CN111698263B - Beidou satellite navigation data transmission method and system - Google Patents


Info

Publication number: CN111698263B
Authority: CN (China)
Prior art keywords: data, target, user terminal, security, security level
Legal status: Active
Application number: CN202010591005.1A
Other languages: Chinese (zh)
Other versions: CN111698263A
Inventors: 王雍, 张舒黎
Current assignee: China Electronics Technology Network Security Technology Co ltd
Original assignee: Chengdu Westone Information Industry Inc
Application filed by Chengdu Westone Information Industry Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention provides a method and a system for transmitting Beidou satellite navigation data. The method is applied at a data center and comprises the following steps: receiving target data sent by a reference station; determining a target security level corresponding to a target user terminal; and sending the target data to the target user terminal using the target security verification scheme corresponding to that target security level, where the target security verification scheme comprises any one or any combination of data encryption, data integrity verification and identity authentication. By dividing user terminals into security levels and transmitting data under the security check scheme of the corresponding level, the method and system can fully meet the security requirements that different users place on the transmission of Beidou satellite navigation data, guarantee the integrity and confidentiality of the data, effectively prevent data from being accessed across security levels, and greatly improve the transmission security of Beidou satellite navigation data.

Description

Beidou satellite navigation data transmission method and system
Technical Field
The disclosure relates to the technical field of satellite navigation, in particular to a method and a system for transmitting Beidou satellite navigation data.
Background
The Beidou satellite navigation system is a global satellite navigation system independently developed and operated by China, providing positioning, navigation, timing and other services to military and civil users. Combined with continuously operating reference stations distributed on the ground, it provides users with sub-meter-level, centimeter-level and even millimeter-level positioning data. As the Beidou satellite navigation system gradually goes global, Beidou high-precision data play an important role in many civil applications, for example providing accurate navigation and positioning for vehicles in intelligent transportation, or enabling precise seeding by unmanned aerial vehicles during spring ploughing in agriculture.
However, in the related art, data transmission of the Beidou satellite navigation system in civil applications lacks a necessary security protection mechanism, and its security is low. In fact, even in the civil field there is a need to protect data transmission, in particular for some sensitive high-precision data. For example, in some important applications the data of a reference station may be associated with a particular important landmark, and such data has a strong need for security protection.
In view of the above, it is an important need for those skilled in the art to provide a solution to the above technical problems.
Disclosure of Invention
The invention aims to provide a method and a system for transmitting Beidou satellite navigation data that optimize and improve the secure transmission mechanism for Beidou satellite navigation data and meet the security protection requirements of different users for data transmission.
In order to achieve the above object, in a first aspect, the present disclosure provides a method for transmitting Beidou satellite navigation data, which is applied to a data center, and the method includes:
receiving target data sent by a reference station;
determining a target security level corresponding to a target user terminal;
sending the target data to the target user terminal using a target security verification scheme corresponding to the target security level;
the target security verification scheme comprises any one item or any combination of data encryption, data integrity verification and identity authentication.
Optionally, receiving the target data sent by the reference station includes:
receiving encrypted data sent by the reference station via a network encryption device;
and decrypting the encrypted data to obtain the target data.
Optionally, the network encryption device includes a cryptographic component and a VPN client, and the VPN client is communicatively connected to a security gateway of the data center;
before receiving the encrypted data sent by the reference station via the network encryption device, the method further comprises:
issuing digital certificates for the VPN client and the security gateway based on a CA system and a key management center deployed at the data center;
and receiving the encrypted data sent by the reference station via the network encryption device comprises:
after the VPN client completes identity authentication, receiving, via the security gateway, the encrypted data that is sent by the VPN client and encrypted by the cryptographic component.
Optionally, the determining a target security level corresponding to the target user terminal includes:
and determining the target security level of the target user terminal according to the data processing capability of the target user terminal and the data services it has subscribed to.
Optionally, the determining a target security level corresponding to the target user terminal includes:
if the target user terminal uses a high-precision data service, determining a first security level as the target security level; the target security verification scheme corresponding to the first security level comprises data encryption, bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses a medium-precision data service, determining a second security level as the target security level; the target security verification scheme corresponding to the second security level comprises bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses a low-precision data service, determining a third security level as the target security level; the target security verification scheme corresponding to the third security level comprises one-way data integrity verification and one-way identity authentication on the data center side.
Optionally, in the target security verification scheme corresponding to the first security level, identity authentication of the target user terminal is implemented based on a hardware cryptographic card;
in the target security verification scheme corresponding to the second security level, identity authentication of the target user terminal is implemented based on a cryptographic software module;
and in the target security verification scheme corresponding to the third security level, identity authentication of the target user terminal is implemented based on a cryptographic software module.
In a second aspect, the present disclosure also provides a transmission system for Beidou satellite navigation data, including a reference station and a data center, where the data center is configured to:
receive target data sent by the reference station; determine a target security level corresponding to a target user terminal; and send the target data to the target user terminal using a target security verification scheme corresponding to the target security level;
the target security verification scheme comprises any one or any combination of data encryption, data integrity verification and identity authentication.
Optionally, the reference station is deployed with a network encryption device; the data center is used for:
receiving encrypted data sent by the reference station based on network encryption equipment; and decrypting the encrypted data to obtain the target data.
Optionally, the network encryption device includes a cryptographic component and a VPN client, and the VPN client is in communication connection with a security gateway of the data center;
the data center is used for:
issuing digital certificates for the VPN client and the security gateway based on a CA system and a key management center deployed at the data center; and, after the VPN client completes identity authentication, receiving, via the security gateway, the encrypted data that is sent by the VPN client and encrypted by the cryptographic component.
Optionally, the cryptographic module at the data center comprises a cryptographic software module or a cryptographic hardware module.
Optionally, the data center is configured to:
determine the target security level of the target user terminal according to the data processing capability of the target user terminal and the data services it has subscribed to.
Optionally, the data center is configured to:
if the target user terminal uses a high-precision data service, determine a first security level as the target security level; the target security verification scheme corresponding to the first security level comprises data encryption, bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses a medium-precision data service, determine a second security level as the target security level; the target security verification scheme corresponding to the second security level comprises bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses a low-precision data service, determine a third security level as the target security level; the target security verification scheme corresponding to the third security level comprises one-way data integrity verification and one-way identity authentication on the data center side.
Optionally, a security module for implementing the target security verification scheme in coordination with the data center is deployed at the user terminal;
at a user terminal corresponding to the first security level, the security module is a hardware cryptographic card, and identity authentication of the target user terminal is implemented based on the hardware cryptographic card;
at a user terminal corresponding to the second security level, the security module is a cryptographic software module, and identity authentication of the target user terminal is implemented based on the cryptographic software module;
and at a user terminal corresponding to the third security level, the security module is a cryptographic software module, and identity authentication of the target user terminal is implemented based on the cryptographic software module.
Through this technical scheme, user terminals are divided into security levels and the data center then transmits data using the security check scheme of the corresponding level, so that the security requirements of different users on the Beidou satellite navigation data transmission process can be fully met, the integrity and confidentiality of the data can be guaranteed, access to data across security levels can be effectively prevented, and the transmission security of Beidou satellite navigation data is greatly improved.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
fig. 1 is an application scene diagram of a transmission method of Beidou satellite navigation data according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a method for transmitting Beidou satellite navigation data according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a transmission system of Beidou satellite navigation data according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram of a transmission method of Beidou satellite navigation data according to an embodiment of the present disclosure;
fig. 5 is a block diagram of a structure of a transmission system of Beidou satellite navigation data provided in the embodiment of the present disclosure.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
The Beidou satellite navigation system is a global satellite navigation system independently developed and operated by China, and its data transmission has security protection requirements in some civil fields as well, particularly for some high-precision sensitive data. For example, in some important application fields the data of a reference station may be associated with a particular important landmark, and such data has a strong security requirement. However, in the related technology, data transmission of the Beidou satellite navigation system in civil applications lacks a necessary security protection mechanism, its security is low, and the following security risks exist:
(1) Data leakage. Generally, the data of a single reference station is merely sensitive rather than confidential, but when the data of several reference stations is aggregated and integrated it forms high-precision confidential data because of its association with particular important landmarks. The transmission of Beidou high-precision data involves multiple transmission media such as Ethernet, optical fibre and wireless networks; the network protocols are fragile, and the data is easily monitored and intruded upon. Once such confidential data is acquired by lawless persons and used to plan unlawful actions, it can pose a serious threat to the safety of people's lives and property.
(2) Destruction of data integrity. The data is at risk of being illegally tampered with, damaged and so on during transmission.
(3) Identity counterfeiting. An attacker may forge a reference station and thereby attack the operation service platform; or an attacker may impersonate a user's identity to access the application platform and engage in destructive behaviour.
(4) Abuse of authority. When users access application platform resources without distinction of authority, leakage of Beidou satellite navigation data is easily caused, and in serious cases the whole system can be damaged.
In view of this, the present disclosure provides a transmission scheme for Beidou satellite navigation data, which can effectively solve the above problems.
Referring to fig. 1, fig. 1 is an application scene diagram of a transmission method of Beidou satellite navigation data provided by the present disclosure.
The Beidou satellite navigation system is based on high and new technologies such as a Beidou satellite positioning technology, a computer network technology, a digital communication technology and the like, a plurality of GNSS continuously operating reference base stations are distributed in a certain area, the overall modeling is carried out on the positioning error of the regional GNSS, and then positioning information and enhancement information are broadcasted to users through a data communication network. The whole navigation system comprises space satellites, reference stations, a data center, a user terminal and the like.
As shown in fig. 1, each reference station is connected to a data center through a security gateway, and the data center is in communication connection with each user terminal. The transmission of the Beidou satellite navigation data mainly comprises two transmission processes of transmitting from a reference station to a data center and transmitting from the data center to a user terminal.
Referring to fig. 2, the present disclosure provides a method for transmitting Beidou satellite navigation data, which is applied to a data center, and the method mainly includes:
S101: receiving target data transmitted by the reference station.
S102: determining a target security level corresponding to the target user terminal.
S103: sending the target data to the target user terminal using a target security verification scheme corresponding to the target security level.
The target security verification scheme comprises any one or any combination of data encryption, data integrity verification and identity authentication.
It should be noted that, in the Beidou satellite navigation data transmission method provided by the disclosure, a data transmission security prevention and control mechanism is arranged at the data center, that is, when target data transmitted by the reference station is sent to a corresponding user terminal (i.e., a target user terminal), the data center specifically performs data transmission by using a corresponding security verification scheme (i.e., a target security verification scheme) according to the security level (i.e., a target security level) of the user terminal, so as to ensure that the data is transmitted to a correct user terminal safely and completely.
Therefore, each user terminal is assigned a security level, and each security level corresponds to one security verification scheme. Generally, the higher the precision of the data used, the higher the security level of the user terminal, the more complex the corresponding security verification scheme, and the higher the level of protection. User terminals of different security levels use different security verification schemes, so that the acquisition requirements of different users can be fully met, and in particular the data transmission security requirements of those users who use high-precision data. Based on this mechanism of hierarchical authorization and distribution, the security protection requirements of different users for different positioning precisions can be met, and the security of high-precision data during network transmission is ensured.
In general, high-precision data refers to centimeter-level data, medium-precision data refers to sub-meter-level data, and low-precision data refers to meter-level data.
It is easily understood that, based on the implementation requirement of the security verification scheme, the present disclosure provides a cryptographic module at the data center, which can be used for performing data encryption and decryption operations, integrity verification, and identity authentication for the data center. The cryptographic module may be a cryptographic soft module, or a cryptographic hardware module, such as a cryptographic engine, a PCIE cryptographic card, and the like, which is not further limited in this disclosure.
Specifically, those skilled in the art can select suitable algorithms according to the actual application. For example, based on the cryptographic module, the SM4 algorithm may be used for data encryption, the SM3 algorithm for data integrity verification, and the SM2 algorithm for identity authentication. The SM series algorithms are a series of cryptographic standards issued by the Office of State Commercial Cryptography Administration (OSCCA) to ensure the security of commercial cryptography.
Therefore, in the Beidou satellite navigation data transmission method provided by the disclosure, user terminals are divided into security levels and data is then transmitted using the security check scheme of the corresponding level, so that the security requirements of different users on the Beidou satellite navigation data transmission process can be fully met, the integrity and confidentiality of the data can be guaranteed, access to data across security levels can be effectively prevented, and the transmission security of Beidou satellite navigation data is greatly improved.
As a specific embodiment, the method for transmitting Beidou satellite navigation data according to the embodiment of the present disclosure receives target data sent by a reference station on the basis of the above contents, and includes:
receiving encrypted data sent by a reference station based on network encryption equipment;
the encrypted data is decrypted to obtain the target data.
Specifically, in the present embodiment, a network encryption device is further provided in the reference station. Based on the network encryption device, data transmission between the reference station and the data center is not in plaintext transmission, but encrypted transmission. And the data center decrypts the received encrypted data sent by the reference station, and then transmits the target data to the target user terminal by adopting a corresponding target security verification scheme according to the target security level of the target user terminal.
In this embodiment, data encryption is introduced into the transmission from the reference station to the data center, so that the security risk of civil high-precision data being transmitted in plaintext over a public network can be effectively avoided, and the security of data transmission is further improved.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a transmission system of the beidou satellite navigation data provided in the present disclosure.
As a specific embodiment, in a Beidou satellite navigation data transmission system applying the method provided by the embodiment of the disclosure, the reference station is deployed with a network encryption device that comprises a cryptographic component and a VPN client, and the VPN client is communicatively connected to a security gateway of the data center; a CA system and a key management center for signing and issuing digital certificates for the VPN client and the security gateway are deployed at the data center;
before receiving the encrypted data sent by the reference station via the network encryption device, the method further comprises:
issuing digital certificates for the VPN client and the security gateway based on the CA system and the key management center deployed at the data center;
and receiving the encrypted data sent by the reference station via the network encryption device comprises:
after the VPN client completes identity authentication, receiving, via the security gateway, the encrypted data that is sent by the VPN client and encrypted by the cryptographic component.
Specifically, the VPN client provided in the reference station may specifically employ a SecPortal client (TLS). The SecPortal client establishes a TLS secure tunnel with a secure gateway of the data center, and can realize the secure transmission of service/monitoring data between the reference station and the data center.
The cryptographic component provided in the reference station may specifically include a USB Key or a secure chip. It is easily understood that, from the technical implementation level, the cryptographic component may also include related components adapted to the USB Key or the security chip.
The reference station can be broadly divided into a service module, a security component and a security module. The service module comprises a local storage module and a data transmission service; the security component comprises the SecPortal client and cryptographic application middleware adapted to the security module; the security module comprises the USB Key or security chip and its driver.
The cryptographic middleware wraps the API of the security module and provides cryptographic operation services, reducing the complexity of calls from the business application and lowering the barrier to using cryptography. The local storage service of the reference station can encrypt the stored raw observation data by calling the interface of the cryptographic application middleware, and the data transmission service of the reference station can exchange data with the data center through the secure tunnel by calling the SecPortal client.
The CA (digital certificate authentication) system deployed at the data center is responsible for managing digital certificates and can issue certificates for the security gateway, the SecPortal client and the USB Key. Issuing and managing digital certificates generally requires keys, and the key management center manages those keys in cooperation with the CA system, including key generation, storage, distribution, update and revocation.
Therefore, in this embodiment, on the basis of the existing reference station product, keys and device certificates serve as the security basis; a cryptographic module (the USB Key or security chip) and cryptographic middleware are configured to encapsulate the basic algorithms of the cryptographic resource and provide cryptographic services; and a SecPortal client (TLS) is configured to achieve secure transmission of the service/monitoring data between the reference station and the data center, thereby guaranteeing the compliance and security of the reference station.
It should be added that, depending on actual usage requirements, a proxy server may be deployed at the data center to take over the main functions of the data center itself, namely differential calculation of reference station data, responding to user requests, data encryption and decryption, identity authentication, and key reception and use.
Furthermore, according to the security requirements of different users, the user terminal can also be equipped with a suitable security module according to the actual application requirements, including a cryptographic software module, a TF/SD cryptographic card, a password combined with a cryptographic software module, and the like.
Specifically, referring to fig. 4, fig. 4 is a schematic diagram of a transmission method of Beidou satellite navigation data provided by the present disclosure.
As a specific embodiment, building on the above, the method for transmitting Beidou satellite navigation data according to the embodiment of the present disclosure determines the target security level corresponding to the target user terminal as follows:
determining the target security level of the target user terminal according to the data processing capability of the target user terminal and the data service it has subscribed to.
Specifically, the accuracy of the data a user terminal can finally use is bounded by two factors: the data processing capability of the user terminal itself, and the data accuracy service the user terminal has purchased. It is easy to see that a user terminal cannot resolve data beyond its own level of processing accuracy, whereas a user terminal with high-accuracy resolving capability can process both high-accuracy and lower-accuracy data.
Therefore, in this embodiment, the data center determines the corresponding target security level from the data processing capability of the target user terminal and its data service subscription taken together, which keeps the security verification applied in data transmission reasonable.
As a specific embodiment, building on the above, the method for transmitting Beidou satellite navigation data according to the embodiment of the present disclosure determines the target security level corresponding to the target user terminal as follows:
if the target user terminal uses the high-precision data service, the first security level is determined as the target security level; the target security verification scheme corresponding to the first security level comprises data encryption, bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses the medium-precision data service, the second security level is determined as the target security level; the target security verification scheme corresponding to the second security level comprises bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses the low-precision data service, the third security level is determined as the target security level; the target security verification scheme corresponding to the third security level comprises one-way data integrity verification and one-way identity authentication for the data center side.
Specifically, in this embodiment, a dedicated security verification scheme is defined for each of three classes of users with different data accuracy requirements. First, the high-precision data service is used by target users with higher security requirements; they are placed at the first security level and the strictest security verification scheme is adopted, comprising three items: data encryption, bidirectional data integrity verification and bidirectional identity authentication. Here, bidirectional means that security verification is performed in both transmission directions, from the data center to the user terminal and from the user terminal to the data center.
Second, the medium-precision data service is used by target users with medium security requirements; they are placed at the second security level and a security verification scheme of medium strength is adopted, comprising two items: bidirectional data integrity verification and bidirectional identity authentication.
Finally, general internet users usually have low data security requirements and use the low-precision data service; they are placed at the third security level and a security verification scheme of the lowest strength is adopted, comprising two items: one-way data integrity verification and one-way identity authentication for the data center side. That is, compared with the second security level, the third security level performs no data integrity verification on data coming from the user terminal, and no identity authentication of the mass of users operating those terminals.
Therefore, the embodiment respectively sets the security verification schemes with different security performance and different complexity for the users using different precision data, can meet the comprehensive use requirements of different users, and improves the user experience.
As a specific embodiment, building on the above, in the method for transmitting Beidou satellite navigation data provided by the embodiment of the disclosure, the identity authentication of the target user terminal in the target security verification scheme corresponding to the first security level is implemented on the basis of a hardware cryptographic card;
and in the target security verification scheme corresponding to the second security level, the identity authentication of the target user terminal is implemented on the basis of a cryptographic software module.
In particular, as noted before, the user terminal must also be equipped with a suitable security module in order to receive the data transmitted by the data center under the target security verification scheme. In this embodiment, a user terminal using the high-precision data service may deploy a hardware cryptographic card, such as an SD/TF cryptographic card, to implement identity authentication and encryption/decryption operations on the user terminal.
A user terminal using the medium-precision data service may be provided with a cryptographic software module so as to complete identity authentication and data encryption and decryption on the user terminal using a username and password; the username and password naturally have to be registered online in advance.
The user terminal of a general member of the public using the low-precision data service may deploy the cryptographic software module to implement identity authentication of the user terminal.
Therefore, different security modules are respectively arranged for user terminals using different precision data, comprehensive use requirements of different users can be considered, and user experience is improved.
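The level determination and the three verification schemes described above, together with the security module each terminal holds, carried out in code as an added example (not code from the patent): the Go program below classifies a terminal from the two factors the text names, then applies exactly the checks of the resulting level to a frame in each direction. Assumptions not stated in the text: the weaker of subscribed service and processing capability decides the level; AES-256-GCM stands in for "data encryption"; an ECDSA signature made with the sender's key (the key the hardware cryptographic card or cryptographic software module would hold) stands in for identity authentication and, because it covers the whole body, also serves as the integrity check, which the text lists separately but applies in the same directions at every level; the 32-byte session key is taken as already agreed between the parties.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Level is one of the three security levels in the text; Level1 is the strictest.
type Level int

const (
	Level1 Level = iota + 1 // high-precision service
	Level2                  // medium-precision service
	Level3                  // low-precision service (general internet users)
)

// Scheme is what a level requires. The text lists integrity verification and
// identity authentication separately but applies both in the same directions at
// every level, so one flag covers them: bidirectional at Level1 and Level2,
// one-way (frames sent by the data center only) at Level3. Only Level1 encrypts.
type Scheme struct{ Encrypt, CheckBothWays bool }

func SchemeFor(l Level) Scheme { return Scheme{Encrypt: l == Level1, CheckBothWays: l != Level3} }

// ClassifyTerminal combines the subscribed service with the terminal's resolving
// capability. The text names both factors but not how they combine; the
// assumption here is that the weaker one decides.
func ClassifyTerminal(subscribed, capability string) (Level, error) {
	rank := map[string]int{"low": 1, "medium": 2, "high": 3}
	s, c := rank[subscribed], rank[capability]
	if s == 0 || c == 0 {
		return 0, errors.New("unknown precision class")
	}
	if c < s { // a terminal cannot use data beyond what it can resolve
		s = c
	}
	return Level(4 - s), nil // rank 3 -> Level1, 2 -> Level2, 1 -> Level3
}

// NewIdentity creates a party's signing key: on the terminal side this is what
// the hardware cryptographic card or the cryptographic software module holds.
func NewIdentity() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Frame is one protected message between the data center and a terminal.
type Frame struct {
	Body  []byte // plaintext, or AES-GCM ciphertext at Level1
	Nonce []byte // GCM nonce, Level1 only
	Sig   []byte // ECDSA signature over Body: sender authentication plus integrity
}

func gcmFor(session []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(session) // a 32-byte session key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect builds the frame a sender emits at level l. fromCenter says whether the
// data center is sending; at Level3 only the data center's frames are signed.
func Protect(l Level, fromCenter bool, signer *ecdsa.PrivateKey, session, data []byte) (Frame, error) {
	sc, f := SchemeFor(l), Frame{Body: data}
	if sc.Encrypt {
		g, err := gcmFor(session)
		if err != nil {
			return Frame{}, err
		}
		f.Nonce = make([]byte, g.NonceSize())
		if _, err := rand.Read(f.Nonce); err != nil {
			return Frame{}, err
		}
		f.Body = g.Seal(nil, f.Nonce, data, nil)
	}
	if fromCenter || sc.CheckBothWays {
		d := sha256.Sum256(f.Body)
		sig, err := ecdsa.SignASN1(rand.Reader, signer, d[:])
		if err != nil {
			return Frame{}, err
		}
		f.Sig = sig
	}
	return f, nil
}

// Verify is the receiving side: it enforces exactly the checks level l requires
// for this direction and returns the recovered data.
func Verify(l Level, fromCenter bool, sender *ecdsa.PublicKey, session []byte, f Frame) ([]byte, error) {
	sc := SchemeFor(l)
	if fromCenter || sc.CheckBothWays {
		d := sha256.Sum256(f.Body)
		if !ecdsa.VerifyASN1(sender, d[:], f.Sig) {
			return nil, errors.New("identity authentication or integrity check failed")
		}
	}
	if !sc.Encrypt {
		return f.Body, nil
	}
	g, err := gcmFor(session)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, f.Nonce, f.Body, nil)
}

func main() {
	center, _ := NewIdentity()                                           // data center identity key
	session := sha256.Sum256([]byte("constructed demo session secret")) // stands in for an agreed key
	lvl, _ := ClassifyTerminal("high", "medium")                        // subscribed high, resolves only medium
	f, _ := Protect(lvl, true, center, session[:], []byte("constructed correction record"))
	out, err := Verify(lvl, true, &center.PublicKey, session[:], f)
	fmt.Println(lvl, string(out), err)
}
```

Running it with `ClassifyTerminal("high", "medium")` shows the capability cap: a terminal that subscribed to high-precision data but can only resolve medium precision is handled at Level2, so data it could not use is never prepared for it. At Level3 the terminal's own frames carry no signature and pass unchecked, while frames from the data center are still signed, which matches the text's one-way checks for the data center side.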
Referring to fig. 5, the present disclosure also provides a transmission system 20 for Beidou satellite navigation data, including a reference station 21 and a data center 22, where the data center 22 is configured to:
receiving target data transmitted by the reference station 21; determining a target security level corresponding to a target user terminal; adopting a target security verification scheme corresponding to the target security level to send the target data to the target user terminal;
the target security verification scheme comprises any one item or any combination of data encryption, data integrity verification and identity authentication.
Of course, it is easily understood that the reference station 21 and the data center 22 also include an infrastructure for maintaining the operation of the service, and those skilled in the art can set the infrastructure according to the actual application needs, which is not further limited in this application.
It should be further noted that in the present disclosure, in order for the data center 22 to be able to carry out security verification items such as data encryption, data integrity verification and identity authentication, a cryptographic module is disposed in the data center 22. The cryptographic module may be a cryptographic software module or a cryptographic hardware module, such as a cryptographic engine or a PCIE cryptographic card, which is not further limited in this disclosure. Therefore, the Beidou satellite navigation data transmission system disclosed by the embodiment of the disclosure divides the user terminals into different security levels, and the data center then transmits data using the security verification scheme of the corresponding level, so that the security requirements of different users on the Beidou satellite navigation data transmission process can be fully met, the integrity and confidentiality of the associated data are guaranteed, viewing of data across security levels is effectively prevented, and the transmission security of the Beidou satellite navigation data is greatly improved.
For specific contents of the transmission system for the Beidou satellite navigation data, reference may be made to the detailed description of the transmission method for the Beidou satellite navigation data, and details thereof are not repeated here.
As a specific embodiment, in the transmission system of the Beidou satellite navigation data disclosed in the embodiment of the present disclosure, on the basis of the above contents, the reference station 21 is deployed with a network encryption device, and the data center 22 is configured to:
receive encrypted data sent by the reference station 21 on the basis of the network encryption device, and decrypt the encrypted data to obtain the target data.
As a specific embodiment, on the basis of the above contents, in the transmission system of the Beidou satellite navigation data disclosed in the embodiment of the present disclosure, the network encryption device comprises a cryptographic component and a VPN client, and the VPN client is in communication connection with a security gateway of the data center 22;
the data center 22 is configured to:
issue digital certificates for the VPN client and the security gateway on the basis of a CA system and a key management center deployed at the data center; and, after the VPN client completes identity authentication, receive via the security gateway the encrypted data sent by the VPN client and encrypted by the cryptographic component.
As a specific embodiment, in the transmission system of the Beidou satellite navigation data disclosed in the embodiment of the present disclosure, on the basis of the above contents, the cryptographic module at the data center 22 comprises a cryptographic software module or a cryptographic hardware module.
As a specific embodiment, on the basis of the above content, the data center 22 of the transmission system for Beidou satellite navigation data disclosed in the embodiment of the present disclosure is configured to:
determine the target security level of the target user terminal according to the data processing capability of the target user terminal and the data service it has subscribed to.
As a specific embodiment, on the basis of the above content, the data center 22 of the transmission system for Beidou satellite navigation data disclosed in the embodiment of the present disclosure is configured to:
if the target user terminal uses the high-precision data service, determine the first security level as the target security level; the target security verification scheme corresponding to the first security level comprises data encryption, bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses the medium-precision data service, determine the second security level as the target security level; the target security verification scheme corresponding to the second security level comprises bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses the low-precision data service, determine the third security level as the target security level; the target security verification scheme corresponding to the third security level comprises one-way data integrity verification and one-way identity authentication for the data center 22 side.
As a specific embodiment, on the basis of the above contents, in the transmission system of the Beidou satellite navigation data disclosed in the embodiment of the present disclosure, a security module that cooperates in implementing the target security verification scheme is deployed at the user terminal;
at the user terminal corresponding to the first security level, the security module is a hardware cryptographic card, and identity authentication of the target user terminal is implemented on the basis of the hardware cryptographic card;
at the user terminal corresponding to the second security level, the security module is a cryptographic software module, and identity authentication of the target user terminal is implemented on the basis of the cryptographic software module;
and at the user terminal corresponding to the third security level, the security module is a cryptographic software module, and identity authentication of the target user terminal is implemented on the basis of the cryptographic software module.
The embodiments in the disclosure are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the equipment disclosed by the embodiment, the description is relatively simple because the equipment corresponds to the method disclosed by the embodiment, and the relevant parts can be referred to the method part for description.
It is further noted that, in the present disclosure, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The technical solutions provided by the present disclosure are described in detail above. The principles and embodiments of the present disclosure are explained herein using specific examples, which are merely set forth to aid in understanding the methods and their core concepts of the present disclosure. It should be noted that, for those skilled in the art, without departing from the principle of the present disclosure, several improvements and modifications can be made to the present disclosure, and these improvements and modifications also fall into the protection scope of the present disclosure.

Claims (4)

1. A transmission method of Beidou satellite navigation data is applied to a data center, and comprises the following steps:
receiving target data sent by a reference station;
determining a target security level corresponding to a target user terminal;
sending the target data to the target user terminal by adopting a target security verification scheme corresponding to the target security level; the target security verification scheme comprises any one or any combination of data encryption, data integrity verification and identity authentication;
the receiving of the target data sent by the reference station includes:
issuing digital certificates for the VPN client and the security gateway based on a CA system and a key management center deployed at the data center;
after the VPN client finishes identity authentication, receiving, via the security gateway, encrypted data which is sent by the VPN client and encrypted by a cryptographic component; the cryptographic component and the VPN client constitute network encryption equipment, and the VPN client is in communication connection with the security gateway of the data center;
decrypting the encrypted data to obtain target data;
the determining of the target security level corresponding to the target user terminal includes:
determining a target security level of the target user terminal according to the data processing capacity and the data service ordering condition of the target user terminal; the data service ordering condition is limited by data precision services purchased by a target user terminal according to the requirement on safety, and the data precision services comprise a high-precision data service, a medium-precision data service and a low-precision data service.
2. The transmission method according to claim 1, wherein the determining of the target security level corresponding to the target user terminal comprises:
if the target user terminal uses high-precision data service, determining a first security level as the target security level; the target security verification scheme corresponding to the first security level comprises data encryption, bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses the medium-precision data service, determining a second security level as the target security level; the target security verification scheme corresponding to the second security level comprises bidirectional data integrity verification and bidirectional identity authentication;
if the target user terminal uses low-precision data service, determining a third security level as the target security level; and the target security verification scheme corresponding to the third security level comprises one-way data integrity verification and one-way identity authentication aiming at the data center side.
3. The transmission method according to claim 2, wherein in a target security verification scheme corresponding to the first security level, authentication for the target user terminal is implemented based on a hardware cryptographic card;
in a target security verification scheme corresponding to the second security level, identity authentication for the target user terminal is implemented based on a cryptographic software module;
and in a target security verification scheme corresponding to the third security level, identity authentication for the target user terminal is implemented based on a cryptographic software module.
4. A transmission system of Beidou satellite navigation data, comprising a reference station and a data center, characterized in that the data center is configured to:
receiving target data sent by the reference station; determining a target security level corresponding to a target user terminal; sending the target data to the target user terminal by adopting a target security verification scheme corresponding to the target security level based on a password module;
the target security verification scheme comprises any one or any combination of data encryption, data integrity verification and identity authentication;
the reference station is provided with network encryption equipment; the network encryption equipment comprises a cryptographic component and a VPN client, and the VPN client is in communication connection with a security gateway of the data center;
issuing digital certificates for the VPN client and the security gateway based on a CA system and a key management center deployed at the data center; after the VPN client finishes identity authentication, receiving, via the security gateway, encrypted data which is sent by the VPN client and encrypted by the cryptographic component; decrypting the encrypted data to obtain the target data;
determining a target security level of the target user terminal according to the data processing capacity and the data service ordering condition of the target user terminal; the data service ordering condition is limited by data precision services purchased by a target user terminal according to the requirement on safety, and the data precision services comprise a high-precision data service, a medium-precision data service and a low-precision data service.
CN202010591005.1A 2020-06-24 2020-06-24 Beidou satellite navigation data transmission method and system Active CN111698263B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010591005.1A CN111698263B (en) 2020-06-24 2020-06-24 Beidou satellite navigation data transmission method and system

Publications (2)

Publication Number Publication Date
CN111698263A CN111698263A (en) 2020-09-22
CN111698263B true CN111698263B (en) 2023-04-07

Family

ID=72484056

Country Status (1)

Country Link
CN (1) CN111698263B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112769875B (en) * 2021-04-08 2022-08-12 中国测绘科学研究院 GNSS reference station data transmission and deformation monitoring and early warning method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105515757A (en) * 2014-09-22 2016-04-20 中国银联股份有限公司 Security information interaction equipment based on trusted execution environment
CN106027552A (en) * 2016-06-30 2016-10-12 中经汇通电子商务有限公司 Method and system for accessing cloud storage data by user
CN205910343U (en) * 2016-06-24 2017-01-25 中国人民解放军63888部队 Vehicle information encryption transmission system based on big dipper
CN108718300A (en) * 2018-05-04 2018-10-30 湖南省测绘科技研究所 A kind of online encryption transmission system of GNSS data and method
CN110879880A (en) * 2019-10-24 2020-03-13 南京东科优信网络安全技术研究院有限公司 Password device for user to autonomously control data security level protection

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1933522B1 (en) * 2006-12-11 2013-10-23 Sap Ag Method and system for authentication
CN101895882A (en) * 2009-05-21 2010-11-24 中兴通讯股份有限公司 Data transmission method, system and device in WiMAX system
WO2015071964A1 (en) * 2013-11-12 2015-05-21 株式会社日立製作所 Security management method, device and program
US9935977B1 (en) * 2013-12-09 2018-04-03 Amazon Technologies, Inc. Content delivery employing multiple security levels
US10104129B1 (en) * 2016-06-15 2018-10-16 Prysm, Inc. Confidentiality-based file hosting
CN107315968B (en) * 2017-06-29 2019-08-23 国信优易数据有限公司 A kind of data processing method and equipment

Also Published As

Publication number Publication date
CN111698263A (en) 2020-09-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.
