train, and sends the encrypted train data to the transmission module;
the transmission module is used for transmitting the encrypted train data to a monitoring party;
and the monitoring party decrypts the data by using the key PW corresponding to the train and monitors and checks the data.
8. The train data security protection device according to claim 7, wherein the key distribution module periodically changes the key PW distributed to each train, and sends the unique identification number ID of each train and the corresponding changed key PW to the encryption module and the monitoring party, and sends the timestamp TS of the changed key PW to the monitoring party, so that the monitoring party determines whether the key PW is valid.
And the encryption module changes the stored key information in real time according to the information sent by the key distribution module.
9. The apparatus according to claim 1, further comprising an authentication module for receiving the information table sent by the key distribution module, including a ternary array (ID, PW, TS) of each train, i.e. a unique identification number ID, a corresponding key PW, and a timestamp TS of the key PW, and performing security authentication on all nodes requesting to access to the train network.
10. The train data safety protection device according to claim 3, further comprising a data acquisition module; the authentication module sends the unique identification number ID of the train passing the authentication to the data acquisition module, the data acquisition module acquires data of the corresponding train according to the unique identification number ID, and sends the acquired train data to the encryption module for encryption.
CN202010119756.3A 2020-02-26 2020-02-26 Safety protection method and device for train data Pending CN111343606A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010119756.3A CN111343606A (en) 2020-02-26 2020-02-26 Safety protection method and device for train data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010119756.3A CN111343606A (en) 2020-02-26 2020-02-26 Safety protection method and device for train data

Publications (1)

Publication Number Publication Date
CN111343606A true CN111343606A (en) 2020-06-26

Family

ID=71187894

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010119756.3A Pending CN111343606A (en) 2020-02-26 2020-02-26 Safety protection method and device for train data

Country Status (1)

Country Link
CN (1) CN111343606A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113242235A (en) * 2021-05-08 2021-08-10 卡斯柯信号有限公司 System and method for encrypting and authenticating railway signal secure communication protocol RSSP-I
CN113438617A (en) * 2021-05-18 2021-09-24 广东中发星通技术有限公司 Method and system for encrypting and receiving health data of train driving equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883372A (en) * 2015-06-19 2015-09-02 中国电子科技集团公司第五十四研究所 Anti-cheating and anti-attack data transmission method based on wireless Ad Hoc network
CN105264831A (en) * 2013-03-26 2016-01-20 赛西蒂系统股份有限公司 Sensor nodes with multicast transmissions in lighting sensory network
CN109639438A (en) * 2019-02-26 2019-04-16 燕山大学 A kind of SCADA network industries information ciphering method based on digital signature
CN109951823A (en) * 2017-12-20 2019-06-28 英特尔公司 Method and apparatus for vehicle-to-vehicle communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105264831A (en) * 2013-03-26 2016-01-20 赛西蒂系统股份有限公司 Sensor nodes with multicast transmissions in lighting sensory network
CN104883372A (en) * 2015-06-19 2015-09-02 中国电子科技集团公司第五十四研究所 Anti-cheating and anti-attack data transmission method based on wireless Ad Hoc network
CN109951823A (en) * 2017-12-20 2019-06-28 英特尔公司 Method and apparatus for vehicle-to-vehicle communication
CN109639438A (en) * 2019-02-26 2019-04-16 燕山大学 A kind of SCADA network industries information ciphering method based on digital signature

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113242235A (en) * 2021-05-08 2021-08-10 卡斯柯信号有限公司 System and method for encrypting and authenticating railway signal secure communication protocol RSSP-I
CN113438617A (en) * 2021-05-18 2021-09-24 广东中发星通技术有限公司 Method and system for encrypting and receiving health data of train driving equipment

Similar Documents

Publication Publication Date Title
CN110635893B (en) Vehicle-mounted Ethernet information security protection method
CN106357400B (en) Establish the method and system in channel between TBOX terminal and TSP platform
Lopez et al. Cyber security analysis of the European train control system
CN101917270B (en) Weak authentication and key agreement method based on symmetrical password
CN106506149B (en) Key generation method and system between a kind of TBOX terminal and TSP platform
CN106572106A (en) Method of transmitting message between TBOX terminal and TSP platform
CN106973056A (en) The safety chip and its encryption method of a kind of object-oriented
CN110661746B (en) Train CAN bus communication security encryption method and decryption method
CN101783793A (en) Method, system and device for improving safety of monitoring data
CN110955918A (en) Contract text protection method based on RSA encrypted sha-256 digital signature
CN111797431B (en) Encrypted data anomaly detection method and system based on symmetric key system
CN111343606A (en) Safety protection method and device for train data
CN110891065A (en) Token-based user identity auxiliary encryption method
CN113312608A (en) Electric power metering terminal identity authentication method and system based on timestamp
Daily et al. Securing CAN traffic on J1939 networks
KR102219086B1 (en) HMAC-based source authentication and secret key sharing method and system for Unnamed Aerial vehicle systems
CN112311553B (en) Equipment authentication method based on challenge response
CN116743470A (en) Service data encryption processing method and device
CN101742229A (en) Method, system and device for improving safety of monitoring data
CN101471775B (en) Authentication method for MS and BS of WiMAX system
CN212305665U (en) Domestic communication encryption device suitable for rail transit
KR102419057B1 (en) Message security system and method of railway communication network
CN112069487B (en) Intelligent equipment network communication safety implementation method based on Internet of things
CN103888438A (en) Train data communication system using information safety technology
CN112260831A (en) Security authentication method based on dynamic key

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200626